MEDIUM: cli/ssl: configure ssl on server at runtime

In the context of a progressive backend migration, we want to be able to
activate SSL on outgoing connections to the server at runtime without
reloading.
This patch adds a `set server ssl` command; in order to allow that:

- add `srv_use_ssl` to `show servers state` command for compatibility,
  also update associated parsing
- when using default-server ssl setting, and `no-ssl` on server line,
  init SSL ctx without activating it
- when triggering ssl API, de/activate SSL connections as requested
- clean ongoing connections as it is done for addr/port changes, without
  checking prior server state

example config:

backend be_foo
  default-server ssl
  server srv0 127.0.0.1:6011 weight 1 no-ssl

show servers state:

  5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - -1

where srv0 can switch to ssl later during the runtime:

  set server be_foo/srv0 ssl on

  5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - 1

Also update existing tests and create a new one.

Signed-off-by: William Dauchy <wdauchy@gmail.com>
diff --git a/reg-tests/server/cli_set_ssl.vtc b/reg-tests/server/cli_set_ssl.vtc
new file mode 100644
index 0000000..15fa586
--- /dev/null
+++ b/reg-tests/server/cli_set_ssl.vtc
@@ -0,0 +1,54 @@
+varnishtest "Set server ssl via CLI"
+
+feature ignore_unknown_macro
+
+# for "set server <srv> ssl"
+#REQUIRE_VERSION=2.4
+#REGTEST_TYPE=bug
+
+# Do nothing. Is there only to create s1_* macros
+server s1 {
+} -start
+
+haproxy h1 -conf {
+    global
+        ssl-server-verify none
+
+    defaults
+        mode http
+        ${no-htx} option http-use-htx
+        timeout connect 1s
+        timeout client  1s
+        timeout server  1s
+
+    frontend myfrontend
+        bind "fd@${my_fe}"
+        default_backend test0
+
+    backend test0
+        default-server ssl
+        server www0 ${s1_addr}:${s1_port} no-ssl
+
+    backend test1
+        server www0 ${s1_addr}:${s1_port} no-ssl
+} -start
+
+haproxy h1 -cli {
+    # supported case
+    send "show servers state test0"
+    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
+    send "set server test0/www0 ssl on"
+    expect ~ "server ssl setting updated"
+    send "show servers state test0"
+    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 1"
+    send "set server test0/www0 ssl off"
+    expect ~ "server ssl setting updated"
+    send "show servers state test0"
+    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 0"
+
+    # unsupported case
+    send "show servers state test1"
+    expect ~ "test1 1 www0 ${s1_addr} .* - ${s1_port} - -1"
+    send "set server test1/www0 ssl on"
+    expect ~ "'set server <srv> ssl' cannot be set"
+} -wait
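Review bot: The `-cli` block only asserts on the last column of `show servers state`, and no `client` ever sends a request through `myfrontend`. So nothing here shows that www0 really negotiates TLS after `ssl on`, or that connections opened before a toggle are closed rather than reused, which matters most when `ssl off` moves a live server back to plaintext. A follow-up test with a TLS-capable backend and a `client` block around each toggle would cover the connection-cleanup path the commit message describes. Separately, `ssl-server-verify none` in `global` is reasonable against the empty `s1`, but it disables server certificate checks, so I would add a comment above it such as `# test only: s1 is a dummy server, certificate verification is disabled on purpose`. The -1 → 1 → 0 sequence also deserves a one-line comment, since the state does not return to -1 after `ssl off` and the commit message documents only -1 and 1.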