MEDIUM: checks: enable the PROXY protocol with health checks

When health checks are configured on a server which has the send-proxy
directive and no "port" nor "addr" settings, the health check connections
will automatically use the PROXY protocol. If "port" or "addr" are set,
the "check-send-proxy" directive may be used to force the protocol.

doc/configuration.txt

@@ -7024,6 +7024,17 @@ check
 
   Supported in default-server: No
 
+check-send-proxy
+  This option forces emission of a PROXY protocol line with outgoing health
+  checks, regardless of whether the server uses send-proxy or not for the
+  normal traffic. By default, the PROXY protocol is enabled for health checks
+  if it is already enabled for normal traffic and if no "port" nor "addr"
+  directive is present. However, if such a directive is present, the
+  "check-send-proxy" option needs to be used to force the use of the
+  protocol. See also the "send-proxy" option for more information.
+
+  Supported in default-server: No
+
 check-ssl
   This option forces encryption of all health checks over SSL, regardless of
   whether the server uses SSL or not for the normal traffic. This is generally
@@ -7301,8 +7312,11 @@ send-proxy
   are supported. Other families such as Unix sockets, will report an UNKNOWN
   family. Servers using this option can fully be chained to another instance of
   haproxy listening with an "accept-proxy" setting. This setting must not be
-  used if the server isn't aware of the protocol. See also the "accept-proxy"
-  option of the "bind" keyword.
+  used if the server isn't aware of the protocol. When health checks are sent
+  to the server, the PROXY protocol is automatically used when this option is
+  set, unless there is an explicit "port" or "addr" directive, in which case an
+  explicit "check-send-proxy" directive would also be needed to use the PROXY
+  protocol. See also the "accept-proxy" option of the "bind" keyword.
 
   Supported in default-server: No
 

include/types/server.h

@@ -169,6 +169,7 @@ struct server {
 		short status, code;             /* check result, check code */
 		char desc[HCHK_DESC_LEN];       /* health check descritpion */
 		int use_ssl;                    /* use SSL for health checks */
+		int send_proxy;                 /* send a PROXY protocol header with checks */
 	} check;
 
 #ifdef USE_OPENSSL

src/cfgparse.c

@@ -4145,6 +4145,10 @@ stats_error_parsing:
 				newsrv->state |= SRV_SEND_PROXY;
 				cur_arg ++;
 			}
+			else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) {
+				newsrv->check.send_proxy = 1;
+				cur_arg ++;
+			}
 			else if (!strcmp(args[cur_arg], "weight")) {
 				int w;
 				w = atol(args[cur_arg + 1]);
@@ -4566,8 +4570,10 @@ stats_error_parsing:
 			 * same as for the production traffic. Otherwise we use raw_sock by
 			 * default, unless one is specified.
 			 */
-			if (!newsrv->check.port && !is_addr(&newsrv->check.addr))
+			if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) {
 				newsrv->check.use_ssl |= newsrv->use_ssl;
+				newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY);
+			}
 
 			/* try to get the port from check.addr if check.port not set */
 			if (!newsrv->check.port)

src/checks.c

@@ -1331,6 +1331,8 @@ static struct task *process_chk(struct task *t)
 		 */
 		ret = s->check.proto->connect(conn, 1);
 		conn->flags |= CO_FL_WAKE_DATA;
+		if (s->check.send_proxy)
+			conn->flags |= CO_FL_LOCAL_SPROXY;
 
 		switch (ret) {
 		case SN_ERR_NONE: