Re: All "server" settings supported on "default-server" lines

2017-03-30 Thread Emmanuel Hocdet
Hi Willy,

> On 29 Mar 2017 at 18:29, Willy Tarreau wrote:
> 
> Hi Manu,
> 
> On Wed, Mar 29, 2017 at 06:10:13PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy,
>> 
>>> On 27 Mar 2017 at 17:54, Willy Tarreau wrote:
>>> 
>>> Hi Manu,
>>> 
>>> On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
> I'm not much comfortable with the "sslv3" and so on as they easily read
> as "use sslv3 only" (for me at least) but we can get rid of them once we
> have everything needed with min-tls/max-tls, and if some users want to
> keep them anyway then we can complete the doc to mention explicitly what
> they do (ie: stop disabling support for sslv3). So that's no big deal.
> 
 
>>>> If I understand the needs, the parameters are to reset settings from the default
>>>> server.
>>> 
>>> Absolutely. The typical use case would be a defaults section setting the
>>> default server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server
>>> requires to run with one such version, and just for this we don't want to
>>> cancel the convenient default-server settings, so having a statement to say
>>> "go back to defaults for this one" is better.
>>> 
>>>> For ssl we could have 'ssl-all' and avoid any 'no', 'no-no' tls version ?
>>> 
>>> Maybe something like this. But I *tend* to think that once we have your
>>> min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
>>> it's probably bad to make an exception for certain keywords (and I tend
>>> to share his opinion on this one), so maybe over the long term we'll still
>>> have them with proper doc and possibly warnings suggesting a different
>>> syntax. After all, saying "I don't want to disable SSLv3 for this server"
>>> tends to imply you explicitly know you want it, so the value of having
>>> these confusing keywords might possibly be only to ensure users naturally
>>> find the keyword they're looking for without having to think too long.
>>> 
>> 
>> 
>> with:
>> force-tlv == min-tlv + max-tlv
> 
> This one I totally agree.
> 
>> no-tlv => obsolete (and no need (no-no) tlv)
> 
> We can't easily obsolete it since it's present in almost 100% of existing
> configs (at least for no-sslv3), so dropping it will postpone adoption
> which is bad for getting useful feedback. That's why I proposed that
> we only reject situations where no-tlsvX leaves a hole.
> 
>> default min-tlv and max-tlv can be overwritten on local definition.
> 
> Yes that was my previous point, they could be used to simply override
> the default-server setting even if this one used to have "no-sslv3"
> for example.
> 
>> So min-tlv, max-tlv (and force-tlv) could be the only useful parameters: tlv
>> and no-tlv can be removed from default server parameters.
> 
> Hmmm from default-server, that could make sense indeed since they were
> not used in the past.
> 
>> A no-tlv definition on server (compat) can work or generate warning if 'hole'
>> is detected.
> 
> I think we can go as far as an error if there's a hole since the situation
> seems to be mostly undefined today (from what I understand).

I went with a warning to start with, so as not to break configurations. OpenSSL works
with a hole, but keeps the lower or upper range (it depends).
no-tlsv12 works, but will generate a warning with tlsv1.3 in OpenSSL.

> So I think that we agree on all these in the end (note however, that it's tls,
> not tlv but that's a detail).
> 

We agree. (note: It’s the short name of tlsv, or I was tired :-D )

> Last point is that sslv3 has to have its name in the value. While there's
> a 2.1 offset between ssl and tls versions (tls 1.0 is ssl 3.1), I'd rather
> not put confusing SSL versions there nor invent fake TLS versions to name
> SSL (eg: tlsv0.9). Strictly speaking we should use only the SSL version
> since it's what is exchanged over the wire. Or we can say that version 0
> is SSLv3. So I'm open to suggestions here.
> 

No changes, keep the name in the version. It's just shorter to speak with tlsxx :).

++
Manu




Re: All "server" settings supported on "default-server" lines

2017-03-29 Thread Willy Tarreau
Hi Manu,

On Wed, Mar 29, 2017 at 06:10:13PM +0200, Emmanuel Hocdet wrote:
> Hi Willy,
> 
> > On 27 Mar 2017 at 17:54, Willy Tarreau wrote:
> > 
> > Hi Manu,
> > 
> > On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
> >>> I'm not much comfortable with the "sslv3" and so on as they easily read
> >>> as "use sslv3 only" (for me at least) but we can get rid of them once we
> >>> have everything needed with min-tls/max-tls, and if some users want to
> >>> keep them anyway then we can complete the doc to mention explicitly what
> >>> they do (ie: stop disabling support for sslv3). So that's no big deal.
> >>> 
> >> 
> >> If I understand the needs, the parameters are to reset settings from the default
> >> server.
> > 
> > Absolutely. The typical use case would be a defaults section setting the
> > default server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server
> > requires to run with one such version, and just for this we don't want to
> > cancel the convenient default-server settings, so having a statement to say
> > "go back to defaults for this one" is better.
> > 
> >> For ssl we could have 'ssl-all' and avoid any 'no', 'no-no' tls version ?
> > 
> > Maybe something like this. But I *tend* to think that once we have your
> > min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
> > it's probably bad to make an exception for certain keywords (and I tend
> > to share his opinion on this one), so maybe over the long term we'll still
> > have them with proper doc and possibly warnings suggesting a different
> > syntax. After all, saying "I don't want to disable SSLv3 for this server"
> > tends to imply you explicitly know you want it, so the value of having
> > these confusing keywords might possibly be only to ensure users naturally
> > find the keyword they're looking for without having to think too long.
> > 
> 
> 
> with:
> force-tlv == min-tlv + max-tlv

This one I totally agree.

> no-tlv => obsolete (and no need (no-no) tlv)

We can't easily obsolete it since it's present in almost 100% of existing
configs (at least for no-sslv3), so dropping it will postpone adoption
which is bad for getting useful feedback. That's why I proposed that
we only reject situations where no-tlsvX leaves a hole.

> default min-tlv and max-tlv can be overwritten on local definition.

Yes that was my previous point, they could be used to simply override
the default-server setting even if this one used to have "no-sslv3"
for example.

> So min-tlv, max-tlv (and force-tlv) could be the only useful parameters: tlv
> and no-tlv can be removed from default server parameters.

Hmmm from default-server, that could make sense indeed since they were
not used in the past.

> A no-tlv definition on server (compat) can work or generate warning if 'hole'
> is detected.

I think we can go as far as an error if there's a hole since the situation
seems to be mostly undefined today (from what I understand).

So I think that we agree on all these in the end (note however, that it's tls,
not tlv but that's a detail).

Last point is that sslv3 has to have its name in the value. While there's
a 2.1 offset between ssl and tls versions (tls 1.0 is ssl 3.1), I'd rather
not put confusing SSL versions there nor invent fake TLS versions to name
SSL (eg: tlsv0.9). Strictly speaking we should use only the SSL version
since it's what is exchanged over the wire. Or we can say that version 0
is SSLv3. So I'm open to suggestions here.

Cheers,
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-29 Thread Emmanuel Hocdet
Hi Willy,

> On 27 Mar 2017 at 17:54, Willy Tarreau wrote:
> 
> Hi Manu,
> 
> On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
>>> I'm not much comfortable with the "sslv3" and so on as they easily read
>>> as "use sslv3 only" (for me at least) but we can get rid of them once we
>>> have everything needed with min-tls/max-tls, and if some users want to
>>> keep them anyway then we can complete the doc to mention explicitly what
>>> they do (ie: stop disabling support for sslv3). So that's no big deal.
>>> 
>> 
>> If I understand the needs, the parameters are to reset settings from the default
>> server.
> 
> Absolutely. The typical use case would be a defaults section setting the
> default server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server
> requires to run with one such version, and just for this we don't want to
> cancel the convenient default-server settings, so having a statement to say
> "go back to defaults for this one" is better.
> 
>> For ssl we could have 'ssl-all' and avoid any 'no', 'no-no' tls version ?
> 
> Maybe something like this. But I *tend* to think that once we have your
> min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
> it's probably bad to make an exception for certain keywords (and I tend
> to share his opinion on this one), so maybe over the long term we'll still
> have them with proper doc and possibly warnings suggesting a different
> syntax. After all, saying "I don't want to disable SSLv3 for this server"
> tends to imply you explicitly know you want it, so the value of having
> these confusing keywords might possibly be only to ensure users naturally
> find the keyword they're looking for without having to think too long.
> 


with:
force-tlv == min-tlv + max-tlv
no-tlv => obsolete (and no need (no-no) tlv)
default min-tlv and max-tlv can be overwritten on local definition.

So min-tlv, max-tlv (and force-tlv) could be the only useful parameters: tlv
and no-tlv can be removed from default server parameters.
A no-tlv definition on server (compat) can work or generate warning if 'hole'
is detected.

++
Manu





Re: All "server" settings supported on "default-server" lines

2017-03-27 Thread Willy Tarreau
Hi Manu,

On Mon, Mar 27, 2017 at 05:46:46PM +0200, Emmanuel Hocdet wrote:
> > I'm not much comfortable with the "sslv3" and so on as they easily read
> > as "use sslv3 only" (for me at least) but we can get rid of them once we
> > have everything needed with min-tls/max-tls, and if some users want to
> > keep them anyway then we can complete the doc to mention explicitly what
> > they do (ie: stop disabling support for sslv3). So that's no big deal.
> > 
> 
> If I understand the needs, the parameters are to reset settings from the default
> server.

Absolutely. The typical use case would be a defaults section setting the default
server with "no-sslv3 no-tlsv10 no-tlsv11" but one local server requires to run
with one such version, and just for this we don't want to cancel the convenient
default-server settings, so having a statement to say "go back to defaults for
this one" is better.

> For ssl we could have 'ssl-all' and avoid any 'no', 'no-no' tls version ?

Maybe something like this. But I *tend* to think that once we have your
min-tls/max-tls it could be a no-brainer. Emeric told me he thinks that
it's probably bad to make an exception for certain keywords (and I tend
to share his opinion on this one), so maybe over the long term we'll still
have them with proper doc and possibly warnings suggesting a different
syntax. After all, saying "I don't want to disable SSLv3 for this server"
tends to imply you explicitly know you want it, so the value of having
these confusing keywords might possibly be only to ensure users naturally
find the keyword they're looking for without having to think too long.

cheers,
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-27 Thread Willy Tarreau
On Fri, Mar 24, 2017 at 12:20:45PM +0100, Willy Tarreau wrote:
> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
> > Hello HAProxy ML,
> > 
> > I am starting this new thread to publish a series of patches to make
> > all "server" settings be supported on "default-server" lines.
> (...)
> 
> Fred, that's overall very clean stuff, thank you. I've already
> applied the first 7 ones. I'll postpone the SSL ones to the end so that
> we know what to do once Emeric and Manu have found a solution which
> satisfies them both :-)

OK in the end I realized that taking the SSL stuff later would only
complicate things both for you and for Manu/Emeric so I preferred to
take everything now even if some of these have to be adjusted later.

I'm not much comfortable with the "sslv3" and so on as they easily read
as "use sslv3 only" (for me at least) but we can get rid of them once we
have everything needed with min-tls/max-tls, and if some users want to
keep them anyway then we can complete the doc to mention explicitly what
they do (ie: stop disabling support for sslv3). So that's no big deal.

Thanks Fred!
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-24 Thread Willy Tarreau
On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
> Hello HAProxy ML,
> 
> I am starting this new thread to publish a series of patches to make
> all "server" settings be supported on "default-server" lines.
(...)

Fred, that's overall very clean stuff, thank you. I've already
applied the first 7 ones. I'll postpone the SSL ones to the end so that
we know what to do once Emeric and Manu have found a solution which
satisfies them both :-)

Will keep you updated.

Thanks,
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Emmanuel Hocdet

> On 23 Mar 2017 at 12:25, Willy Tarreau wrote:
> 
> On Thu, Mar 23, 2017 at 11:26:50AM +0100, Emmanuel Hocdet wrote:
>> Emeric's suggestion is not on the ML.
> 
> I transcribed it in the other e-mail of this same thread.
> 
>> If no- and force- are defined as deprecated it can make a difference.
>> I'm not used to seeing this kind of proposal for haproxy configuration ;-)
> 
> The purpose is not to deprecate them but to "emulate" them and only
> to deprecate those causing trouble.
> 
Ok, this is what I propose.

>> (for the hole, openssl low leveling the range:  no-tlsv1.1 become max-tlsv1.0)
> 
> Here for me, no-tlsv1.1 alone would be rejected because it's ambiguous as it
> either means max-tlsv1.0 or min-tlsv1.2. However if you have :
> 

I agree, haproxy should, at least, warn in this case.
It’s in my todo, waiting for more feedback on my patches.

>    no-sslv3 no-tlsv1.0 no-tlsv1.1
> 
> Then there's no ambiguity, only tlsv1.2 remains. Conversely :
> 
>    no-tlsv1.1 no-tlsv1.2
> 
> Restricts us to sslv3 and tlsv1.0.
> 
> So in fact we know the bounds we support and we convert a contiguous range
> into a min+max. Discontinuities are rejected and it should not be a problem.
> Emeric told me that he knows some deployments where people rejected recent
> versions due to interoperability issues, but there's no reason for blocking
> only a middle version and not either older or newer ones.
> 
Yep, perhaps continue to discuss in the threads with my patches.

> I know Emeric is busy at the moment so I don't expect him to read this
> thread yet :-)
> 


Manu




Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Willy Tarreau
On Thu, Mar 23, 2017 at 11:26:50AM +0100, Emmanuel Hocdet wrote:
> Emeric's suggestion is not on the ML.

I transcribed it in the other e-mail of this same thread.

> If no- and force- are defined as deprecated it can make a difference.
> I'm not used to seeing this kind of proposal for haproxy configuration ;-)

The purpose is not to deprecate them but to "emulate" them and only
to deprecate those causing trouble.

> (for the hole, openssl low leveling the range:  no-tlsv1.1 become max-tlsv1.0)

Here for me, no-tlsv1.1 alone would be rejected because it's ambiguous as it
either means max-tlsv1.0 or min-tlsv1.2. However if you have :

no-sslv3 no-tlsv1.0 no-tlsv1.1

Then there's no ambiguity, only tlsv1.2 remains. Conversely :

no-tlsv1.1 no-tlsv1.2

Restricts us to sslv3 and tlsv1.0.

So in fact we know the bounds we support and we convert a contiguous range
into a min+max. Discontinuities are rejected and it should not be a problem.
Emeric told me that he knows some deployments where people rejected recent
versions due to interoperability issues, but there's no reason for blocking
only a middle version and not either older or newer ones.

I know Emeric is busy at the moment so I don't expect him to read this
thread yet :-)

Willy
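The "contiguous range into min+max, reject discontinuities" rule Willy describes above, together with the earlier point that a server line can override a default-server range, as an added example in C; this is not HAProxy code, and resolve_line, tls_range and the "version 0 is SSLv3" indexing are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not HAProxy code: the "no-XXX -> min/max range" conversion
 * discussed in the thread. Versions are indexed in wire order; index 0 = SSLv3
 * follows the "version 0 is SSLv3" idea floated in the thread.
 */
#define NVER 4
static const char *const kw_name[NVER]  = { "sslv3", "tlsv10", "tlsv11", "tlsv12" };
/* Argument spellings for "min-tls"/"max-tls" (assumption: "sslv3" for SSLv3,
 * since the thread leaves that name open). */
static const char *const arg_name[NVER] = { "sslv3", "1.0", "1.1", "1.2" };

enum range_status { RANGE_OK = 0, RANGE_HOLE, RANGE_EMPTY, RANGE_BAD_KW };

struct tls_range { int min, max; };   /* inclusive indices into kw_name */

static int lookup(const char *const *names, const char *s)
{
    if (!s)
        return -1;
    for (int i = 0; i < NVER; i++)
        if (strcmp(s, names[i]) == 0)
            return i;
    return -1;
}

/*
 * Resolve the SSL version keywords of one "server" (or "default-server") line
 * against the range it inherits:
 *   "no-<ver>"     removes one version from the inherited range
 *   "force-<ver>"  collapses the range to min = max = <ver>
 *   "min-tls <v>" / "max-tls <v>" replace one bound outright, so a server
 *                  line can re-enable what the default-server line disabled
 * The surviving set must be non-empty and contiguous: "no-tlsv11" alone leaves
 * 1.0 and 1.2 enabled with a hole between them and is reported as ambiguous.
 * Only SSL version keywords are understood here; anything else is RANGE_BAD_KW.
 */
static enum range_status resolve_line(const struct tls_range *inherited,
                                      const char *line, struct tls_range *out)
{
    char buf[256];
    int lo = inherited->min, hi = inherited->max;
    unsigned disabled = 0;

    snprintf(buf, sizeof(buf), "%s", line);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int v;
        if (!strncmp(tok, "no-", 3) && (v = lookup(kw_name, tok + 3)) >= 0)
            disabled |= 1u << v;
        else if (!strncmp(tok, "force-", 6) && (v = lookup(kw_name, tok + 6)) >= 0)
            lo = hi = v;
        else if (!strcmp(tok, "min-tls") && (v = lookup(arg_name, strtok(NULL, " \t"))) >= 0)
            lo = v;
        else if (!strcmp(tok, "max-tls") && (v = lookup(arg_name, strtok(NULL, " \t"))) >= 0)
            hi = v;
        else
            return RANGE_BAD_KW;
    }

    /* Walk the candidate range skipping disabled versions, then check that
     * what survives is a single contiguous block. */
    int first = -1, last = -1, count = 0;
    for (int v = lo; v <= hi && v < NVER; v++) {
        if (disabled & (1u << v))
            continue;
        if (first < 0)
            first = v;
        last = v;
        count++;
    }
    if (count == 0)
        return RANGE_EMPTY;
    if (count != last - first + 1)
        return RANGE_HOLE;
    out->min = first;
    out->max = last;
    return RANGE_OK;
}

/* Demo with the exact lines discussed in the thread. */
int main(void)
{
    static const char *const lines[] = {
        "no-tlsv11",                       /* hole: rejected */
        "no-sslv3 no-tlsv10 no-tlsv11",    /* only tlsv12 remains */
        "no-tlsv11 no-tlsv12",             /* sslv3 .. tlsv10 */
    };
    struct tls_range all = { 0, NVER - 1 }, r;

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        enum range_status st = resolve_line(&all, lines[i], &r);
        if (st == RANGE_OK)
            printf("%-30s -> min-tls %s max-tls %s\n", lines[i], arg_name[r.min], arg_name[r.max]);
        else
            printf("%-30s -> %s\n", lines[i], st == RANGE_HOLE ? "rejected: hole in range" :
                   st == RANGE_EMPTY ? "rejected: no version left" : "unknown keyword");
    }
    return 0;
}
```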



Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Frederic Lecaille

On 03/23/2017 12:03 PM, Frederic Lecaille wrote:

On 03/21/2017 07:54 PM, Frederic Lecaille wrote:


[snipped]


At this time, as "id" remains the only setting supported by "server" alone,
the patch attached to this mail now produces these error messages:

[ALERT] 081/111458 (12190) : parsing [haproxy.cfg:97] : 'server srv1'
unknown keyword 'foo'. Registered keywords :
[ SSL] ca-file 
[ SSL] check-ssl
[ SSL] ciphers 
[ SSL] crl-file 
[ SSL] crt 
[ SSL] force-sslv3
[ SSL] force-tlsv10
.
.
[snipped]
.
[ ALL] id  [server_only]
[ ALL] namespace 
[ ALL] no-agent-check
[ ALL] no-backup [dflt_ok]


ooop! wrong copy and paste... well remove this previous line...




Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Frederic Lecaille

On 03/21/2017 07:54 PM, Frederic Lecaille wrote:

Hello HAProxy ML,

I am starting this new thread to publish a series of patches to make
all "server" settings be supported on "default-server" lines.

This is a preliminary work for "server templates" feature.

New boolean settings have been added to disable others. Most of them
have "no-" as prefix.


[snipped]


So, from now on, all server "settings" are supported by "default-server"
except "id" which is only supported on "server" lines.


Before all these patches, if an unknown "foo" keyword was provided on
"default-server" or "server" lines, such error messages were displayed:


[ALERT] 081/110011 (11626) : parsing [haproxy.cfg:97] : 'server srv1' 
unknown keyword 'foo'. Registered keywords :

[ ALL] id 
[ TCP] tcp-ut 
[ SSL] ca-file 
.
.
etc.

[ALERT] 081/110011 (11626) : Error(s) found in configuration file : 
haproxy.cfg

[ALERT] 081/110011 (11626) : Fatal errors found in configuration.

Only the keywords registered by srv_register_keywords() in the 'srv_kwst list
were displayed.


Most of this thread's patches register new keywords in this list.

So now, the new error messages are:

[ALERT] 081/111458 (12190) : parsing [haproxy.cfg:97] : 'server srv1' 
unknown keyword 'foo'. Registered keywords :

[ SSL] ca-file  [dflt_ok]
[ SSL] check-ssl [dflt_ok]
[ SSL] ciphers  [dflt_ok]
[ SSL] crl-file  [dflt_ok]
[ SSL] crt  [dflt_ok]
[ SSL] force-sslv3 [dflt_ok]
[ SSL] force-tlsv10 [dflt_ok]
.
.
[snipped]
.
[ ALL] id 
[ ALL] namespace  [dflt_ok]
[ ALL] no-agent-check [dflt_ok]
[ ALL] no-backup [dflt_ok]

From my point of view, this is not acceptable to flag all these 
settings as supported on "default-server" lines.


At this time, as "id" remains the only setting supported by "server" alone,
the patch attached to this mail now produces these error messages:


[ALERT] 081/111458 (12190) : parsing [haproxy.cfg:97] : 'server srv1' 
unknown keyword 'foo'. Registered keywords :

[ SSL] ca-file 
[ SSL] check-ssl
[ SSL] ciphers 
[ SSL] crl-file 
[ SSL] crt 
[ SSL] force-sslv3
[ SSL] force-tlsv10
.
.
[snipped]
.
[ ALL] id  [server_only]
[ ALL] namespace 
[ ALL] no-agent-check
[ ALL] no-backup [dflt_ok]


It does not make sense to backport this patch. It is only supposed to be
used to fix the boring error messages this thread patches introduced.


From 94f81538cc6b9f042800b47bb57cc5e1e4a9ee24 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Thu, 23 Mar 2017 11:39:10 +0100
Subject: [PATCH] MINOR: server: Display only server keywords which are only
 supported on "server" lines.

When displaying error messages when parsing unknown "server" keywords,
in place of flagging keywords which are also supported on "default-server" lines,
and as in the future almost all "server" settings will be supported by "default-server",
this patch makes the error message handlers flag only keywords which are only
supported on server lines.

Does not make sense to be backported.
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 5589723..1b02ee5 100644
--- a/src/server.c
+++ b/src/server.c
@@ -206,7 +206,7 @@ void srv_dump_kws(char **out)
   kwl->scope,
   kwl->kw[index].kw,
   kwl->kw[index].skip ? " " : "",
-  kwl->kw[index].default_ok ? " [dflt_ok]" : "",
+  kwl->kw[index].default_ok ? "" : " [server_only]",
   kwl->kw[index].parse ? "" : " (not supported)");
 			}
 		}
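Review bot: flipping the ternary to `kwl->kw[index].default_ok ? "" : " [server_only]"` silently changes what the list communicates, yet nothing in the surrounding message tells the reader what "[server_only]" means; the "Registered keywords :" header printed before this loop (or the documentation of the keyword dump) should define the new marker, since the old "[dflt_ok]" marker is gone from the output entirely. The second sample dump earlier in this mail still ends with "[ ALL] no-backup [dflt_ok]", which this code can no longer produce, so the examples in the mail and the commit message should be brought in line with the actual output of srv_dump_kws.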
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-23 Thread Emmanuel Hocdet

> On 22 Mar 2017 at 22:58, Willy Tarreau wrote:
> 
> On Wed, Mar 22, 2017 at 05:30:09PM +0100, Emmanuel Hocdet wrote:
>> I have patches sent in the ML which change the internal implementation of
>> no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
>> It could simplify (or not)  what you want to do, but there will be an impact
>> on your patches if they are accepted.
> 
> Yes, as I said in the other mail I think that's on a good track but as
> Emeric suggested we'd rather have them provide an argument instead of
> using the keyword name, that will make it much easier to process. We
> can still support most older valid use cases and use warnings to explain
> how to convert that to the new mode (if really needed, not even sure) and
> emit errors explaining what to do for the situations that openssl does
> not support anymore (holes in the range).
> 

Emeric's suggestion is not on the ML.
If no- and force- are defined as deprecated it can make a difference.
I'm not used to seeing this kind of proposal for haproxy configuration ;-)
(for the hole, openssl low leveling the range:  no-tlsv1.1 become max-tlsv1.0)

++
Manu





Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Willy Tarreau
On Wed, Mar 22, 2017 at 05:30:09PM +0100, Emmanuel Hocdet wrote:
> I have patches sent in the ML which change the internal implementation of
> no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
> It could simplify (or not)  what you want to do, but there will be an impact
> on your patches if they are accepted.

Yes, as I said in the other mail I think that's on a good track but as
Emeric suggested we'd rather have them provide an argument instead of
using the keyword name, that will make it much easier to process. We
can still support most older valid use cases and use warnings to explain
how to convert that to the new mode (if really needed, not even sure) and
emit errors explaining what to do for the situations that openssl does
not support anymore (holes in the range).

Cheers,
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Willy Tarreau
On Wed, Mar 22, 2017 at 09:32:01PM +0100, Frederic Lecaille wrote:
> > (...)
> > > "sslv2" disables "no-sslv3",
> > > "ssl-reuse" disables "no-ssl-reuse",
> > > "stick" disables "non-stick",
> > > "tlsv10" disables "no-tlsv10",
> > > "tlsv11" disables "no-tlsv11",
> > > "tlsv12" disables "no-tlsv12",
> > > "tls-tickets" disables "no-tls-tickets".
> > 
> > Hmmm I hadn't thought about these ones, I suspect they'll cause more
> > confusion than anything else, especially given that the "tlsv11" above
> > cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
> > discuss this with Emeric, he's already scratching his head around these
> > ones without these double negations, he will hate us now :-)
> 
> 
> Yes I agree. I should have asked about this before posting.

No, quite the opposite, it's much better to open the discussion here with
more people sharing ideas.

> But from my
> point of view this is only a naming issue which may be easily fixed.

Definitely, yes.

> Why not add synonyms prefixed by "disallow-" for the existing "no(n)-*"
> options, and rename my silly new options to "allow-*"?
> 
> Or with "forbid(permit)-*" prefix (suffix)?

The thing is that we already use "no" for many other options to disable
the effect of a possible default setting. And we were not the first ones,
due to some network vendors having been doing this over the last 25 years,
most network equipment also uses "no" to disable a default statement :-)

> Anything else?
> 
> "no-force-*" is not very English, even for me ;)
> Could be replaced by "do-not-force-*" but it's quite long.

We do have some "dont" (abbreviated) at some places. The rule with "no-"
in front of any keyword is easier to remember even when it causes some
strange wording than having better sounding names for some exceptions.
And this discussion is a perfect example, users will see that "no-" fails
and wonder "ah what's the f*cking prefix for this one".

The real trouble in my opinion really is the "foo" to cancel the "no-foo"
statements whose goal was to disable foo already. Taking sslv3 as an
example, by default it's enabled. By setting "no-sslv3" in a default-server
we disable it for all servers. And if we don't want to disable it for a
given server, that would not be "sslv3" which would make one think we
want to force it, and the theoretical "no-no-sslv3" doesn't parse well
either. It could be "enable-sslv3" for example.

But given that there's currently a discussion ongoing between Manu and
Emeric regarding how to deal with long-term SSL versions, it's very
possible that the outcome of their head-scratching sessions will bring
the solution. I've seen them suggest min- and max- to set version ranges,
that could then easily solve the problem by suggesting that we deprecate
the use of no-sslv3 or no-tlsv1 in favor of these names with explicit
arguments.

One (short) discussion I had with Emeric already went into that direction,
we realized that Manu's min- and max- suggestion would solve a lot of problems
with some adjustments and would still allow us to support most valid existing
no-ssl-XYZ setups by converting them to an internal min+max range and map
"force-ssl-xyz" to min=max=xyz, that would ease config transitions and
reject unsupported configs opening holes (eg: no-tlsv11 when upper and
lower ones are still supported).

Emeric also suggested that in order to avoid the trouble of adding many
keywords and making parsers painful for API developers, instead of having,
say, min-tls11 we could in fact have "min-tls 1.1" with 1.1 being an
argument. As you have noticed, by playing like this we automatically
remove the need for "no-no-tls11" and "no-force-tls11" for example since
min-tls / max-tls can override them :-)

Thus I'm really not worried for these ones, what matters is that everyone
can configure what they need in a safe and durable way.

Cheers,
Willy



Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Frederic Lecaille

On 03/22/2017 05:30 PM, Emmanuel Hocdet wrote:

Hi Fred,


Hi Emmanuel,


On 21 Mar 2017 at 23:14, Willy Tarreau wrote:
On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:

Hello HAProxy ML,

I am starting this new thread to publish a series of patches to make
all "server" settings be supported on "default-server" lines.

This is a preliminary work for "server templates" feature.

New boolean settings have been added to disable others. Most of them
have "no-" as prefix.

(...)

Wow I didn't realize you had already done all this! That's really cool!



I agree :)


Here is an exhaustive list:

(...)

"sslv2" disables "no-sslv3",
"ssl-reuse" disables "no-ssl-reuse",
"stick" disables "non-stick",
"tlsv10" disables "no-tlsv10",
"tlsv11" disables "no-tlsv11",
"tlsv12" disables "no-tlsv12",
"tls-tickets" disables "no-tls-tickets".


Hmmm I hadn't thought about these ones, I suspect they'll cause more
confusion than anything else, especially given that the "tlsv11" above
cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
discuss this with Emeric, he's already scratching his head around these
ones without these double negations, he will hate us now :-)


I have patches sent in the ML which change the internal implementation of
no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
It could simplify (or not)  what you want to do, but there will be an impact on 
your patches if they are accepted.

++
Manu



Ok. Thank you for this information Emmanuel,

Fred





Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Frederic Lecaille

On 03/21/2017 11:14 PM, Willy Tarreau wrote:

Hi Fred!


Hello Willy,


On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:

Hello HAProxy ML,

I am starting this new thread to publish a series of patches to make
all "server" settings be supported on "default-server" lines.

This is a preliminary work for "server templates" feature.

New boolean settings have been added to disable others. Most of them
have "no-" as prefix.

(...)

Wow I didn't realize you had already done all this! That's really cool!


Here is an exhaustive list:

(...)

"sslv2" disables "no-sslv3",
"ssl-reuse" disables "no-ssl-reuse",
"stick" disables "non-stick",
"tlsv10" disables "no-tlsv10",
"tlsv11" disables "no-tlsv11",
"tlsv12" disables "no-tlsv12",
"tls-tickets" disables "no-tls-tickets".


Hmmm I hadn't thought about these ones, I suspect they'll cause more
confusion than anything else, especially given that the "tlsv11" above
cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
discuss this with Emeric, he's already scratching his head around these
ones without these double negations, he will hate us now :-)



Yes I agree. I should have asked about this before posting. But from my
point of view this is only a naming issue which may be easily fixed.


Why not add synonyms prefixed by "disallow-" for the existing
"no(n)-*" options, and rename my silly new options to "allow-*"?


Or with "forbid(permit)-*" prefix (suffix)?

Anything else?

"no-force-*" is not very English, even for me ;)
Could be replaced by "do-not-force-*" but it's quite long.





Re: All "server" settings supported on "default-server" lines

2017-03-22 Thread Emmanuel Hocdet
Hi Fred,

> On 21 Mar 2017 at 23:14, Willy Tarreau wrote:
> On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
>> Hello HAProxy ML,
>> 
>> I am starting this new thread to publish a series of patches to make
>> all "server" settings be supported on "default-server" lines.
>> 
>> This is a preliminary work for "server templates" feature.
>> 
>> New boolean settings have been added to disable others. Most of them
>> have "no-" as prefix.
> (...)
> 
> Wow I didn't realize you had already done all this! That's really cool!
> 

I agree :)

>> Here is an exhaustive list:
> (...)
>> "sslv2" disables "no-sslv3",
>> "ssl-reuse" disables "no-ssl-reuse",
>> "stick" disables "non-stick",
>> "tlsv10" disables "no-tlsv10",
>> "tlsv11" disables "no-tlsv11",
>> "tlsv12" disables "no-tlsv12",
>> "tls-tickets" disables "no-tls-tickets".
> 
> Hmmm I hadn't thought about these ones, I suspect they'll cause more
> confusion than anything else, especially given that the "tlsv11" above
> cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
> discuss this with Emeric, he's already scratching his head around these
> ones without these double negations, he will hate us now :-)
> 
I have patches sent in the ML which change the internal implementation of
no/force-tlsxx and add min/max-tlsxx (which can replace no/force usage).
It could simplify (or not)  what you want to do, but there will be an impact on 
your patches if they are accepted.

++
Manu




Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Willy Tarreau
Hi Fred!

On Tue, Mar 21, 2017 at 07:54:30PM +0100, Frederic Lecaille wrote:
> Hello HAProxy ML,
> 
> I am starting this new thread to publish a series of patches to make
> all "server" settings be supported on "default-server" lines.
> 
> This is a preliminary work for "server templates" feature.
> 
> New boolean settings have been added to disable others. Most of them
> have "no-" as prefix.
(...)

Wow I didn't realize you had already done all this! That's really cool!

> Here is an exhaustive list:
(...)
> "sslv3" disables "no-sslv3",
> "ssl-reuse" disables "no-ssl-reuse",
> "stick" disables "non-stick",
> "tlsv10" disables "no-tlsv10",
> "tlsv11" disables "no-tlsv11",
> "tlsv12" disables "no-tlsv12",
> "tls-tickets" disables "no-tls-tickets".

Hmmm I hadn't thought about these ones, I suspect they'll cause more
confusion than anything else, especially given that the "tlsv11" above
cancelling "no-tlsv11" is not the same as "force-tlsv11". We need to
discuss this with Emeric, he's already scratching his head around these
ones without these double negations, he will hate us now :-)

> Furthermore, some settings with arguments are from now on supported by
> "default-server" directive:
> 
> "addr", "ca-file", "ciphers", "crl-file", "crt", "cookie", "namespace",
> "observe", "redir", "sni", "source", "tcp-ut" and "track".
> 
> The documentation has been updated accordingly.
> 
> So, from now on, all server "settings" are supported by "default-server"

That's really cool. I'm going to check all this ASAP (everyone is welcome
to help, there's so much stuff!).

> except "id" which is only supported on "server" lines.

Good point!

Thanks!
Willy
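
To make the distinction Willy draws above concrete, here is an added configuration example. It is not from this thread nor from the HAProxy tree; it assumes the reset keywords from Fred's series are applied (a bare "tlsv11" on a "server" line cancelling an inherited "no-tlsv11"), and the backend name, addresses and CA path are placeholders.

```haproxy
# Added example, not from the patch series. Assumes the "tlsv11" reset
# keyword from this series is available on "server" lines.
backend app
    # Defaults for every server below: TLS to the backend, certificate
    # verified against a placeholder CA bundle, SSLv3/TLS 1.0/TLS 1.1 off,
    # so only TLS 1.2 can be negotiated.
    default-server ssl verify required ca-file /etc/haproxy/backend-ca.pem no-sslv3 no-tlsv10 no-tlsv11

    # Inherits the defaults unchanged: TLS 1.2 only.
    server app1 10.0.0.11:443

    # "tlsv11" only cancels the inherited "no-tlsv11": this server may
    # negotiate TLS 1.1 *or* 1.2, nothing is forced.
    server legacy 10.0.0.12:443 tlsv11

    # "force-tlsv11" is a different statement: the handshake is pinned to
    # TLS 1.1 and 1.2 is never offered. The inherited prohibition is
    # cancelled explicitly first; how "no-tlsv11" and "force-tlsv11" on the
    # same server interact is exactly what Manu's min/max rework touches,
    # so do not rely on one silently winning over the other.
    server pinned 10.0.0.13:443 tlsv11 force-tlsv11
```

The scope is what a reviewer should look at: the weaker protocol version is re-enabled for exactly one backend server, and the "default-server" line keeps protecting the others, which is the "go back to defaults for this one" construct discussed in the thread. Pinning with "force-*" additionally gives up the ability to negotiate TLS 1.2, so it only belongs on a peer that genuinely speaks nothing else.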



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From b2b7b543da9c46b23c27672ed567d77df254848f Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Tue, 21 Mar 2017 18:52:12 +0100
Subject: [PATCH 31/31] DOC: server: Add docs for "server" and "default-server"
 new "no-*" and other settings.

New boolean settings have been added to disable others. Most of them have "no-" as prefix.

"enabled" disables "disabled" setting,
"no-agent-check" disables "agent-check",
"no-backup" disables "backup",
"no-check" disables "check",
"no-check-ssl" disables "check-ssl",
"no-force-sslv3" disables "force-sslv3",
"no-force-tlsv10" disables "force-tlsv10",
"no-force-tlsv11" disables "force-tlsv11",
"no-force-tlsv12" disables "force-tlsv12",
"no-send-proxy" disables "send-proxy",
"no-send-proxy-v2" disables "send-proxy-v2",
"no-send-proxy-v2-ssl" disables "send-proxy-v2-ssl",
"no-send-proxy-v2-ssl-cn" disables "send-proxy-v2-ssl-cn",
"no-ssl" disables "ssl",
"no-verifyhost" disables "verifyhost",
"sslv3" disables "no-sslv3",
"ssl-reuse" disables "no-ssl-reuse",
"stick" disables "non-stick",
"tlsv10" disables "no-tlsv10",
"tlsv11" disables "no-tlsv11",
"tlsv12" disables "no-tlsv12",
"tls-tickets" disables "no-tls-tickets".

Settings with arguments are now supported on "default-server" lines:

"addr", "ca-file", "ciphers", "crl-file", "crt", "cookie", "namespace", "observe",
"redir", "sni", "source", "tcp-ut" and "track".

From now on, all server "settings" including the new ones above are supported by
"default-server" except "id" which is only supported on "server" lines.
---
 doc/configuration.txt | 306 +-
 1 file changed, 181 insertions(+), 125 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 73a4f4b..0241ab1 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10639,6 +10639,9 @@ address if they are used:
   server  [:port] [settings ...]
   default-server [settings ...]
 
+Note that all these settings are supported both by "server" and "default-server"
+keywords, except "id" which is only supported by "server".
+
 The currently supported settings are the following ones.
 
 addr 
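Review bot: missing documentation in this hunk: the new note tells the reader that every setting but "id" is accepted on "default-server", but nowhere does the doc state what the "no-*" family is for, namely that a boolean inherited from a "default-server" line can only be cancelled on an individual "server" line with its "no-*" counterpart (and an inherited "no-*" default with the bare keyword). One sentence after 'except "id" which is only supported by "server".' saying exactly that would spare readers the per-keyword hunt through the list in the commit message.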
@@ -10649,8 +10652,6 @@ addr 
   This parameter is ignored if the "check" parameter is not set. See also the
   "port" parameter.
 
-  Supported in default-server: No
-
 agent-check
   Enable an auxiliary agent check which is run independently of a regular
   health check. An agent health check is performed by making a TCP connection
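Review bot: the sentence kept as context, 'This parameter is ignored if the "check" parameter is not set.', is no longer accurate: srv_parse_addr in 28/31 stores the address in both newsrv->check.addr and newsrv->agent.addr and raises SRV_F_AGENTADDR, and its keyword table entry reads 'IP address to send health to or to probe from agent-check'. Since this entry is being edited anyway, reword it to say the address is used by "check" and by "agent-check" and ignored when neither is set.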
@@ -10710,9 +10711,7 @@ agent-check
   force an agent's result in order to work around a bogus agent if needed.
 
   Requires the "agent-port" parameter to be set. See also the "agent-inter"
-  parameter.
-
-  Supported in default-server: No
+  and "no-agent-check" parameters.
 
 agent-send 
   If this option is specified, haproxy will send the given string (verbatim)
@@ -10737,8 +10736,6 @@ agent-inter 
 
   See also the "agent-check" and "agent-port" parameters.
 
-  Supported in default-server: Yes
-
 agent-addr 
   The "agent-addr" parameter sets address for agent check.
 
@@ -10752,25 +10749,19 @@ agent-port 
 
   See also the "agent-check" and "agent-inter" parameters.
 
-  Supported in default-server: Yes
-
 backup
   When "backup" is present on a server line, the server is only used in load
   balancing when all other non-backup servers are unavailable. Requests coming
   with a persistence cookie referencing the server will always be served
   though. By default, only the first operational backup server is used, unless
-  the "allbackups" option is set in the backend. See also the "allbackups"
-  option.
-
-  Supported in default-server: No
+  the "allbackups" option is set in the backend. See also the "no-backup" and
+  "allbackups" options.
 
 ca-file 
   This setting is only available when support for OpenSSL was built in. It
   designates a PEM file from which to load CA certificates used to verify
   server's certificate.
 
-  Supported in default-server: No
-
 check
   This option enables health checks on the server. By default, a server is
   always considered available. If "check" is set, the server is available when
@@ -10782,9 +10773,8 @@ check
   address, and the interval and timers using the "inter", "rise" and "fall"
   parameters. The request method is define in the backend using the "httpchk",
   "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please
-  refer to those options and parameters for more information.
-
-  Supported in default-server: No
+  refer to those options and parameters for more information. See also
+  "no-check" option.
 
 check-send-proxy
   This option forces emission of a PROXY protocol line with outgoing health
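Review bot: style point on the added cross-reference 'See also "no-check" option.': the neighbouring entries written in this same patch read 'See also the "no-backup" and "allbackups" options.' and 'See also the "agent-inter" and "no-agent-check" parameters.'; make it 'See also the "no-check" option.' so the entries read alike.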
@@ -10795,8 +10785,6 @@ check-send-proxy
   "check-send-proxy" option needs to be 

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From d749c16ea9a94354998b853233b7558007bff4fc Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Tue, 21 Mar 2017 11:53:54 +0100
Subject: [PATCH 29/31] MINOR: server: Make 'default-server' support 'disabled'
 keyword.

Before this patch, only 'server' directives could support the 'disabled' setting.
This patch makes 'default-server' directives support this setting as well.
It is used to disable a list of servers declared after a 'default-server' directive.
A new 'enabled' keyword has been added, supported as both a 'default-server' and
a 'server' setting, to re-enable a list of servers (declared after a
'default-server enabled' directive) or to explicitly enable a specific server declared
after a 'default-server disabled' directive.

For instance provided this configuration:

default-server disabled
server srv1...
server srv2...
server srv3... enabled
server srv4... enabled

srv1 and srv2 are disabled and srv3 and srv4 enabled.

This is equivalent to this configuration:

default-server disabled
server srv1...
server srv2...
default-server enabled
server srv3...
server srv4...

even if it would have been preferable/shorter to declare:

server srv3...
server srv4...
default-server disabled
server srv1...
server srv2...

as 'enabled' is the default server state.
---
 src/server.c | 39 +++
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/src/server.c b/src/server.c
index 83a7052..0274d84 100644
--- a/src/server.c
+++ b/src/server.c
@@ -305,6 +305,28 @@ static int srv_parse_cookie(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "disabled" server keyword */
+static int srv_parse_disabled(char **args, int *cur_arg,
+  struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->admin |= SRV_ADMF_CMAINT | SRV_ADMF_FMAINT;
+	newsrv->state = SRV_ST_STOPPED;
+	newsrv->check.state |= CHK_ST_PAUSED;
+	newsrv->check.health = 0;
+	return 0;
+}
+
+/* Parse the "enabled" server keyword */
+static int srv_parse_enabled(char **args, int *cur_arg,
+ struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->admin &= ~SRV_ADMF_CMAINT & ~SRV_ADMF_FMAINT;
+	newsrv->state = SRV_ST_RUNNING;
+	newsrv->check.state &= ~CHK_ST_PAUSED;
+	newsrv->check.health = newsrv->check.rise;
+	return 0;
+}
+
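Review bot: the state transitions in srv_parse_disabled (admin |= SRV_ADMF_CMAINT | SRV_ADMF_FMAINT, state = SRV_ST_STOPPED, check.state |= CHK_ST_PAUSED, check.health = 0) are written out a second time in the defaults-copy block later in this patch, and srv_parse_enabled is their hand-written inverse; a pair of small helpers (srv_set_disabled()/srv_set_enabled(), names are a suggestion) called from all three places would keep the copies from drifting. Also note that, like the inline block this replaces, neither function touches newsrv->agent.state, so what happens to an agent check configured on a "disabled" server is left to the check start-up code; if that is intended, a comment saying so would help.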
 /* parse the "id" server keyword */
 static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struct server *newsrv, char **err)
 {
@@ -1323,6 +1345,8 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "check",   srv_parse_check,   0,  1 }, /* enable health checks */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
 	{ "cookie",  srv_parse_cookie,  1,  1 }, /* Assign a cookie to the server */
+	{ "disabled",srv_parse_disabled,0,  1 }, /* Start the server in 'disabled' state */
+	{ "enabled", srv_parse_enabled, 0,  1 }, /* Start the server in 'enabled' state */
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "namespace",   srv_parse_namespace,   1,  1 }, /* Namespace the server socket belongs to (if supported) */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
@@ -1755,6 +1779,13 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->check.rise	= curproxy->defsrv.check.rise;
 			newsrv->check.fall	= curproxy->defsrv.check.fall;
 			newsrv->check.health	= newsrv->check.rise;	/* up, but will fall down at first failure */
+			/* Here we check if 'disabled' is the default server state */
+			if (curproxy->defsrv.admin & (SRV_ADMF_CMAINT | SRV_ADMF_FMAINT)) {
+newsrv->admin |= SRV_ADMF_CMAINT | SRV_ADMF_FMAINT;
+newsrv->state = SRV_ST_STOPPED;
+newsrv->check.state |= CHK_ST_PAUSED;
+newsrv->check.health = 0;
+			}
 			newsrv->check.server	= newsrv;
 			newsrv->check.tcpcheck_rules	= >tcpcheck_rules;
 
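Review bot: the comment 'Here we check if 'disabled' is the default server state' should also record the ordering this block depends on: it sits in the defaults-copy section that runs before the keyword loop, which is the only reason 'server srv3 ... enabled' from the commit message can override a 'default-server disabled'; whoever later moves the copy below the loop would silently break that override. Testing only the two admin bits (and not defsrv.state or defsrv.check.state, which srv_parse_disabled also sets on the default server) is fine, but say so in the comment as well.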
@@ -2096,14 +2127,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->slowstart = (val + 999) / 1000;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "disabled")) {
-newsrv->admin |= SRV_ADMF_CMAINT;
-newsrv->admin |= SRV_ADMF_FMAINT;
-newsrv->state = SRV_ST_STOPPED;
-newsrv->check.state |= CHK_ST_PAUSED;
-newsrv->check.health = 0;
-cur_arg += 1;
-			}
 			else if (!strcmp(args[cur_arg], "on-error")) {
 if (!strcmp(args[cur_arg + 1], "fastinter"))
 	newsrv->onerror = HANA_ONERR_FASTINTER;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From d42d42d4d105320248277fb8fba040da02302c24 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Tue, 21 Mar 2017 16:39:15 +0100
Subject: [PATCH 30/31] MINOR: server: Add 'no-agent-check' server keyword.

This patch adds a 'no-agent-check' setting, supported by both 'default-server'
and 'server' directives, to disable the agent check for a specific server which would
otherwise have 'agent-check' set as its default value (inherited from the 'default-server'
'agent-check' setting), or, on 'default-server' lines, to disable the 'agent-check' setting
as the default value for any further 'server' declarations.

For instance, provided this configuration:

default-server agent-check
server srv1
server srv2 no-agent-check
server srv3
default-server no-agent-check
server srv4

srv1 and srv3 would have an agent check enabled contrary to srv2 and srv4.

Nothing is allocated anymore when parsing the 'default-server' 'agent-check'
setting.
---
 include/types/server.h |  1 +
 src/checks.c   |  3 +++
 src/server.c   | 35 +++
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/include/types/server.h b/include/types/server.h
index 781a889..bfaa941 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -241,6 +241,7 @@ struct server {
 	int tcp_ut; /* for TCP, user timeout */
 
 	int do_check;   /* temporary variable used during parsing to denote if health checks must be enabled */
+	int do_agent;   /* temporary variable used during parsing to denote if an auxiliary agent check must be enabled */
 	struct check check; /* health-check specific configuration */
 	struct check agent; /* agent specific configuration */
 
diff --git a/src/checks.c b/src/checks.c
index 77d57dc..778fc6a 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -3082,8 +3082,11 @@ const char *init_check(struct check *check, int type)
 void free_check(struct check *check)
 {
 	free(check->bi);
+	check->bi = NULL;
 	free(check->bo);
+	check->bo = NULL;
 	free(check->conn);
+	check->conn = NULL;
 }
 
 void email_alert_free(struct email_alert *alert)
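Review bot: free_check() becomes idempotent here, which srv_parse_no_agent_check in this same patch relies on when it frees a 'struct check' that may or may not have been initialised; that new contract should be stated in a comment above the function, since the commit message only hints at it ('We do not allocate anymore anything...') and other callers in src/checks.c may start depending on it too.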
diff --git a/src/server.c b/src/server.c
index 0274d84..6614a22 100644
--- a/src/server.c
+++ b/src/server.c
@@ -262,6 +262,14 @@ static int srv_parse_addr(char **args, int *cur_arg,
 	return ERR_ALERT | ERR_FATAL;
 }
 
+/* Parse the "agent-check" server keyword */
+static int srv_parse_agent_check(char **args, int *cur_arg,
+ struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->do_agent = 1;
+	return 0;
+}
+
 /* Parse the "backup" server keyword */
 static int srv_parse_backup(char **args, int *cur_arg,
 struct proxy *curproxy, struct server *newsrv, char **err)
@@ -401,6 +409,18 @@ static int srv_parse_namespace(char **args, int *cur_arg,
 #endif
 }
 
+/* Parse the "no-agent-check" server keyword */
+static int srv_parse_no_agent_check(char **args, int *cur_arg,
+ struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	free_check(>agent);
+	newsrv->agent.inter = 0;
+	newsrv->agent.port = 0;
+	newsrv->agent.state &= ~CHK_ST_CONFIGURED & ~CHK_ST_ENABLED & ~CHK_ST_AGENT;
+	newsrv->do_agent = 0;
+	return 0;
+}
+
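Review bot: the reset in srv_parse_no_agent_check is partial: it clears agent.inter and agent.port, but not agent.addr nor the SRV_F_AGENTADDR flag that srv_parse_addr (28/31) raises on the same server. Decide what the keyword means: 'disable the check' (then inter/port should survive, so that 'default-server agent-check agent-port 9999' followed by 'server x no-agent-check agent-check' still has a port) or 'forget the agent configuration' (then addr and the flag need clearing too), and write that choice into the doc patch. A comment on when agent.bi/bo/conn can be non-NULL at parse time, now that 'agent-check' only sets do_agent, would also explain why free_check(&newsrv->agent) is needed here.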
 /* Parse the "no-backup" server keyword */
 static int srv_parse_no_backup(char **args, int *cur_arg,
struct proxy *curproxy, struct server *newsrv, char **err)
@@ -1341,6 +1361,7 @@ void srv_compute_all_admin_states(struct proxy *px)
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "addr",srv_parse_addr,1,  1 }, /* IP address to send health to or to probe from agent-check */
+	{ "agent-check", srv_parse_agent_check, 0,  1 }, /* Enable an auxiliary agent check */
 	{ "backup",  srv_parse_backup,  0,  1 }, /* Flag as backup server */
 	{ "check",   srv_parse_check,   0,  1 }, /* enable health checks */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
@@ -1349,6 +1370,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "enabled", srv_parse_enabled, 0,  1 }, /* Start the server in 'enabled' state */
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "namespace",   srv_parse_namespace,   1,  1 }, /* Namespace the server socket belongs to (if supported) */
+	{ "no-agent-check",  srv_parse_no_agent_check,  0,  1 }, /* Do not enable any auxiliary agent check */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check",

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 57c710d9866bd06837b6aeb7ff5b45e7891b5f0e Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 20 Mar 2017 16:30:18 +0100
Subject: [PATCH 28/31] MINOR: server: Make 'default-server' support 'addr'
 keyword.

This patch makes 'default-server' support the 'addr' setting.
The code which was responsible for parsing the 'server' 'addr' setting
has been moved out of parse_server() into a new parser callable
as both the 'default-server' and 'server' 'addr' setting parser.

Should not break anything.
---
 src/server.c | 82 
 1 file changed, 49 insertions(+), 33 deletions(-)

diff --git a/src/server.c b/src/server.c
index 404c0b1..83a7052 100644
--- a/src/server.c
+++ b/src/server.c
@@ -215,6 +215,53 @@ void srv_dump_kws(char **out)
 	}
 }
 
+/* Parse the "addr" server keyword */
+static int srv_parse_addr(char **args, int *cur_arg,
+  struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *errmsg, *arg;
+	struct sockaddr_storage *sk;
+	int port1, port2;
+	struct protocol *proto;
+
+	errmsg = NULL;
+	arg = args[*cur_arg + 1];
+
+	if (!*arg) {
+		memprintf(err, "'%s' expects  as argument.\n", args[*cur_arg]);
+		goto err;
+	}
+
+	sk = str2sa_range(arg, NULL, , , , NULL, NULL, 1);
+	if (!sk) {
+		memprintf(err, "'%s' : %s", args[*cur_arg], errmsg);
+		goto err;
+	}
+
+	proto = protocol_by_family(sk->ss_family);
+	if (!proto || !proto->connect) {
+		memprintf(err, "'%s %s' : connect() not supported for this address family.\n",
+		  args[*cur_arg], arg);
+		goto err;
+	}
+
+	if (port1 != port2) {
+		memprintf(err, "'%s' : port ranges and offsets are not allowed in '%s'\n",
+		  args[*cur_arg], arg);
+		goto err;
+	}
+
+	newsrv->check.addr = newsrv->agent.addr = *sk;
+	newsrv->flags |= SRV_F_CHECKADDR;
+	newsrv->flags |= SRV_F_AGENTADDR;
+
+	return 0;
+
+ err:
+	free(errmsg);
+	return ERR_ALERT | ERR_FATAL;
+}
+
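Review bot: the three memprintf() messages in srv_parse_addr end with "\n" (the 'expects ... as argument' one, 'connect() not supported for this address family.\n' and 'port ranges and offsets are not allowed in '%s'\n'), but the caller prints *err through Alert("parsing [%s:%d] : '%s %s' : %s\n", ...) in parse_server, so each of these errors comes out followed by a blank line; the namespace parser in 25/31 omits the trailing newline and that is the convention to follow. Otherwise this is a faithful move of the removed inline block, with the added empty-argument check as a welcome bonus.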
 /* Parse the "backup" server keyword */
 static int srv_parse_backup(char **args, int *cur_arg,
 struct proxy *curproxy, struct server *newsrv, char **err)
@@ -1271,6 +1318,7 @@ void srv_compute_all_admin_states(struct proxy *px)
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
+	{ "addr",srv_parse_addr,1,  1 }, /* IP address to send health to or to probe from agent-check */
 	{ "backup",  srv_parse_backup,  0,  1 }, /* Flag as backup server */
 	{ "check",   srv_parse_check,   0,  1 }, /* enable health checks */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
@@ -1668,6 +1716,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->cklen = curproxy->defsrv.cklen;
 			}
 			newsrv->use_ssl		= curproxy->defsrv.use_ssl;
+			newsrv->check.addr = newsrv->agent.addr = curproxy->defsrv.check.addr;
 			newsrv->check.use_ssl	= curproxy->defsrv.check.use_ssl;
 			newsrv->check.port	= curproxy->defsrv.check.port;
 			/* Note: 'flags' field has potentially been already initialized. */
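Review bot: copying defsrv.check.addr into both check.addr and agent.addr is only useful if SRV_F_CHECKADDR and SRV_F_AGENTADDR travel with it; srv_parse_addr sets both flags, and the comment right below ('Note: 'flags' field has potentially been already initialized.') suggests flags are handled elsewhere, but that copy is not visible in this patch, so please confirm those two bits are inherited from the default server, or OR them in here next to the address copy.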
@@ -2006,39 +2055,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->check.downinter = val;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "addr")) {
-struct sockaddr_storage *sk;
-int port1, port2;
-struct protocol *proto;
-
-sk = str2sa_range(args[cur_arg + 1], NULL, , , , NULL, NULL, 1);
-if (!sk) {
-	Alert("parsing [%s:%d] : '%s' : %s\n",
-	  file, linenum, args[cur_arg], errmsg);
-	err_code |= ERR_ALERT | ERR_FATAL;
-	goto out;
-}
-
-proto = protocol_by_family(sk->ss_family);
-if (!proto || !proto->connect) {
-	Alert("parsing [%s:%d] : '%s %s' : connect() not supported for this address family.\n",
-	  file, linenum, args[cur_arg], args[cur_arg + 1]);
-	err_code |= ERR_ALERT | ERR_FATAL;
-	goto out;
-}
-
-if (port1 != port2) {
-	Alert("parsing [%s:%d] : '%s' : port ranges and offsets are not allowed in '%s'\n",
-	  file, linenum, args[cur_arg], args[cur_arg + 1]);
-	err_code |= ERR_ALERT | ERR_FATAL;
-	goto out;
-}
-
-newsrv->check.addr = newsrv->agent.addr = *sk;
-newsrv->flags |= SRV_F_CHECKADDR;
-newsrv->flags |= SRV_F_AGENTADDR;
-cur_arg += 2;
-			}
 			else if (!strcmp(args[cur_arg], "port")) {
 newsrv->check.port = atol(args[cur_arg + 1]);
 newsrv->flags |= SRV_F_CHECKPORT;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 78c8279eb296b4a70eecb7eff599e2851749b3c3 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 20 Mar 2017 14:54:41 +0100
Subject: [PATCH 27/31] MINOR: server: Make 'default-server' support 'sni'
 keyword.

This patch makes 'default-server' directives support the 'sni' setting.
A 'sni_expr' field has been added to 'struct server' to temporarily
store SNI expressions as strings while parsing both 'default-server' and 'server'
lines. So, to duplicate SNI expressions from the 'default-server' 'sni' setting
for new 'server' instances we only have to "strdup" these strings, as is
done for most of the 'server' settings.
Then, sample expressions are computed by calling sample_parse_expr() (only for 'server'
instances).
A new function has been added to produce the same error output as before in case
of any error during 'sni' settings parsing (display_parser_err()).
Should not break anything.
---
 include/types/server.h |  1 +
 src/server.c   | 75 +-
 src/ssl_sock.c | 27 --
 3 files changed, 75 insertions(+), 28 deletions(-)

diff --git a/include/types/server.h b/include/types/server.h
index c973d69..781a889 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -254,6 +254,7 @@ struct server {
 
 	int use_ssl;/* ssl enabled  */
 #ifdef USE_OPENSSL
+	char *sni_expr; /* Temporary variable to store a sample expression for SNI */
 	struct {
 		SSL_CTX *ctx;
 		SSL_SESSION *reused_sess;
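Review bot: sni_expr is declared under #ifdef USE_OPENSSL, but its consumer server_parse_sni_expr() and the call at the end of parse_server are both under #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, while the strdup() from defsrv.sni_expr sits inside the USE_OPENSSL block; with an OpenSSL built without SNI support the string is duplicated for every server and never consumed or freed. Put the field and the copy under the same guard as the parser, or make the 'sni' keyword itself fail in that configuration.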
diff --git a/src/server.c b/src/server.c
index 51c5ee6..404c0b1 100644
--- a/src/server.c
+++ b/src/server.c
@@ -36,6 +36,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -1438,6 +1439,53 @@ const char *server_parse_maxconn_change_request(struct server *sv,
 	return NULL;
 }
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+static int server_parse_sni_expr(struct server *newsrv, struct proxy *px, char **err)
+{
+	int idx;
+	struct sample_expr *expr;
+	const char *args[] = {
+		newsrv->sni_expr,
+		NULL,
+	};
+
+	idx = 0;
+	proxy->conf.args.ctx = ARGC_SRV;
+
+	expr = sample_parse_expr((char **)args, , px->conf.file, px->conf.line,
+	 err, >conf.args);
+	if (!expr) {
+		memprintf(err, "error detected while parsing sni expression : %s", *err);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	if (!(expr->fetch->val & SMP_VAL_BE_SRV_CON)) {
+		memprintf(err, "error detected while parsing sni expression : "
+		  " fetch method '%s' extracts information from '%s', "
+		  "none of which is available here.\n",
+		  args[0], sample_src_names(expr->fetch->use));
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	px->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);
+	release_sample_expr(newsrv->ssl_ctx.sni);
+	newsrv->ssl_ctx.sni = expr;
+
+	return 0;
+}
+#endif
+
+static void display_parser_err(const char *file, int linenum, char **args, int cur_arg, char **err)
+{
+	if (err && *err) {
+		indent_msg(err, 2);
+		Alert("parsing [%s:%d] : '%s %s' : %s\n", file, linenum, args[0], args[1], *err);
+	}
+	else
+		Alert("parsing [%s:%d] : '%s %s' : error encountered while processing '%s'.\n",
+		  file, linenum, args[0], args[1], args[cur_arg]);
+}
+
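Review bot: logic error in server_parse_sni_expr: 'proxy->conf.args.ctx = ARGC_SRV;' writes to the global proxy list head, not to the px argument that is handed to sample_parse_expr() two lines later as &px->conf.args; it should be px->conf.args.ctx. Two smaller points: the 'none of which is available here.\n' message carries a trailing newline that display_parser_err() adds again, and expr is not released on that failure path (harmless since the error is fatal, but a one-line release keeps it clean); and newsrv->sni_expr is still allocated once the expression has been built, although the commit message calls it temporary, so free it here or in the server free path.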
 int parse_server(const char *file, int linenum, char **args, struct proxy *curproxy, struct proxy *defproxy)
 {
 	struct server *newsrv = NULL;
@@ -1688,6 +1736,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
 			if (curproxy->defsrv.ssl_ctx.ciphers != NULL)
 newsrv->ssl_ctx.ciphers = strdup(curproxy->defsrv.ssl_ctx.ciphers);
+			if (curproxy->defsrv.sni_expr != NULL)
+newsrv->sni_expr = strdup(curproxy->defsrv.sni_expr);
 #endif
 
 #ifdef TCP_USER_TIMEOUT
@@ -2135,13 +2185,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 	err_code |= code;
 
 	if (code) {
-		if (err && *err) {
-			indent_msg(, 2);
-			Alert("parsing [%s:%d] : '%s %s' : %s\n", file, linenum, args[0], args[1], err);
-		}
-		else
-			Alert("parsing [%s:%d] : '%s %s' : error encountered while processing '%s'.\n",
-			  file, linenum, args[0], args[1], args[cur_arg]);
+		display_parser_err(file, linenum, args, cur_arg, );
 		if (code & ERR_FATAL) {
 			free(err);
 			cur_arg += 1 + kw->skip;
@@ -2270,6 +2314,23 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 
 			srv_lb_commit_status(newsrv);
 		}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+		if (!defsrv && newsrv->sni_expr) {
+			int code;
+			char *err;
+
+			err = NULL;
+
+			code = server_parse_sni_expr(newsrv, curproxy, );
+			err_code |= code;
+			if (code) {
+display_parser_err(file, linenum, args, cur_arg, );
+free(err);
+
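Review bot: at this point parse_server has finished its keyword loop, so the cur_arg passed to display_parser_err() no longer indexes the 'sni' argument; if server_parse_sni_expr() ever fails without filling err, the fallback message 'error encountered while processing '%s'' will name whatever args[cur_arg] is now. Both current failure paths do fill err, so this is latent, but passing an index that points at the sni keyword (or a dedicated message for this late check) would make it robust.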

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 57d54d2e1f1b200c2c44cbe135c2c74900b83d36 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 17 Mar 2017 15:33:50 +0100
Subject: [PATCH 26/31] MINOR: server: Make 'default-server' support 'source'
 keyword.

Before this patch, only 'server' directives could support the 'source' setting.
This patch makes 'default-server' directives support this setting as well.

To do so, we had to extract the code responsible for parsing the 'source' setting
arguments from the parse_server() function and make it callable both
as the 'default-server' and 'server' 'source' setting parser. So, the code is mostly
the same as before, except that before allocating anything for 'struct conn_src'
members, we must free the memory previously allocated.

Should not break anything.
---
 src/server.c | 385 ---
 1 file changed, 211 insertions(+), 174 deletions(-)

diff --git a/src/server.c b/src/server.c
index cab0772..51c5ee6 100644
--- a/src/server.c
+++ b/src/server.c
@@ -460,6 +460,180 @@ static int srv_parse_send_proxy_v2(char **args, int *cur_arg,
 	return srv_enable_pp_flags(newsrv, SRV_PP_V2);
 }
 
+
+/* Parse the "source" server keyword */
+static int srv_parse_source(char **args, int *cur_arg,
+struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *errmsg;
+	int port_low, port_high;
+	struct sockaddr_storage *sk;
+	struct protocol *proto;
+
+	errmsg = NULL;
+
+	if (!*args[*cur_arg + 1]) {
+		memprintf(err, "'%s' expects [:[-]], and optionally '%s' , "
+		   "and '%s'  as argument.\n", args[*cur_arg], "usesrc", "interface");
+		goto err;
+	}
+
+	/* 'sk' is statically allocated (no need to be freed). */
+	sk = str2sa_range(args[*cur_arg + 1], NULL, _low, _high, , NULL, NULL, 1);
+	if (!sk) {
+		memprintf(err, "'%s %s' : %s\n", args[*cur_arg], args[*cur_arg + 1], errmsg);
+		goto err;
+	}
+
+	proto = protocol_by_family(sk->ss_family);
+	if (!proto || !proto->connect) {
+		Alert("'%s %s' : connect() not supported for this address family.\n",
+		  args[*cur_arg], args[*cur_arg + 1]);
+		goto err;
+	}
+
+	newsrv->conn_src.opts |= CO_SRC_BIND;
+	newsrv->conn_src.source_addr = *sk;
+
+	if (port_low != port_high) {
+		int i;
+
+		if (!port_low || !port_high) {
+			Alert("'%s' does not support port offsets (found '%s').\n",
+			  args[*cur_arg], args[*cur_arg + 1]);
+			goto err;
+		}
+
+		if (port_low  <= 0 || port_low  > 65535 ||
+			port_high <= 0 || port_high > 65535 ||
+			port_low > port_high) {
+			Alert("'%s': invalid source port range %d-%d.\n", args[*cur_arg], port_low, port_high);
+			goto err;
+		}
+		newsrv->conn_src.sport_range = port_range_alloc_range(port_high - port_low + 1);
+		for (i = 0; i < newsrv->conn_src.sport_range->size; i++)
+			newsrv->conn_src.sport_range->ports[i] = port_low + i;
+	}
+
+	*cur_arg += 2;
+	while (*(args[*cur_arg])) {
+		if (!strcmp(args[*cur_arg], "usesrc")) {  /* address to use outside */
+#if defined(CONFIG_HAP_TRANSPARENT)
+			if (!*args[*cur_arg + 1]) {
+Alert("'usesrc' expects [:], 'client', 'clientip', "
+  "or 'hdr_ip(name,#)' as argument.\n");
+goto err;
+			}
+			if (!strcmp(args[*cur_arg + 1], "client")) {
+newsrv->conn_src.opts &= ~CO_SRC_TPROXY_MASK;
+newsrv->conn_src.opts |= CO_SRC_TPROXY_CLI;
+			}
+			else if (!strcmp(args[*cur_arg + 1], "clientip")) {
+newsrv->conn_src.opts &= ~CO_SRC_TPROXY_MASK;
+newsrv->conn_src.opts |= CO_SRC_TPROXY_CIP;
+			}
+			else if (!strncmp(args[*cur_arg + 1], "hdr_ip(", 7)) {
+char *name, *end;
+
+name = args[*cur_arg + 1] + 7;
+while (isspace(*name))
+	name++;
+
+end = name;
+while (*end && !isspace(*end) && *end != ',' && *end != ')')
+	end++;
+
+newsrv->conn_src.opts &= ~CO_SRC_TPROXY_MASK;
+newsrv->conn_src.opts |= CO_SRC_TPROXY_DYN;
+free(newsrv->conn_src.bind_hdr_name);
+newsrv->conn_src.bind_hdr_name = calloc(1, end - name + 1);
+newsrv->conn_src.bind_hdr_len = end - name;
+memcpy(newsrv->conn_src.bind_hdr_name, name, end - name);
+newsrv->conn_src.bind_hdr_name[end - name] = '\0';
+newsrv->conn_src.bind_hdr_occ = -1;
+
+/* now look for an occurrence number */
+while (isspace(*end))
+	end++;
+if (*end == ',') {
+	end++;
+	name = end;
+	if (*end == '-')
+		end++;
+	while (isdigit((int)*end))
+		end++;
+	newsrv->conn_src.bind_hdr_occ = strl2ic(name, end - name);
+}
+
+if (newsrv->conn_src.bind_hdr_occ < -MAX_HDR_HISTORY) {
+	Alert("usesrc hdr_ip(name,num) does not support negative"
+	  " occurrences values smaller than %d.\n", MAX_HDR_HISTORY);
+	goto err;
+}
+			}
+			else {
+struct sockaddr_storage *sk;
+int port1, port2;
+
+/* 'sk' is statically allocated (no need to be freed). */
+sk = str2sa_range(args[*cur_arg + 1], NULL, , , , 
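Review bot: srv_parse_source mixes two error channels: the address errors use memprintf(err, ...) as a keyword parser should, but the 'connect() not supported', 'does not support port offsets', 'invalid source port range' and 'usesrc hdr_ip(name,num)' cases call Alert() directly, so they lose the 'parsing [file:line] : 'server name' :' prefix that display_parser_err() adds and the caller gets an error code with an empty err. Second, the commit message promises to free before reallocating, and that holds for bind_hdr_name (free() before calloc()), but newsrv->conn_src.sport_range is assigned from port_range_alloc_range() without freeing the previous range, so 'default-server source a:1000-2000' followed by 'server x source b:3000-4000' leaks the first allocation; that allocation is also dereferenced in the loop right after without a NULL check.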

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From e47f6ab5d8a8fb61888b165adf6f7e12f07c10b1 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Thu, 16 Mar 2017 17:17:36 +0100
Subject: [PATCH 25/31] MINOR: server: Make 'default-server' support
 'namespace' keyword.

Before this patch, the 'namespace' setting was only supported by the 'server' directive.
This patch makes the 'default-server' directive support this setting as well.
---
 src/server.c | 68 ++--
 1 file changed, 43 insertions(+), 25 deletions(-)

diff --git a/src/server.c b/src/server.c
index 7654211..cab0772 100644
--- a/src/server.c
+++ b/src/server.c
@@ -289,6 +289,48 @@ static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struc
 	return 0;
 }
 
+/* Parse the "namespace" server keyword */
+static int srv_parse_namespace(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+#ifdef CONFIG_HAP_NS
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'%s' : expects  as argument", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	if (!strcmp(arg, "*")) {
+		/* Use the namespace associated with the connection (if present). */
+		newsrv->flags |= SRV_F_USE_NS_FROM_PP;
+		return 0;
+	}
+
+	/*
+	 * As this parser may be called several times for the same 'default-server'
+	 * object, or for a new 'server' instance deriving from a 'default-server'
+	 * one with SRV_F_USE_NS_FROM_PP flag enabled, let's reset it.
+	 */
+	newsrv->flags &= ~SRV_F_USE_NS_FROM_PP;
+
+	newsrv->netns = netns_store_lookup(arg, strlen(arg));
+	if (!newsrv->netns)
+		newsrv->netns = netns_store_insert(arg);
+
+	if (!newsrv->netns) {
+		memprintf(err, "Cannot open namespace '%s'", arg);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	return 0;
+#else
+	memprintf(err, "'%s': '%s' option not implemented", args[0], args[*cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
 /* Parse the "no-backup" server keyword */
 static int srv_parse_no_backup(char **args, int *cur_arg,
struct proxy *curproxy, struct server *newsrv, char **err)
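Review bot: the `"*"` branch sets SRV_F_USE_NS_FROM_PP but leaves newsrv->netns untouched, whereas the named-namespace branch clears the flag precisely because, as the comment says, this parser can run several times on the same default-server object or on a server derived from one. Keep the two branches symmetric and add `newsrv->netns = NULL;` before `return 0;` in the `"*"` case, so an object cannot end up carrying both a namespace pointer and the use-from-PROXY flag.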
@@ -1058,6 +1100,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
 	{ "cookie",  srv_parse_cookie,  1,  1 }, /* Assign a cookie to the server */
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
+	{ "namespace",   srv_parse_namespace,   1,  1 }, /* Namespace the server socket belongs to (if supported) */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check",srv_parse_no_check,0,  1 }, /* disable health checks */
 	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
@@ -2025,31 +2068,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "namespace")) {
-#ifdef CONFIG_HAP_NS
-char *arg = args[cur_arg + 1];
-if (!strcmp(arg, "*")) {
-	newsrv->flags |= SRV_F_USE_NS_FROM_PP;
-} else {
-	newsrv->netns = netns_store_lookup(arg, strlen(arg));
-
-	if (newsrv->netns == NULL)
-		newsrv->netns = netns_store_insert(arg);
-
-	if (newsrv->netns == NULL) {
-		Alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]);
-		err_code |= ERR_ALERT | ERR_FATAL;
-		goto out;
-	}
-}
-#else
-Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
-  file, linenum, args[0], args[cur_arg]);
-err_code |= ERR_ALERT | ERR_FATAL;
-goto out;
-#endif
-cur_arg += 2;
-			}
 			else {
 static int srv_dumped;
 struct srv_kw *kw;
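Review bot: this hunk removes the inline handling but, unlike the ciphers and tcp-ut patches in this series, nothing adds `newsrv->netns = curproxy->defsrv.netns;` to the block that copies default-server settings into a new server; only SRV_F_USE_NS_FROM_PP travels via the `newsrv->flags |= curproxy->defsrv.flags` copy. Unless netns is already inherited elsewhere, `default-server namespace <name>` will parse cleanly but never apply to the derived servers. Separately, no patch in the series touches doc/configuration.txt although the set of keywords accepted on default-server lines changes; the documentation should follow.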
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 324ec06ee477cce5f9b2ba7b031e87d62c333826 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Wed, 15 Mar 2017 16:20:02 +0100
Subject: [PATCH 23/31] MINOR: server: Make 'default-server' support 'ciphers'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'ciphers' setting.
---
 src/server.c   | 2 ++
 src/ssl_sock.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 79dcca7..a9cfac3 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1431,6 +1431,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
 			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
 newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
+			if (curproxy->defsrv.ssl_ctx.ciphers != NULL)
+newsrv->ssl_ctx.ciphers = strdup(curproxy->defsrv.ssl_ctx.ciphers);
 #endif
 
 			cur_arg = 3;
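Review bot: now that a `server` line can inherit a strdup'ed cipher string, srv_parse_ciphers (not part of this hunk) must free the existing newsrv->ssl_ctx.ciphers before assigning its own copy, the same fix patch 15 applies to verifyhost with `free(newsrv->ssl_ctx.verify_host);`; otherwise every server that overrides the default cipher list leaks the inherited copy.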
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 72b3259..9d85eac 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7487,7 +7487,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file", srv_parse_ca_file,   1, 1 }, /* set CAfile to process verify server cert */
 	{ "check-ssl",   srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
-	{ "ciphers", srv_parse_ciphers,   1, 0 }, /* select the cipher suite */
+	{ "ciphers", srv_parse_ciphers,   1, 1 }, /* select the cipher suite */
 	{ "crl-file",srv_parse_crl_file,  1, 1 }, /* set certificate revocation list file use on server cert verify */
 	{ "crt", srv_parse_crt,   1, 1 }, /* set client certificate */
 	{ "force-sslv3", srv_parse_force_sslv3,   0, 1 }, /* force SSLv3 */
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 6ab43989ab00ceef2b681bac8ac919f3fd25311f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Wed, 15 Mar 2017 09:13:33 +0100
Subject: [PATCH 22/31] MINOR: server: Make 'default-server' support 'cookie'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Before this patch, 'cookie' setting was only supported by 'server' directives.
This patch makes 'default-server' directive also support 'cookie' setting.
Should not break anything.
---
 src/server.c | 30 --
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/server.c b/src/server.c
index b855b1b..79dcca7 100644
--- a/src/server.c
+++ b/src/server.c
@@ -237,6 +237,25 @@ static int srv_parse_check_send_proxy(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "cookie" server keyword */
+static int srv_parse_cookie(char **args, int *cur_arg,
+struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'%s' expects  as argument.\n", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	free(newsrv->cookie);
+	newsrv->cookie = strdup(arg);
+	newsrv->cklen = strlen(arg);
+	newsrv->flags |= SRV_F_COOKIESET;
+	return 0;
+}
+
 /* parse the "id" server keyword */
 static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struct server *newsrv, char **err)
 {
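Review bot: the memprintf() message ends with ".\n" while the other new parsers in this series (srv_parse_namespace, for instance) use no trailing newline; the caller adds its own framing, so pick one convention. The free() before strdup() is correct for repeated keywords; the strdup() result is not checked though, and on failure the function still sets cklen and SRV_F_COOKIESET against a NULL cookie pointer.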
@@ -1036,6 +1055,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "backup",  srv_parse_backup,  0,  1 }, /* Flag as backup server */
 	{ "check",   srv_parse_check,   0,  1 }, /* enable health checks */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
+	{ "cookie",  srv_parse_cookie,  1,  1 }, /* Assign a cookie to the server */
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check",srv_parse_no_check,0,  1 }, /* disable health checks */
@@ -1340,6 +1360,10 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->rdr_pfx = strdup(curproxy->defsrv.rdr_pfx);
 newsrv->rdr_len = curproxy->defsrv.rdr_len;
 			}
+			if (curproxy->defsrv.cookie != NULL) {
+newsrv->cookie = strdup(curproxy->defsrv.cookie);
+newsrv->cklen = curproxy->defsrv.cklen;
+			}
 			newsrv->use_ssl		= curproxy->defsrv.use_ssl;
 			newsrv->check.use_ssl	= curproxy->defsrv.check.use_ssl;
 			newsrv->check.port	= curproxy->defsrv.check.port;
@@ -1459,12 +1483,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 memcpy(newsrv->agent.send_string, args[cur_arg + 1], newsrv->agent.send_string_len);
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "cookie")) {
-newsrv->cookie = strdup(args[cur_arg + 1]);
-newsrv->cklen = strlen(args[cur_arg + 1]);
-newsrv->flags |= SRV_F_COOKIESET;
-cur_arg += 2;
-			}
 			else if (!strcmp(args[cur_arg], "init-addr")) {
 char *p, *end;
 int done;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 93f6899637050a8c00549d8b127c19d5e7aad81a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Wed, 15 Mar 2017 16:36:09 +0100
Subject: [PATCH 24/31] MINOR: server: Make 'default-server' support 'tcp-ut'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'tcp-ut' keyword.
---
 src/proto_tcp.c | 2 +-
 src/server.c| 5 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 4741651..b664831 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1833,7 +1833,7 @@ static struct bind_kw_list bind_kws = { "TCP", { }, {
 
 static struct srv_kw_list srv_kws = { "TCP", { }, {
 #ifdef TCP_USER_TIMEOUT
-	{ "tcp-ut",srv_parse_tcp_ut,1,  0 }, /* set TCP user timeout on server */
+	{ "tcp-ut",srv_parse_tcp_ut,1,  1 }, /* set TCP user timeout on server */
 #endif
 	{ NULL, NULL, 0 },
 }};
diff --git a/src/server.c b/src/server.c
index a9cfac3..7654211 100644
--- a/src/server.c
+++ b/src/server.c
@@ -13,6 +13,7 @@
 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -1435,6 +1436,10 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->ssl_ctx.ciphers = strdup(curproxy->defsrv.ssl_ctx.ciphers);
 #endif
 
+#ifdef TCP_USER_TIMEOUT
+			newsrv->tcp_ut = curproxy->defsrv.tcp_ut;
+#endif
+
 			cur_arg = 3;
 		} else {
 			newsrv = >defsrv;
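Review bot: the copy is guarded by `#ifdef TCP_USER_TIMEOUT`, a macro that comes from the socket headers (netinet/tcp.h on Linux), so it only takes effect if the include added at the top of server.c in this patch is that header. If it is not, the guard silently compiles the inheritance out: the TCP keyword list accepts `default-server tcp-ut` but the value never propagates to the servers. Worth confirming with a build where the keyword is exercised.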
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 0f1fc0c3325bd15d97fc9005a72b2094c170c609 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Wed, 15 Mar 2017 08:55:39 +0100
Subject: [PATCH 21/31] MINOR: server: Make 'default-server' support 'observe'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Before this patch, 'observe' setting was only supported by 'server' directives.
This patch makes 'default-server' directives also support 'observe' setting.
Should not break anything.
---
 src/server.c | 59 ---
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/src/server.c b/src/server.c
index 1fc10c5..b855b1b 100644
--- a/src/server.c
+++ b/src/server.c
@@ -331,6 +331,40 @@ static int inline srv_enable_pp_flags(struct server *srv, unsigned int flags)
 	return 0;
 }
 
+/* Parse the "observe" server keyword */
+static int srv_parse_observe(char **args, int *cur_arg,
+ struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'%s' expects  as argument.\n", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	if (!strcmp(arg, "none")) {
+		newsrv->observe = HANA_OBS_NONE;
+	}
+	else if (!strcmp(arg, "layer4")) {
+		newsrv->observe = HANA_OBS_LAYER4;
+	}
+	else if (!strcmp(arg, "layer7")) {
+		if (curproxy->mode != PR_MODE_HTTP) {
+			memprintf(err, "'%s' can only be used in http proxies.\n", arg);
+			return ERR_ALERT;
+		}
+		newsrv->observe = HANA_OBS_LAYER7;
+	}
+	else {
+		memprintf(err, "'%s' expects one of 'none', 'layer4', 'layer7' "
+		   "but got '%s'\n", args[*cur_arg], arg);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	return 0;
+}
+
 /* Parse the "redir" server keyword */
 static int srv_parse_redir(char **args, int *cur_arg,
struct proxy *curproxy, struct server *newsrv, char **err)
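Review bot: two behaviour changes in the 'layer7' branch. The removed code assigned HANA_OBS_LAYER7 even when it raised the mode alert; the new code returns ERR_ALERT (non-fatal) without assigning newsrv->observe, so on a non-HTTP proxy the setting is silently dropped while the configuration is still accepted. Either return ERR_ALERT | ERR_FATAL like the other error path or keep the assignment. Second, this check now also runs for 'default-server', which in a 'defaults' section can legitimately appear before 'mode http'; curproxy->mode is then not yet set and a valid configuration gets the alert. Deferring the mode check to check_config_validity() removes the ordering dependency.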
@@ -1009,6 +1043,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "no-send-proxy",   srv_parse_no_send_proxy,   0,  1 }, /* Disable use of PROXY V1 protocol */
 	{ "no-send-proxy-v2",srv_parse_no_send_proxy_v2,0,  1 }, /* Disable use of PROXY V2 protocol */
 	{ "non-stick",   srv_parse_non_stick,   0,  1 }, /* Disable stick-table persistence */
+	{ "observe", srv_parse_observe, 1,  1 }, /* Enables health adjusting based on observing communication with the server */
 	{ "redir",   srv_parse_redir,   1,  1 }, /* Enable redirection mode */
 	{ "send-proxy",  srv_parse_send_proxy,  0,  1 }, /* Enforce use of PROXY V1 protocol */
 	{ "send-proxy-v2",   srv_parse_send_proxy_v2,   0,  1 }, /* Enforce use of PROXY V2 protocol */
@@ -1328,6 +1363,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->minconn		= curproxy->defsrv.minconn;
 			newsrv->maxconn		= curproxy->defsrv.maxconn;
 			newsrv->slowstart	= curproxy->defsrv.slowstart;
+			newsrv->observe = curproxy->defsrv.observe;
 			newsrv->onerror		= curproxy->defsrv.onerror;
 			newsrv->onmarkeddown= curproxy->defsrv.onmarkeddown;
 			newsrv->onmarkedup  = curproxy->defsrv.onmarkedup;
@@ -1723,29 +1759,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->check.health = 0;
 cur_arg += 1;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
-if (!strcmp(args[cur_arg + 1], "none"))
-	newsrv->observe = HANA_OBS_NONE;
-else if (!strcmp(args[cur_arg + 1], "layer4"))
-	newsrv->observe = HANA_OBS_LAYER4;
-else if (!strcmp(args[cur_arg + 1], "layer7")) {
-	if (curproxy->mode != PR_MODE_HTTP) {
-		Alert("parsing [%s:%d]: '%s' can only be used in http proxies.\n",
-			file, linenum, args[cur_arg + 1]);
-		err_code |= ERR_ALERT;
-	}
-	newsrv->observe = HANA_OBS_LAYER7;
-}
-else {
-	Alert("parsing [%s:%d]: '%s' expects one of 'none', "
-		"'layer4', 'layer7' but got '%s'\n",
-		file, linenum, args[cur_arg], args[cur_arg + 1]);
-	err_code |= ERR_ALERT | ERR_FATAL;
-	goto out;
-}
-
-cur_arg += 2;
-			}
 			else if (!strcmp(args[cur_arg], "on-error")) {
 if (!strcmp(args[cur_arg + 1], "fastinter"))
 	newsrv->onerror = HANA_ONERR_FASTINTER;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 617a66ec167fd7b780028a7a58b44546dba3e810 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 14 Mar 2017 16:42:49 +0100
Subject: [PATCH 20/31] MINOR: server: Make 'default-server' support 'redir'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Before this patch only 'server' directives could support 'redir' setting.
This patch also makes 'default-server' directives support 'redir' setting.
Should not break anything.
---
 src/server.c | 29 -
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/server.c b/src/server.c
index c94e5dc..1fc10c5 100644
--- a/src/server.c
+++ b/src/server.c
@@ -331,6 +331,25 @@ static int inline srv_enable_pp_flags(struct server *srv, unsigned int flags)
 	return 0;
 }
 
+/* Parse the "redir" server keyword */
+static int srv_parse_redir(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'%s' expects  as argument.\n", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	free(newsrv->rdr_pfx);
+	newsrv->rdr_pfx = strdup(arg);
+	newsrv->rdr_len = strlen(arg);
+
+	return 0;
+}
+
 /* Parse the "send-proxy" server keyword */
 static int srv_parse_send_proxy(char **args, int *cur_arg,
 struct proxy *curproxy, struct server *newsrv, char **err)
@@ -990,6 +1009,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "no-send-proxy",   srv_parse_no_send_proxy,   0,  1 }, /* Disable use of PROXY V1 protocol */
 	{ "no-send-proxy-v2",srv_parse_no_send_proxy_v2,0,  1 }, /* Disable use of PROXY V2 protocol */
 	{ "non-stick",   srv_parse_non_stick,   0,  1 }, /* Disable stick-table persistence */
+	{ "redir",   srv_parse_redir,   1,  1 }, /* Enable redirection mode */
 	{ "send-proxy",  srv_parse_send_proxy,  0,  1 }, /* Enforce use of PROXY V1 protocol */
 	{ "send-proxy-v2",   srv_parse_send_proxy_v2,   0,  1 }, /* Enforce use of PROXY V2 protocol */
 	{ "stick",   srv_parse_stick,   0,  1 }, /* Enable stick-table persistence */
@@ -1281,6 +1301,10 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			}
 
 			newsrv->pp_opts		= curproxy->defsrv.pp_opts;
+			if (curproxy->defsrv.rdr_pfx != NULL) {
+newsrv->rdr_pfx = strdup(curproxy->defsrv.rdr_pfx);
+newsrv->rdr_len = curproxy->defsrv.rdr_len;
+			}
 			newsrv->use_ssl		= curproxy->defsrv.use_ssl;
 			newsrv->check.use_ssl	= curproxy->defsrv.check.use_ssl;
 			newsrv->check.port	= curproxy->defsrv.check.port;
@@ -1454,11 +1478,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 }
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "redir")) {
-newsrv->rdr_pfx = strdup(args[cur_arg + 1]);
-newsrv->rdr_len = strlen(args[cur_arg + 1]);
-cur_arg += 2;
-			}
 			else if (!strcmp(args[cur_arg], "resolvers")) {
 newsrv->resolvers_id = strdup(args[cur_arg + 1]);
 cur_arg += 2;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 9da661d95b42cac3c65be783b4c8c71e900366e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 14 Mar 2017 15:52:04 +0100
Subject: [PATCH 19/31] MINOR: server: Make 'default-server' support 'ca-file',
 'crl-file' and 'crt' settings.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directives support 'ca-file', 'crl-file' and
'crt' settings.
---
 src/server.c   | 6 ++
 src/ssl_sock.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/server.c b/src/server.c
index 988abee..c94e5dc 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1338,6 +1338,12 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->init_addr = curproxy->defsrv.init_addr;
 #if defined(USE_OPENSSL)
 			/* SSL config. */
+			if (curproxy->defsrv.ssl_ctx.ca_file != NULL)
+newsrv->ssl_ctx.ca_file = strdup(curproxy->defsrv.ssl_ctx.ca_file);
+			if (curproxy->defsrv.ssl_ctx.crl_file != NULL)
+newsrv->ssl_ctx.crl_file = strdup(curproxy->defsrv.ssl_ctx.crl_file);
+			if (curproxy->defsrv.ssl_ctx.client_crt != NULL)
+newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.crl_file);
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
 			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
 newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
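Review bot: copy-paste error on the client_crt line: `newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.crl_file);` duplicates the CRL path into the client certificate field. It should read `strdup(curproxy->defsrv.ssl_ctx.client_crt)`. As written, `default-server crt <cert> crl-file <crl>` makes every derived server present the CRL file as its client certificate, which fails at SSL context setup at best and is hard to diagnose from the error message.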
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 34860fe..72b3259 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7485,11 +7485,11 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-	{ "ca-file", srv_parse_ca_file,   1, 0 }, /* set CAfile to process verify server cert */
+	{ "ca-file", srv_parse_ca_file,   1, 1 }, /* set CAfile to process verify server cert */
 	{ "check-ssl",   srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
 	{ "ciphers", srv_parse_ciphers,   1, 0 }, /* select the cipher suite */
-	{ "crl-file",srv_parse_crl_file,  1, 0 }, /* set certificate revocation list file use on server cert verify */
-	{ "crt", srv_parse_crt,   1, 0 }, /* set client certificate */
+	{ "crl-file",srv_parse_crl_file,  1, 1 }, /* set certificate revocation list file use on server cert verify */
+	{ "crt", srv_parse_crt,   1, 1 }, /* set client certificate */
 	{ "force-sslv3", srv_parse_force_sslv3,   0, 1 }, /* force SSLv3 */
 	{ "force-tlsv10",srv_parse_force_tlsv10,  0, 1 }, /* force TLSv10 */
 	{ "force-tlsv11",srv_parse_force_tlsv11,  0, 1 }, /* force TLSv11 */
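Review bot: flipping the last column to 1 lets these parsers run on a default-server, and the server.c hunk copies the resulting strings into every derived server; srv_parse_ca_file, srv_parse_crl_file and srv_parse_crt (not in this diff) must therefore free the inherited copy before strdup'ing a new value, as patch 15 does for verifyhost, or a `server` line overriding any of them leaks the inherited string.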
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 6b94e45e66da74f50c42b11cd3c087f0be991513 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 14 Mar 2017 15:21:31 +0100
Subject: [PATCH 18/31] MINOR: server: Make 'default-server' support 'track'
 setting.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Before this patch only 'server' directives could support 'track' setting.
This patch makes 'default-server' directives also support this setting.
Should not break anything.
---
 src/server.c | 34 +-
 1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/src/server.c b/src/server.c
index 87d2448..988abee 100644
--- a/src/server.c
+++ b/src/server.c
@@ -353,6 +353,24 @@ static int srv_parse_stick(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "track" server keyword */
+static int srv_parse_track(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'track' expects [/] as argument.\n");
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	free(newsrv->trackit);
+	newsrv->trackit = strdup(arg);
+
+	return 0;
+}
+
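Review bot: the error message hardcodes 'track' instead of using args[*cur_arg] as the other parsers in the series do; minor, but keep it consistent. Note also that the strdup() result is not checked, so a NULL trackit would later be treated as "no tracking" without any error.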
 /* Shutdown all connections of a server. The caller must pass a termination
  * code in , which must be one of SF_ERR_* indicating the reason for the
  * shutdown.
@@ -975,6 +993,7 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "send-proxy",  srv_parse_send_proxy,  0,  1 }, /* Enforce use of PROXY V1 protocol */
 	{ "send-proxy-v2",   srv_parse_send_proxy_v2,   0,  1 }, /* Enforce use of PROXY V2 protocol */
 	{ "stick",   srv_parse_stick,   0,  1 }, /* Enable stick-table persistence */
+	{ "track",   srv_parse_track,   1,  1 }, /* Set the current state of the server, tracking another one */
 	{ NULL, NULL, 0 },
 }};
 
@@ -1288,6 +1307,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->onerror		= curproxy->defsrv.onerror;
 			newsrv->onmarkeddown= curproxy->defsrv.onmarkeddown;
 			newsrv->onmarkedup  = curproxy->defsrv.onmarkedup;
+			if (curproxy->defsrv.trackit != NULL)
+newsrv->trackit = strdup(curproxy->defsrv.trackit);
 			newsrv->consecutive_errors_limit
 		= curproxy->defsrv.consecutive_errors_limit;
 			newsrv->uweight = newsrv->iweight
@@ -1669,19 +1690,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->slowstart = (val + 999) / 1000;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "track")) {
-
-if (!*args[cur_arg + 1]) {
-	Alert("parsing [%s:%d]: 'track' expects [/] as argument.\n",
-		file, linenum);
-	err_code |= ERR_ALERT | ERR_FATAL;
-	goto out;
-}
-
-newsrv->trackit = strdup(args[cur_arg + 1]);
-
-cur_arg += 2;
-			}
 			else if (!defsrv && !strcmp(args[cur_arg], "disabled")) {
 newsrv->admin |= SRV_ADMF_CMAINT;
 newsrv->admin |= SRV_ADMF_FMAINT;
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 72440786d18c7e6141bf655287ce3d0c90aafc08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 14 Mar 2017 14:32:17 +0100
Subject: [PATCH 17/31] BUG/MINOR: cfgparse: loop in tracked servers lists not
 detected by check_config_validity().
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

There is a silly case where a loop is not detected in tracked servers lists:
when a server tracks itself.

Ex:
   server srv1 127.0.0.1:8000 track srv1

Well, this never happens and this does not prevent haproxy from working.

But with this next following configuration:

   server srv1 127.0.0.1:8000 track srv2
   server srv2 127.0.0.1:8000 track srv2
   server srv3 127.0.0.1:8000 track srv2

the code in charge of detecting such loops never returns (without any error message).
haproxy becomes stuck in an infinite loop because of this statement found
in check_config_validity():

for (loop = srv->track; loop && loop != newsrv; loop = loop->track);

Again, such a configuration is never accidentally used I guess.
This latter example seems silly, but as several 'default-server' directives may be used
in the same proxy section, and as 'default-server' settings are not reset each time a
new 'default-server' line is created, it will match the following configuration, in the future,
when the 'track' setting is supported by 'default-server':

   default-server track srv3
   server srv1 127.0.0.1:8000
   server srv2 127.0.0.1:8000
   .
   .
   .
   default-server check
   server srv3 127.0.0.1:8000
---
 src/cfgparse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 2eb25ed..b03a821 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -8396,11 +8396,12 @@ out_uri_auth_compat:
 
 for (loop = srv->track; loop && loop != newsrv; loop = loop->track);
 
-if (loop) {
+if (newsrv == srv || loop) {
 	Alert("config : %s '%s', server '%s': unable to track %s/%s as it "
 	  "belongs to a tracking chain looping back to %s/%s.\n",
 	  proxy_type_str(curproxy), curproxy->id,
-	  newsrv->id, px->id, srv->id, px->id, loop->id);
+	  newsrv->id, px->id, srv->id, px->id,
+	  newsrv == srv ? srv->id : loop->id);
 	cfgerr++;
 	goto next_srv;
 }
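Review bot: the self-tracking test is evaluated only after the `for` walk has already run with srv == newsrv. It terminates today only because srv->track is still NULL at this point (it is assigned after the check), which is a fragile ordering. Test `newsrv == srv` before the loop and skip the walk entirely. The walk also has no upper bound, so any cycle that slips in through a not-yet-validated chain still hangs configuration parsing; bounding it by the number of servers turns that into a reported error instead of a hang.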
-- 
2.1.4
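
The loop detection described in the commit message above, as an added example that is not part of the patch or of HAProxy: a minimal stand-in for the tracked-server chain walked by check_config_validity(), with the self-tracking test performed before the walk and the walk bounded by the server count. The struct, the resolve_tracking() driver and the three sample configurations (the one from the commit message, a three-server cycle, and a plain chain) are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for HAProxy's struct server: only the two fields the
 * "track" resolution needs. */
struct server {
    const char *id;
    struct server *track;   /* server whose state this one mirrors, or NULL */
};

/* Report whether making 'newsrv' track 'srv' would close a cycle.
 * Mirrors the check_config_validity() walk from the patch, with two changes:
 * the self-tracking case is tested first so the walk is skipped, and the walk
 * is bounded by 'nservers' so a pre-existing cycle cannot hang the caller.
 * Returns 1 and sets *culprit when tracking must be refused, 0 otherwise. */
static int track_would_loop(struct server *newsrv, struct server *srv,
                            size_t nservers, const struct server **culprit)
{
    const struct server *loop;
    size_t steps = 0;

    if (newsrv == srv) {            /* "server srv2 ... track srv2" */
        *culprit = srv;
        return 1;
    }
    for (loop = srv->track; loop && loop != newsrv; loop = loop->track) {
        if (++steps > nservers) {   /* longer than the server count: cycle */
            *culprit = loop;
            return 1;
        }
    }
    if (loop) {                     /* walked back to newsrv: cycle */
        *culprit = loop;
        return 1;
    }
    return 0;
}

/* Apply tracking requests in configuration order, as check_config_validity()
 * does server by server: srvs[i] wants to track srvs[want[i]] (-1 = none).
 * A refused request leaves srvs[i].track unset, like the patch's goto next_srv.
 * Returns the number of refused requests. */
static int resolve_tracking(struct server *srvs, size_t n, const int *want)
{
    int rejected = 0;

    for (size_t i = 0; i < n; i++) {
        const struct server *culprit;

        if (want[i] < 0)
            continue;
        if (track_would_loop(&srvs[i], &srvs[want[i]], n, &culprit)) {
            printf("server '%s': unable to track %s as it belongs to a "
                   "tracking chain looping back to %s\n",
                   srvs[i].id, srvs[want[i]].id, culprit->id);
            rejected++;
            continue;
        }
        srvs[i].track = &srvs[want[i]];
    }
    return rejected;
}

/* Constructed sample: the configuration from the commit message.
 *   server srv1 track srv2 / server srv2 track srv2 / server srv3 track srv2
 * Without the self-tracking test, resolving srv3 never terminates. */
int sample_self_tracking(void)
{
    struct server s[3] = { {"srv1", NULL}, {"srv2", NULL}, {"srv3", NULL} };
    const int want[3] = { 1, 1, 1 };
    return resolve_tracking(s, 3, want);   /* 1: only srv2 is refused */
}

/* Constructed sample: a cycle closed by the last line, srv1->srv2->srv3->srv1. */
int sample_three_cycle(void)
{
    struct server s[3] = { {"srv1", NULL}, {"srv2", NULL}, {"srv3", NULL} };
    const int want[3] = { 1, 2, 0 };
    return resolve_tracking(s, 3, want);   /* 1: srv3 -> srv1 is refused */
}

/* Constructed sample: a plain chain srv1->srv2->srv3, nothing to refuse. */
int sample_linear_chain(void)
{
    struct server s[3] = { {"srv1", NULL}, {"srv2", NULL}, {"srv3", NULL} };
    const int want[3] = { 1, 2, -1 };
    return resolve_tracking(s, 3, want);   /* 0 */
}
```

In the commit message's configuration, srv1 is accepted because srv2 has no track pointer yet, srv2 is refused by the self-tracking test before any walk happens, and srv3 is then accepted because srv2's pointer was never set; that is why the order of the check relative to the assignment matters.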



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 174406c72eae257d07e2239a9aea6284a644017a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 14 Mar 2017 11:20:13 +0100
Subject: [PATCH 16/31] MINOR: server: Make 'default-server' support 'check'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Before this patch 'check' setting was only supported by 'server' directives.
This patch also makes 'default-server' directives support this setting.
A new 'no-check' keyword parser has been implemented to disable this setting both
in 'default-server' and 'server' directives.
Should not break anything.
---
 include/types/server.h |  1 +
 src/server.c   | 33 +
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/include/types/server.h b/include/types/server.h
index feede6d..c973d69 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -240,6 +240,7 @@ struct server {
 	int puid;/* proxy-unique server ID, used for SNMP, and "first" LB algo */
 	int tcp_ut; /* for TCP, user timeout */
 
+	int do_check;   /* temporary variable used during parsing to denote if health checks must be enabled */
 	struct check check; /* health-check specific configuration */
 	struct check agent; /* agent specific configuration */
 
diff --git a/src/server.c b/src/server.c
index 5819b75..87d2448 100644
--- a/src/server.c
+++ b/src/server.c
@@ -221,6 +221,14 @@ static int srv_parse_backup(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "check" server keyword */
+static int srv_parse_check(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->do_check = 1;
+	return 0;
+}
+
 /* Parse the "check-send-proxy" server keyword */
 static int srv_parse_check_send_proxy(char **args, int *cur_arg,
   struct proxy *curproxy, struct server *newsrv, char **err)
@@ -269,6 +277,16 @@ static int srv_parse_no_backup(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "no-check" server keyword */
+static int srv_parse_no_check(char **args, int *cur_arg,
+  struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	free_check(>check);
+	newsrv->check.state &= ~CHK_ST_CONFIGURED | ~CHK_ST_ENABLED;
+	newsrv->do_check = 0;
+	return 0;
+}
+
 /* Parse the "no-check-send-proxy" server keyword */
 static int srv_parse_no_check_send_proxy(char **args, int *cur_arg,
  struct proxy *curproxy, struct server *newsrv, char **err)
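Review bot: operator precedence bug in srv_parse_no_check: `newsrv->check.state &= ~CHK_ST_CONFIGURED | ~CHK_ST_ENABLED;` evaluates to `state &= ~(CHK_ST_CONFIGURED & CHK_ST_ENABLED)`, and since the two flags are distinct bits that mask is all ones, so nothing is cleared and `no-check` leaves a previously configured check enabled. Write `newsrv->check.state &= ~(CHK_ST_CONFIGURED | CHK_ST_ENABLED);`. It is also worth confirming that free_check() nulls the pointers it releases, since the check struct stays in use after this call.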
@@ -945,9 +963,11 @@ void srv_compute_all_admin_states(struct proxy *px)
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "backup",  srv_parse_backup,  0,  1 }, /* Flag as backup server */
+	{ "check",   srv_parse_check,   0,  1 }, /* enable health checks */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
+	{ "no-check",srv_parse_no_check,0,  1 }, /* disable health checks */
 	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
 	{ "no-send-proxy",   srv_parse_no_send_proxy,   0,  1 }, /* Disable use of PROXY V1 protocol */
 	{ "no-send-proxy-v2",srv_parse_no_send_proxy_v2,0,  1 }, /* Disable use of PROXY V2 protocol */
@@ -1110,7 +1130,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 
 	if (!strcmp(args[0], "server") || !strcmp(args[0], "default-server")) {  /* server address */
 		int cur_arg;
-		int do_agent = 0, do_check = 0, defsrv = (*args[0] == 'd');
+		int do_agent = 0, defsrv = (*args[0] == 'd');
 
 		if (!defsrv && curproxy == defproxy) {
 			Alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, linenum, args[0]);
@@ -1160,7 +1180,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			LIST_INIT(>priv_conns);
 			LIST_INIT(>idle_conns);
 			LIST_INIT(>safe_conns);
-			do_check = 0;
 			do_agent = 0;
 			newsrv->flags = 0;
 			newsrv->admin = 0;
@@ -1248,6 +1267,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->check.port	= curproxy->defsrv.check.port;
 			/* Note: 'flags' field has potentially been already initialized. */
 			newsrv->flags   |= curproxy->defsrv.flags;
+			newsrv->do_check= curproxy->defsrv.do_check;
 			if (newsrv->check.port)
 newsrv->flags |= SRV_F_CHECKPORT;
 			newsrv->check.inter	= curproxy->defsrv.check.inter;
@@ -1662,11 +1682,6 @@ int parse_server(const 

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From ffaf903ad7d5c7b9920e1e32ddc4f510365e8e5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Mon, 13 Mar 2017 15:52:01 +0100
Subject: [PATCH 15/31] MINOR: server: Make 'default-server' support
 'verifyhost' setting.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'verifyhost' setting.
Note: there was a little memory leak when several 'verifyhost' arguments were
supplied on the same 'server' line.
---
 src/server.c   | 2 ++
 src/ssl_sock.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index b69d1d1..5819b75 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1298,6 +1298,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 #if defined(USE_OPENSSL)
 			/* SSL config. */
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
+			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
+newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
 #endif
 
 			cur_arg = 3;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5285e24..34860fe 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6792,6 +6792,7 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
 		return ERR_ALERT | ERR_FATAL;
 	}
 
+	free(newsrv->ssl_ctx.verify_host);
 	newsrv->ssl_ctx.verify_host = strdup(args[*cur_arg + 1]);
 
 	return 0;
@@ -7518,7 +7519,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "tlsv12",  srv_parse_tlsv12,0, 1 }, /* enable TLSv12 */
 	{ "tls-tickets", srv_parse_tls_tickets,   0, 1 }, /* enable session resumption tickets */
 	{ "verify",  srv_parse_verify,1, 1 }, /* set SSL verify method */
-	{ "verifyhost",  srv_parse_verifyhost,1, 0 }, /* require that SSL cert verifies for hostname */
+	{ "verifyhost",  srv_parse_verifyhost,1, 1 }, /* require that SSL cert verifies for hostname */
 	{ NULL, NULL, 0, 0 },
 }};
 
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


>From 984c811ffcf50df6e400ff7e4f774d96e401924a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Mon, 13 Mar 2017 13:10:59 +0100
Subject: [PATCH 13/31] CLEANUP: server: code alignment.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Code alignment again.
---
 src/ssl_sock.c | 66 +-
 1 file changed, 33 insertions(+), 33 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 41b967e..802f0a0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7484,41 +7484,41 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-	{ "ca-file",   srv_parse_ca_file, 1, 0 }, /* set CAfile to process verify server cert */
-	{ "check-ssl", srv_parse_check_ssl,   0, 1 }, /* enable SSL for health checks */
-	{ "ciphers",   srv_parse_ciphers, 1, 0 }, /* select the cipher suite */
-	{ "crl-file",  srv_parse_crl_file,1, 0 }, /* set certificate revocation list file use on server cert verify */
-	{ "crt",   srv_parse_crt, 1, 0 }, /* set client certificate */
-	{ "force-sslv3",   srv_parse_force_sslv3, 0, 1 }, /* force SSLv3 */
-	{ "force-tlsv10",  srv_parse_force_tlsv10,0, 1 }, /* force TLSv10 */
-	{ "force-tlsv11",  srv_parse_force_tlsv11,0, 1 }, /* force TLSv11 */
-	{ "force-tlsv12",  srv_parse_force_tlsv12,0, 1 }, /* force TLSv12 */
-	{ "no-check-ssl",  srv_parse_no_check_ssl,0, 1 }, /* disable SSL for health checks */
-	{ "no-force-sslv3",srv_parse_no_force_sslv3,  0, 1 }, /* do not force SSLv3 */
-	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
-	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
-	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
+	{ "ca-file", srv_parse_ca_file,   1, 0 }, /* set CAfile to process verify server cert */
+	{ "check-ssl",   srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
+	{ "ciphers", srv_parse_ciphers,   1, 0 }, /* select the cipher suite */
+	{ "crl-file",srv_parse_crl_file,  1, 0 }, /* set certificate revocation list file use on server cert verify */
+	{ "crt", srv_parse_crt,   1, 0 }, /* set client certificate */
+	{ "force-sslv3", srv_parse_force_sslv3,   0, 1 }, /* force SSLv3 */
+	{ "force-tlsv10",srv_parse_force_tlsv10,  0, 1 }, /* force TLSv10 */
+	{ "force-tlsv11",srv_parse_force_tlsv11,  0, 1 }, /* force TLSv11 */
+	{ "force-tlsv12",srv_parse_force_tlsv12,  0, 1 }, /* force TLSv12 */
+	{ "no-check-ssl",srv_parse_no_check_ssl,  0, 1 }, /* disable SSL for health checks */
+	{ "no-force-sslv3",  srv_parse_no_force_sslv3,0, 1 }, /* do not force SSLv3 */
+	{ "no-force-tlsv10", srv_parse_no_force_tlsv10,   0, 1 }, /* do not force TLSv10 */
+	{ "no-force-tlsv11", srv_parse_no_force_tlsv11,   0, 1 }, /* do not force TLSv11 */
+	{ "no-force-tlsv12", srv_parse_no_force_tlsv12,   0, 1 }, /* do not force TLSv12 */
 	{ "no-send-proxy-v2-ssl",srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
 	{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn,  0, 1 }, /* do not send PROXY protocol header v2 with CN */
-	{ "no-ssl",srv_parse_no_ssl,  0, 1 }, /* disable SSL processing */
-	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 1 }, /* disable session reuse */
-	{ "no-sslv3",  srv_parse_no_sslv3,0, 1 }, /* disable SSLv3 */
-	{ "no-tlsv10", srv_parse_no_tlsv10,   0, 1 }, /* disable TLSv10 */
-	{ "no-tlsv11", srv_parse_no_tlsv11,   0, 1 }, /* disable TLSv11 */
-	{ "no-tlsv12", srv_parse_no_tlsv12,   0, 1 }, /* disable TLSv12 */
-	{ "no-tls-tickets",srv_parse_no_tls_tickets,  0, 1 }, /* disable session resumption tickets */
-	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 1 }, /* send PROXY protocol header v2 with SSL info */
-	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 1 }, /* send PROXY protocol header v2 with CN */
-	{ "sni",   srv_parse_sni, 1, 0 }, /* send SNI extension */
-	{ "ssl",   srv_parse_ssl, 0, 1 }, /* enable SSL processing */
-	{ "ssl-reuse", srv_parse_ssl_reuse,   0, 1 }, /* enable session reuse */
-	{ "sslv3", srv_parse_sslv3,   0, 1 }, /* enable SSLv3 */
-	{ "tlsv10",srv_parse_tlsv10,  0, 1 }, /* enable TLSv10 */
-	{ "tlsv11",   

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 39d6ba95c1c1cf2b33d916c15c40f8d6f223e60b Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 13:41:16 +0100
Subject: [PATCH 14/31] MINOR: server: Make 'default-server' support 'verify'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'verify' keyword.
---
 src/server.c   | 4 
 src/ssl_sock.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index ddb2842..b69d1d1 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1295,6 +1295,10 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->dns_opts.pref_net_nb = curproxy->defsrv.dns_opts.pref_net_nb;
 			newsrv->init_addr_methods = curproxy->defsrv.init_addr_methods;
 			newsrv->init_addr = curproxy->defsrv.init_addr;
+#if defined(USE_OPENSSL)
+			/* SSL config. */
+			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
+#endif
 
 			cur_arg = 3;
 		} else {
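Review bot: the new USE_OPENSSL block inherits only ssl_ctx.verify, while the CA material that "verify required" depends on (ca-file, crl-file) still carries default-server support 0 in the SSL keyword table, so a server line that inherits "verify required" from default-server still has to repeat its own ca-file. Either inherit ssl_ctx.ca_file and ssl_ctx.crl_file in the same block, or state in the commit message that per-server ca-file remains mandatory with an inherited verify.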
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 802f0a0..5285e24 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7517,7 +7517,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "tlsv11",  srv_parse_tlsv11,0, 1 }, /* enable TLSv11 */
 	{ "tlsv12",  srv_parse_tlsv12,0, 1 }, /* enable TLSv12 */
 	{ "tls-tickets", srv_parse_tls_tickets,   0, 1 }, /* enable session resumption tickets */
-	{ "verify",  srv_parse_verify,1, 0 }, /* set SSL verify method */
+	{ "verify",  srv_parse_verify,1, 1 }, /* set SSL verify method */
 	{ "verifyhost",  srv_parse_verifyhost,1, 0 }, /* require that SSL cert verifies for hostname */
 	{ NULL, NULL, 0, 0 },
 }};
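Review bot: flipping the last column of the "verify" entry from 0 to 1 changes user-visible behaviour but the diffstat shows no documentation change; doc/configuration.txt records for each server keyword whether it may be used in default-server, and that entry (and the ones for the other keywords this series promotes) should be updated in the same commits so the docs and the table never disagree.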
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 70b9d6c0246b1c3e28ded68f1617497aed1dd2d0 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 12:08:01 +0100
Subject: [PATCH 12/31] MINOR: server: Make 'default-server' support
 'send-proxy-v2-ssl*' keywords.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'send-proxy-v2-ssl'
(resp. 'send-proxy-v2-ssl-cn') setting.
A new keyword 'no-send-proxy-v2-ssl' (resp. 'no-send-proxy-v2-ssl-cn') has been
added to disable 'send-proxy-v2-ssl' (resp. 'send-proxy-v2-ssl-cn') setting both
in 'server' and 'default-server' directives.
---
 src/ssl_sock.c | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3d1e444..41b967e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6588,6 +6588,23 @@ static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px
 #endif
 }
 
+/* parse the "no-send-proxy-v2-ssl" server keyword */
+static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->pp_opts &= ~SRV_PP_V2;
+	newsrv->pp_opts &= ~SRV_PP_V2_SSL;
+	return 0;
+}
+
+/* parse the "no-send-proxy-v2-ssl-cn" server keyword */
+static int srv_parse_no_send_proxy_cn(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->pp_opts &= ~SRV_PP_V2;
+	newsrv->pp_opts &= ~SRV_PP_V2_SSL;
+	newsrv->pp_opts &= ~SRV_PP_V2_SSL_CN;
+	return 0;
+}
+
 /* parse the "no-ssl" server keyword */
 static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
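Review bot: srv_parse_no_send_proxy_ssl clears SRV_PP_V2 and SRV_PP_V2_SSL but leaves SRV_PP_V2_SSL_CN set, so "send-proxy-v2-ssl-cn" followed by "no-send-proxy-v2-ssl" keeps the CN bit without the SSL bit it refines; clearing SRV_PP_V2_SSL_CN here as well (as srv_parse_no_send_proxy_cn already does) keeps pp_opts consistent. Also note that both functions clear SRV_PP_V2, so either keyword also cancels a plain "send-proxy-v2"; that is reasonable but the commit message should say so.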
@@ -7481,6 +7498,8 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
 	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
 	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
+	{ "no-send-proxy-v2-ssl",srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
+	{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn,  0, 1 }, /* do not send PROXY protocol header v2 with CN */
 	{ "no-ssl",srv_parse_no_ssl,  0, 1 }, /* disable SSL processing */
 	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 1 }, /* disable session reuse */
 	{ "no-sslv3",  srv_parse_no_sslv3,0, 1 }, /* disable SSLv3 */
@@ -7488,8 +7507,8 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-tlsv11", srv_parse_no_tlsv11,   0, 1 }, /* disable TLSv11 */
 	{ "no-tlsv12", srv_parse_no_tlsv12,   0, 1 }, /* disable TLSv12 */
 	{ "no-tls-tickets",srv_parse_no_tls_tickets,  0, 1 }, /* disable session resumption tickets */
-	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 0 }, /* send PROXY protocol header v2 with SSL info */
-	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 0 }, /* send PROXY protocol header v2 with CN */
+	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 1 }, /* send PROXY protocol header v2 with SSL info */
+	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 1 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",   srv_parse_sni, 1, 0 }, /* send SNI extension */
 	{ "ssl",   srv_parse_ssl, 0, 1 }, /* enable SSL processing */
 	{ "ssl-reuse", srv_parse_ssl_reuse,   0, 1 }, /* enable session reuse */
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From e6118524a2aaee921971a6be9020b75775507b52 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 11:54:17 +0100
Subject: [PATCH 11/31] MINOR: server: Make 'default-server' support 'ssl'
 keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'ssl' setting.
A new keyword 'no-ssl' has been added to disable this setting both
in 'server' and 'default-server' directives.
---
 src/ssl_sock.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2066e30..3d1e444 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6588,6 +6588,15 @@ static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px
 #endif
 }
 
+/* parse the "no-ssl" server keyword */
+static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->use_ssl = 0;
+	free(newsrv->ssl_ctx.ciphers);
+	newsrv->ssl_ctx.ciphers = NULL;
+	return 0;
+}
+
 /* parse the "no-ssl-reuse" server keyword */
 static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
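Review bot: srv_parse_no_ssl frees ssl_ctx.ciphers unconditionally, so an explicit "ciphers" given before "no-ssl" on the same line is discarded along with the defaults that "ssl" installs, and the SSL options that "ssl" applies from the global defaults are not reset at all; the later srv_parse_no_check_ssl (patch 07) also clears global_ssl.connect_default_ssloptions from ssl_ctx.options, and this function should mirror that so "no-ssl" is the exact inverse of "ssl". NULLing the pointer after free() is correct and avoids a double free if both keywords appear.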
@@ -7472,6 +7481,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
 	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
 	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
+	{ "no-ssl",srv_parse_no_ssl,  0, 1 }, /* disable SSL processing */
 	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 1 }, /* disable session reuse */
 	{ "no-sslv3",  srv_parse_no_sslv3,0, 1 }, /* disable SSLv3 */
 	{ "no-tlsv10", srv_parse_no_tlsv10,   0, 1 }, /* disable TLSv10 */
@@ -7481,7 +7491,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 0 }, /* send PROXY protocol header v2 with SSL info */
 	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 0 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",   srv_parse_sni, 1, 0 }, /* send SNI extension */
-	{ "ssl",   srv_parse_ssl, 0, 0 }, /* enable SSL processing */
+	{ "ssl",   srv_parse_ssl, 0, 1 }, /* enable SSL processing */
 	{ "ssl-reuse", srv_parse_ssl_reuse,   0, 1 }, /* enable session reuse */
 	{ "sslv3", srv_parse_sslv3,   0, 1 }, /* enable SSLv3 */
 	{ "tlsv10",srv_parse_tlsv10,  0, 1 }, /* enable TLSv10 */
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 1e0bb327696daf9f2b39beff1f981767fd047cc0 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 11:32:20 +0100
Subject: [PATCH 10/31] MINOR: server: Make 'default-server' support 'no-ssl*'
 and 'no-tlsv*' keywords.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'no-sslv3' (resp. 'no-ssl-reuse',
'no-tlsv10', 'no-tlsv11', 'no-tlsv12', and 'no-tls-tickets') setting.
New keywords 'sslv3' (resp. 'ssl-reuse', 'tlsv10', 'tlsv11', 'tlsv12', and
'tls-no-tickets') have been added to disable these settings both in 'server' and
'default-server' directives.
---
 src/ssl_sock.c | 60 --
 1 file changed, 54 insertions(+), 6 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2e7ae4b..2066e30 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6692,6 +6692,48 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
 	return 0;
 }
 
+/* parse the "ssl-reuse" server keyword */
+static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_REUSE;
+	return 0;
+}
+
+/* parse the "sslv3" server keyword */
+static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
+	return 0;
+}
+
+/* parse the "tlsv10" server keyword */
+static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
+	return 0;
+}
+
+/* parse the "tlsv11" server keyword */
+static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
+	return 0;
+}
+
+/* parse the "tlsv12" server keyword */
+static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
+	return 0;
+}
+
+/* parse the "tls-tickets" server keyword */
+static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLS_TICKETS;
+	return 0;
+}
+
 /* parse the "verify" server keyword */
 static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
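Review bot: the commit message names the new keyword 'tls-no-tickets', but the function added here is srv_parse_tls_tickets and the table entry below registers "tls-tickets"; fix the message. On naming: each of these functions only clears a SRV_SSL_O_NO_* bit, so "sslv3" re-enables a protocol version that a default-server "no-sslv3" disabled rather than forcing it, which the keyword name does not convey; the doc entry should say plainly that it cancels no-sslv3 and nothing more, so that nobody reads it as a hardening setting.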
@@ -7430,16 +7472,22 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
 	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
 	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
-	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 0 }, /* disable session reuse */
-	{ "no-sslv3",  srv_parse_no_sslv3,0, 0 }, /* disable SSLv3 */
-	{ "no-tlsv10", srv_parse_no_tlsv10,   0, 0 }, /* disable TLSv10 */
-	{ "no-tlsv11", srv_parse_no_tlsv11,   0, 0 }, /* disable TLSv11 */
-	{ "no-tlsv12", srv_parse_no_tlsv12,   0, 0 }, /* disable TLSv12 */
-	{ "no-tls-tickets",srv_parse_no_tls_tickets,  0, 0 }, /* disable session resumption tickets */
+	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 1 }, /* disable session reuse */
+	{ "no-sslv3",  srv_parse_no_sslv3,0, 1 }, /* disable SSLv3 */
+	{ "no-tlsv10", srv_parse_no_tlsv10,   0, 1 }, /* disable TLSv10 */
+	{ "no-tlsv11", srv_parse_no_tlsv11,   0, 1 }, /* disable TLSv11 */
+	{ "no-tlsv12", srv_parse_no_tlsv12,   0, 1 }, /* disable TLSv12 */
+	{ "no-tls-tickets",srv_parse_no_tls_tickets,  0, 1 }, /* disable session resumption tickets */
 	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 0 }, /* send PROXY protocol header v2 with SSL info */
 	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 0 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",   srv_parse_sni, 1, 0 }, /* send SNI extension */
 	{ "ssl",   srv_parse_ssl, 0, 0 }, /* enable SSL processing */
+	{ "ssl-reuse", srv_parse_ssl_reuse,   0, 1 }, /* enable session reuse */
+	{ "sslv3", srv_parse_sslv3,   0, 1 }, /* enable SSLv3 */
+	{ "tlsv10",srv_parse_tlsv10,  0, 1 }, /* enable TLSv10 */
+	{ "tlsv11",srv_parse_tlsv11,  0, 1 }, /* enable TLSv11 */
+	{ "tlsv12",srv_parse_tlsv12,  0, 1 }, /* enable TLSv12 */
+	{ "tls-tickets",   srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
 	{ "verify",srv_parse_verify,  1, 0 }, /* set 

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From bed0db831d2cd504f3d66df21fd53c92dc4be52a Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 11:02:01 +0100
Subject: [PATCH 09/31] CLEANUP: server: code alignment.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

Code alignment.
---
 src/ssl_sock.c | 44 ++--
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 925d0a5..2e7ae4b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7416,32 +7416,32 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-	{ "ca-file",   srv_parse_ca_file,1, 0 }, /* set CAfile to process verify server cert */
-	{ "check-ssl", srv_parse_check_ssl,  0, 1 }, /* enable SSL for health checks */
-	{ "ciphers",   srv_parse_ciphers,1, 0 }, /* select the cipher suite */
-	{ "crl-file",  srv_parse_crl_file,   1, 0 }, /* set certificate revocation list file use on server cert verify */
-	{ "crt",   srv_parse_crt,1, 0 }, /* set client certificate */
-	{ "force-sslv3",   srv_parse_force_sslv3,0, 1 }, /* force SSLv3 */
-	{ "force-tlsv10",  srv_parse_force_tlsv10,   0, 1 }, /* force TLSv10 */
-	{ "force-tlsv11",  srv_parse_force_tlsv11,   0, 1 }, /* force TLSv11 */
-	{ "force-tlsv12",  srv_parse_force_tlsv12,   0, 1 }, /* force TLSv12 */
-	{ "no-check-ssl",  srv_parse_no_check_ssl,   0, 1 }, /* disable SSL for health checks */
+	{ "ca-file",   srv_parse_ca_file, 1, 0 }, /* set CAfile to process verify server cert */
+	{ "check-ssl", srv_parse_check_ssl,   0, 1 }, /* enable SSL for health checks */
+	{ "ciphers",   srv_parse_ciphers, 1, 0 }, /* select the cipher suite */
+	{ "crl-file",  srv_parse_crl_file,1, 0 }, /* set certificate revocation list file use on server cert verify */
+	{ "crt",   srv_parse_crt, 1, 0 }, /* set client certificate */
+	{ "force-sslv3",   srv_parse_force_sslv3, 0, 1 }, /* force SSLv3 */
+	{ "force-tlsv10",  srv_parse_force_tlsv10,0, 1 }, /* force TLSv10 */
+	{ "force-tlsv11",  srv_parse_force_tlsv11,0, 1 }, /* force TLSv11 */
+	{ "force-tlsv12",  srv_parse_force_tlsv12,0, 1 }, /* force TLSv12 */
+	{ "no-check-ssl",  srv_parse_no_check_ssl,0, 1 }, /* disable SSL for health checks */
 	{ "no-force-sslv3",srv_parse_no_force_sslv3,  0, 1 }, /* do not force SSLv3 */
 	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
 	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
 	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
-	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,   0, 0 }, /* disable session reuse */
-	{ "no-sslv3",  srv_parse_no_sslv3,   0, 0 }, /* disable SSLv3 */
-	{ "no-tlsv10", srv_parse_no_tlsv10,  0, 0 }, /* disable TLSv10 */
-	{ "no-tlsv11", srv_parse_no_tlsv11,  0, 0 }, /* disable TLSv11 */
-	{ "no-tlsv12", srv_parse_no_tlsv12,  0, 0 }, /* disable TLSv12 */
-	{ "no-tls-tickets",srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
-	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 0 }, /* send PROXY protocol header v2 with SSL info */
-	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,  0, 0 }, /* send PROXY protocol header v2 with CN */
-	{ "sni",   srv_parse_sni,1, 0 }, /* send SNI extension */
-	{ "ssl",   srv_parse_ssl,0, 0 }, /* enable SSL processing */
-	{ "verify",srv_parse_verify, 1, 0 }, /* set SSL verify method */
-	{ "verifyhost",srv_parse_verifyhost, 1, 0 }, /* require that SSL cert verifies for hostname */
+	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,0, 0 }, /* disable session reuse */
+	{ "no-sslv3",  srv_parse_no_sslv3,0, 0 }, /* disable SSLv3 */
+	{ "no-tlsv10", srv_parse_no_tlsv10,   0, 0 }, /* disable TLSv10 */
+	{ "no-tlsv11", srv_parse_no_tlsv11,   0, 0 }, /* disable TLSv11 */
+	{ "no-tlsv12", srv_parse_no_tlsv12,   0, 0 }, /* disable TLSv12 */
+	{ "no-tls-tickets",srv_parse_no_tls_tickets,  0, 0 }, /* disable session resumption tickets */
+	{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl,  0, 0 }, /* send PROXY protocol header v2 with SSL info */
+	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 0 }, /* send PROXY protocol header v2 with CN */
+	{ "sni",   srv_parse_sni, 1, 0 }, /* send SNI extension */
+	{ "ssl", 

Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 94220ddfed21228e15f09dd73a5357f0245c13ed Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 10:54:52 +0100
Subject: [PATCH 08/31] MINOR: server: Make 'default-server' support
 'force-sslv3' and 'force-tlsv1[0-2]' keywords.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'force-sslv3'
and 'force-tlsv1[0-2]' settings.
New keywords 'no-force-sslv3' (resp. 'no-tlsv1[0-2]') have been added
to disable 'force-sslv3' (resp. 'force-tlsv1[0-2]') setting both in 'server' and
'default-server' directives.
---
 src/ssl_sock.c | 58 ++
 1 file changed, 54 insertions(+), 4 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ff3f6c6..925d0a5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6542,6 +6542,52 @@ static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, s
 	return 0;
 }
 
+/* parse the "no-force-sslv3" server keyword */
+static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#ifndef OPENSSL_NO_SSL3
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3;
+	return 0;
+#else
+	if (err)
+		memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "no-force-tlsv10" server keyword */
+static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10;
+	return 0;
+}
+
+/* parse the "no-force-tlsv11" server keyword */
+static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#if SSL_OP_NO_TLSv1_1
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11;
+	return 0;
+#else
+	if (err)
+		memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "no-force-tlsv12" server keyword */
+static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#if SSL_OP_NO_TLSv1_2
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12;
+	return 0;
+#else
+	if (err)
+		memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
 /* parse the "no-ssl-reuse" server keyword */
 static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
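Review bot: srv_parse_no_force_sslv3 returns ERR_ALERT | ERR_FATAL when the library is built without SSLv3 (same for the TLSv1.1 and TLSv1.2 variants), yet the keyword only cancels a force-sslv3 that such a build would already have rejected; on an SSLv3-less build "no-force-sslv3" asks for the state the build is already in and could simply return 0. As written, a configuration shared across builds fails to load on the hardened one exactly where it is most conservative. srv_parse_no_force_tlsv10 has no guard at all, which is inconsistent with its siblings.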
@@ -7375,11 +7421,15 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ciphers",   srv_parse_ciphers,1, 0 }, /* select the cipher suite */
 	{ "crl-file",  srv_parse_crl_file,   1, 0 }, /* set certificate revocation list file use on server cert verify */
 	{ "crt",   srv_parse_crt,1, 0 }, /* set client certificate */
-	{ "force-sslv3",   srv_parse_force_sslv3,0, 0 }, /* force SSLv3 */
-	{ "force-tlsv10",  srv_parse_force_tlsv10,   0, 0 }, /* force TLSv10 */
-	{ "force-tlsv11",  srv_parse_force_tlsv11,   0, 0 }, /* force TLSv11 */
-	{ "force-tlsv12",  srv_parse_force_tlsv12,   0, 0 }, /* force TLSv12 */
+	{ "force-sslv3",   srv_parse_force_sslv3,0, 1 }, /* force SSLv3 */
+	{ "force-tlsv10",  srv_parse_force_tlsv10,   0, 1 }, /* force TLSv10 */
+	{ "force-tlsv11",  srv_parse_force_tlsv11,   0, 1 }, /* force TLSv11 */
+	{ "force-tlsv12",  srv_parse_force_tlsv12,   0, 1 }, /* force TLSv12 */
 	{ "no-check-ssl",  srv_parse_no_check_ssl,   0, 1 }, /* disable SSL for health checks */
+	{ "no-force-sslv3",srv_parse_no_force_sslv3,  0, 1 }, /* do not force SSLv3 */
+	{ "no-force-tlsv10",   srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
+	{ "no-force-tlsv11",   srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
+	{ "no-force-tlsv12",   srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
 	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,   0, 0 }, /* disable session reuse */
 	{ "no-sslv3",  srv_parse_no_sslv3,   0, 0 }, /* disable SSLv3 */
 	{ "no-tlsv10", srv_parse_no_tlsv10,  0, 0 }, /* disable TLSv10 */
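Review bot: the commit message describes the new keywords as 'no-tlsv1[0-2]', but the entries added here are "no-force-tlsv10" through "no-force-tlsv12"; 'no-tlsv10' already exists with a different meaning (it disables TLSv1.0, while no-force-tlsv10 only cancels force-tlsv10), so the message should use the real names to avoid confusing anyone reading the log.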
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 17f461d5878f902e34a113d462218a661c747d4c Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 10:38:04 +0100
Subject: [PATCH 07/31] MINOR: server: Make 'default-server' support
 'check-ssl' keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'check-ssl' setting
to enable SSL for health checks.
A new keyword 'no-check-ssl' has been added to disable this setting both in
'server' and 'default-server' directives.
---
 src/ssl_sock.c | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1e63c57..ff3f6c6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6532,6 +6532,16 @@ static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, s
 #endif
 }
 
+/* parse the "no-check-ssl" server keyword */
+static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->check.use_ssl = 0;
+	free(newsrv->ssl_ctx.ciphers);
+	newsrv->ssl_ctx.ciphers = NULL;
+	newsrv->ssl_ctx.options &= ~global_ssl.connect_default_ssloptions;
+	return 0;
+}
+
 /* parse the "no-ssl-reuse" server keyword */
 static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
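Review bot: srv_parse_no_check_ssl resets ssl_ctx.ciphers and ssl_ctx.options, but ssl_ctx is the single SSL context shared by the server's data connections (use_ssl) and its health checks (check.use_ssl), so "default-server ssl ciphers X check-ssl" followed by "server s1 ... no-check-ssl" also strips the cipher list and the global default options from the data connection that is still "ssl". The function should only touch check.use_ssl, or restore the cipher/option state only when use_ssl is 0.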
@@ -7361,7 +7371,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file",   srv_parse_ca_file,1, 0 }, /* set CAfile to process verify server cert */
-	{ "check-ssl", srv_parse_check_ssl,  0, 0 }, /* enable SSL for health checks */
+	{ "check-ssl", srv_parse_check_ssl,  0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",   srv_parse_ciphers,1, 0 }, /* select the cipher suite */
 	{ "crl-file",  srv_parse_crl_file,   1, 0 }, /* set certificate revocation list file use on server cert verify */
 	{ "crt",   srv_parse_crt,1, 0 }, /* set client certificate */
@@ -7369,6 +7379,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "force-tlsv10",  srv_parse_force_tlsv10,   0, 0 }, /* force TLSv10 */
 	{ "force-tlsv11",  srv_parse_force_tlsv11,   0, 0 }, /* force TLSv11 */
 	{ "force-tlsv12",  srv_parse_force_tlsv12,   0, 0 }, /* force TLSv12 */
+	{ "no-check-ssl",  srv_parse_no_check_ssl,   0, 1 }, /* disable SSL for health checks */
 	{ "no-ssl-reuse",  srv_parse_no_ssl_reuse,   0, 0 }, /* disable session reuse */
 	{ "no-sslv3",  srv_parse_no_sslv3,   0, 0 }, /* disable SSLv3 */
 	{ "no-tlsv10", srv_parse_no_tlsv10,  0, 0 }, /* disable TLSv10 */
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From bd77e21eab9aa777962ae94ce7dbff2224b1b295 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 10 Mar 2017 16:40:00 +0100
Subject: [PATCH 06/31] MINOR: server: Make 'default-server' support
 'send-proxy' and 'send-proxy-v2' keywords.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'send-proxy'
(resp. 'send-proxy-v2') setting.
A new keyword 'no-send-proxy' (resp. 'no-send-proxy-v2') has been added
to disable 'send-proxy' (resp. 'send-proxy-v2') setting both in 'server' and
'default-server' directives.
---
 src/server.c | 55 +++
 1 file changed, 47 insertions(+), 8 deletions(-)

diff --git a/src/server.c b/src/server.c
index c5a4d31..ddb2842 100644
--- a/src/server.c
+++ b/src/server.c
@@ -277,6 +277,27 @@ static int srv_parse_no_check_send_proxy(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Disable server PROXY protocol flags. */
+static int inline srv_disable_pp_flags(struct server *srv, unsigned int flags)
+{
+	srv->pp_opts &= ~flags;
+	return 0;
+}
+
+/* Parse the "no-send-proxy" server keyword */
+static int srv_parse_no_send_proxy(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	return srv_disable_pp_flags(newsrv, SRV_PP_V1);
+}
+
+/* Parse the "no-send-proxy-v2" server keyword */
+static int srv_parse_no_send_proxy_v2(char **args, int *cur_arg,
+  struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	return srv_disable_pp_flags(newsrv, SRV_PP_V2);
+}
+
 /* Parse the "non-stick" server keyword */
 static int srv_parse_non_stick(char **args, int *cur_arg,
struct proxy *curproxy, struct server *newsrv, char **err)
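Review bot: srv_parse_no_send_proxy_v2 clears only SRV_PP_V2 and leaves SRV_PP_V2_SSL / SRV_PP_V2_SSL_CN set, so a server that inherited "send-proxy-v2-ssl-cn" and then says "no-send-proxy-v2" keeps stale sub-flags in pp_opts; clearing the whole v2 family here would make the keyword a clean inverse. Style: `static int inline` should be `static inline int`, the order used elsewhere in the tree.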
@@ -285,6 +306,27 @@ static int srv_parse_non_stick(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Enable server PROXY protocol flags. */
+static int inline srv_enable_pp_flags(struct server *srv, unsigned int flags)
+{
+	srv->pp_opts |= flags;
+	return 0;
+}
+
+/* Parse the "send-proxy" server keyword */
+static int srv_parse_send_proxy(char **args, int *cur_arg,
+struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	return srv_enable_pp_flags(newsrv, SRV_PP_V1);
+}
+
+/* Parse the "send-proxy-v2" server keyword */
+static int srv_parse_send_proxy_v2(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	return srv_enable_pp_flags(newsrv, SRV_PP_V2);
+}
+
 /* Parse the "stick" server keyword */
 static int srv_parse_stick(char **args, int *cur_arg,
struct proxy *curproxy, struct server *newsrv, char **err)
@@ -907,7 +949,11 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
+	{ "no-send-proxy",   srv_parse_no_send_proxy,   0,  1 }, /* Disable use of PROXY V1 protocol */
+	{ "no-send-proxy-v2",srv_parse_no_send_proxy_v2,0,  1 }, /* Disable use of PROXY V2 protocol */
 	{ "non-stick",   srv_parse_non_stick,   0,  1 }, /* Disable stick-table persistence */
+	{ "send-proxy",  srv_parse_send_proxy,  0,  1 }, /* Enforce use of PROXY V1 protocol */
+	{ "send-proxy-v2",   srv_parse_send_proxy_v2,   0,  1 }, /* Enforce use of PROXY V2 protocol */
 	{ "stick",   srv_parse_stick,   0,  1 }, /* Enable stick-table persistence */
 	{ NULL, NULL, 0 },
 }};
@@ -1196,6 +1242,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 goto out;
 			}
 
+			newsrv->pp_opts		= curproxy->defsrv.pp_opts;
 			newsrv->use_ssl		= curproxy->defsrv.use_ssl;
 			newsrv->check.use_ssl	= curproxy->defsrv.check.use_ssl;
 			newsrv->check.port	= curproxy->defsrv.check.port;
@@ -1560,14 +1607,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->flags |= SRV_F_CHECKPORT;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "send-proxy")) {
-newsrv->pp_opts |= SRV_PP_V1;
-cur_arg ++;
-			}
-			else if (!defsrv && !strcmp(args[cur_arg], "send-proxy-v2")) {
-newsrv->pp_opts |= SRV_PP_V2;
-cur_arg ++;
-			}
 			else if (!strcmp(args[cur_arg], "weight")) {
 int w;
 w = atol(args[cur_arg + 1]);
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From 83766d4697f3af4626506a6af8b186028b565fe8 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 10 Mar 2017 15:50:49 +0100
Subject: [PATCH 05/31] MINOR: server: Make 'default-server' support
 'non-stick' keyword.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.00, version=1.2.4

This patch makes 'default-server' directive support 'non-stick' setting.
A new keyword 'stick' has been added so as to disable
'non-stick' setting both in 'server' and 'default-server' directives.
---
 src/server.c | 22 ++
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/server.c b/src/server.c
index 09f196b..c5a4d31 100644
--- a/src/server.c
+++ b/src/server.c
@@ -277,6 +277,22 @@ static int srv_parse_no_check_send_proxy(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "non-stick" server keyword */
+static int srv_parse_non_stick(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->flags |= SRV_F_NON_STICK;
+	return 0;
+}
+
+/* Parse the "stick" server keyword */
+static int srv_parse_stick(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->flags &= ~SRV_F_NON_STICK;
+	return 0;
+}
+
 /* Shutdown all connections of a server. The caller must pass a termination
  * code in , which must be one of SF_ERR_* indicating the reason for the
  * shutdown.
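Review bot: srv_parse_stick() only clears SRV_F_NON_STICK, but its comment says no more than "Parse the "stick" server keyword"; since "stick" exists solely to cancel a "non-stick" inherited from "default-server" (or given earlier on the same line), say so in the comment, e.g. `/* Parse the "stick" server keyword: cancel "non-stick" */`, so nobody expects it to enable something that is on by default anyway. Minor: the existing `/* parse the "id" server keyword */` in this file uses a lowercase "parse".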
@@ -891,6 +907,8 @@ static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
 	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
+	{ "non-stick",   srv_parse_non_stick,   0,  1 }, /* Disable stick-table persistence */
+	{ "stick",   srv_parse_stick,   0,  1 }, /* Enable stick-table persistence */
 	{ NULL, NULL, 0 },
 }};
 
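Review bot: "stick" as the negation of "non-stick" breaks the "no-<keyword>" convention used by "no-backup" and "no-check-send-proxy" in this series; "no-non-stick" would be worse, so the choice is defensible, but the table comment "Enable stick-table persistence" reads as if persistence were otherwise off. Reword it to something like "Cancel non-stick (re-enable stick-table persistence)" and document "stick" as a reset keyword only.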
@@ -1542,10 +1560,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->flags |= SRV_F_CHECKPORT;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "non-stick")) {
-newsrv->flags |= SRV_F_NON_STICK;
-cur_arg ++;
-			}
 			else if (!defsrv && !strcmp(args[cur_arg], "send-proxy")) {
 newsrv->pp_opts |= SRV_PP_V1;
 cur_arg ++;
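Review bot: the removed branch was guarded by `!defsrv`, so "non-stick" on a "default-server" line used to be silently unhandled there; after this change it reaches the default server and is inherited through the `newsrv->flags |= curproxy->defsrv.flags;` copy added in patch 02, which is why no per-field copy appears in this patch. A sentence in the commit message pointing at that dependency would save the reader a search.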
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From c39ce3eba31d37c2e790426c8127d131d6ec9072 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 10 Mar 2017 15:36:14 +0100
Subject: [PATCH 04/31] CLEANUP: server: code alignment.

Code alignment.
---
 src/server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/server.c b/src/server.c
index 796ff51..09f196b 100644
--- a/src/server.c
+++ b/src/server.c
@@ -886,10 +886,10 @@ void srv_compute_all_admin_states(struct proxy *px)
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
-	{ "backup",   srv_parse_backup,   0,  1 }, /* Flag as backup server */
+	{ "backup",  srv_parse_backup,  0,  1 }, /* Flag as backup server */
 	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
-	{ "id",   srv_parse_id,   1,  0 }, /* set id# of server */
-	{ "no-backup",srv_parse_no_backup,0,  1 }, /* Flag as non-backup server */
+	{ "id",  srv_parse_id,  1,  0 }, /* set id# of server */
+	{ "no-backup",   srv_parse_no_backup,   0,  1 }, /* Flag as non-backup server */
 	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
 	{ NULL, NULL, 0 },
 }};
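Review bot: the unchanged "no-check-send-proxy" row in this hunk still carries the comment typo "protol" (for "protocol") introduced by patch 03; a CLEANUP patch that already touches the rows around it is the natural place to fix it, or better, fix it in patch 03 and fold the realignment into that patch so the series does not need a separate whitespace-only commit.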
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From a7f6425b24e7855259b6b858e8a322fde0d2bd39 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 10 Mar 2017 14:04:31 +0100
Subject: [PATCH 03/31] MINOR: server: Make 'default-server' support
 'check-send-proxy' keyword.

This patch makes the 'default-server' directive support the 'check-send-proxy' setting.
A new keyword 'no-check-send-proxy' has been added so as to disable the
'check-send-proxy' setting both in 'server' and 'default-server' directives.
---
 src/server.c | 23 +++
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/server.c b/src/server.c
index 2b0a5da..796ff51 100644
--- a/src/server.c
+++ b/src/server.c
@@ -221,6 +221,14 @@ static int srv_parse_backup(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "check-send-proxy" server keyword */
+static int srv_parse_check_send_proxy(char **args, int *cur_arg,
+  struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->check.send_proxy = 1;
+	return 0;
+}
+
 /* parse the "id" server keyword */
 static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struct server *newsrv, char **err)
 {
@@ -261,6 +269,14 @@ static int srv_parse_no_backup(char **args, int *cur_arg,
 	return 0;
 }
 
+/* Parse the "no-check-send-proxy" server keyword */
+static int srv_parse_no_check_send_proxy(char **args, int *cur_arg,
+ struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->check.send_proxy = 0;
+	return 0;
+}
+
 /* Shutdown all connections of a server. The caller must pass a termination
  * code in , which must be one of SF_ERR_* indicating the reason for the
  * shutdown.
@@ -871,8 +887,10 @@ void srv_compute_all_admin_states(struct proxy *px)
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
 	{ "backup",   srv_parse_backup,   0,  1 }, /* Flag as backup server */
+	{ "check-send-proxy",srv_parse_check_send_proxy,0,  1 }, /* enable PROXY protocol for health checks */
 	{ "id",   srv_parse_id,   1,  0 }, /* set id# of server */
 	{ "no-backup",srv_parse_no_backup,0,  1 }, /* Flag as non-backup server */
+	{ "no-check-send-proxy", srv_parse_no_check_send_proxy, 0,  1 }, /* disable PROXY protol for health checks */
 	{ NULL, NULL, 0 },
 }};
 
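Review bot: typo in the added "no-check-send-proxy" row, "disable PROXY protol" should read "disable PROXY protocol". The two new rows are also not column-aligned with the existing "backup", "id" and "no-backup" rows, which is what the following CLEANUP patch 04 exists to fix; align them here instead.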
@@ -1191,6 +1209,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 		= curproxy->defsrv.iweight;
 
 			newsrv->check.status	= HCHK_STATUS_INI;
+			newsrv->check.send_proxy = curproxy->defsrv.check.send_proxy;
 			newsrv->check.rise	= curproxy->defsrv.check.rise;
 			newsrv->check.fall	= curproxy->defsrv.check.fall;
 			newsrv->check.health	= newsrv->check.rise;	/* up, but will fall down at first failure */
@@ -1535,10 +1554,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->pp_opts |= SRV_PP_V2;
 cur_arg ++;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "check-send-proxy")) {
-newsrv->check.send_proxy = 1;
-cur_arg ++;
-			}
 			else if (!strcmp(args[cur_arg], "weight")) {
 int w;
 w = atol(args[cur_arg + 1]);
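Review bot: srv_parse_check_send_proxy() sets `check.send_proxy = 1` exactly as the removed inline branch did, so behaviour on "server" lines is preserved; the only new behaviour is that the keyword is now accepted on "default-server" and copied in the earlier hunk. It would be worth stating in the commit message that "no-check-send-proxy" after "default-server check-send-proxy" works only because per-server keywords are parsed after the defaults copy, since that ordering is what both keywords rely on.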
-- 
2.1.4



Re: All "server" settings supported on "default-server" lines

2017-03-21 Thread Frederic Lecaille


From ff5d557c972a9953073773103e4fccad9bc32638 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Fri, 10 Mar 2017 11:51:05 +0100
Subject: [PATCH 02/31] MINOR: server: Make 'default-server' support 'backup'
 keyword.

At this time, only 'server' supported the 'backup' keyword.
This patch also makes the 'default-server' directive support this keyword.
A new keyword 'no-backup' has been added so as to disable the 'backup' setting
both in 'server' and 'default-server' directives.

For instance, provided the following sequence of directives:

default-server backup
server srv1
server srv2 no-backup

default-server no-backup
server srv3
server srv4 backup

srv1 and srv4 are declared as backup servers,
srv2 and srv3 are declared as non-backup servers.
---
 src/server.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/server.c b/src/server.c
index 563d38d..2b0a5da 100644
--- a/src/server.c
+++ b/src/server.c
@@ -213,6 +213,14 @@ void srv_dump_kws(char **out)
 	}
 }
 
+/* Parse the "backup" server keyword */
+static int srv_parse_backup(char **args, int *cur_arg,
+struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->flags |= SRV_F_BACKUP;
+	return 0;
+}
+
 /* parse the "id" server keyword */
 static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struct server *newsrv, char **err)
 {
@@ -245,6 +253,14 @@ static int srv_parse_id(char **args, int *cur_arg, struct proxy *curproxy, struc
 	return 0;
 }
 
+/* Parse the "no-backup" server keyword */
+static int srv_parse_no_backup(char **args, int *cur_arg,
+   struct proxy *curproxy, struct server *newsrv, char **err)
+{
+	newsrv->flags &= ~SRV_F_BACKUP;
+	return 0;
+}
+
 /* Shutdown all connections of a server. The caller must pass a termination
  * code in , which must be one of SF_ERR_* indicating the reason for the
  * shutdown.
@@ -854,7 +870,9 @@ void srv_compute_all_admin_states(struct proxy *px)
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "ALL", { }, {
+	{ "backup",   srv_parse_backup,   0,  1 }, /* Flag as backup server */
 	{ "id",   srv_parse_id,   1,  0 }, /* set id# of server */
+	{ "no-backup",srv_parse_no_backup,0,  1 }, /* Flag as non-backup server */
 	{ NULL, NULL, 0 },
 }};
 
@@ -1145,6 +1163,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->use_ssl		= curproxy->defsrv.use_ssl;
 			newsrv->check.use_ssl	= curproxy->defsrv.check.use_ssl;
 			newsrv->check.port	= curproxy->defsrv.check.port;
+			/* Note: 'flags' field has potentially been already initialized. */
+			newsrv->flags   |= curproxy->defsrv.flags;
 			if (newsrv->check.port)
 newsrv->flags |= SRV_F_CHECKPORT;
 			newsrv->check.inter	= curproxy->defsrv.check.inter;
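Review bot: `newsrv->flags |= curproxy->defsrv.flags;` ORs the whole flags word of the default server into every server, not just SRV_F_BACKUP. Any SRV_F_* bit that ends up set on the default server, now or by a later patch that promotes another keyword, will silently be inherited, and because it is an OR a default can never clear a bit that was set on `newsrv` before this line. Consider masking to the bits meant to be inherited (SRV_F_BACKUP here, SRV_F_NON_STICK later in the series), e.g. `newsrv->flags |= curproxy->defsrv.flags & (SRV_F_BACKUP | SRV_F_NON_STICK);`, and keep the comment explaining why a plain assignment is not used.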
@@ -1503,10 +1523,6 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 newsrv->flags |= SRV_F_CHECKPORT;
 cur_arg += 2;
 			}
-			else if (!defsrv && !strcmp(args[cur_arg], "backup")) {
-newsrv->flags |= SRV_F_BACKUP;
-cur_arg ++;
-			}
 			else if (!defsrv && !strcmp(args[cur_arg], "non-stick")) {
 newsrv->flags |= SRV_F_NON_STICK;
 cur_arg ++;
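Review bot: the removed branch advanced `cur_arg` itself, while the new table entry registers "backup" with 0 in the third column; that is consistent with "id" using 1 for its single argument only if the column means "number of extra arguments" and the dispatcher skips the keyword on its own. If the srv_kw_list comment does not already say so, spell it out, because every keyword promoted in this series depends on that convention.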
-- 
2.1.4