Fix health-monitors with ALPN members

Using an HTTP or HTTPS health-monitor on an ALPN pool failed with SSL
errors.
The haproxy doc [0] mentions that when using "check" with ALPN servers, the
check-alpn option must be enabled.

[0] https://docs.haproxy.org/2.8/configuration.html#5.2-check

Closes-Bug: #2043812

Change-Id: I5698558857cbaa585f8a3d7ac37aaa31c0189d46
Gregory Thiemonge 2023-11-20 02:16:37 -05:00
parent 7310986de9
commit c28eb84dca
3 changed files with 30 additions and 18 deletions


@ -208,13 +208,18 @@ frontend {{ listener.id }}
{% else %} {% else %}
{% set monitor_port_opt = "" %} {% set monitor_port_opt = "" %}
{% endif %} {% endif %}
{% if pool.alpn_protocols is defined %}
{% set alpn_opt = " check-alpn %s"|format(pool.alpn_protocols) %}
{% else %}
{% set alpn_opt = "" %}
{% endif %}
{% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %} {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
{% set monitor_ssl_opt = " check-ssl verify none" %} {% set monitor_ssl_opt = " check-ssl verify none" %}
{% else %} {% else %}
{% set monitor_ssl_opt = "" %} {% set monitor_ssl_opt = "" %}
{% endif %} {% endif %}
{% set hm_opt = " check%s inter %ds fall %d rise %d%s%s"|format( {% set hm_opt = " check%s%s inter %ds fall %d rise %d%s%s"|format(
monitor_ssl_opt, pool.health_monitor.delay, monitor_ssl_opt, alpn_opt, pool.health_monitor.delay,
pool.health_monitor.fall_threshold, pool.health_monitor.fall_threshold,
pool.health_monitor.rise_threshold, monitor_addr_opt, pool.health_monitor.rise_threshold, monitor_addr_opt,
monitor_port_opt) %} monitor_port_opt) %}
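Review bot: The `pool.alpn_protocols is defined` guard added ahead of the `monitor_ssl_opt` block is also true for a key that is present but empty or None, and the rendered server line would then carry `check-alpn ` with no protocol list (or `check-alpn None`), which haproxy would presumably reject or misparse by taking `inter` as the list. If the pool dictionary can ever hold such a value (the code that fills it is not on this page), a truthiness test is safer: `{% if pool.alpn_protocols is defined and pool.alpn_protocols %}`. The value is also written into the configuration unescaped, so a template comment such as `{# alpn_protocols is validated by the API layer before it reaches this template #}` would record that assumption, if it holds. The enclosing macro starts and ends outside this hunk.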


@ -1331,11 +1331,11 @@ class TestHaproxyCfg(base.TestCase):
" timeout connect 5000\n" " timeout connect 5000\n"
" timeout server 50000\n" " timeout server 50000\n"
" server sample_member_id_1 10.0.0.99:82 weight 13 " " server sample_member_id_1 10.0.0.99:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_1 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n" "sample_member_id_1 {opts} alpn {alpn}\n"
" server sample_member_id_2 10.0.0.98:82 weight 13 " " server sample_member_id_2 10.0.0.98:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n\n").format( "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
maxconn=constants.HAPROXY_DEFAULT_MAXCONN, maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path + opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
" ciphers " + constants.CIPHERS_OWASP_SUITE_B + " ciphers " + constants.CIPHERS_OWASP_SUITE_B +
@ -1410,11 +1410,11 @@ class TestHaproxyCfg(base.TestCase):
" timeout connect 5000\n" " timeout connect 5000\n"
" timeout server 50000\n" " timeout server 50000\n"
" server sample_member_id_1 10.0.0.99:82 weight 13 " " server sample_member_id_1 10.0.0.99:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_1 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n" "sample_member_id_1 {opts} alpn {alpn}\n"
" server sample_member_id_2 10.0.0.98:82 weight 13 " " server sample_member_id_2 10.0.0.98:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n\n").format( "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
maxconn=constants.HAPROXY_DEFAULT_MAXCONN, maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path + opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
" ciphers " + constants.CIPHERS_OWASP_SUITE_B, " ciphers " + constants.CIPHERS_OWASP_SUITE_B,
@ -1450,11 +1450,11 @@ class TestHaproxyCfg(base.TestCase):
" timeout connect 5000\n" " timeout connect 5000\n"
" timeout server 50000\n" " timeout server 50000\n"
" server sample_member_id_1 10.0.0.99:82 weight 13 " " server sample_member_id_1 10.0.0.99:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_1 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n" "sample_member_id_1 {opts} alpn {alpn}\n"
" server sample_member_id_2 10.0.0.98:82 weight 13 " " server sample_member_id_2 10.0.0.98:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n\n").format( "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
maxconn=constants.HAPROXY_DEFAULT_MAXCONN, maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path + opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
" no-sslv3 no-tlsv10 no-tlsv11", " no-sslv3 no-tlsv10 no-tlsv11",
@ -1550,11 +1550,11 @@ class TestHaproxyCfg(base.TestCase):
" timeout connect 5000\n" " timeout connect 5000\n"
" timeout server 50000\n" " timeout server 50000\n"
" server sample_member_id_1 10.0.0.99:82 weight 13 " " server sample_member_id_1 10.0.0.99:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_1 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n" "sample_member_id_1 {opts} alpn {alpn}\n"
" server sample_member_id_2 10.0.0.98:82 weight 13 " " server sample_member_id_2 10.0.0.98:82 weight 13 "
"check inter 30s fall 3 rise 2 cookie sample_member_id_2 " "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
"{opts} alpn {alpn}\n\n").format( "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
maxconn=constants.HAPROXY_DEFAULT_MAXCONN, maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
opts="%s %s %s %s %s %s" % ( opts="%s %s %s %s %s %s" % (
"ssl", "crt", pool_client_cert, "ssl", "crt", pool_client_cert,
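Review bot: The four updated expectations in TestHaproxyCfg all pin the same shape, `check check-alpn {alpn} inter 30s fall 3 rise 2`, and this file section adds no new case, so the HTTPS health-monitor path named in the commit message appears to be untested together with ALPN. A case with an HTTPS monitor on an ALPN pool would pin the option order the template now produces, `check check-ssl verify none check-alpn {alpn} inter ...`, and would catch a later reordering of the two options in `hm_opt`. The test methods these hunks belong to start and end outside the shown lines.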


@ -0,0 +1,7 @@
---
fixes:
- |
Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN protocols in
the amphora-driver. The healthchecks sent by haproxy were flagged as bad
requests by the backend servers. Updated haproxy configuration to use ALPN
for the heathchecks too.