MEDIUM: checks: enable the PROXY protocol with health checks
When health checks are configured on a server which has the send-proxy
directive and neither a "port" nor an "addr" setting, the health check connections
will automatically use the PROXY protocol. If "port" or "addr" is set,
the "check-send-proxy" directive may be used to force the protocol.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index d4ad107..eba05b4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7024,6 +7024,17 @@
Supported in default-server: No
+check-send-proxy
+ This option forces emission of a PROXY protocol line with outgoing health
+ checks, regardless of whether the server uses send-proxy or not for the
+ normal traffic. By default, the PROXY protocol is enabled for health checks
+ if it is already enabled for normal traffic and if no "port" nor "addr"
+ directive is present. However, if such a directive is present, the
+ "check-send-proxy" option needs to be used to force the use of the
+ protocol. See also the "send-proxy" option for more information.
+
+ Supported in default-server: No
+
check-ssl
This option forces encryption of all health checks over SSL, regardless of
whether the server uses SSL or not for the normal traffic. This is generally
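Review bot: the new "check-send-proxy" paragraph does not carry over the warning that the "send-proxy" entry gives ("This setting must not be used if the server isn't aware of the protocol"); since the option forces the PROXY line onto the check port regardless of what normal traffic does, consider adding one sentence such as "The health check port must itself be configured to accept the PROXY protocol, otherwise checks will fail." Also "if no "port" nor "addr" directive is present" reads better as "if neither a "port" nor an "addr" directive is present".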
@@ -7301,8 +7312,11 @@
are supported. Other families such as Unix sockets, will report an UNKNOWN
family. Servers using this option can fully be chained to another instance of
haproxy listening with an "accept-proxy" setting. This setting must not be
- used if the server isn't aware of the protocol. See also the "accept-proxy"
- option of the "bind" keyword.
+ used if the server isn't aware of the protocol. When health checks are sent
+ to the server, the PROXY protocol is automatically used when this option is
+ set, unless there is an explicit "port" or "addr" directive, in which case an
+ explicit "check-send-proxy" directive would also be needed to use the PROXY
+ protocol. See also the "accept-proxy" option of the "bind" keyword.
Supported in default-server: No
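Review bot: minor wording in the added sentence: "an explicit "check-send-proxy" directive would also be needed" describes a hard requirement, so "is also needed" is clearer than the conditional "would also be needed".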
diff --git a/include/types/server.h b/include/types/server.h
index 864b56e..acfdeaf 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -169,6 +169,7 @@
short status, code; /* check result, check code */
char desc[HCHK_DESC_LEN]; /* health check descritpion */
int use_ssl; /* use SSL for health checks */
+ int send_proxy; /* send a PROXY protocol header with checks */
} check;
#ifdef USE_OPENSSL
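Review bot: since this hunk touches the struct, the neighbouring context line "health check descritpion" could be fixed to "description" in the same change; otherwise the new field and its comment follow the existing style of use_ssl.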
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 3f785ce..c6b0235 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4145,6 +4145,10 @@
newsrv->state |= SRV_SEND_PROXY;
cur_arg ++;
}
+ else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) {
+ newsrv->check.send_proxy = 1;
+ cur_arg ++;
+ }
else if (!strcmp(args[cur_arg], "weight")) {
int w;
w = atol(args[cur_arg + 1]);
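Review bot: the new branch sets check.send_proxy unconditionally, so a server line that carries "check-send-proxy" without "check" is accepted silently and the option has no effect; consider emitting a warning in the post-parsing pass when send_proxy is set on a server that has no health check configured, as is done for other check-only keywords. The !defsrv guard correctly matches the "Supported in default-server: No" statement in the documentation hunk.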
@@ -4566,8 +4570,10 @@
* same as for the production traffic. Otherwise we use raw_sock by
* default, unless one is specified.
*/
- if (!newsrv->check.port && !is_addr(&newsrv->check.addr))
+ if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) {
newsrv->check.use_ssl |= newsrv->use_ssl;
+ newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY);
+ }
/* try to get the port from check.addr if check.port not set */
if (!newsrv->check.port)
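Review bot: `newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY);` stores the raw SRV_SEND_PROXY mask bit in an int that the parser elsewhere sets to 1; it works because checks.c only tests the field for non-zero, but normalising it with `!!(newsrv->state & SRV_SEND_PROXY)` keeps the field a plain boolean. The comment above this block still only describes the SSL inheritance ("same as for the production traffic. Otherwise we use raw_sock by default"); it should mention that the PROXY protocol setting is inherited under the same condition.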
diff --git a/src/checks.c b/src/checks.c
index 52f70d2..7895e5d 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1331,6 +1331,8 @@
*/
ret = s->check.proto->connect(conn, 1);
conn->flags |= CO_FL_WAKE_DATA;
+ if (s->check.send_proxy)
+ conn->flags |= CO_FL_LOCAL_SPROXY;
switch (ret) {
case SN_ERR_NONE:
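Review bot: CO_FL_LOCAL_SPROXY is ORed into conn->flags only after s->check.proto->connect() has returned; this mirrors how CO_FL_WAKE_DATA is set here, but please confirm that connect(conn, 1) cannot complete and let any data be sent before these flags are in place, since the PROXY line must be the first bytes on the wire. If that cannot be guaranteed, setting both flags before the connect() call is the safer ordering.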