Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

[Willy Tarreau]

On Fri, Apr 08, 2016 at 03:15:22PM +0200, Janusz Dziemidowicz wrote:
> 2016-04-07 17:47 GMT+02:00 Willy Tarreau :
> > If someone who can reliably reproduce the issue could check whether 1.6 has
> > the same issue, it would help me cut the problem in half. That obviously
> > excludes all those running sensitive production of course.
> 
> I can try to test 1.6 next week and see what happens.

Wow that could be great if you could, thanks Janusz!

Willy

Re: Conditionally include unique-id-header

[Thierry FOURNIER]

It is avalaible in the development version (1.7dev).

Thierry


On Fri, 8 Apr 2016 16:23:44 +
Scott Rankin  wrote:

> Hi Thierry,
> 
> Thanks for the suggestion - but the %[unique-id] variable is empty when I use 
> the config below. I’m using HAProxy 1.6.4.  Did you have to do anything else 
> to get that to show up?
> 
> 
> 
> Thanks!
> Scott
> 
> On 4/8/16, 12:04 PM, "Thierry FOURNIER"  wrote:
> 
> >Hi,
> >
> >I ve just submit a sample which returns the content of the unique-id.
> >So, you can write:
> >
> >   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
> >   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
> >   http-request add-header X-Unique-ID %[unique-id] if unique_id_missing
> >
> >Thierry
> >
> >
> >On Fri, 8 Apr 2016 15:31:22 +
> >Scott Rankin  wrote:
> >
> >> Hi all,
> >>
> >> I’m trying to replicate functionality from a previous load balancer in 
> >> HAProxy, and the final sticking point seems to be the unique ID header.  I 
> >> found the unique-id-header and unique-id-format commands, which are great, 
> >> but what I want to do is only add a unique-id-header if there is not 
> >> already one present.  If there is one present, I do not want to add 
> >> another one (which is what seems to be happening by default).
> >>
> >> I’ve tried adding a conditional:
> >>
> >>   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
> >>   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
> >>   unique-id-header X-Unique-ID if unique_id_missing
> >>
> >> But that does not seem to be working.  Should it?  If not, is there 
> >> another way to go about this?
> >>
> >> Thanks!
> >> Scott
> >>
> >> This email message contains information that Motus, LLC considers 
> >> confidential and/or proprietary, or may later designate as confidential 
> >> and proprietary. It is intended only for use of the individual or entity 
> >> named above and should not be forwarded to any other persons or entities 
> >> without the express consent of Motus, LLC, nor should it be used for any 
> >> purpose other than in the course of any potential or actual business 
> >> relationship with Motus, LLC. If the reader of this message is not the 
> >> intended recipient, or the employee or agent responsible to deliver it to 
> >> the intended recipient, you are hereby notified that any dissemination, 
> >> distribution, or copying of this communication is strictly prohibited. If 
> >> you have received this communication in error, please notify sender 
> >> immediately and destroy the original message.
> >>
> >> Internal Revenue Service regulations require that certain types of written 
> >> advice include a disclaimer. To the extent the preceding message contains 
> >> advice relating to a Federal tax issue, unless expressly stated otherwise 
> >> the advice is not intended or written to be used, and it cannot be used by 
> >> the recipient or any other taxpayer, for the purpose of avoiding Federal 
> >> tax penalties, and was not written to support the promotion or marketing 
> >> of any transaction or matter discussed herein.
> >
> >
> >--
> >
> This email message contains information that Motus, LLC considers 
> confidential and/or proprietary, or may later designate as confidential and 
> proprietary. It is intended only for use of the individual or entity named 
> above and should not be forwarded to any other persons or entities without 
> the express consent of Motus, LLC, nor should it be used for any purpose 
> other than in the course of any potential or actual business relationship 
> with Motus, LLC. If the reader of this message is not the intended recipient, 
> or the employee or agent responsible to deliver it to the intended recipient, 
> you are hereby notified that any dissemination, distribution, or copying of 
> this communication is strictly prohibited. If you have received this 
> communication in error, please notify sender immediately and destroy the 
> original message.
> 
> Internal Revenue Service regulations require that certain types of written 
> advice include a disclaimer. To the extent the preceding message contains 
> advice relating to a Federal tax issue, unless expressly stated otherwise the 
> advice is not intended or written to be used, and it cannot be used by the 
> recipient or any other taxpayer, for the purpose of avoiding Federal tax 
> penalties, and was not written to support the promotion or marketing of any 
> transaction or matter discussed herein.


