MINOR: proxy/server: reject TCP ALPN h3 without experimental
Add a postparsing check on TCP ALPN bind and server setting. An error is reported if the token "h3" is present and expose-experimental-directives is not globally activated. This ensures that QMux protocol won't be selected if experimental features are not explicitly requested. The check is not performed though if "proto qmux" is explicitly defined, as this setting already checks for experimental support. Currently, it's not possible to activate QMux without any explicit "proto qmux" config. However, this will be implemented in a next patch, so this check will become necessary.
This commit is contained in:
parent
879c78c909
commit
e30bcfe6cd
2 changed files with 28 additions and 0 deletions
16
src/proxy.c
16
src/proxy.c
|
|
@ -1778,6 +1778,22 @@ int proxy_finalize(struct proxy *px, int *err_code)
|
|||
}
|
||||
#endif /* TLSEXT_TYPE_application_layer_protocol_negotiation */
|
||||
} /* HTTP && bufsize < 16384 */
|
||||
|
||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
|
||||
if (px->mode == PR_MODE_HTTP && !bind_conf->mux_proto &&
|
||||
bind_conf->ssl_conf.alpn_str &&
|
||||
strstr(bind_conf->ssl_conf.alpn_str, "\002h3")) {
|
||||
if (!experimental_directives_allowed) {
|
||||
ha_alert("HTTP/3 on TCP listed via ALPN on frontend '%s' at [%s:%d] relies on the experimental QMux protocol, "
|
||||
"must be allowed via a global 'expose-experimental-directives'.\n",
|
||||
px->id, bind_conf->file, bind_conf->line);
|
||||
cfgerr++;
|
||||
}
|
||||
|
||||
mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
|
||||
}
|
||||
#endif /* TLSEXT_TYPE_application_layer_protocol_negotiation */
|
||||
|
||||
#endif /* USE_OPENSSL */
|
||||
|
||||
#ifdef USE_QUIC
|
||||
|
|
|
|||
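Review bot: The `strstr(bind_conf->ssl_conf.alpn_str, "\002h3")` needle is non-obvious and deserves a comment, since it appears to rely on alpn_str being the wire-format ALPN list (one length byte per entry) so that only an exact two-byte "h3" entry matches and longer tokens such as "h3-29" do not; I would add `/* "\002h3": wire-format ALPN entry (length 2 + "h3"); longer h3 draft tokens have another length prefix and do not match */` above the `if`. Secondly, `mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED)` is still reached after `cfgerr++` in the frontend variant, whereas the matching server.c check returns before tainting; harmless because the config is rejected anyway, but moving the call into an `else` branch would make the two paths consistent. proxy_finalize and the loop providing bind_conf start and end outside the hunk.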
12
src/server.c
12
src/server.c
|
|
@ -4036,6 +4036,18 @@ static int _srv_parse_finalize(char **args, int cur_arg,
|
|||
return ERR_ALERT | ERR_FATAL;
|
||||
#endif
|
||||
}
|
||||
else {
|
||||
if (srv->proxy->mode == PR_MODE_HTTP && !srv->mux_proto &&
|
||||
srv->ssl_ctx.alpn_str && strstr(srv->ssl_ctx.alpn_str, "\002h3")) {
|
||||
if (!experimental_directives_allowed) {
|
||||
ha_alert("HTTP/3 on TCP listed via ALPN requires the QMUX protocol which is experimental, "
|
||||
"must be allowed via a global 'expose-experimental-directives'.\n");
|
||||
return ERR_ALERT | ERR_FATAL;
|
||||
}
|
||||
|
||||
mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
|
||||
}
|
||||
}
|
||||
|
||||
if (!(srv->proxy->cap & PR_CAP_LB)) {
|
||||
/* No need to wait for effective proxy mode, it is already known:
|
||||
|
|
|
|||
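Review bot: The new `ha_alert` in the server branch does not identify which server or configuration line triggered it, whereas the frontend variant in proxy.c prints the proxy id and `[file:line]`; unless the caller of _srv_parse_finalize prefixes the location, an operator with several servers listing h3 in their ALPN has to guess. I would pass the identifiers the way the bind-side check does, e.g. `ha_alert("HTTP/3 on TCP listed via ALPN on server '%s/%s' at [%s:%d] relies on the experimental QMux protocol, " "must be allowed via a global 'expose-experimental-directives'.\n", srv->proxy->id, srv->id, srv->conf.file, srv->conf.line);`, assuming the server's `conf.file`/`conf.line` are already populated at this point. The enclosing if/else and _srv_parse_finalize itself begin and end outside the hunk.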