On 02/10/2020 at 08:58, Willy Tarreau wrote:
> So if anyone currently uses socks4 to talk to servers, I suggest you run a quick test on 2.2 or 2.3 to see if health checks continue to work over socks4 or not, in which case it's likely you'll be able to provide an easier reproducer that will allow us to fix the problem. This will save everyone time and protect our eyeballs by keeping them away from this blinking patch.
There is indeed a bug. The flag CO_FL_SOCKS4 is set after the connect() for tcp-checks, making the health-checks through a socks4 proxy fail. Here is a patch to fix this bug. I will push it very soon.
What remains is the SOCKS4A support in Alex's patches. But I will let anyone motivated by this part work on it :)
-- Christopher Faulet
>From 18c4c8b281c0a5ee9b345dadbb13c1559f0c254b Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Fri, 2 Oct 2020 13:41:55 +0200 Subject: [PATCH] BUG/MINOR: tcpcheck: Set socks4 and send-proxy flags before the connect call Since the health-check refactoring in the 2.2, the checks through a socks4 proxy are broken. To fix this bug, CO_FL_SOCKS4 flag must be set on the connection before calling the connect() callback function because this flags is checked to use the right destination address. The same is done for the CO_FL_SEND_PROXY flag for a consistency purpose. This patch must be backported to 2.2. --- src/tcpcheck.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/src/tcpcheck.c b/src/tcpcheck.c index 5bd237ad6..b9ef3802b 100644 --- a/src/tcpcheck.c +++ b/src/tcpcheck.c @@ -1073,6 +1073,24 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec conn_prepare(conn, proto, xprt); cs_attach(cs, check, &check_conn_cb); + if ((connect->options & TCPCHK_OPT_SOCKS4) && s && (s->flags & SRV_F_SOCKS4_PROXY)) { + conn->send_proxy_ofs = 1; + conn->flags |= CO_FL_SOCKS4; + } + else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.via_socks4 && (s->flags & SRV_F_SOCKS4_PROXY)) { + conn->send_proxy_ofs = 1; + conn->flags |= CO_FL_SOCKS4; + } + + if (connect->options & TCPCHK_OPT_SEND_PROXY) { + conn->send_proxy_ofs = 1; + conn->flags |= CO_FL_SEND_PROXY; + } + else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.send_proxy && !(check->state & CHK_ST_AGENT)) { + conn->send_proxy_ofs = 1; + conn->flags |= CO_FL_SEND_PROXY; + } + status = SF_ERR_INTERNAL; next = get_next_tcpcheck_rule(check->tcpcheck_rules, rule); if (proto && proto->connect) { 
@@ -1102,23 +1120,6 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.alpn_str) ssl_sock_set_alpn(conn, (unsigned char *)s->check.alpn_str, s->check.alpn_len); #endif - if ((connect->options & TCPCHK_OPT_SOCKS4) && s && (s->flags & SRV_F_SOCKS4_PROXY)) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SOCKS4; - } - else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.via_socks4 && (s->flags & SRV_F_SOCKS4_PROXY)) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SOCKS4; - } - - if (connect->options & TCPCHK_OPT_SEND_PROXY) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SEND_PROXY; - } - else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.send_proxy && !(check->state & CHK_ST_AGENT)) { - conn->send_proxy_ofs = 1; - conn->flags |= CO_FL_SEND_PROXY; - } if (conn_ctrl_ready(conn) && (connect->options & TCPCHK_OPT_LINGER)) { /* Some servers don't like reset on close */ -- 2.26.2
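Review bot: the block added after cs_attach() in the first hunk carries no comment saying that it must stay ahead of the proto->connect() call, which per the commit message is the whole point of the move (connect() checks CO_FL_SOCKS4 to pick the destination address). A short comment above `if ((connect->options & TCPCHK_OPT_SOCKS4) && s && ...` stating that ordering constraint would keep a later refactoring from moving the flags back. As a style point, both arms of each if / else if pair have the same body (`conn->send_proxy_ofs = 1;` plus one flag), so each pair could be folded into a single condition.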
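Review bot: nothing in the patch exercises the path changed by the second hunk, where the old copy of the flag block between the ALPN setup and the TCPCHK_OPT_LINGER test is dropped; the diffstat lists only src/tcpcheck.c. Since the commit message asks for a backport to 2.2, a regression test that runs a health check through a socks4 proxy would confirm the fix on each branch and catch the flags being set too late again.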