-- 

Re: [PATCH] CLEANUP: .gitignore cleanup

[Vincent Bernat]

 ❦  8 avril 2016 22:22 +0200, Vincent Bernat  :

> .gitignore is an odd beast. All the stuff at the beginning is useless
> since in the bottom part starts with /.* and /*. Therefore, the top part
> is useless. Moreover, the bottom part makes unignore *.o and
> friends. Add it back at the bottom.

I know we already talked about that in the past, but I remember that the
bottom part wasn't here.
-- 
Perilous to all of us are the devices of an art deeper than we ourselves
possess.
-- Gandalf the Grey [J.R.R. Tolkien, "Lord of the
Rings"]

[PATCH] CLEANUP: .gitignore cleanup

[Vincent Bernat]

From: Vincent Bernat 

.gitignore is an odd beast. All the stuff at the beginning is useless
since in the bottom part starts with /.* and /*. Therefore, the top part
is useless. Moreover, the bottom part makes unignore *.o and
friends. Add it back at the bottom.
---
 .gitignore | 49 +
 1 file changed, 1 insertion(+), 48 deletions(-)

diff --git a/.gitignore b/.gitignore
index 0292bcc1b4ce..54c9cdeb3a3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,51 +1,3 @@
-*.o
-*/.svn
-*~
-.flxdisk*
-.flxpkg
-.flxstatus*
-.svn
-haproxy
-src/*.o
-*.rej
-*.orig
-*.log*
-*.trace*
-haproxy-*
-!doc/haproxy-*.txt
-!src/*.c
-make-*
-dlmalloc.c
-00*.patch
-*.service
-*.bak
-.nfs*
-contrib/base64/base64rev
-contrib/halog/halog
-contrib/ip6range/ip6range
-contrib/iprange/iprange
-tests/test_hashes
-/*.cfg
-/*.conf
-/*.diff
-/*.patch
-/*.c
-/*.o
-/*.so
-/*.txt
-/*.TXT
-/*.txt.*
-/*.prof
-/*.gprof
-/*.prof.*
-/*.gprof.*
-/*.tar
-/*.tar.gz
-/*.tgz
-/*.mbox
-/*.sh
-/bug*
-/TAGS
 # Below we forbid everything and only allow what we know, that's much easier
 # than blocking about 500 different test files and bug report outputs.
 /.*
@@ -69,3 +21,4 @@ tests/test_hashes
 !/src
 !/tests
 !/debian
+*.o
-- 
2.8.0.rc3

[PATCH 2/2] BUG/MEDIUM: dns: fix alignment issue when building DNS queries

[Vincent Bernat]

From: Vincent Bernat 

On some architectures, unaligned access is not authorized. On most
architectures, it is just slower. Therefore, we have to use memcpy()
when an unaligned access is needed, specifically when writing the qinfo.

Also remove the unaligned access when reading answer count when reading
the answer. It's likely that this instruction was optimized away by the
compiler since it is unneeded. Add a comment to explain why we use 7 as
an offset instead of 6. Not an unaligned offset since "resp" is
"unsigned char", then promoted to int.
---
 src/dns.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/dns.c b/src/dns.c
index 3906742bce36..3b3dfc59e065 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -619,8 +619,7 @@ int dns_get_ip_from_response(unsigned char *resp, unsigned 
char *resp_end,
cname = *newip = newip4 = newip6 = NULL;
cnamelen = currentip_found = 0;
*newip_sin_family = AF_UNSPEC;
-   ancount = (((struct dns_header *)resp)->ancount);
-   ancount = *(resp + 7);
+   ancount = *(resp + 7);  /* Assume no more than 256 answers */
 
/* bypass DNS response header */
reader = resp + sizeof(struct dns_header);
@@ -975,7 +974,7 @@ int dns_init_resolvers(void)
 int dns_build_query(int query_id, int query_type, char *hostname_dn, int 
hostname_dn_len, char *buf, int bufsize)
 {
struct dns_header *dns;
-   struct dns_question *qinfo;
+   struct dns_question qinfo;
char *ptr, *bufend;
 
memset(buf, '\0', bufsize);
@@ -1021,9 +1020,9 @@ int dns_build_query(int query_id, int query_type, char 
*hostname_dn, int hostnam
return -1;
 
