From a97bd0f50520b8f70fe0d543a6be863b4b84ac9d Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 3 Sep 2025 16:36:25 +0200
Subject: [PATCH] BUG/MINOR: server: Update healthcheck when server settings
 are changed via CLI

not all changes are concerned. But when the SSL is enabled or disabled for a
server, the healthcheck xprt must be eventually be updated too. This happens
when the healthcheck relies on the server settings.

In the same spirit, when the healthcheck address and port are updated, we
must fallback on the raw xprt if the SSL is not explicitly enabled for the
healthcheck with a "check-ssl" parameter.

This patch should be backported to all stable versions.
---
 src/server.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/server.c b/src/server.c
index a41ffed16..441b7f831 100644
--- a/src/server.c
+++ b/src/server.c
@@ -2779,6 +2779,9 @@ int srv_set_ssl(struct server *s, int use_ssl)
 		}
 		s->xprt = xprt_get(XPRT_RAW);
 	}
+	/* Check if we must rely on the server XPRT for the health-check */
+	if (!s->check.port && !is_addr(&s->check.addr) && !s->check.use_ssl)
+		s->check.xprt = s->xprt;
 
 	return 0;
 }
@@ -4601,6 +4604,10 @@ out:
 			s->check.addr = sk;
 		if (port)
 			s->check.port = new_port;
+
+		/* Fallback to raw XPRT for the health-check */
+		if (!s->check.use_ssl)
+			s->check.xprt = xprt_get(XPRT_RAW);
 	}
 	return NULL;
 }