Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 9857232c9fe5b880b6d12b4bb10ac00e8a62befc^! / .
commit9857232c9fe5b880b6d12b4bb10ac00e8a62befc[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Mon Mar 30 13:16:44 2020 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Mon Apr 27 09:39:37 2020 +0200
tree7f43e9c895b1bd492d885f0ef99a089fea61d2c3
parent085426aea98c21bab7716883c8832d7d02c3cc6c [diff]
MINOR: checks: Add the alpn option for tcp-check connect rules

This option defines which protocols to advertise with ALPN on the SSL conection
opened by a tcp-check connect rule.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 649ded2..327399d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -9830,6 +9830,11 @@
 
     sni <sni>    specifies the SNI to use to do health checks over SSL.
 
+    alpn <alpn>  defines which protocols to advertise with ALPN. The protocol
+                 list consists in a comma-delimited list of protocol names,
+                 for instance: "http/1.1,http/1.0" (without quotes).
+                 If it is not set, the server ALPN is used.
+
     linger    cleanly close the connection instead of using a single RST.
 
     Examples:

diff --git a/src/checks.c b/src/checks.c
index 97f68f1..e396036 100644
--- a/src/checks.c
+++ b/src/checks.c

@@ -2920,6 +2920,9 @@
 		if (status == SF_ERR_NONE) {
 			if (connect->sni)
 				ssl_sock_set_servername(conn, connect->sni);
+			if (connect->alpn)
+				ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn,
+						  connect->alpn_len);
 		}
 #endif
 		if ((connect->options & TCPCHK_OPT_SOCKS4) && (s->flags & SRV_F_SOCKS4_PROXY)) {
@@ -3455,6 +3458,7 @@
 		break;
 	case TCPCHK_ACT_CONNECT:
 		free(rule->connect.sni);
+		free(rule->connect.alpn);
 		break;
 	case TCPCHK_ACT_COMMENT:
 		break;
@@ -4077,9 +4081,10 @@
 						    char **errmsg)
 {
 	struct tcpcheck_rule *chk = NULL;
-	char *comment = NULL, *sni = NULL;
+	char *comment = NULL, *sni = NULL, *alpn = NULL;
 	unsigned short conn_opts = 0;
 	long port = 0;
+	int alpn_len = 0;
 
 	list_for_each_entry(chk, rules, list) {
 		if (chk->action != TCPCHK_ACT_COMMENT && chk->action != TCPCHK_ACT_ACTION_KW)
@@ -4143,12 +4148,25 @@
 				goto error;
 			}
 		}
+		else if (strcmp(args[cur_arg], "alpn") == 0) {
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+			free(alpn);
+			if (ssl_sock_parse_alpn(args[cur_arg + 1], &alpn, &alpn_len, errmsg)) {
+				memprintf(errmsg, "'%s' : %s", args[cur_arg], *errmsg);
+				goto error;
+			}
+			cur_arg++;
+#else
+			memprintf(errmsg, "'%s' : library does not support TLS ALPN extension.", args[cur_arg]);
+			goto error;
+#endif
+		}
 #endif /* USE_OPENSSL */
 
 		else {
 			memprintf(errmsg, "expects 'comment', 'port', 'send-proxy'"
 #ifdef USE_OPENSSL
-				  ", 'ssl', 'sni'"
+				  ", 'ssl', 'sni', 'alpn'"
 #endif /* USE_OPENSSL */
 				  " or 'via-socks4', 'linger' but got '%s' as argument.",
 				  args[cur_arg]);
@@ -4167,9 +4185,12 @@
 	chk->connect.port    = port;
 	chk->connect.options = conn_opts;
 	chk->connect.sni     = sni;
+	chk->connect.alpn    = alpn;
+	chk->connect.alpn_len= alpn_len;
 	return chk;
 
   error:
+	free(alpn);
 	free(sni);
 	free(comment);
 	return NULL;