4ab2679689
During post-parsing stage, the SSL context of a server is initialized if SSL
is configured on the server or its default-server. It is required to be able
to enable SSL at runtime. However a regression was introduced, because the
last parsed default-server is used. But it is not necessarily the
default-server line used to configure the server. This may lead to
erroneously initializing the SSL context for a server without any SSL
parameter, or to skipping it when it should be done.
The problem is the default-server used to configure a server is not saved
during configuration parsing. So, the information is lost during the
post-parsing. To fix the bug, the SRV_F_DEFSRV_USE_SSL flag is
introduced. It is used to know when a server was initialized with a
default-server using SSL.
For the record, the commit f63704488e
("MEDIUM: cli/ssl: configure ssl on
server at runtime") has introduced the bug.
This patch must be backported as far as 2.4.
varnishtest "Set server ssl via CLI"

# Purpose: exercise the CLI command "set server <srv> ssl" and check that it
# is accepted only for a server that had SSL configured at parse time, on its
# own line or through the default-server line that applies to it.

feature ignore_unknown_macro

# for "set server <srv> ssl"
# NOTE(review): the three KEY=value lines below look like plain comments but
# are presumably read by the regtest runner to decide whether this file runs
# (minimum version, test type, build options) - keep their exact spelling.
#REQUIRE_VERSION=2.4
#REGTEST_TYPE=devel
#REQUIRE_OPTIONS=OPENSSL

# Placeholder origin server: its body is empty, so it scripts no exchange. It
# is started only so that the s1_addr and s1_port macros used in the haproxy
# configuration are defined.
server s1 {
} -start

haproxy h1 -conf {
    global
        # Test-only setting: certificates presented by backend servers are
        # not verified, so the test needs no CA material. With verification
        # off the peer is not authenticated; keep this out of any
        # configuration that carries real traffic.
        ssl-server-verify none

    defaults
        mode http
        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
        timeout server "${HAPROXY_TEST_TIMEOUT-5s}"

    frontend myfrontend
        bind "fd@${my_fe}"
        default_backend test0

    backend test0
        # www0 is declared before any default-server line, so no SSL setting
        # applies to it: the CLI block expects the toggle to be refused.
        server www0 ${s1_addr}:${s1_port} no-ssl
        default-server ssl
        # www1 follows default-server ssl and turns it off with no-ssl: SSL
        # is configured but disabled, which is the case the CLI toggle is
        # expected to support.
        server www1 ${s1_addr}:${s1_port} no-ssl

    backend test1
        # This backend has no default-server line of its own. The
        # default-server ssl line of test0 is the last one parsed but must
        # not count here: the CLI block expects the toggle to be refused.
        server www0 ${s1_addr}:${s1_port} no-ssl
} -start

haproxy h1 -cli {
    # supported case
    # www1 got its SSL configuration from default-server ssl. The last column
    # matched below (presumably srv_use_ssl - confirm against the field list
    # of show servers state) reads -1 before any toggle, 1 after ssl on and
    # 0 after ssl off.
    send "show servers state test0"
    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - -1"
    send "set server test0/www1 ssl on"
    expect ~ "server ssl setting updated"
    send "show servers state test0"
    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 1"
    send "set server test0/www1 ssl off"
    expect ~ "server ssl setting updated"
    send "show servers state test0"
    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 0"

    # unsupported cases
    # Neither server below had SSL configured at parse time, so the command
    # must be rejected.
    # NOTE(review): the state is not read again after the rejected command,
    # so only the error message is checked, not that the last column stays
    # at -1.
    send "show servers state test0"
    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
    send "set server test0/www0 ssl on"
    expect ~ "'set server <srv> ssl' cannot be set"

    send "show servers state test1"
    expect ~ "test1 1 www0 ${s1_addr} .* - ${s1_port} - -1"
    send "set server test1/www0 ssl on"
    expect ~ "'set server <srv> ssl' cannot be set"
} -wait