MEDIUM: checks: add the "check-ssl" server option

This option forces health checks to be sent over SSL even if the address or port are not the standard ones.
2024-12-15 07:54:33 +00:00 · 2012-10-04 23:15:39 +02:00 · 2012-10-04 23:15:39 +02:00 · 763a95bfde
commit 763a95bfde
parent f150317671
2 changed files with 51 additions and 6 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -3984,7 +3984,11 @@ option ssl-hello-chk
  and most servers tested do not even log the requests containing only hello
  messages, which is appreciable.

-  See also: "option httpchk"
+  Note that this check works even when SSL support was not built into haproxy
+  because it forges the SSL message. When SSL support is available, it is best
+  to use native SSL health checks instead of this one.
+
+  See also: "option httpchk", "check-ssl"


 option tcp-smart-accept
@ -7020,6 +7024,19 @@ check

  Supported in default-server: No

+check-ssl
+  This option forces encryption of all health checks over SSL, regardless of
+  whether the server uses SSL or not for the normal traffic. This is generally
+  used when an explicit "port" or "addr" directive is specified and SSL health
+  checks are not inherited. It is important to understand that this option
+  inserts an SSL transport layer below the ckecks, so that a simple TCP connect
+  check becomes an SSL connect, which replaces the old ssl-hello-chk. The most
+  common use is to send HTTPS checks by combining "httpchk" with SSL checks.
+  All SSL settings are common to health checks and traffic (eg: ciphers).
+  See the "ssl" option for more information.
+
+  Supported in default-server: No
+
 ciphers <ciphers>
  This option sets the string describing the list of cipher algorithms that is
  is negociated during the SSL/TLS handshake with the server. The format of the
@ -7030,6 +7047,8 @@ ciphers <ciphers>
  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
  is needed and just connectivity, using DES can be appropriate.

+  Supported in default-server: No
+
 cookie <value>
  The "cookie" parameter sets the cookie value assigned to the server to
  <value>. This value will be checked in incoming requests, and the first
@ -7144,29 +7163,39 @@ nosslv3
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option.

+  Supported in default-server: No
+
 notlsv10
  This option disables support for TLSv10 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
  often makes sense to disable it when communicating with local servers.

+  Supported in default-server: No
+
 notlsv11
  This option disables support for TLSv11 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
  often makes sense to disable it when communicating with local servers.

+  Supported in default-server: No
+
 notlsv12
  This option disables support for TLSv12 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
  often makes sense to disable it when communicating with local servers.

+  Supported in default-server: No
+
 non-stick
  Never add connections allocated to this sever to a stick-table.
  This may be used in conjunction with backup to ensure that
  stick-table persistence is disabled for backup servers.

+  Supported in default-server: No
+
 observe <mode>
  This option enables health adjusting based on observing communication with
  the server. By default this functionality is disabled and enabling it also
@ -7318,11 +7347,16 @@ source <addr>[:<pl>[-<ph>]] [interface <name>] ...
  Supported in default-server: No

 ssl
-   This option enables SSL ciphering on outgoing connections to the server. At
-   the moment, server certificates are not checked, so this is prone to man in
-   the middle attacks. The real intended use is to permit SSL communication
-   with software which cannot work in other modes over networks that would
-   otherwise be considered safe enough for clear text communications.
+  This option enables SSL ciphering on outgoing connections to the server. At
+  the moment, server certificates are not checked, so this is prone to man in
+  the middle attacks. The real intended use is to permit SSL communication
+  with software which cannot work in other modes over networks that would
+  otherwise be considered safe enough for clear text communications. When this
+  option is used, health checks are automatically sent in SSL too unless there
+  is a "port" or an "addr" directive indicating the check should be sent to a
+  different location. See the "check-ssl" optino to force SSL health checks.
+
+  Supported in default-server: No

 track [<proxy>/]<server>
  This option enables ability to set the current state of the server by
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -4220,6 +4220,17 @@ stats_error_parsing:
 				      file, linenum, args[cur_arg]);
 				err_code |= ERR_ALERT | ERR_FATAL;
 				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "check-ssl")) {
+#ifdef USE_OPENSSL
+				newsrv->check.use_ssl = 1;
+				cur_arg += 1;
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
 #endif /* USE_OPENSSL */
 			}
 			else if (!strcmp(args[cur_arg], "ciphers")) { /* use this SSL cipher suite */