sinjuginas/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

REORG: config: use parsing ctx for server config check

Browse Source 
Initialize the parsing context when checking server config validity.
Adjust the log messages to remove redundant config file/line and server
name. Do a similar cleaning in prepare_srv from ssl_sock as this
function is called at the same stage.

This will standardize the stderr output on startup with the parse_server
function.
This commit is contained in:
Amaury Denoyelle 2021-05-28 10:34:01 +02:00
parent 0fc136ce5b
commit e74cbc3227
2 changed files with 28 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/cfgparse.c
View File

@ -3523,6 +3523,8 @@ out_uri_auth_compat:
*/ */
newsrv = curproxy->srv; newsrv = curproxy->srv;
while (newsrv != NULL) { while (newsrv != NULL) {
set_usermsgs_ctx(newsrv->conf.file, newsrv->conf.line, &newsrv->obj_type);
if (newsrv->minconn > newsrv->maxconn) { if (newsrv->minconn > newsrv->maxconn) {
/* Only 'minconn' was specified, or it was higher than or equal /* Only 'minconn' was specified, or it was higher than or equal
* to 'maxconn'. Let's turn this into maxconn and clean it, as * to 'maxconn'. Let's turn this into maxconn and clean it, as
@ -3548,10 +3550,7 @@ out_uri_auth_compat:
if ((newsrv->flags & SRV_F_FASTOPEN) && if ((newsrv->flags & SRV_F_FASTOPEN) &&
((curproxy->retry_type & (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)) != ((curproxy->retry_type & (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)) !=
(PR_RE_DISCONNECTED | PR_RE_TIMEOUT))) (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)))
ha_warning("parsing [%s:%d] : %s '%s': server '%s' has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n", ha_warning("server has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n");
newsrv->conf.file, newsrv->conf.line,
proxy_type_str(curproxy), curproxy->id,
newsrv->id);
if (newsrv->trackit) { if (newsrv->trackit) {
struct proxy *px; struct proxy *px;
@ -3571,9 +3570,8 @@ out_uri_auth_compat:
if (pname) { if (pname) {
px = proxy_be_by_name(pname); px = proxy_be_by_name(pname);
if (!px) { if (!px) {
ha_alert("config : %s '%s', server '%s': unable to find required proxy '%s' for tracking.\n", ha_alert("unable to find required proxy '%s' for tracking.\n",
proxy_type_str(curproxy), curproxy->id, pname);
newsrv->id, pname);
cfgerr++; cfgerr++;
goto next_srv; goto next_srv;
} }
@ -3582,18 +3580,16 @@ out_uri_auth_compat:
srv = findserver(px, sname); srv = findserver(px, sname);
if (!srv) { if (!srv) {
ha_alert("config : %s '%s', server '%s': unable to find required server '%s' for tracking.\n", ha_alert("unable to find required server '%s' for tracking.\n",
proxy_type_str(curproxy), curproxy->id, sname);
newsrv->id, sname);
cfgerr++; cfgerr++;
goto next_srv; goto next_srv;
} }
if (!srv->do_check && !srv->do_agent && !srv->track && !srv->trackit) { if (!srv->do_check && !srv->do_agent && !srv->track && !srv->trackit) {
ha_alert("config : %s '%s', server '%s': unable to use %s/%s for " ha_alert("unable to use %s/%s for "
"tracking as it does not have any check nor agent enabled.\n", "tracking as it does not have any check nor agent enabled.\n",
proxy_type_str(curproxy), curproxy->id, px->id, srv->id);
newsrv->id, px->id, srv->id);
cfgerr++; cfgerr++;
goto next_srv; goto next_srv;
} }
@ -3601,10 +3597,9 @@ out_uri_auth_compat:
for (loop = srv->track; loop && loop != newsrv; loop = loop->track); for (loop = srv->track; loop && loop != newsrv; loop = loop->track);
if (newsrv == srv || loop) { if (newsrv == srv || loop) {
ha_alert("config : %s '%s', server '%s': unable to track %s/%s as it " ha_alert("unable to track %s/%s as it "
"belongs to a tracking chain looping back to %s/%s.\n", "belongs to a tracking chain looping back to %s/%s.\n",
proxy_type_str(curproxy), curproxy->id, px->id, srv->id, px->id,
newsrv->id, px->id, srv->id, px->id,
newsrv == srv ? srv->id : loop->id); newsrv == srv ? srv->id : loop->id);
cfgerr++; cfgerr++;
goto next_srv; goto next_srv;
@ -3612,10 +3607,9 @@ out_uri_auth_compat:
if (curproxy != px && if (curproxy != px &&
(curproxy->options & PR_O_DISABLE404) != (px->options & PR_O_DISABLE404)) { (curproxy->options & PR_O_DISABLE404) != (px->options & PR_O_DISABLE404)) {
ha_alert("config : %s '%s', server '%s': unable to use %s/%s for" ha_alert("unable to use %s/%s for"
"tracking: disable-on-404 option inconsistency.\n", "tracking: disable-on-404 option inconsistency.\n",
proxy_type_str(curproxy), curproxy->id, px->id, srv->id);
newsrv->id, px->id, srv->id);
cfgerr++; cfgerr++;
goto next_srv; goto next_srv;
} }
@ -3628,6 +3622,7 @@ out_uri_auth_compat:
} }
next_srv: next_srv:
reset_usermsgs_ctx();
newsrv = newsrv->next; newsrv = newsrv->next;
} }

