Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 79b90e8cd47464c714d36a2a315b2ab95b5ba5f3^! / .
commit79b90e8cd47464c714d36a2a315b2ab95b5ba5f3[log] [tgz]
authorAmaury Denoyelle <adenoyelle@haproxy.com>Mon Sep 20 15:15:19 2021 +0200
committerAmaury Denoyelle <adenoyelle@haproxy.com>Tue Sep 21 14:00:07 2021 +0200
tree158c034c2459a3e8ea382fccd8a54d15150a87dc
parentb621552ca3f7b5196bea68a3dc0f3ed6e6a859b0 [diff]
MINOR: server: enable more keywords for ssl checks for dynamic servers

Allow to configure ssl support for dynamic server checks independently
of the ssl server configuration. This is done via the keyword
"check-ssl". Also enable to configure the sni/alpn used for the check
via "check-sni/alpn".

diff --git a/doc/management.txt b/doc/management.txt
index a713071..254f604 100644
--- a/doc/management.txt
+++ b/doc/management.txt

@@ -1507,8 +1507,11 @@
   - backup
   - ca-file
   - check
+  - check-alpn
   - check-proto
   - check-send-proxy
+  - check-sni
+  - check-ssl
   - check-via-socks4
   - ciphers
   - ciphersuites

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0ca8cab..09bcc64 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c

@@ -1887,9 +1887,9 @@
 	{ "allow-0rtt",              srv_parse_allow_0rtt,         0, 1, 1 }, /* Allow using early data on this server */
 	{ "alpn",                    srv_parse_alpn,               1, 1, 1 }, /* Set ALPN supported protocols */
 	{ "ca-file",                 srv_parse_ca_file,            1, 1, 1 }, /* set CAfile to process verify server cert */
-	{ "check-alpn",              srv_parse_check_alpn,         1, 1, 0 }, /* Set ALPN used for checks */
-	{ "check-sni",               srv_parse_check_sni,          1, 1, 0 }, /* set SNI */
-	{ "check-ssl",               srv_parse_check_ssl,          0, 1, 0 }, /* enable SSL for health checks */
+	{ "check-alpn",              srv_parse_check_alpn,         1, 1, 1 }, /* Set ALPN used for checks */
+	{ "check-sni",               srv_parse_check_sni,          1, 1, 1 }, /* set SNI */
+	{ "check-ssl",               srv_parse_check_ssl,          0, 1, 1 }, /* enable SSL for health checks */
 	{ "ciphers",                 srv_parse_ciphers,            1, 1, 1 }, /* select the cipher suite */
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	{ "ciphersuites",            srv_parse_ciphersuites,       1, 1, 1 }, /* select the cipher suite */

diff --git a/src/server.c b/src/server.c
index a39569e..96c71fb 100644
--- a/src/server.c
+++ b/src/server.c

@@ -4563,7 +4563,8 @@
 		goto out;
 	}
 
-	if (srv->use_ssl == 1 || (srv->proxy->options & PR_O_TCPCHK_SSL)) {
+	if (srv->use_ssl == 1 || (srv->proxy->options & PR_O_TCPCHK_SSL) ||
+	    srv->check.use_ssl == 1) {
 		if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv) {
 			if (xprt_get(XPRT_SSL)->prepare_srv(srv))
 				goto out;