haproxy_check.py does not validate SSL config correctly

[mahdiadnan]

problem

When using LB in SSL mode, CloudStack adds the following to the HAProxy config:

bind x.x.x.x:443 ssl crt /etc/cloudstack/ssl/x_x_x_x-443.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2 no-tls-tickets ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256 ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256

Which is a valid HAProxy configuration, but the health check for the VR is failing at haproxy_check.py advanced check, because of this:

cloudstack/systemvm/debian/root/health_checks/haproxy_check.py

Line 53 in a5b6bc3

if cfgSection["bind"][0] != bindStr:

Maybe it is better to ignore all options after IP:PORT and rely on the haproxy config validation output?
/usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg

versions

4.22

The steps to reproduce the bug

...

What to do about it?

No response

[weizhouapache]

@mahdiadnan
thanks for reporting. it is a bug indded.

can you test with

                if bindStr not in cfgSection["bind"][0]: 

[mahdiadnan]

Hi @weizhouapache yes, this fixed the issue.

[weizhouapache]

Hi @weizhouapache yes, this fixed the issue.

thanks @mahdiadnan

could you please try this as well ?

if not cfgSection["bind"][0].startswith(bindStr):

[mahdiadnan]

This one works fine as well.

[DaanHoogland]

@weizhouapache this would also apply to prior versions, no? (cc @mahdiadnan )