/* set up query info (type and class) */
-   qinfo = (struct dns_question *)ptr;
-   qinfo->qtype = htons(query_type);
-   qinfo->qclass = htons(DNS_RCLASS_IN);
+   qinfo.qtype = htons(query_type);
+   qinfo.qclass = htons(DNS_RCLASS_IN);
+   memcpy(ptr, , sizeof(qinfo));
 
ptr += sizeof(struct dns_question);
 
-- 
2.8.0.rc3

[PATCH 1/2] BUG/MINOR: dns: fix DNS header definition

[Vincent Bernat]

From: Vincent Bernat 

Conforming to RFC 2535, section 6.1. This is not an important bug as
those fields don't seem to be set to something else than 0 and to be
checked on answers.
---
 include/types/dns.h | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/types/dns.h b/include/types/dns.h
index 757eaaf28d9a..98adc983bf44 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h
@@ -63,16 +63,16 @@
 /* DNS request or response header structure */
 struct dns_header {
unsigned short  id:16;  /* identifier */
-   unsigned char   rd :1;  /* recursion desired 0: no, 1: yes */
-   unsigned char   tc :1;  /* truncation 0:no, 1: yes */
-   unsigned char   aa :1;  /* authoritative answer 0: no, 1: yes */
-   unsigned char   opcode :4;  /* operation code */
unsigned char   qr :1;  /* query/response 0: query, 1: response 
*/
-   unsigned char   rcode :4;   /* response code */
-   unsigned char   z :1;   /* no used */
+   unsigned char   opcode :4;  /* operation code */
+   unsigned char   aa :1;  /* authoritative answer 0: no, 1: yes */
+   unsigned char   tc :1;  /* truncation 0:no, 1: yes */
+   unsigned char   rd :1;  /* recursion desired 0: no, 1: yes */
+   unsigned char   ra :1;  /* recursion available 0: no, 1: yes */
+   unsigned char   z :1;   /* not used */
unsigned char   ad :1;  /* authentic data */
unsigned char   cd :1;  /* checking disabled */
-   unsigned char   ra :1;  /* recursion available 0: no, 1: yes */
+   unsigned char   rcode :4;   /* response code */
unsigned short  qdcount :16;/* question count */
unsigned short  ancount :16;/* answer count */
unsigned short  nscount :16;/* authority count */
-- 
2.8.0.rc3

Re: Conditionally include unique-id-header

[Scott Rankin]

Hi Thierry,

Thanks for the suggestion - but the %[unique-id] variable is empty when I use 
the config below. I’m using HAProxy 1.6.4.  Did you have to do anything else to 
get that to show up?



Thanks!
Scott

On 4/8/16, 12:04 PM, "Thierry FOURNIER"  wrote:

