BUG/MINOR: checks: Respect the no-check-ssl option
This option is used to force a non-SSL connection to check a SSL server or to
invert a check-ssl option inherited from the default section. The use_ssl field
in the check structure is used to know if a SSL connection must be used
(use_ssl=1) or not (use_ssl=0). The server configuration is used by default.
The problem is that we cannot distinguish the default case (no specific SSL
check option) and the case of an explicit non-SSL check. In both, use_ssl is set
to 0. So the server configuration is always used. For a SSL server, when
no-check-ssl option is set, the check is still performed using a SSL
configuration.
To fix the bug, instead of a boolean value (0=TCP, 1=SSL), we use a ternary value:
* 0 = use server config
* 1 = force SSL
* -1 = force non-SSL
The same is done for the server parameter. It is not really necessary for
now. But it is a good way to know if the server no-ssl option is set.
In addition, the PR_O_TCPCHK_SSL proxy option is no longer used to set use_ssl
to 1 for a check. Instead the flag is directly tested to prepare or destroy the
server SSL context.
This patch should be backported as far as 1.8.
(cherry picked from commit f61f33a1b274c2a42afd96aab19ee8e1d8b121cc)
[wt: minor context adjustments]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 8a5bf35ce7b690353a6adef55cebb4c07d76bf02)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/types/checks.h b/include/types/checks.h
index 8a26073..b926c95 100644
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -167,7 +167,7 @@
short status, code; /* check result, check code */
unsigned short port; /* the port to use for the health checks */
char desc[HCHK_DESC_LEN]; /* health check description */
- int use_ssl; /* use SSL for health checks */
+ char use_ssl; /* use SSL for health checks (1: on, 0: server mode, -1: off) */
int send_proxy; /* send a PROXY protocol header with checks */
struct list *tcpcheck_rules; /* tcp-check send / expect rules */
struct tcpcheck_rule *current_step; /* current step when using tcpcheck */
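Review bot: the new `char use_ssl;` field relies on plain `char` being able to hold -1, but the signedness of plain `char` is implementation-defined in C; on targets where it is unsigned by default (ARM and PowerPC ABIs, for instance), storing -1 yields 255 and any `use_ssl == -1` or `use_ssl < 0` test for the "forced off" state silently fails, reverting to the behaviour this fix is meant to correct. Declare it as `signed char use_ssl;` (or keep the original `int`) so the ternary encoding documented in the comment is portable.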
diff --git a/include/types/server.h b/include/types/server.h
index e053416..5edb273 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -199,7 +199,7 @@
enum obj_type obj_type; /* object type == OBJ_TYPE_SERVER */
enum srv_state next_state, cur_state; /* server state among SRV_ST_* */
enum srv_admin next_admin, cur_admin; /* server maintenance status : SRV_ADMF_* */
- unsigned char use_ssl; /* ssl enabled */
+ char use_ssl; /* ssl enabled (1: on, 0: disabled, -1 forced off) */
unsigned int pp_opts; /* proxy protocol options (SRV_PP_*) */
struct server *next;
int cklen; /* the len of the cookie, to speed up checks */
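Review bot: same portability concern as in checks.h: this hunk changes `unsigned char use_ssl;` to plain `char use_ssl;` so it can carry -1, but plain `char` is unsigned on several common targets, where the "forced off" value would read back as 255 and never match a comparison against -1; use `signed char` here as well so both fields agree. Minor: the comment reads `(1: on, 0: disabled, -1 forced off)` and is missing the colon after `-1` that the other two states have; aligning it with the checks.h comment style `(1: on, 0: server mode, -1: off)` keeps the two encodings easy to cross-reference.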