MEDIUM: cli/ssl: configure ssl on server at runtime
in the context of a progressive backend migration, we want to be able to
activate SSL on outgoing connections to the server at runtime without
reloading.
This patch adds a `set server ssl` command; in order to allow that:
- add `srv_use_ssl` to `show servers state` command for compatibility,
also update associated parsing
- when using default-server ssl setting, and `no-ssl` on server line,
init SSL ctx without activating it
- when triggering ssl API, de/activate SSL connections as requested
- clean ongoing connections as it is done for addr/port changes, without
checking prior server state
example config:
backend be_foo
default-server ssl
server srv0 127.0.0.1:6011 weight 1 no-ssl
show servers state:
5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - -1
where srv0 can switch to ssl later during the runtime:
set server be_foo/srv0 ssl on
5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - 1
Also update existing tests and create a new one.
Signed-off-by: William Dauchy <wdauchy@gmail.com>
diff --git a/reg-tests/server/cli_set_ssl.vtc b/reg-tests/server/cli_set_ssl.vtc
new file mode 100644
index 0000000..15fa586
--- /dev/null
+++ b/reg-tests/server/cli_set_ssl.vtc
@@ -0,0 +1,54 @@
+varnishtest "Set server ssl via CLI"
+
+feature ignore_unknown_macro
+
+# for "set server <srv> ssl"
+#REQUIRE_VERSION=2.4
+#REGTEST_TYPE=bug
+
+# Do nothing. Is there only to create s1_* macros
+server s1 {
+} -start
+
+haproxy h1 -conf {
+ global
+ ssl-server-verify none
+
+ defaults
+ mode http
+ ${no-htx} option http-use-htx
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+ frontend myfrontend
+ bind "fd@${my_fe}"
+ default_backend test0
+
+ backend test0
+ default-server ssl
+ server www0 ${s1_addr}:${s1_port} no-ssl
+
+ backend test1
+ server www0 ${s1_addr}:${s1_port} no-ssl
+} -start
+
+haproxy h1 -cli {
+ # supported case
+ send "show servers state test0"
+ expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
+ send "set server test0/www0 ssl on"
+ expect ~ "server ssl setting updated"
+ send "show servers state test0"
+ expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 1"
+ send "set server test0/www0 ssl off"
+ expect ~ "server ssl setting updated"
+ send "show servers state test0"
+ expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 0"
+
+ # unsupported case
+ send "show servers state test1"
+ expect ~ "test1 1 www0 ${s1_addr} .* - ${s1_port} - -1"
+ send "set server test1/www0 ssl on"
+ expect ~ "'set server <srv> ssl' cannot be set"
+} -wait