42
src/ssl_sock.c
View File

@ -4619,7 +4619,6 @@ static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx)
/* prepare ssl context from servers options. Returns an error count */ /* prepare ssl context from servers options. Returns an error count */
int ssl_sock_prepare_srv_ctx(struct server *srv) int ssl_sock_prepare_srv_ctx(struct server *srv)
{ {
struct proxy *curproxy = srv->proxy;
int cfgerr = 0; int cfgerr = 0;
SSL_CTX *ctx = srv->ssl_ctx.ctx; SSL_CTX *ctx = srv->ssl_ctx.ctx;
@ -4635,9 +4634,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
/* Initiate SSL context for current server */ /* Initiate SSL context for current server */
if (!srv->ssl_ctx.reused_sess) { if (!srv->ssl_ctx.reused_sess) {
if ((srv->ssl_ctx.reused_sess = calloc(1, global.nbthread*sizeof(*srv->ssl_ctx.reused_sess))) == NULL) { if ((srv->ssl_ctx.reused_sess = calloc(1, global.nbthread*sizeof(*srv->ssl_ctx.reused_sess))) == NULL) {
ha_alert("Proxy '%s', server '%s' [%s:%d] out of memory.\n", ha_alert("out of memory.\n");
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
cfgerr++; cfgerr++;
return cfgerr; return cfgerr;
} }
@ -4650,9 +4647,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
if (!ctx) { if (!ctx) {
ctx = SSL_CTX_new(SSLv23_client_method()); ctx = SSL_CTX_new(SSLv23_client_method());
if (!ctx) { if (!ctx) {
ha_alert("config : %s '%s', server '%s': unable to allocate ssl context.\n", ha_alert("unable to allocate ssl context.\n");
proxy_type_str(curproxy), curproxy->id,
srv->id);
cfgerr++; cfgerr++;
return cfgerr; return cfgerr;
} }
@ -4687,9 +4682,8 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
int flags = MC_SSL_O_ALL; int flags = MC_SSL_O_ALL;
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max)) if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("config : %s '%s': no-sslv3/no-tlsv1x are ignored for server '%s'. " ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
"Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n", "Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n");
proxy_type_str(curproxy), curproxy->id, srv->id);
else else
flags = conf_ssl_methods->flags; flags = conf_ssl_methods->flags;
@ -4770,21 +4764,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
if (srv->ssl_ctx.ca_file) { if (srv->ssl_ctx.ca_file) {
/* set CAfile to verify */ /* set CAfile to verify */
if (!ssl_set_verify_locations_file(ctx, srv->ssl_ctx.ca_file)) { if (!ssl_set_verify_locations_file(ctx, srv->ssl_ctx.ca_file)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] unable to set CA file '%s'.\n", ha_alert("unable to set CA file '%s'.\n",
curproxy->id, srv->id, srv->ssl_ctx.ca_file);
srv->conf.file, srv->conf.line, srv->ssl_ctx.ca_file);
cfgerr++; cfgerr++;
} }
} }
else { else {
if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED) if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n", ha_alert("verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n");
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
else else
ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled but no CA file specified.\n", ha_alert("verify is enabled but no CA file specified.\n");
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
cfgerr++; cfgerr++;
} }
#ifdef X509_V_FLAG_CRL_CHECK #ifdef X509_V_FLAG_CRL_CHECK
@ -4792,9 +4781,8 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
X509_STORE *store = SSL_CTX_get_cert_store(ctx); X509_STORE *store = SSL_CTX_get_cert_store(ctx);
if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) { if (!ssl_set_cert_crl_file(store, srv->ssl_ctx.crl_file)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n", ha_alert("unable to configure CRL file '%s'.\n",
curproxy->id, srv->id, srv->ssl_ctx.crl_file);
srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
cfgerr++; cfgerr++;
} }
else { else {
@ -4808,18 +4796,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
SSL_CTX_sess_set_new_cb(ctx, ssl_sess_new_srv_cb); SSL_CTX_sess_set_new_cb(ctx, ssl_sess_new_srv_cb);
if (srv->ssl_ctx.ciphers && if (srv->ssl_ctx.ciphers &&
!SSL_CTX_set_cipher_list(ctx, srv->ssl_ctx.ciphers)) { !SSL_CTX_set_cipher_list(ctx, srv->ssl_ctx.ciphers)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n", ha_alert("unable to set SSL cipher list to '%s'.\n",
curproxy->id, srv->id, srv->ssl_ctx.ciphers);
srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
cfgerr++; cfgerr++;
} }
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (srv->ssl_ctx.ciphersuites && if (srv->ssl_ctx.ciphersuites &&
!SSL_CTX_set_ciphersuites(ctx, srv->ssl_ctx.ciphersuites)) { !SSL_CTX_set_ciphersuites(ctx, srv->ssl_ctx.ciphersuites)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n", ha_alert("unable to set TLS 1.3 cipher suites to '%s'.\n",
curproxy->id, srv->id, srv->ssl_ctx.ciphersuites);
srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
cfgerr++; cfgerr++;
} }
#endif #endif