From 79b90e8cd47464c714d36a2a315b2ab95b5ba5f3 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 20 Sep 2021 15:15:19 +0200
Subject: [PATCH] MINOR: server: enable more keywords for ssl checks for dynamic servers

Allow to configure ssl support for dynamic server checks independently of the ssl server configuration. This is done via the keyword "check-ssl". Also enable to configure the sni/alpn used for the check via "check-sni/alpn".
---
 doc/management.txt | 3 +++
 src/cfgparse-ssl.c | 6 +++---
 src/server.c | 3 ++-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/doc/management.txt b/doc/management.txt
index a71307169..254f604e7 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1507,8 +1507,11 @@ add server / [args]*
 - backup
 - ca-file
 - check
+ - check-alpn
 - check-proto
 - check-send-proxy
+ - check-sni
+ - check-ssl
 - check-via-socks4
 - ciphers
 - ciphersuites
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0ca8cab31..09bcc64f7 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1887,9 +1887,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "allow-0rtt", srv_parse_allow_0rtt, 0, 1, 1 }, /* Allow using early data on this server */
 { "alpn", srv_parse_alpn, 1, 1, 1 }, /* Set ALPN supported protocols */
 { "ca-file", srv_parse_ca_file, 1, 1, 1 }, /* set CAfile to process verify server cert */
- { "check-alpn", srv_parse_check_alpn, 1, 1, 0 }, /* Set ALPN used for checks */
- { "check-sni", srv_parse_check_sni, 1, 1, 0 }, /* set SNI */
- { "check-ssl", srv_parse_check_ssl, 0, 1, 0 }, /* enable SSL for health checks */
+ { "check-alpn", srv_parse_check_alpn, 1, 1, 1 }, /* Set ALPN used for checks */
+ { "check-sni", srv_parse_check_sni, 1, 1, 1 }, /* set SNI */
+ { "check-ssl", srv_parse_check_ssl, 0, 1, 1 }, /* enable SSL for health checks */
 { "ciphers", srv_parse_ciphers, 1, 1, 1 }, /* select the cipher suite */
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 { "ciphersuites", srv_parse_ciphersuites, 1, 1, 1 }, /* select the cipher suite */
diff --git a/src/server.c b/src/server.c
index a39569ea1..96c71fb51 100644
--- a/src/server.c
+++ b/src/server.c
@@ -4563,7 +4563,8 @@ static int cli_parse_add_server(char **args, char *payload, struct appctx *appct
 goto out;
 }
- if (srv->use_ssl == 1 || (srv->proxy->options & PR_O_TCPCHK_SSL)) {
+ if (srv->use_ssl == 1 || (srv->proxy->options & PR_O_TCPCHK_SSL) ||
+ srv->check.use_ssl == 1) {
 if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv) {
 if (xprt_get(XPRT_SSL)->prepare_srv(srv))
 goto out;
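Review bot: In the `srv_kws` table of src/cfgparse-ssl.c, the trailing column that the three `check-*` entries change from `0` to `1` is unlabelled. Going by the commit message it is the flag that admits a keyword on dynamic servers, so the table does not show that `check-ssl`, `check-sni` and `check-alpn` now accept values typed at runtime. A one-line legend above the entries naming each column would make that visible, and the `check-sni` comment could read `/* set SNI used for checks */` to match its two neighbours. The parsers `srv_parse_check_sni` and `srv_parse_check_alpn` are outside this hunk; because their arguments can now come from the management CLI instead of the configuration file, it is worth confirming that they bound the input and report failure through their return value. The initializer begins and ends outside the hunk.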
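Review bot: In `cli_parse_add_server` in src/server.c, when the new `srv->check.use_ssl == 1` term is the only true one, the SSL context is being prepared solely for health checks. Nothing visible fails the command if `xprt_get(XPRT_SSL)` returns NULL or has no `prepare_srv`; the inner `if` is simply skipped. The hunk ends before the block closes, so an `else` may exist below. If it does not, an error path that reports "SSL requested for checks but no SSL transport available" and jumps to `out` would keep such a server from being added without a prepared context. A comment above the condition, such as `/* prepare the SSL context if traffic or health checks use SSL */`, would also explain why three separate flags are tested.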