mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-20 21:31:28 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections

Browse Source 
When we try to ruse connection to perform an healtcheck, the SNI, from the
tcpcheck connection or the healthcheck itself, must not be used as
connection name for non-SSL connections.

This patch must be backported to 3.2.
This commit is contained in:
Christopher Faulet 2025-09-03 16:50:47 +02:00
parent eb3d4eb59f
commit 58555b8653
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/tcpcheck.c
View File

@ -1221,6 +1221,17 @@ static inline int tcpcheck_use_nondefault_connect(const struct check *check,
(connect->options & TCPCHK_MASK_OPTS_CONNECT);
}
/* Returns true if the connect rule uses SSL. */
static inline int tcpcheck_connect_use_ssl(const struct check *check,
const struct tcpcheck_connect *connect)
{
if (connect->options & TCPCHK_OPT_SSL)
return 1;
if (connect->options & TCPCHK_OPT_DEFAULT_CONNECT)
return (check->xprt == xprt_get(XPRT_SSL));
return 0;
}
/* Evaluates a TCPCHK_ACT_CONNECT rule. Returns TCPCHK_EVAL_WAIT to wait the
* connection establishment, TCPCHK_EVAL_CONTINUE to evaluate the next rule or
* TCPCHK_EVAL_STOP if an error occurred.
@ -1276,10 +1287,12 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
if (check->pool_conn_name)
pool_conn_name = ist(check->pool_conn_name);
else if (connect->sni)
pool_conn_name = ist(connect->sni);
else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
pool_conn_name = ist(check->sni);
else if (tcpcheck_connect_use_ssl(check, connect)) {
if (connect->sni)
pool_conn_name = ist(connect->sni);
else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
pool_conn_name = ist(check->sni);
}
if (!(s->flags & SRV_F_RHTTP)) {
dst_tmp = s->addr;