Hi, The attached patch adds a new keyword to servers, "check-sni", that lets you specify which SNI to use when doing health checks over SSL.
Regards, Olivier
>From 24779f0985041f4e680855d453a4bc5d096756f9 Mon Sep 17 00:00:00 2001 From: Olivier Houchard <ohouch...@haproxy.com> Date: Tue, 17 Oct 2017 17:33:43 +0200 Subject: [PATCH] MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks. Add a new keyword, "check-sni", to be able to specify the SNI to be used when doing health checks over SSL. --- doc/configuration.txt | 4 ++++ include/types/checks.h | 1 + src/checks.c | 8 ++++++++ src/ssl_sock.c | 19 +++++++++++++++++++ 4 files changed, 32 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index 934f87759..1421808b8 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10970,6 +10970,10 @@ check-send-proxy "check-send-proxy" option needs to be used to force the use of the protocol. See also the "send-proxy" option for more information. +check-sni + This option allows you to specify the SNI to be used when doing health checks + over SSL. + check-ssl This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. This is generally diff --git a/include/types/checks.h b/include/types/checks.h index 283ff3dbe..3559f2d52 100644 --- a/include/types/checks.h +++ b/include/types/checks.h @@ -184,6 +184,7 @@ struct check { char **envp; /* the environment to use if running a process-based check */ struct pid_list *curpid; /* entry in pid_list used for current process-based test, or -1 if not in test */ struct sockaddr_storage addr; /* the address to check */ + char *sni; /* Server name */ }; struct check_status { diff --git a/src/checks.c b/src/checks.c index c02935cf0..413365b24 100644 --- a/src/checks.c +++ b/src/checks.c 
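Review bot: The comment on the new `sni` field in struct check, `/* Server name */`, does not say what the string is used for or who owns it; since srv_parse_check_sni stores a strdup'd copy I would write `char *sni; /* SNI sent on SSL health checks ("check-sni"), strdup'd, NULL if unset */`. The patch adds no matching free for the field; if struct check has a release path elsewhere in the tree (not visible here), the copy should be freed there as well.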
@@ -60,6 +60,10 @@
 #include <proto/dns.h>
 #include <proto/proto_udp.h>
 
+#ifdef USE_OPENSSL
+#include <proto/ssl_sock.h>
+#endif /* USE_OPENSSL */
+
 static int httpchk_expect(struct server *s, int done);
 static int tcpcheck_get_step_id(struct check *);
 static char * tcpcheck_get_step_comment(struct check *, int);
@@ -1597,6 +1601,10 @@ static int connect_conn_chk(struct task *t)
 	ret = SF_ERR_INTERNAL;
 	if (proto && proto->connect)
 		ret = proto->connect(conn, check->type, quickack ? 2 : 0);
+#ifdef USE_OPENSSL
+	if (s->check.sni)
+		ssl_sock_set_servername(conn, s->check.sni);
+#endif
 	if (s->check.send_proxy && !(check->state & CHK_ST_AGENT)) {
 		conn->send_proxy_ofs = 1;
 		conn->flags |= CO_FL_SEND_PROXY;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 774a5a683..1d00b42e4 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7075,6 +7075,24 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
 	return 0;
 }
 
+/* parse the "check-sni" server keyword */
+static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	if (!*args[*cur_arg + 1]) {
+		if (err)
+			memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	newsrv->check.sni = strdup(args[*cur_arg + 1]);
+	if (!newsrv->check.sni) {
+		memprintf(err, "'%s' : failed to allocate memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+
+}
+
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
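Review bot: The new block in connect_conn_chk reads `s->check.sni` rather than the field of the check being connected, while the send-proxy test two lines below explicitly excludes agent checks via `check->state & CHK_ST_AGENT`; if `check` can point at `s->agent` here, as that test suggests, the health-check SNI would also be sent on agent connections. Reading the per-check field, `if (check->sni)` / `ssl_sock_set_servername(conn, check->sni);`, keeps the two in step, since no keyword sets the agent's copy. If ssl_sock_set_servername does not itself ignore non-SSL connections, a `check-sni` given without `check-ssl` or `ssl` would also reach it — worth confirming. connect_conn_chk's body begins and ends outside the hunk.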
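Review bot: srv_parse_check_sni overwrites `newsrv->check.sni` without releasing a previous value, so a server line that repeats `check-sni` leaks the earlier strdup; add `free(newsrv->check.sni);` immediately before the `strdup` call. The first memprintf is guarded by `if (err)` while the second is not, so either both need the guard or neither does — the sibling parsers in this file are the reference for which. The blank line before the closing brace is stray.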
@@ -8031,6 +8049,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file", srv_parse_ca_file, 1, 1 }, /* set CAfile to process verify server cert */
+	{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
 	{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
 	{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
 	{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
-- 
2.13.5
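Review bot: The table comment `/* set SNI */` on the new srv_kws entry is terser than its neighbours, which each say what the option affects; `/* set SNI to send on SSL health checks */` would match them. Registering the keyword in the SSL keyword list presumably means a build without USE_OPENSSL rejects `check-sni` as unknown, which is consistent with the `#ifdef USE_OPENSSL` around its only use in checks.c.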