Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / f63704488ea123f6235c5b90d16209dae7de165e^! / . / doc
commitf63704488ea123f6235c5b90d16209dae7de165e[log] [tgz]
authorWilliam Dauchy <wdauchy@gmail.com>Sat Nov 14 19:25:33 2020 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Nov 18 17:22:28 2020 +0100
tree956de6858d2ea2d65cc88a75bff02b4949f51145
parentfc52f524b085bb53885200e6817d8a37e4710531 [diff]
MEDIUM: cli/ssl: configure ssl on server at runtime

in the context of a progressive backend migration, we want to be able to
activate SSL on outgoing connections to the server at runtime without
reloading.
This patch adds a `set server ssl` command; in order to allow that:

- add `srv_use_ssl` to `show servers state` command for compatibility,
  also update associated parsing
- when using default-server ssl setting, and `no-ssl` on server line,
  init SSL ctx without activating it
- when triggering ssl API, de/activate SSL connections as requested
- clean ongoing connections as it is done for addr/port changes, without
  checking prior server state

example config:

backend be_foo
  default-server ssl
  server srv0 127.0.0.1:6011 weight 1 no-ssl

show servers state:

  5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - -1

where srv0 can switch to ssl later during the runtime:

  set server be_foo/srv0 ssl on

  5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - 1

Also update existing tests and create a new one.

Signed-off-by: William Dauchy <wdauchy@gmail.com>

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 63641a1..d979314 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -13552,6 +13552,10 @@
   It may also be used as "default-server" setting to reset any previous
   "default-server" "ssl" setting.
 
+  Note that using `default-server ssl` setting and `no-ssl` on server will
+  however init SSL connection, so it can be later be enabled through the
+  runtime API: see `set server` commands in management doc.
+
 no-ssl-reuse
   This option disables SSL session reuse when SSL is used to communicate with
   the server. It will force the server to perform a full handshake for every

diff --git a/doc/management.txt b/doc/management.txt
index bf475ae..e7ca98f 100644
--- a/doc/management.txt
+++ b/doc/management.txt

@@ -1861,6 +1861,9 @@
   Change a server's FQDN to the value passed in argument. This requires the
   internal run-time DNS resolver to be configured and enabled for this server.
 
+set server <backend>/<server> ssl [ on | off ]
+  This option configures SSL ciphering on outgoing connections to the server.
+
 set severity-output [ none | number | string ]
   Change the severity output format of the stats socket connected to for the
   duration of the current session.
@@ -2416,6 +2419,7 @@
      srv_fqdn:                    Server FQDN.
      srv_port:                    Server port.
      srvrecord:                   DNS SRV record associated to this SRV.
+     srv_use_ssl:                 use ssl for server connections.
 
 show sess
   Dump all known sessions. Avoid doing this on slow connections as this can