BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks

Lasse Birnbaum Jensen reported an issue when agent checks are used at the same time as standard healthchecks when SSL is enabled on the server side. The symptom is that agent checks try to communicate in SSL while it should manage raw data. This happens because the transport layer is shared between all kind of checks. To fix the issue, the transport layer is now stored in each check type, allowing to use SSL healthchecks when required, while an agent check should always use the raw_sock implementation. The fix must be backported to 1.5.
2025-12-16 15:11:01 +01:00 · 2014-11-15 22:41:27 +01:00 · 2014-11-15 22:41:27 +01:00 · 9ce1311ebc
commit 9ce1311ebc
parent eb11889f1e
5 changed files with 5 additions and 5 deletions
--- a/include/types/checks.h
+++ b/include/types/checks.h
@ -129,6 +129,7 @@ enum {
 };

 struct check {
+	struct xprt_ops *xprt;			/* transport layer operations for health checks */
 	struct connection *conn;		/* connection state for health checks */
 	unsigned short port;			/* the port to use for the health checks */
 	struct buffer *bi, *bo;			/* input and output buffers to send/recv check */
@ -136,7 +137,7 @@ struct check {
 	struct timeval start;			/* last health check start time */
 	long duration;				/* time in ms took to finish last health check */
 	short status, code;			/* check result, check code */
-	char desc[HCHK_DESC_LEN];		/* health check descritpion */
+	char desc[HCHK_DESC_LEN];		/* health check description */
 	int use_ssl;				/* use SSL for health checks */
 	int send_proxy;				/* send a PROXY protocol header with checks */
 	struct tcpcheck_rule *current_step;     /* current step when using tcpcheck */
--- a/include/types/server.h
+++ b/include/types/server.h
@ -202,7 +202,6 @@ struct server {

 	struct {                                /* configuration  used by health-check and agent-check */
 		struct protocol *proto;	        /* server address protocol for health checks */
-		struct xprt_ops *xprt;          /* transport layer operations for health checks */
 		struct sockaddr_storage addr;   /* the address to check, if different from <addr> */
 	} check_common;

--- a/src/checks.c
+++ b/src/checks.c
@ -1419,7 +1419,7 @@ static int connect_conn_chk(struct task *t)

 	/* prepare a new connection */
 	conn_init(conn);
-	conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
+	conn_prepare(conn, s->check_common.proto, check->xprt);
 	conn_attach(conn, check, &check_conn_cb);
 	conn->target = &s->obj_type;

--- a/src/server.c
+++ b/src/server.c
@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr

 			newsrv->addr = *sk;
 			newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family);
-			newsrv->xprt  = newsrv->check_common.xprt  = &raw_sock;
+			newsrv->xprt  = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock;

 			if (!newsrv->proto) {
 				Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n",
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1825,7 +1825,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 	if (srv->use_ssl)
 		srv->xprt = &ssl_sock;
 	if (srv->check.use_ssl)
-		srv->check_common.xprt = &ssl_sock;
+		srv->check.xprt = &ssl_sock;

 	srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
 	if (!srv->ssl_ctx.ctx) {