MINOR: connection: add proxy-v2-options ssl-cipher,cert-sig,cert-key
This patch implements the PROXY protocol v2 options related to crypto information: ssl-cipher (PP2_SUBTYPE_SSL_CIPHER), cert-sig (PP2_SUBTYPE_SSL_SIG_ALG) and cert-key (PP2_SUBTYPE_SSL_KEY_ALG).
This commit is contained in:
parent
283e004a85
commit
fa8d0f1875
@ -11722,7 +11722,9 @@ send-proxy-v2
|
||||
proxy-v2-options <option>[,<option>]*
|
||||
The "proxy-v2-options" parameter add option to send in PROXY protocol version
|
||||
2 when "send-proxy-v2" is used. Options available are "ssl" (see also
|
||||
send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn").
|
||||
send-proxy-v2-ssl), "cert-cn" (see also "send-proxy-v2-ssl-cn"), "ssl-cipher":
|
||||
name of the used cipher, "cert-sig": signature algorithm of the used
|
||||
certificate, "cert-key": key algorithm of the used certificate).
|
||||
|
||||
send-proxy-v2-ssl
|
||||
The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version
|
||||
|
@ -144,10 +144,13 @@ enum srv_initaddr {
|
||||
#define SRV_F_COOKIESET 0x0100 /* this server has a cookie configured, so don't generate dynamic cookies */
|
||||
|
||||
/* configured server options for send-proxy (server->pp_opts) */
|
||||
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
|
||||
#define SRV_PP_V2 0x0002 /* proxy protocol version 2 */
|
||||
#define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL*/
|
||||
#define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with SSL and CN*/
|
||||
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
|
||||
#define SRV_PP_V2 0x0002 /* proxy protocol version 2 */
|
||||
#define SRV_PP_V2_SSL 0x0004 /* proxy protocol version 2 with SSL */
|
||||
#define SRV_PP_V2_SSL_CN 0x0008 /* proxy protocol version 2 with CN */
|
||||
#define SRV_PP_V2_SSL_KEY_ALG 0x0010 /* proxy protocol version 2 with cert key algorithm */
|
||||
#define SRV_PP_V2_SSL_SIG_ALG 0x0020 /* proxy protocol version 2 with cert signature algorithm */
|
||||
#define SRV_PP_V2_SSL_CIPHER 0x0040 /* proxy protocol version 2 with cipher used */
|
||||
|
||||
/* function which act on servers need to return various errors */
|
||||
#define SRV_STATUS_OK 0 /* everything is OK. */
|
||||
|
@ -1071,6 +1071,24 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
|
||||
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CN, cn_trash->len, cn_trash->str);
|
||||
}
|
||||
}
|
||||
if (srv->pp_opts & SRV_PP_V2_SSL_KEY_ALG) {
|
||||
struct chunk *pkey_trash = get_trash_chunk();
|
||||
if (ssl_sock_get_pkey_algo(remote, pkey_trash) > 0) {
|
||||
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_KEY_ALG, pkey_trash->len, pkey_trash->str);
|
||||
}
|
||||
}
|
||||
if (srv->pp_opts & SRV_PP_V2_SSL_SIG_ALG) {
|
||||
value = ssl_sock_get_cert_sig(remote);
|
||||
if (value) {
|
||||
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_SIG_ALG, strlen(value), value);
|
||||
}
|
||||
}
|
||||
if (srv->pp_opts & SRV_PP_V2_SSL_CIPHER) {
|
||||
value = ssl_sock_get_cipher_name(remote);
|
||||
if (value) {
|
||||
ssl_tlv_len += make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_SUBTYPE_SSL_CIPHER, strlen(value), value);
|
||||
}
|
||||
}
|
||||
}
|
||||
tlv->tlv.length_hi = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) >> 8;
|
||||
tlv->tlv.length_lo = (uint16_t)(ssl_tlv_len - sizeof(struct tlv)) & 0x00ff;
|
||||
|
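Review bot: Each of the three new blocks adds make_tlv()'s return value straight into ssl_tlv_len without inspecting it (the PP2_SUBTYPE_SSL_KEY_ALG, PP2_SUBTYPE_SSL_SIG_ALG and PP2_SUBTYPE_SSL_CIPHER calls), so if make_tlv() reports "not enough room" by returning 0 — its contract is not visible in this hunk — the TLV is silently omitted and the sub-TLV length written afterwards is computed as if nothing was dropped. This mirrors the existing PP2_SUBTYPE_SSL_CN call just above, so it is a pre-existing pattern rather than a regression of this commit, but nothing in the new code tells a maintainer that truncation is silent. A one-line comment on the first new block, `/* make_tlv() is expected to add nothing when the remaining room is too small; the TLV is then silently omitted */`, would make that explicit, or the return value could be checked once and the whole SSL sub-TLV abandoned when it is 0. The `value` variable used by the sig and cipher blocks is declared outside the hunk, and make_proxy_line_v2 both begins and ends outside it.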
@ -517,6 +517,15 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg,
|
||||
} else if (!strcmp(p, "cert-cn")) {
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL;
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL_CN;
|
||||
} else if (!strcmp(p, "cert-key")) {
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL;
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL_KEY_ALG;
|
||||
} else if (!strcmp(p, "cert-sig")) {
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL;
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL_SIG_ALG;
|
||||
} else if (!strcmp(p, "ssl-cipher")) {
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL;
|
||||
newsrv->pp_opts |= SRV_PP_V2_SSL_CIPHER;
|
||||
} else
|
||||
goto fail;
|
||||
}
|
||||
|
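Review bot: Every new branch repeats `newsrv->pp_opts |= SRV_PP_V2_SSL;` before setting its own subtype flag, which is the same shape the existing "cert-cn" branch uses, so the hunk is consistent but the implication "any SSL subtype implies SRV_PP_V2_SSL" now lives in four places. A single line after the option loop, `if (newsrv->pp_opts & (SRV_PP_V2_SSL_CN | SRV_PP_V2_SSL_KEY_ALG | SRV_PP_V2_SSL_SIG_ALG | SRV_PP_V2_SSL_CIPHER)) newsrv->pp_opts |= SRV_PP_V2_SSL;`, would express that rule once and keep future subtypes from forgetting it. The option names accepted here match the three names documented in the configuration hunk of this commit. srv_parse_proxy_v2_options begins and ends outside the hunk, so the loop structure and the `fail` label are assumed from the visible `goto fail`.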