On Thu, 16 Jun 2022 10:22:30 +0200 Christopher Faulet <[email protected]> wrote:
> On 6/16/22 at 05:12, David Leadbeater wrote:
> > I tried upgrading to 2.6.0 (from 2.5.6) and I'm seeing a segfault when
> > making HTTP/2 requests. I'm using a frontend in TCP mode and then
> > switching it to HTTP/2.
> >
> > I've made a minimal config that exhibits the segfault, below. Simply
> > doing curl -vk https://ip is enough to trigger it for me.
> >
> > Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault.
> > 0x00005555555d1d07 in h2s_close (h2s=0x555555a60b70) at src/mux_h2.c:1497
> > 1497 HA_ATOMIC_DEC(&h2s->h2c->px_counters->open_streams);
> > (gdb) bt
> > #0 0x00005555555d1d07 in h2s_close (h2s=0x555555a60b70) at src/mux_h2.c:1497
> > #1 h2s_destroy (h2s=0x555555a60b70) at src/mux_h2.c:1515
> > #2 0x00005555555d3463 in h2_detach (sd=<optimised out>) at src/mux_h2.c:4432
> >
> > The exact backtrace varies but always in h2s_destroy.
> >
> > (In case you're wondering what on earth I'm doing, there's a write-up
> > of it at https://dgl.cx/2022/04/showing-you-your-actual-http-request)
> >
> > David
> >
> > ---
> > global
> >   ssl-default-bind-options no-sslv3 no-tlsv10
> >   user nobody
> >
> > defaults
> >   timeout connect 10s
> >   timeout client 30s
> >   timeout server 2m
> >
> > frontend tcp-https
> >   mode tcp
> >   bind [::]:443 v4v6 ssl crt /etc/haproxy/ssl/bodge.cloud.pem alpn h2,http/1.1
> >   acl ipwtf hdr(Host),lower,field(1,:),word(-1,.,2) ip.wtf
> >   default_backend ipwtf
> >   tcp-request inspect-delay 10s
> >   tcp-request content switch-mode http if !ipwtf
> >   use_backend cloud-regions.bodge.cloud if !ipwtf
> >
> > backend ipwtf
> >   mode tcp
> >   server ipwtf localhost:8080
> >
> > backend cloud-regions.bodge.cloud
> >   mode http
> >   server cr localhost:8080
>
> Hi,
>
> Thanks! I'm able to reproduce the segfault. I'm on it.

But in any case, wouldn't it be better that the rule

acl ipwtf hdr(Host),lower,field(1,:),word(-1,.,2) ip.wtf

be after

> > tcp-request inspect-delay 10s
> > tcp-request content switch-mode http if !ipwtf

because it "feels somehow wrong" to make header checks in tcp mode?

Or check if it's http before the hdr check.

https://docs.haproxy.org/2.6/configuration.html#7.3.5-req.proto_http

```
tcp-request inspect-delay 10s
tcp-request content switch-mode http if HTTP
acl ipwtf hdr(Host),lower,field(1,:),word(-1,.,2) ip.wtf
```

Opinions?

Jm2c

Regards
Alex
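
Added example, not part of the original thread and not HAProxy code: a Python model of the converter chain in the `ipwtf` ACL quoted above, written from the `field` and `word` converter descriptions in the HAProxy configuration manual, to show which Host values the ACL accepts and which backend the quoted config then selects. Function names and sample Host values are constructed; `field` is modelled only for the default count of 1, and an out-of-range index is assumed to yield an empty string.

```python
import re

def field(s, index, delims):
    """field(<index>,<delims>) with the default count of 1; empty fields count."""
    parts = re.split("[" + re.escape(delims) + "]", s)
    if index == 0 or abs(index) > len(parts):
        return ""  # assumption: out-of-range index gives an empty sample
    return parts[index - 1] if index > 0 else parts[index]

def word(s, index, delims, count=1):
    """word(<index>,<delims>[,<count>]); runs of delimiters separate words."""
    spans = [m.span() for m in re.finditer("[^" + re.escape(delims) + "]+", s)]
    if index == 0 or abs(index) > len(spans):
        return ""  # assumption: out-of-range index gives an empty sample
    if index > 0:   # positive index: count extends towards the end
        first = index - 1
        last = len(spans) - 1 if count == 0 else min(first + count, len(spans)) - 1
    else:           # negative index: count extends towards the beginning
        last = len(spans) + index
        first = 0 if count == 0 else max(last - count + 1, 0)
    return s[spans[first][0]:spans[last][1]]

def ipwtf(host):
    """Model of: acl ipwtf hdr(Host),lower,field(1,:),word(-1,.,2) ip.wtf"""
    # lower -> strip ":port" -> keep the last two dot-separated labels -> exact match
    return word(field(host.lower(), 1, ":"), -1, ".", 2) == "ip.wtf"

def backend_for(host):
    """default_backend ipwtf / use_backend cloud-regions.bodge.cloud if !ipwtf"""
    return "ipwtf" if ipwtf(host) else "cloud-regions.bodge.cloud"

# Constructed Host header values (not taken from the thread).
SAMPLES = ["ip.wtf", "WWW.IP.WTF:443", "ip.wtf.", "notip.wtf",
           "ip.wtf.example.net", "203.0.113.7"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host!r:24} -> {backend_for(host)}")
```

The model covers only the string handling of a Host value that has already been fetched; it says nothing about when `hdr(Host)` is available during TCP-mode inspection, which is the ordering question raised in the reply.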

