MINOR: config: Add "cluster-secret" new global keyword
It can be useful to set an ASCII secret which could be used for different purposes. For instance, it will be used to derive QUIC stateless reset tokens.
This commit is contained in:
parent
7cc8b3166a
commit
372508cc42
@ -992,6 +992,7 @@ The following keywords are supported in the "global" section :
|
||||
* Process management and security
|
||||
- ca-base
|
||||
- chroot
|
||||
- cluster-secret
|
||||
- crt-base
|
||||
- cpu-map
|
||||
- daemon
|
||||
@ -1161,6 +1162,13 @@ chroot <jail dir>
|
||||
with superuser privileges. It is important to ensure that <jail_dir> is both
|
||||
empty and non-writable to anyone.
|
||||
|
||||
cluster-secret <secret>
|
||||
Define an ASCII string secret shared between several nodes belonging to the
|
||||
same cluster. It could be used for different usages. It is at least used to
|
||||
derive stateless reset tokens for all the QUIC connections instantiated by
|
||||
this process. If you do not set this parameter, the stateless reset QUIC
|
||||
feature will be silently disabled.
|
||||
|
||||
close-spread-time <time>
|
||||
Define a time window during which idle connections and active connections
|
||||
closing is spread in case of soft-stop. After a SIGUSR1 is received and the
|
||||
|
@ -130,6 +130,7 @@ struct global {
|
||||
char *log_send_hostname; /* set hostname in syslog header */
|
||||
char *server_state_base; /* path to a directory where server state files can be found */
|
||||
char *server_state_file; /* path to the file where server states are loaded from */
|
||||
char *cluster_secret; /* Secret defined as ASCII string */
|
||||
struct {
|
||||
int maxpollevents; /* max number of poll events at once */
|
||||
int maxaccept; /* max number of consecutive accept() */
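Review bot: The field comment `/* Secret defined as ASCII string */` says nothing about ownership or what a NULL value means, so a reader of the struct cannot tell that the string is strdup'd by the config parser, freed in deinit(), and that NULL means no secret was configured and the QUIC stateless reset feature is disabled. Suggest `char *cluster_secret; /* "cluster-secret" global keyword; strdup'd at parse time, freed in deinit(); NULL = unset (QUIC stateless reset disabled) */`. struct global begins and ends outside this hunk.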
|
||||
|
@ -45,7 +45,7 @@ static const char *common_kw_list[] = {
|
||||
"log-tag", "spread-checks", "max-spread-checks", "cpu-map", "setenv",
|
||||
"presetenv", "unsetenv", "resetenv", "strict-limits", "localpeer",
|
||||
"numa-cpu-mapping", "defaults", "listen", "frontend", "backend",
|
||||
"peers", "resolvers",
|
||||
"peers", "resolvers", "cluster-secret",
|
||||
NULL /* must be last */
|
||||
};
|
||||
|
||||
@ -486,6 +486,22 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
else if (strcmp(args[0], "cluster-secret") == 0) {
|
||||
if (alertif_too_many_args(1, file, linenum, args, &err_code))
|
||||
goto out;
|
||||
if (*args[1] == 0) {
|
||||
ha_alert("parsing [%s:%d] : expects an ASCII string argument.\n", file, linenum);
|
||||
err_code |= ERR_ALERT | ERR_FATAL;
|
||||
goto out;
|
||||
}
|
||||
if (global.cluster_secret != NULL) {
|
||||
ha_alert("parsing [%s:%d] : '%s' already specified. Continuing.\n", file, linenum, args[0]);
|
||||
err_code |= ERR_ALERT;
|
||||
goto out;
|
||||
}
|
||||
ha_free(&global.cluster_secret);
|
||||
global.cluster_secret = strdup(args[1]);
|
||||
}
|
||||
else if (strcmp(args[0], "uid") == 0) {
|
||||
if (alertif_too_many_args(1, file, linenum, args, &err_code))
|
||||
goto out;
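Review bot: The `ha_free(&global.cluster_secret);` just before the `strdup` is dead code, because the preceding `if (global.cluster_secret != NULL)` branch already jumps to `out`; either drop the free or drop the duplicate check, since keeping both reads as if a second occurrence were meant to replace the first. The `strdup` result is also never checked: on allocation failure `cluster_secret` stays NULL and the configuration is accepted, so stateless reset ends up silently disabled instead of the parse failing; `if (!global.cluster_secret) { ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum); err_code |= ERR_ALERT | ERR_FATAL; goto out; }` would match the other error paths in this block. No minimum length or quality is enforced on the secret either, although a short or guessable value weakens every token derived from it, so a length check or at least a warning would be worth adding. cfg_parse_global begins and ends outside this hunk.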
|
||||
|
@ -2450,6 +2450,7 @@ int check_config_validity()
|
||||
struct cfg_postparser *postparser;
|
||||
struct resolvers *curr_resolvers = NULL;
|
||||
int i;
|
||||
int diag_no_cluster_secret = 0;
|
||||
|
||||
bind_conf = NULL;
|
||||
/*
|
||||
@ -3947,6 +3948,8 @@ out_uri_auth_compat:
|
||||
#ifdef USE_QUIC
|
||||
/* override the accept callback for QUIC listeners. */
|
||||
if (listener->flags & LI_F_QUIC_LISTENER) {
|
||||
if (!global.cluster_secret)
|
||||
diag_no_cluster_secret = 1;
|
||||
listener->accept = quic_session_accept;
|
||||
li_init_per_thr(listener);
|
||||
}
|
||||
@ -3987,6 +3990,10 @@ out_uri_auth_compat:
|
||||
}
|
||||
}
|
||||
|
||||
if (diag_no_cluster_secret)
|
||||
ha_diag_warning("No cluster secret was set. The stateless reset feature"
|
||||
" is disabled for all QUIC bindings.\n");
|
||||
|
||||
/*
|
||||
* Recount currently required checks.
|
||||
*/
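Review bot: `ha_diag_warning` is, going by its name, presumably only emitted in diagnostic mode, so a QUIC listener started without any cluster-secret gives the operator no notice during a normal startup; since this silently turns off stateless reset for every QUIC bind, a regular `ha_warning` would make the degraded state visible, or the documentation's "silently disabled" wording should at least point at the diagnostic mode. The flag is only set under `#ifdef USE_QUIC` in the earlier hunk while this check is unconditional, which is harmless because `diag_no_cluster_secret` is initialised to 0, but a one-line comment such as `/* only ever set for QUIC listeners (USE_QUIC) */` would save the next reader the lookup. check_config_validity begins and ends outside these hunks.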
|
||||
|
@ -2664,6 +2664,7 @@ void deinit(void)
|
||||
ha_free(&global.log_send_hostname);
|
||||
chunk_destroy(&global.log_tag);
|
||||
ha_free(&global.chroot);
|
||||
ha_free(&global.cluster_secret);
|
||||
ha_free(&global.pidfile);
|
||||
ha_free(&global.node);
|
||||
ha_free(&global.desc);
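Review bot: `ha_free(&global.cluster_secret)` releases the secret without wiping it, so its bytes stay readable in freed heap memory until that memory is reused; this matters little at process exit, but if the project has (or grows) a zeroising free helper it belongs here, e.g. `explicit_bzero(global.cluster_secret, strlen(global.cluster_secret));` before the `ha_free` (a plain memset before free may be optimised away). deinit() begins and ends outside this hunk.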
|
||||
|