From: Willy Tarreau Date: Thu, 4 Oct 2012 22:04:16 +0000 (+0200) Subject: MEDIUM: checks: enable the PROXY protocol with health checks X-Git-Tag: v1.5-dev13~199 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=6c16adc661be22516f5904d949913bba8928bf0b;p=haproxy-2.1.git MEDIUM: checks: enable the PROXY protocol with health checks When health checks are configured on a server which has the send-proxy directive and no "port" nor "addr" settings, the health check connections will automatically use the PROXY protocol. If "port" or "addr" are set, the "check-send-proxy" directive may be used to force the protocol. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index d4ad107..eba05b4 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7024,6 +7024,17 @@ check Supported in default-server: No +check-send-proxy + This option forces emission of a PROXY protocol line with outgoing health + checks, regardless of whether the server uses send-proxy or not for the + normal traffic. By default, the PROXY protocol is enabled for health checks + if it is already enabled for normal traffic and if no "port" nor "addr" + directive is present. However, if such a directive is present, the + "check-send-proxy" option needs to be used to force the use of the + protocol. See also the "send-proxy" option for more information. + + Supported in default-server: No + check-ssl This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic. This is generally @@ -7301,8 +7312,11 @@ send-proxy are supported. Other families such as Unix sockets, will report an UNKNOWN family. Servers using this option can fully be chained to another instance of haproxy listening with an "accept-proxy" setting. This setting must not be - used if the server isn't aware of the protocol. See also the "accept-proxy" - option of the "bind" keyword. + used if the server isn't aware of the protocol. When health checks are sent + to the server, the PROXY protocol is automatically used when this option is + set, unless there is an explicit "port" or "addr" directive, in which case an + explicit "check-send-proxy" directive would also be needed to use the PROXY + protocol. See also the "accept-proxy" option of the "bind" keyword. Supported in default-server: No diff --git a/include/types/server.h b/include/types/server.h index 864b56e..acfdeaf 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -169,6 +169,7 @@ struct server { short status, code; /* check result, check code */ char desc[HCHK_DESC_LEN]; /* health check descritpion */ int use_ssl; /* use SSL for health checks */ + int send_proxy; /* send a PROXY protocol header with checks */ } check; #ifdef USE_OPENSSL diff --git a/src/cfgparse.c b/src/cfgparse.c index 3f785ce..c6b0235 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4145,6 +4145,10 @@ stats_error_parsing: newsrv->state |= SRV_SEND_PROXY; cur_arg ++; } + else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) { + newsrv->check.send_proxy = 1; + cur_arg ++; + } else if (!strcmp(args[cur_arg], "weight")) { int w; w = atol(args[cur_arg + 1]); @@ -4566,8 +4570,10 @@ stats_error_parsing: * same as for the production traffic. Otherwise we use raw_sock by * default, unless one is specified. */ - if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) + if (!newsrv->check.port && !is_addr(&newsrv->check.addr)) { newsrv->check.use_ssl |= newsrv->use_ssl; + newsrv->check.send_proxy |= (newsrv->state & SRV_SEND_PROXY); + } /* try to get the port from check.addr if check.port not set */ if (!newsrv->check.port) diff --git a/src/checks.c b/src/checks.c index 52f70d2..7895e5d 100644 --- a/src/checks.c +++ b/src/checks.c @@ -1331,6 +1331,8 @@ static struct task *process_chk(struct task *t) */ ret = s->check.proto->connect(conn, 1); conn->flags |= CO_FL_WAKE_DATA; + if (s->check.send_proxy) + conn->flags |= CO_FL_LOCAL_SPROXY; switch (ret) { case SN_ERR_NONE: