MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks.

Add a new keyword, "check-sni", to be able to specify the SNI to be used when doing health checks over SSL.
2026-02-18 18:19:39 -05:00 · 2017-10-17 17:33:43 +02:00 · 2017-10-17 17:33:43 +02:00 · 9130a9605d
commit 9130a9605d
parent f8eb8d56a7
4 changed files with 32 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -10970,6 +10970,10 @@ check-send-proxy
  "check-send-proxy" option needs to be used to force the use of the
  protocol. See also the "send-proxy" option for more information.

+check-sni
+  This option allows you to specify the SNI to be used when doing health checks
+  over SSL.
+
 check-ssl
  This option forces encryption of all health checks over SSL, regardless of
  whether the server uses SSL or not for the normal traffic. This is generally
--- a/include/types/checks.h
+++ b/include/types/checks.h
@ -184,6 +184,7 @@ struct check {
 	char **envp;				/* the environment to use if running a process-based check */
 	struct pid_list *curpid;		/* entry in pid_list used for current process-based test, or -1 if not in test */
 	struct sockaddr_storage addr;   	/* the address to check */
+	char *sni;				/* Server name */
 };

 struct check_status {
--- a/src/checks.c
+++ b/src/checks.c
@ -60,6 +60,10 @@
 #include <proto/dns.h>
 #include <proto/proto_udp.h>

+#ifdef USE_OPENSSL
+#include <proto/ssl_sock.h>
+#endif /* USE_OPENSSL */
+
 static int httpchk_expect(struct server *s, int done);
 static int tcpcheck_get_step_id(struct check *);
 static char * tcpcheck_get_step_comment(struct check *, int);
@ -1597,6 +1601,10 @@ static int connect_conn_chk(struct task *t)
 	ret = SF_ERR_INTERNAL;
 	if (proto && proto->connect)
 		ret = proto->connect(conn, check->type, quickack ? 2 : 0);
+#ifdef USE_OPENSSL
+	if (s->check.sni)
+		ssl_sock_set_servername(conn, s->check.sni);
+#endif
 	if (s->check.send_proxy && !(check->state & CHK_ST_AGENT)) {
 		conn->send_proxy_ofs = 1;
 		conn->flags |= CO_FL_SEND_PROXY;
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -7075,6 +7075,24 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
 	return 0;
 }

+/* parse the "check-sni" server keyword */
+static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	if (!*args[*cur_arg + 1]) {
+		if (err)
+			memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	newsrv->check.sni = strdup(args[*cur_arg + 1]);
+	if (!newsrv->check.sni) {
+		memprintf(err, "'%s' : failed to allocate memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+
+}
+
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@ -8031,6 +8049,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file",                 srv_parse_ca_file,            1, 1 }, /* set CAfile to process verify server cert */
+	{ "check-sni",               srv_parse_check_sni,          1, 1 }, /* set SNI */
 	{ "check-ssl",               srv_parse_check_ssl,          0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",                 srv_parse_ciphers,            1, 1 }, /* select the cipher suite */
 	{ "crl-file",                srv_parse_crl_file,           1, 1 }, /* set certificate revocation list file use on server cert verify */