getting BADREQ on logs in ssl requests

2009-11-09 Thread Gabriel Sosa
Guys,

We have set up an haproxy for http and ssl traffic; so far all worked
as expected. But today, looking at the request logs, each time some
user goes to the ssl part of the site I can see BADREQ in the logs,
but the request goes just fine. What does this mean? How do
I fix this?

Nov  9 08:14:59 localhost.localdomain haproxy[14783]:
190.191.225.213:50871 [09/Nov/2009:08:14:59.167] load_balanced_http
load_balanced_http/webserver4 0/0/2/7/348 200 9950 - -  0/0/0/0/0
0/0 GET / HTTP/1.1
Nov  9 08:15:03 localhost.localdomain haproxy[14783]:
190.191.225.213:50885 [09/Nov/2009:08:15:02.590] load_balanced_https
load_balanced_https/webserver2 -1/1/1/-1/828 200 11497 - - 
0/0/0/0/0 0/0 BADREQ


this is my current configuration

global
    maxconn 15000 # Total Max Connections.
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    daemon
    nbproc  1 # Number of processes
    user    haproxy
    group   haproxy

defaults
    log global
    option  httplog
    mode    tcp
    clitimeout  6
    srvtimeout  3
    contimeout  4000
    retries 3
    option  redispatch

listen  load_balanced_https AAA.BBB.CCC.DDD:443
    balance source
    option  ssl-hello-chk
    mode    tcp
    option  httpclose
    option  forwardfor

    server webserver1 AAA.BBB.CCC.DDD weight 1 maxconn 5000 check
    server webserver2 AAA.BBB.CCC.DDD weight 1 maxconn 5000 check

listen  load_balanced_http  AAA.BBB.CCC.DDD:80
    balance roundrobin
    mode    http
    option  forwardfor

    server webserver4 AAA.BBB.CCC.DDD weight 1 maxconn 5000 check
    server webserver3 AAA.BBB.CCC.DDD weight 1 maxconn 5000 check
    server webserver5 AAA.BBB.CCC.DDD weight 1 maxconn 5000 check backup

listen  admin_stats 127.0.0.1:80
    mode    http
    stats uri   /proxy-stats
    stats realm Global\ statistics



-- 
Gabriel Sosa
If you are looking for different results, don't always do the same thing. - Einstein



Re: getting BADREQ on logs in ssl requests

2009-11-09 Thread Willy Tarreau
Hi,

On Mon, Nov 09, 2009 at 12:25:29PM -0200, Gabriel Sosa wrote:
> Guys,
>
> We have set up an haproxy for http and ssl traffic; so far all worked
> as expected. But today, looking at the request logs, each time some
> user goes to the ssl part of the site I can see BADREQ in the logs,
> but the request goes just fine. What does this mean? How do
> I fix this?

Pretty amazing, this bug has been around since almost the beginning it
seems and nobody caught it yet! This is caused by option httplog in
your default settings which gets inherited by the https instance which
then tries to log in http. I thought there was a check for this, and
obviously I was wrong.

defaults
    log global
    option  httplog
            ^^^
    mode    tcp
    ...

listen  load_balanced_https AAA.BBB.CCC.DDD:443
    balance source
    option  ssl-hello-chk
    mode    tcp
            ^^^

Also be careful, the following options are wrong too in HTTPS (since
haproxy can't touch the stream). However they are just harmless, but
may become invalid and cause an error when checks become stricter:

option  httpclose
option  forwardfor
...


I've committed the following patch which emits a warning in case of
such a wrong setting which might be hard to catch. It also automatically
falls back to tcplog for a TCP proxy.

Thanks for the report!
Willy

From 5f0bd6537f8b56b643ef485d7a3c96d996d9b01a Mon Sep 17 00:00:00 2001
From: Willy Tarreau w...@1wt.eu
Date: Mon, 9 Nov 2009 21:27:51 +0100
Subject: [BUG] config: disable 'option httplog' on TCP proxies

Gabriel Sosa reported that logs were appearing with BADREQ when
'option httplog' was used with a TCP proxy (eg: inherited via a
default instance). This patch detects it and falls back to tcplog
after emitting a warning.
---
 src/proxy.c |5 +
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/src/proxy.c b/src/proxy.c
index 69b070e..15f9b92 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -327,6 +327,11 @@ int proxy_cfg_ensure_no_http(struct proxy *curproxy)
Warning(config : Layer 7 hash not possible for %s '%s' (needs 
'mode http'). Falling back to round robin.\n,
proxy_type_str(curproxy), curproxy-id);
}
+   if (curproxy-to_log  (LW_REQ | LW_RESP)) {
+   curproxy-to_log = ~(LW_REQ | LW_RESP);
+   Warning(config : 'option httplog' not usable with %s '%s' 
(needs 'mode http'). Falling back to 'option tcplog'.\n,
+   proxy_type_str(curproxy), curproxy-id);
+   }
return 0;
 }
 
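Review bot: the new block in proxy_cfg_ensure_no_http() only clears LW_REQ | LW_RESP from to_log, and nothing in the hunk sets a TCP log format, so the "Falling back to 'option tcplog'" wording in the warning depends on the remaining to_log bits already being what tcplog would set; a short comment above the if stating that assumption would make the fallback verifiable by the next reader. The warning also names only 'option httplog' while the test is on the flag bits, so if any other directive can set LW_REQ or LW_RESP the message would point the user at the wrong setting; consider wording it in terms of HTTP logging in general. The function still returns 0 after the warning, which matches the hash fallback above it, so that part looks consistent.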
-- 
1.6.4.4
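
The misconfiguration diagnosed in this thread, HTTP-only options taking effect on a 'mode tcp' proxy (including 'option httplog' inherited from 'defaults'), can be checked for before a config is deployed. The Python linter below is an added example, not part of the original thread or of haproxy; the name `lint`, the sample config and its 192.0.2.10 address are constructed for illustration, and the parser only understands the `mode`, `option` and `no option` keywords.

```python
HTTP_ONLY = {"httplog", "httpclose", "forwardfor"}   # options named in the thread
PROXY_SECTIONS = {"listen", "frontend", "backend"}

def lint(config_text):
    """Return sorted (proxy, option, origin) for HTTP-only options on TCP proxies."""
    # haproxy's documented default mode is tcp when no 'mode' line is given
    defaults = {"mode": "tcp", "options": set()}
    proxies, current = [], None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "global":
            current = None
        elif words[0] == "defaults":
            current = defaults = {"mode": "tcp", "options": set()}
        elif words[0] in PROXY_SECTIONS and len(words) > 1:
            # a proxy starts from a snapshot of the defaults seen so far
            current = {"name": words[1], "mode": defaults["mode"],
                       "options": set(), "inherited": set(defaults["options"])}
            proxies.append(current)
        elif current is None:
            continue
        elif words[0] == "mode" and len(words) > 1:
            current["mode"] = words[1]
        elif words[0] == "option" and len(words) > 1:
            current["options"].add(words[1])
        elif words[:2] == ["no", "option"] and len(words) > 2:
            current["options"].discard(words[2])
            current.get("inherited", set()).discard(words[2])
    findings = []
    for p in proxies:
        if p["mode"] == "tcp":
            for opt in HTTP_ONLY & (p["options"] | p["inherited"]):
                origin = "own section" if opt in p["options"] else "defaults"
                findings.append((p["name"], opt, origin))
    return sorted(findings)

# Constructed sample mirroring the layout discussed in the thread
SAMPLE = """\
defaults
    option httplog
    mode tcp
listen load_balanced_https 192.0.2.10:443
    option httpclose
    option forwardfor
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Adding `no option httplog` to the TCP listen section, or moving `option httplog` out of `defaults` into the HTTP proxies, clears the inherited finding.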