Skip to content

Commit

Permalink
MINOR: config: rhttp: Don't require SSL when attach-srv name parsing
Browse files Browse the repository at this point in the history 
An attach-srv config line usually looks like this:

    tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)

while a rhttp server line usually looks like this:

    server srv rhttp@ sni req.hdr(host)

The server sni argument is used as a key for looking up connection in the
connection pool.  The attach-srv name argument is used as a key for
inserting connections into the pool.  For it to work correctly they must
match.  There was a check that either both the attach-srv and server
provide that key or neither does.

It also checked that SSL and SNI was activated on the server.  This is too
strict.  This patch removes that requirement.  Now you can pass arbitrary
expressions as the name expression.

With this patch we also produce a more helpful and specific error message.

I'm doing this as I want to use `fc_pp_unique_id` as the name.

Arguably it would be easier to understand if instead of using `name` and
`sni` for `attach-srv` and `server` rules it used the same term in both
places - like "conn-pool-key" or something.  That would make it clear that
the two must match.  But it's too late to change that now.
  • Loading branch information
@wmanley
wmanley committed May 8, 2024
1 parent 5742051 commit d06427d
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions src/tcp_act.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -451,10 +451,16 @@ static int tcp_check_attach_srv(struct act_rule *rule, struct proxy *px, char **
return 0;
}

if ((rule->arg.attach_srv.name && (!srv->use_ssl || !srv->sni_expr)) ||
(!rule->arg.attach_srv.name && srv->use_ssl && srv->sni_expr)) {
memprintf(err, "attach-srv rule: connection will never be used; either specify name argument in conjunction with defined SSL SNI on targeted server or none of these");
return 0;
if (rule->arg.attach_srv.name) {
if (!srv->sni_expr) {
memprintf(err, "attach-srv rule has a name argument while server '%s/%s' does not have an sni argument; either add a sni argument to the server or remove the name argument from this attach-srv rule", ist0(be_name), ist0(sv_name));
return 0;
}
} else {
if (srv->sni_expr) {
memprintf(err, "attach-srv rule has no name argument while server '%s/%s' has an sni argument; either add a name argument to the attach-srv rule or remove the sni argument from the server", ist0(be_name), ist0(sv_name));
return 0;
}
}

rule->arg.attach_srv.srv = srv;
Expand Down

0 comments on commit d06427d

Please sign in to comment.