haproxy/reg-tests/server/cli_set_ssl.vtc
Christopher Faulet 4ab2679689 BUG/MINOR: server: Don't rely on last default-server to init server SSL context
During post-parsing stage, the SSL context of a server is initialized if SSL
is configured on the server or its default-server. It is required to be able
to enable SSL at runtime. However a regression was introduced, because the
last parsed default-server is used. But it is not necessarily the
default-server line used to configure the server. This may lead to
erroneously initializing the SSL context for a server without SSL parameters
or to skipping it when it should be done.

The problem is the default-server used to configure a server is not saved
during configuration parsing. So, the information is lost during the
post-parsing. To fix the bug, the SRV_F_DEFSRV_USE_SSL flag is
introduced. It is used to know when a server was initialized with a
default-server using SSL.

For the record, the commit f63704488e ("MEDIUM: cli/ssl: configure ssl on
server at runtime") has introduced the bug.

This patch must be backported as far as 2.4.
2021-12-01 11:47:08 +01:00


varnishtest "Set server ssl via CLI"
# Regression test for switching SSL on and off on a backend server at runtime
# through the HAProxy CLI, and for the refusal of that switch on servers that
# were configured without any SSL setting.
feature ignore_unknown_macro
# for "set server <srv> ssl"
#REQUIRE_VERSION=2.4
#REGTEST_TYPE=devel
#REQUIRE_OPTIONS=OPENSSL
# s1 has an empty body and serves nothing. It is started only so that the
# s1_* macros (s1_addr, s1_port) used in the HAProxy configuration exist.
server s1 {
} -start
# HAProxy instance under test. The order of the lines inside backend test0 is
# significant: www0 is declared before the default-server ssl line and www1
# after it, so the two servers differ only in whether that line applied to them.
haproxy h1 -conf {
global
# Backend certificates are not verified: no ca-file is configured anywhere in
# this test. This is a test-only setting. With it, a TLS connection to a
# backend authenticates nothing about the peer.
ssl-server-verify none
defaults
mode http
# All three timeouts take the HAPROXY_TEST_TIMEOUT environment variable when
# it is set and fall back to 5s otherwise.
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend myfrontend
# NOTE(review): the listener is bound to a file descriptor named by the my_fe
# macro, presumably supplied by the test harness - confirm.
bind "fd@${my_fe}"
default_backend test0
backend test0
# Declared before any default-server line: no SSL setting reaches this server,
# and the CLI section expects the ssl switch to be refused for it.
server www0 ${s1_addr}:${s1_port} no-ssl
default-server ssl
# Declared after default-server ssl and then turned off with no-ssl: the CLI
# section expects the ssl switch to be accepted for this server.
server www1 ${s1_addr}:${s1_port} no-ssl
backend test1
# This backend has no default-server line of its own, while the last one
# parsed in the file (in test0) enables ssl. The CLI section expects the ssl
# switch to be refused here, which guards against deciding from the last
# parsed default-server instead of the one that applied to the server.
server www0 ${s1_addr}:${s1_port} no-ssl
} -start
# Drives the CLI of h1: each send issues one command and the following expect
# matches the reply against a regular expression.
haproxy h1 -cli {
# Supported case: test0/www1, configured after default-server ssl.
# The trailing field of the matched state line is -1 at start, 1 after ssl on
# and 0 after ssl off.
# NOTE(review): that field is presumably the use-SSL column of the server
# state output, and the number after the backend name presumably the server
# id - confirm against the show servers state format.
send "show servers state test0"
expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - -1"
send "set server test0/www1 ssl on"
expect ~ "server ssl setting updated"
send "show servers state test0"
expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 1"
send "set server test0/www1 ssl off"
expect ~ "server ssl setting updated"
send "show servers state test0"
expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 0"
# Unsupported cases: servers that received no SSL setting, neither directly
# nor from a default-server line. The command must be rejected for both. The
# state is checked only before the attempt and is not re-read after the
# rejection.
# test0/www0 was declared before default-server ssl in the same backend.
send "show servers state test0"
expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
send "set server test0/www0 ssl on"
expect ~ "'set server <srv> ssl' cannot be set"
# test1/www0 lives in a backend that has no default-server line at all.
send "show servers state test1"
expect ~ "test1 1 www0 ${s1_addr} .* - ${s1_port} - -1"
send "set server test1/www0 ssl on"
expect ~ "'set server <srv> ssl' cannot be set"
} -wait