On Sunday 17 January 2010 18:36:06, Cyril Bonté wrote:
> Hi all,
>
> On Saturday 16 January 2010 23:58:25, Willy Tarreau wrote:
> > Hi Hervé,
> >
> > On Sat, Jan 16, 2010 at 11:34:38PM +0100, Herve COMMOWICK wrote:
> > > Hi Cyril,
> > >
> > > You forgot the log-error option that many sysadmins use for correct
> > > debugging without pollution, but I don't think it logs incorrect
> > > logging (if I remember well).
>
> Actually, the "log-error" file contains mysql start/stop messages and
> critical errors (engines integrity errors, server/thread crashes, ...) but
> authentication is not logged in it.

Oh ok, I think I get it... maybe you talked about log-warnings. In that case,
the mysql-check will add logs on the mysql server, but only if the "haproxy"
user exists.

To prevent this, haproxy *must* quit properly by sending another packet to
execute the COM_QUIT command (mysql_close).

A quick test shows that appending this packet to the authentication packet
works:

    const char mysql40_client_auth_pkt[] = {
        "\x0e\x00\x00" /* packet length */
        "\x01" /* packet number */
        "\x00\x00" /* client capabilities */
        "\x00\x00\x01" /* max packet */
        "haproxy\x00" /* username (null terminated string) */
        "\x00" /* filler (always 0x00) */
        "\x01\x00\x00" /* packet length */
        "\x00" /* packet number */
        "\x01" /* COM_QUIT command */
    };

Currently, I can't confirm it won't block the server if we send a second packet
like this on the same connection when the authentication fails (my first tests
show it seems to work but it's preferable to have a second look at this).

But it would be better to follow the negotiation sequentially (then I agree
with what you said at the beginning of this thread, currently it can't be done
in a clean way):

    server -> client : Handshake Initialisation Packet
    client -> server : Authentication request (with a valid user, this time)
    server -> client : Authentication succeeded (EOF packet)
    client -> server : COM_QUIT command (to send only if the previous response succeeded)

--
Cyril Bonté
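
The framing of the byte string in the message above, and the "send COM_QUIT only if the previous response succeeded" rule, as an added example that is not part of the original e-mail or of HAProxy's code. The names `split_packets`, `may_send_quit` and `struct mysql_pkt` are hypothetical, and treating any complete reply that does not start with the ERR marker 0xff as success is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Probe bytes copied from the message above (auth packet, then COM_QUIT). */
static const unsigned char probe[] =
    "\x0e\x00\x00" "\x01" "\x00\x00" "\x00\x00\x01" "haproxy\x00" "\x00"
    "\x01\x00\x00" "\x00" "\x01";
#define PROBE_LEN (sizeof(probe) - 1)   /* drop the literal's trailing NUL */

struct mysql_pkt {                /* hypothetical helper type */
    size_t len;                   /* payload length from the 3-byte LE header */
    unsigned char seq;            /* packet number */
    const unsigned char *payload; /* points into the caller's buffer */
};

/* Split buf into MySQL packets. Returns the packet count, or -1 when a header
 * or payload runs past the buffer or more than max packets are present. */
static int split_packets(const unsigned char *buf, size_t n,
                         struct mysql_pkt *out, int max)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 4 || count == max)
            return -1;
        size_t len = buf[off] | (buf[off + 1] << 8) | (buf[off + 2] << 16);
        if (len > n - off - 4)
            return -1;
        out[count++] = (struct mysql_pkt){ len, buf[off + 3], buf + off + 4 };
        off += 4 + len;
    }
    return count;
}

/* Sequential variant: COM_QUIT may follow only when the reply is exactly one
 * complete packet whose payload does not start with 0xff (ERR marker). */
static int may_send_quit(const unsigned char *reply, size_t n)
{
    struct mysql_pkt p;
    return split_packets(reply, n, &p, 1) == 1 && p.len > 0 && p.payload[0] != 0xff;
}

int main(void)
{
    struct mysql_pkt p[4];
    int n = split_packets(probe, PROBE_LEN, p, 4);
    for (int i = 0; i < n; i++)
        printf("seq=%u len=%zu\n", (unsigned)p[i].seq, p[i].len);
    return n == 2 ? 0 : 1;
}
```
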