From 0678d0a69b1a2a903781e33153630ae203a72aa7 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 9 Sep 2025 11:20:46 +0200
Subject: [PATCH] MINOR: check: reject invalid check config on a QUIC server

QUIC is now supported on the backend side. The previous commit ensures
that simple checks can be activated on QUIC servers without any issue.

The current patch ensures that check server settings remain compatible
with a QUIC server. Thus, configuration is now invalid if check
specifies an explicit MUX proto other than QUIC, disables SSL or try to
use PROXY protocol.
---
 src/check.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/check.c b/src/check.c
index 03c85613f..3b046a27e 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1854,6 +1854,27 @@ int init_srv_check(struct server *srv)
 
 	/* validate <srv> server health-check settings */
 
+	if (srv_is_quic(srv)) {
+		if (srv->check.mux_proto && srv->check.mux_proto != get_mux_proto(ist("quic"))) {
+			ha_alert("config: %s '%s': QUIC server '%s' uses an incompatible MUX protocol for checks.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+
+		if (srv->check.use_ssl < 0) {
+			ha_alert("config: %s '%s': SSL is mandatory for checks on QUIC server '%s'.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+		}
+
+		if (srv->check.send_proxy) {
+			ha_alert("config: %s '%s': cannot use PROXY protocol for checks on QUIC server '%s'.\n",
+			         proxy_type_str(srv->proxy), srv->proxy->id, srv->id);
+			ret |= ERR_ALERT | ERR_FATAL;
+		}
+	}
+
 	/* We need at least a service port, a check port or the first tcp-check
 	 * rule must be a 'connect' one when checking an IPv4/IPv6 server.
 	 */