MINOR: global: generate random cluster.secret if not defined

If no cluster-secret is defined by the user, a random one is silently generated. This ensures that at least QUIC Retry tokens are generated if abnormal conditions are detected. However, it is advisable to specify it in the configuration for tokens to be valid even after a reload or across LBs instances in the same cluster. This should be backported up to 2.6.
2025-08-06 23:27:04 +02:00 · 2022-11-14 16:18:46 +01:00 · 2022-11-14 16:18:46 +01:00 · 28ea31c7cb
commit 28ea31c7cb
parent 996ca7d0fa
3 changed files with 33 additions and 5 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1239,8 +1239,11 @@ cluster-secret <secret>
  same cluster. It could be used for different usages. It is at least used to
  derive stateless reset tokens for all the QUIC connections instantiated by
  this process. This is also the case to derive secrets used to encrypt Retry
-  tokens. If you do not set this parameter, the stateless reset and Retry QUIC
-  features will be both silently disabled.
+  tokens.
+
+  If this parameter is not set, a random value will be selected on process
+  startup. This allows to use features which rely on it, albeit with some
+  limitations.

 cpu-map [auto:]<thread-group>[/<thread-set>] <cpu-set>...
  On some operating systems, it is possible to bind a thread group or a thread
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -4375,9 +4375,11 @@ int check_config_validity()
 			goto init_proxies_list_stage2;
 	}

-	if (diag_no_cluster_secret)
-		ha_diag_warning("No cluster secret was set. The stateless reset and Retry"
-		                " features are disabled for all QUIC bindings.\n");
+	if (diag_no_cluster_secret) {
+		ha_diag_warning("Generating a random cluster secret. "
+		                "You should define your own one in the configuration to ensure consistency "
+		                "after reload/restart or across your whole cluster.\n");
+	}

 	/*
 	 * Recount currently required checks.
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -1895,6 +1895,26 @@ static void dump_registered_keywords(void)
 	}
 }

+/* Generate a random cluster-secret in case the setting is not provided in the
+ * configuration. This allows to use features which rely on it albeit with some
+ * limitations.
+ */
+static void generate_random_cluster_secret()
+{
+	/* used as a default random cluster-secret if none defined. */
+	uint64_t rand = ha_random64();
+
+	/* The caller must not overwrite an already defined secret. */
+	BUG_ON(global.cluster_secret);
+
+	global.cluster_secret = malloc(8);
+	if (!global.cluster_secret)
+		return;
+
+	memcpy(global.cluster_secret, &rand, sizeof(rand));
+	global.cluster_secret[7] = '\0';
+}
+
 /*
 * This function initializes all the necessary variables. It only returns
 * if everything is OK. If something fails, it exits.
@ -2562,6 +2582,9 @@ static void init(int argc, char **argv)
 		exit(1);
 	}

+	if (!global.cluster_secret)
+		generate_random_cluster_secret();
+
 	/*
 	 * Note: we could register external pollers here.
 	 * Built-in pollers have been registered before main().