From: Christopher Faulet
Date: Thu, 26 Mar 2026 21:54:12 +0000 (+0100)
Subject: MINOR: tcpcheck: Use tcpcheck flags to know a healthcheck uses SSL connections
X-Git-Tag: v3.4-dev8~59
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=64e3029e8ba4d413d41823b47cad56a16b326df2;p=thirdparty%2Fhaproxy.git
MINOR: tcpcheck: Use tcpcheck flags to know a healthcheck uses SSL connections
The proxy flag PR_O_TCPCHK_SSL is replaced by a flag on the tcpcheck itself. When TCPCHK_FL_USE_SSL flag is set, it means the healthcheck will use an SSL connection and the SSL xprt must be prepared for the server.
---
diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h
index 4ab6fccb0..5e786da3e 100644
--- a/include/haproxy/proxy-t.h
+++ b/include/haproxy/proxy-t.h
@@ -117,7 +117,7 @@ enum PR_SRV_STATE_FILE {
 #define PR_O_HTTP_DROP_REQ_TRLS 0x04000000 /* Drop the request trailers when forwarding to the server */
 #define PR_O_HTTP_DROP_RES_TRLS 0x08000000 /* Drop response trailers when forwarding to the client */
-#define PR_O_TCPCHK_SSL 0x10000000 /* at least one TCPCHECK connect rule requires SSL */
+/* unused: 0x10000000 */
 #define PR_O_CONTSTATS 0x20000000 /* continuous counters */
 /* unused: 0x40000000..0x80000000 */
diff --git a/include/haproxy/tcpcheck-t.h b/include/haproxy/tcpcheck-t.h
index a0879b65d..c3e87b6fe 100644
--- a/include/haproxy/tcpcheck-t.h
+++ b/include/haproxy/tcpcheck-t.h
@@ -108,6 +108,7 @@ enum tcpcheck_rule_type {
 #define TCPCHK_FL_UNUSED_TCP_RS 0x00000001 /* An unused tcp-check ruleset exists for the current proxy */
 #define TCPCHK_FL_UNUSED_HTTP_RS 0x00000002 /* An unused http-check ruleset exists for the current proxy */
 #define TCPCHK_FL_UNUSED_RS 0x00000003 /* Mask for unused ruleset */
+#define TCPCHK_FL_USE_SSL 0x00000004 /* tcp-check uses SSL connection */
 #define TCPCHK_RULES_NONE 0x00000000
 #define TCPCHK_RULES_DISABLE404 0x00000001 /* Disable a server on a 404 response wht HTTP health checks */
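Review bot: The comment on `TCPCHK_FL_USE_SSL` in tcpcheck-t.h is less precise than the one it replaces on PR_O_TCPCHK_SSL ("at least one TCPCHECK connect rule requires SSL"). Because this flag decides whether the SSL xprt is prepared for a server, I would keep that wording, e.g. `/* at least one connect rule of this tcp-check requires SSL */`. It is also worth stating in the comment that the bit lies outside the `TCPCHK_FL_UNUSED_RS` mask (0x00000003), so operations on the unused-ruleset bits leave it untouched.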
diff --git a/src/proxy.c b/src/proxy.c
index 494f4f5d6..c028e348c 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -2542,7 +2542,7 @@ int proxy_finalize(struct proxy *px, int *err_code)
 * if default-server have use_ssl, prerare ssl init
 * without activating it */
 if (newsrv->use_ssl == 1 || newsrv->check.use_ssl == 1 ||
- (newsrv->proxy->options & PR_O_TCPCHK_SSL) ||
+ (newsrv->check.tcpcheck->flags & TCPCHK_FL_USE_SSL) ||
 ((newsrv->flags & SRV_F_DEFSRV_USE_SSL) && newsrv->use_ssl != 1)) {
 if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv)
 cfgerr += xprt_get(XPRT_SSL)->prepare_srv(newsrv);
diff --git a/src/server.c b/src/server.c
index 1dcf62841..d6a414710 100644
--- a/src/server.c
+++ b/src/server.c
@@ -6262,7 +6262,7 @@ static int cli_parse_add_server(char **args, char *payload, struct appctx *appct
 /* ensure minconn/maxconn consistency */
 srv_minmax_conn_apply(srv);
- if (srv->use_ssl == 1 || (srv->proxy->options & PR_O_TCPCHK_SSL) ||
+ if (srv->use_ssl == 1 || (srv->check.tcpcheck->flags & TCPCHK_FL_USE_SSL) ||
 srv->check.use_ssl == 1) {
 if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv) {
 if (xprt_get(XPRT_SSL)->prepare_srv(srv))
diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 70861b6ef..e476cbd88 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -2839,7 +2839,7 @@ struct tcpcheck_rule *parse_tcpcheck_connect(char **args, int cur_arg, struct pr
 conn_opts |= TCPCHK_OPT_LINGER;
 #ifdef USE_OPENSSL
 else if (strcmp(args[cur_arg], "ssl") == 0) {
- px->options |= PR_O_TCPCHK_SSL;
+ px->tcpcheck.flags |= TCPCHK_FL_USE_SSL;
 conn_opts |= TCPCHK_OPT_SSL;
 }
 else if (strcmp(args[cur_arg], "sni") == 0) {
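Review bot: The new condition in proxy_finalize() dereferences `newsrv->check.tcpcheck` unconditionally, where the old test only needed `newsrv->proxy`. Nothing in the hunk shows that the pointer is set for every server that reaches this loop. The same dereference is added in cli_parse_add_server() in src/server.c, which handles servers created at runtime and may run before the check is initialised (not visible here). If an unset pointer is possible on either path, guard it, e.g. `(newsrv->check.tcpcheck && (newsrv->check.tcpcheck->flags & TCPCHK_FL_USE_SSL)) ||`; if it is guaranteed by construction, add a short comment naming where it is assigned. Both function bodies extend outside their hunks.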
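Review bot: In parse_tcpcheck_connect() the flag is written through `px->tcpcheck.flags`, but proxy_finalize() and cli_parse_add_server() read it through `srv->check.tcpcheck->flags`. The SSL xprt is therefore prepared only when the server's check points at the same tcpcheck the parser updated. The hunk does not show how a `connect ... ssl` rule declared in a defaults section, or a ruleset referenced by several proxies, carries the flag to the servers that use it; with PR_O_TCPCHK_SSL this presumably followed the proxy options. Please confirm the flag travels with the ruleset wherever it is copied or referenced, and consider a comment above the assignment such as `/* read via srv->check.tcpcheck->flags to prepare the SSL xprt */`. The function continues outside the hunk.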