MEDIUM: cli/ssl: configure ssl on server at runtime
in the context of a progressive backend migration, we want to be able to
activate SSL on outgoing connections to the server at runtime without
reloading.
This patch adds a `set server ssl` command; in order to allow that:
- add `srv_use_ssl` to `show servers state` command for compatibility,
also update associated parsing
- when using default-server ssl setting, and `no-ssl` on server line,
init SSL ctx without activating it
- when triggering ssl API, de/activate SSL connections as requested
- clean ongoing connections as it is done for addr/port changes, without
checking prior server state
example config:
backend be_foo
default-server ssl
server srv0 127.0.0.1:6011 weight 1 no-ssl
show servers state:
5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - -1
where srv0 can switch to ssl later during the runtime:
set server be_foo/srv0 ssl on
5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - 1
Also update existing tests and create a new one.
Signed-off-by: William Dauchy <wdauchy@gmail.com>
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index f4207f0..bc61489 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1483,9 +1483,14 @@
/* parse the "no-ssl" server keyword */
static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
+ /* if default-server have use_ssl, prepare ssl settings */
+ if (newsrv->use_ssl == 1)
+ ssl_sock_init_srv(newsrv);
+ else {
+ free(newsrv->ssl_ctx.ciphers);
+ newsrv->ssl_ctx.ciphers = NULL;
+ }
newsrv->use_ssl = -1;
- free(newsrv->ssl_ctx.ciphers);
- newsrv->ssl_ctx.ciphers = NULL;
return 0;
}