Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 7d098bea2b63e8450227cff2e44c08796de7c9a6^! / . / doc / configuration.txt
commit7d098bea2b63e8450227cff2e44c08796de7c9a6[log] [tgz]
authorAmaury Denoyelle <adenoyelle@haproxy.com>Wed Mar 09 14:20:10 2022 +0100
committerAmaury Denoyelle <adenoyelle@haproxy.com>Fri Mar 11 14:28:28 2022 +0100
tree878394dfec0152139fbda346e03583231eb4b96b
parent6ccfa3c40fc665620a0639fbed727b04d05716d5 [diff] [blame]
MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers

For server checks, SSL and PROXY is automatically inherited from the
server settings if no specific check port is specified. Change this
behavior for dynamic servers : explicit "check-ssl"/"check-send-proxy"
are required for them.

Without this change, it is impossible to add a dynamic server with
SSL/PROXY settings and checks without, if the check port is not
explicit. This is because "no-check-ssl"/"no-check-send-proxy" keywords
are not available for dynamic servers.

This change respects the principle that dynamic servers on the CLI
should not reuse the same shortcuts used during the config file parsing.
Mostly because we expect this feature to be manipulated by automated
tools, contrary to the config file which should aim to be the shortest
possible for human readability.

Update the documentation of the "check" keyword to reflect this change.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 583df47..e1ae117 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -14435,7 +14435,8 @@
       transport layer. This means TCP by default, or SSL/TLS when "ssl" or
       "check-ssl" are set, both possibly combined with connection prefixes such
       as a PROXY protocol header when "send-proxy" or "check-send-proxy" are
-      set.
+      set. This behavior is slightly different for dynamic servers, read the
+      following paragraphs for more details.
     - when set and an application-level health check is defined, the
       application-level exchanges are performed on top of the configured
       transport layer and the server is considered available if all of the
@@ -14449,6 +14450,11 @@
   parameters are not reused. One must explicitly set "check-send-proxy" to send
   connection headers, "check-ssl" to use SSL/TLS.
 
+  Note that the implicit configuration of ssl and PROXY protocol is not
+  performed for dynamic servers. In this case, it is required to explicitely
+  use "check-ssl" and "check-send-proxy" when wanted, even if the check port is
+  not overridden.
+
   When "sni" or "alpn" are set on the server line, their value is not used for
   health checks and one must use "check-sni" or "check-alpn".