From: Amaury Denoyelle Date: Thu, 30 Oct 2025 16:29:47 +0000 (+0100) Subject: MINOR: check: ensure QUIC checks configuration coherency X-Git-Tag: v3.3-dev13~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef206d441cd7d6b08c4f5b28e962b14cf7ddda4f;p=thirdparty%2Fhaproxy.git MINOR: check: ensure QUIC checks configuration coherency QUIC is now supported on the backend side, thus it is possible to use it with server checks. However, checks configuration can be quite extensive, differing greatly from the server settings. This patch ensures that QUIC checks are always performed under a controlled context. Objectives are to avoid any crashes and ensure that there is no suprise for users in respect to the configuration. The first part of this patch ensures that QUIC checks can only be activated on QUIC servers. Indeed, QUIC requires dedicated initialization steps prior to its usage. The other part of this patch disables QUIC usage when one or multiple specific check connection settings are specified in the configuration, diverging from the server settings. This is the simplest solution for now and ensure that there is no hidden behavior to users. This means that it's currently impossible to perform QUIC checks if other endpoints that the server itself. However for now there is no real use-case for this scenario. Along with these changes, check-proto documentation is updated to clarify QUIC checks behavior. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index a88a72391..8b2cee98f 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -17918,11 +17918,17 @@ check-proto fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG + quic : mode=HTTP side=FE|BE mux=QUIC flags=HTX|NO_UPG|FRAMED Idea behind this option is to bypass the selection of the best multiplexer's protocol for health-check connections established to this server. If not defined, the server one will be used, if set. + QUIC check configuration is not fully implemented yet. First, QUIC checks may + only be performed for QUIC servers. Second, if one or more check specific + connection parameters is specified on a QUIC server, check protocol will + fallback to TCP usage. + check-sni-auto May be used in the following contexts: tcp, http, log diff --git a/src/check.c b/src/check.c index 25b892099..ba15a7283 100644 --- a/src/check.c +++ b/src/check.c @@ -1876,6 +1876,14 @@ int init_srv_check(struct server *srv) ret |= ERR_ALERT | ERR_FATAL; } } + else { + if (srv->check.mux_proto == get_mux_proto(ist("quic"))) { + ha_alert("config: %s '%s': QUIC checks on non-QUIC server '%s' is not yet supported.\n", + proxy_type_str(srv->proxy), srv->proxy->id, srv->id); + ret |= ERR_ALERT | ERR_FATAL; + goto out; + } + } /* We need at least a service port, a check port or the first tcp-check * rule must be a 'connect' one when checking an IPv4/IPv6 server. diff --git a/src/tcpcheck.c b/src/tcpcheck.c index e353ef62d..815a84099 100644 --- a/src/tcpcheck.c +++ b/src/tcpcheck.c @@ -1411,9 +1411,21 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec *conn->dst = (is_addr(&connect->addr) ? connect->addr : (is_addr(&check->addr) ? check->addr : s->addr)); - proto = s ? - protocol_lookup(conn->dst->ss_family, s->addr_type.proto_type, s->alt_proto) : - protocol_lookup(conn->dst->ss_family, PROTO_TYPE_STREAM, 0); + + if (s && srv_is_quic(s) && tcpcheck_use_nondefault_connect(check, connect)) { + /* For QUIC servers, fallback to TCP checks if any specific + * check connection parameter is set. + */ + proto = protocol_lookup(conn->dst->ss_family, PROTO_TYPE_STREAM, 0); + /* Also reset MUX protocol if set to QUIC. */ + if (check->mux_proto == s->mux_proto) + check->mux_proto = NULL; + } + else { + proto = s ? + protocol_lookup(conn->dst->ss_family, s->addr_type.proto_type, s->alt_proto) : + protocol_lookup(conn->dst->ss_family, PROTO_TYPE_STREAM, 0); + } port = 0; if (connect->port)