MINOR: checks: Add the sni option for tcp-check connect rules
With this option, it is possible to specify the SNI to be used for SSL
connections opened by a tcp-check connect rule.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 40585b8..8aaf912 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -9826,6 +9826,8 @@
ssl opens a ciphered connection
+ sni <sni> specifies the SNI to use to do health checks over SSL.
+
linger cleanly close the connection instead of using a single RST.
Examples:
diff --git a/include/types/checks.h b/include/types/checks.h
index d848e6c..14513c9 100644
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -219,8 +219,11 @@
#define TCPCHK_OPT_DEFAULT_CONNECT 0x0008 /* Do a connect using server params */
struct tcpcheck_connect {
- uint16_t port; /* port to connect to */
+ uint16_t port; /* port to connect to */
uint16_t options; /* options when setting up a new connection */
+ char *sni; /* server name to use for SSL connections */
+ char *alpn; /* ALPN to use for the SSL connection */
+ int alpn_len; /* ALPN string length */
};
enum tcpcheck_send_type {
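Review bot: The `alpn` and `alpn_len` fields on lines 25-26 have no user in this commit: nothing parses, sets or frees them, so they are dead state and, because `tcpcheck_connect` is freed via `free(rule->connect.sni)` only, any future assignment to `alpn` would leak unless the release path is updated at the same time. Either drop the two fields until the `alpn` option actually lands, or land them together with their parser and `free(rule->connect.alpn)` so ownership is clear. The line-22 change to `port` is whitespace only and could be left out of this patch.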
diff --git a/src/checks.c b/src/checks.c
index b9fb4d5..b2322b2 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -2916,7 +2916,13 @@
}
}
else {
- /* TODO: add support for sock4 and sni option */
+#ifdef USE_OPENSSL
+ if (status == SF_ERR_NONE) {
+ if (connect->sni)
+ ssl_sock_set_servername(conn, connect->sni);
+ }
+#endif
+ /* TODO: add support for sock4 option */
if (connect->options & TCPCHK_OPT_SEND_PROXY) {
conn->send_proxy_ofs = 1;
conn->flags |= CO_FL_SEND_PROXY;
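Review bot: The servername is applied on lines 40-41 without checking that this rule actually requested SSL (`connect->options & TCPCHK_OPT_SSL`); unless ssl_sock_set_servername() itself refuses non-SSL connections (not visible here), an `sni` given without `ssl` would be set on a plain-TCP connection and silently ignored or misapplied. A single guard also removes the nested ifs: `if (status == SF_ERR_NONE && (connect->options & TCPCHK_OPT_SSL) && connect->sni) ssl_sock_set_servername(conn, connect->sni);`. The enclosing function begins and ends outside this hunk, so the SSL setup for this branch could not be checked.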
@@ -3445,6 +3451,8 @@
}
break;
case TCPCHK_ACT_CONNECT:
+ free(rule->connect.sni);
+ break;
case TCPCHK_ACT_COMMENT:
break;
case TCPCHK_ACT_ACTION_KW:
@@ -4066,7 +4074,7 @@
char **errmsg)
{
struct tcpcheck_rule *chk = NULL;
- char *comment = NULL;
+ char *comment = NULL, *sni = NULL;
unsigned short conn_opts = 0;
long port = 0;
@@ -4117,12 +4125,25 @@
px->options |= PR_O_TCPCHK_SSL;
conn_opts |= TCPCHK_OPT_SSL;
}
+ else if (strcmp(args[cur_arg], "sni") == 0) {
+ if (!*(args[cur_arg+1])) {
+ memprintf(errmsg, "'%s' expects a string as argument.", args[cur_arg]);
+ goto error;
+ }
+ cur_arg++;
+ free(sni);
+ sni = strdup(args[cur_arg]);
+ if (!sni) {
+ memprintf(errmsg, "out of memory");
+ goto error;
+ }
+ }
#endif /* USE_OPENSSL */
else {
memprintf(errmsg, "expects 'comment', 'port', 'send-proxy'"
#ifdef USE_OPENSSL
- ", 'ssl'"
+ ", 'ssl', 'sni'"
#endif /* USE_OPENSSL */
" or 'linger' but got '%s' as argument.",
args[cur_arg]);
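Review bot: The new `sni` branch on lines 69-81 accepts the option whether or not `ssl` is also present on the rule, so `tcp-check connect sni foo` without `ssl` is stored and then has no effect at runtime, which is the kind of misconfiguration that is hard to notice from the check result. Since `ssl` may appear after `sni` in the argument list, the consistency check belongs after the parsing loop (outside this hunk), e.g. `if (sni && !(conn_opts & TCPCHK_OPT_SSL)) { memprintf(errmsg, "'sni' requires the 'ssl' option"); goto error; }`. The value is also stored without any shape check; rejecting an SNI longer than 255 bytes would catch typos before the TLS layer silently truncates or refuses it. parse_tcpcheck_connect starts and ends outside this hunk.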
@@ -4140,9 +4161,11 @@
chk->comment = comment;
chk->connect.port = port;
chk->connect.options = conn_opts;
+ chk->connect.sni = sni;
return chk;
error:
+ free(sni);
free(comment);
return NULL;
}
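Review bot: Line 95 transfers ownership of `sni` to `chk->connect.sni` on the success path, which is consistent with the `free(sni)` on line 98 for the error path, but the two other fields added to the struct in this commit (`alpn`, `alpn_len`) are not initialised here. If `chk` is not zero-allocated (its allocation is outside the hunk), the later free path for TCPCHK_ACT_CONNECT would see garbage once it starts releasing `alpn`; adding `chk->connect.alpn = NULL; chk->connect.alpn_len = 0;` next to line 95 makes the rule self-contained regardless of how `chk` was obtained. The rest of parse_tcpcheck_connect is outside this hunk.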