Lasse Birnbaum Jensen reported an issue when agent checks are used at the same
time as standard healthchecks when SSL is enabled on the server side.

The symptom is that agent checks try to communicate over SSL while they should
exchange raw data. This happens because the transport layer is shared between all
kinds of checks.

To fix the issue, the transport layer is not stored anymore in the common
structure, but determined at runtime, depending on the SSL requirement of the
check. An agent check should always use the raw_sock implementation.

The fix must be backported to 1.5.
---
 include/types/checks.h |  2 +-
 include/types/server.h |  1 -
 src/checks.c           | 15 ++++++++++++++-
 src/server.c           |  2 +-
 src/ssl_sock.c         |  2 --
 5 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/include/types/checks.h b/include/types/checks.h
index d09d3e4..6046423 100644
--- a/include/types/checks.h
+++ b/include/types/checks.h
@@ -136,7 +136,7 @@ struct check {
        struct timeval start;                   /* last health check start time 
*/
        long duration;                          /* time in ms took to finish 
last health check */
        short status, code;                     /* check result, check code */
-       char desc[HCHK_DESC_LEN];               /* health check descritpion */
+       char desc[HCHK_DESC_LEN];               /* health check description */
        int use_ssl;                            /* use SSL for health checks */
        int send_proxy;                         /* send a PROXY protocol header 
with checks */
        struct tcpcheck_rule *current_step;     /* current step when using 
tcpcheck */
diff --git a/include/types/server.h b/include/types/server.h
index 94f9a0f..5798fab 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -202,7 +202,6 @@ struct server {
 
        struct {                                /* configuration  used by 
health-check and agent-check */
                struct protocol *proto;         /* server address protocol for 
health checks */
-               struct xprt_ops *xprt;          /* transport layer operations 
for health checks */
                struct sockaddr_storage addr;   /* the address to check, if 
different from <addr> */
        } check_common;
 
diff --git a/src/checks.c b/src/checks.c
index 15a3c40..3775ad2 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1386,6 +1386,7 @@ static int connect_conn_chk(struct task *t)
        struct server *s = check->server;
        struct connection *conn = check->conn;
        struct protocol *proto;
+       struct xprt_ops *xprt;
        int ret;
 
        /* tcpcheck send/expect initialisation */
@@ -1417,9 +1418,21 @@ static int connect_conn_chk(struct task *t)
                }
        }
 
+    /* use the right transport layer depending on the check mode.
+        * agent should alawys use raw_sock.
+        */
+#ifdef USE_OPENSSL
+       if (check->use_ssl)
+               xprt = &ssl_sock;
+       else
+               xprt = &raw_sock;
+#else  /* USE_OPENSSL */
+       xprt = &raw_sock;
+#endif /* USE_OPENSSL */
+
        /* prepare a new connection */
        conn_init(conn);
-       conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
+       conn_prepare(conn, s->check_common.proto, xprt);
        conn_attach(conn, check, &check_conn_cb);
        conn->target = &s->obj_type;
 
diff --git a/src/server.c b/src/server.c
index fdb63cc..57e4730 100644
--- a/src/server.c
+++ b/src/server.c
@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char 
**args, struct proxy *curpr
 
                        newsrv->addr = *sk;
                        newsrv->proto = newsrv->check_common.proto = 
protocol_by_family(newsrv->addr.ss_family);
-                       newsrv->xprt  = newsrv->check_common.xprt  = &raw_sock;
+                       newsrv->xprt  = &raw_sock;
 
                        if (!newsrv->proto) {
                                Alert("parsing [%s:%d] : Unknown protocol 
family %d '%s'\n",
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index fbf8f9a..f1708d5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1819,8 +1819,6 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct 
proxy *curproxy)
        srv->ssl_ctx.reused_sess = NULL;
        if (srv->use_ssl)
                srv->xprt = &ssl_sock;
-       if (srv->check.use_ssl)
-               srv->check_common.xprt = &ssl_sock;
 
        srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
        if (!srv->ssl_ctx.ctx) {
-- 
2.1.3