>Hi,
>
>I ve just submit a sample which returns the content of the unique-id.
>So, you can write:
>
>   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
>   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
>   http-request add-header X-Unique-ID %[unique-id] if unique_id_missing
>
>Thierry
>
>
>On Fri, 8 Apr 2016 15:31:22 +
>Scott Rankin  wrote:
>
>> Hi all,
>>
>> I’m trying to replicate functionality from a previous load balancer in 
>> HAProxy, and the final sticking point seems to be the unique ID header.  I 
>> found the unique-id-header and unique-id-format commands, which are great, 
>> but what I want to do is only add a unique-id-header if there is not already 
>> one present.  If there is one present, I do not want to add another one 
>> (which is what seems to be happening by default).
>>
>> I’ve tried adding a conditional:
>>
>>   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
>>   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
>>   unique-id-header X-Unique-ID if unique_id_missing
>>
>> But that does not seem to be working.  Should it?  If not, is there another 
>> way to go about this?
>>
>> Thanks!
>> Scott
>>
>> This email message contains information that Motus, LLC considers 
>> confidential and/or proprietary, or may later designate as confidential and 
>> proprietary. It is intended only for use of the individual or entity named 
>> above and should not be forwarded to any other persons or entities without 
>> the express consent of Motus, LLC, nor should it be used for any purpose 
>> other than in the course of any potential or actual business relationship 
>> with Motus, LLC. If the reader of this message is not the intended 
>> recipient, or the employee or agent responsible to deliver it to the 
>> intended recipient, you are hereby notified that any dissemination, 
>> distribution, or copying of this communication is strictly prohibited. If 
>> you have received this communication in error, please notify sender 
>> immediately and destroy the original message.
>>
>> Internal Revenue Service regulations require that certain types of written 
>> advice include a disclaimer. To the extent the preceding message contains 
>> advice relating to a Federal tax issue, unless expressly stated otherwise 
>> the advice is not intended or written to be used, and it cannot be used by 
>> the recipient or any other taxpayer, for the purpose of avoiding Federal tax 
>> penalties, and was not written to support the promotion or marketing of any 
>> transaction or matter discussed herein.
>
>
>--
>
This email message contains information that Motus, LLC considers confidential 
and/or proprietary, or may later designate as confidential and proprietary. It 
is intended only for use of the individual or entity named above and should not 
be forwarded to any other persons or entities without the express consent of 
Motus, LLC, nor should it be used for any purpose other than in the course of 
any potential or actual business relationship with Motus, LLC. If the reader of 
this message is not the intended recipient, or the employee or agent 
responsible to deliver it to the intended recipient, you are hereby notified 
that any dissemination, distribution, or copying of this communication is 
strictly prohibited. If you have received this communication in error, please 
notify sender immediately and destroy the original message.

Internal Revenue Service regulations require that certain types of written 
advice include a disclaimer. To the extent the preceding message contains 
advice relating to a Federal tax issue, unless expressly stated otherwise the 
advice is not intended or written to be used, and it cannot be used by the 
recipient or any other taxpayer, for the purpose of avoiding Federal tax 
penalties, and was not written to support the promotion or marketing of any 
transaction or matter discussed herein.

Re: Conditionally include unique-id-header

[Thierry FOURNIER]

Hi,

I ve just submit a sample which returns the content of the unique-id.
So, you can write:

   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
   http-request add-header X-Unique-ID %[unique-id] if unique_id_missing

Thierry


On Fri, 8 Apr 2016 15:31:22 +
Scott Rankin  wrote:

> Hi all,
> 
> I’m trying to replicate functionality from a previous load balancer in 
> HAProxy, and the final sticking point seems to be the unique ID header.  I 
> found the unique-id-header and unique-id-format commands, which are great, 
> but what I want to do is only add a unique-id-header if there is not already 
> one present.  If there is one present, I do not want to add another one 
> (which is what seems to be happening by default).
> 
> I’ve tried adding a conditional:
> 
>   acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
>   unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
>   unique-id-header X-Unique-ID if unique_id_missing
> 
> But that does not seem to be working.  Should it?  If not, is there another 
> way to go about this?
> 
> Thanks!
> Scott
> 
> This email message contains information that Motus, LLC considers 
> confidential and/or proprietary, or may later designate as confidential and 
> proprietary. It is intended only for use of the individual or entity named 
> above and should not be forwarded to any other persons or entities without 
> the express consent of Motus, LLC, nor should it be used for any purpose 
> other than in the course of any potential or actual business relationship 
> with Motus, LLC. If the reader of this message is not the intended recipient, 
> or the employee or agent responsible to deliver it to the intended recipient, 
> you are hereby notified that any dissemination, distribution, or copying of 
> this communication is strictly prohibited. If you have received this 
> communication in error, please notify sender immediately and destroy the 
> original message.
> 
> Internal Revenue Service regulations require that certain types of written 
> advice include a disclaimer. To the extent the preceding message contains 
> advice relating to a Federal tax issue, unless expressly stated otherwise the 
> advice is not intended or written to be used, and it cannot be used by the 
> recipient or any other taxpayer, for the purpose of avoiding Federal tax 
> penalties, and was not written to support the promotion or marketing of any 
> transaction or matter discussed herein.


-- 

Conditionally include unique-id-header

[Scott Rankin]

Hi all,

I’m trying to replicate functionality from a previous load balancer in HAProxy, 
and the final sticking point seems to be the unique ID header.  I found the 
unique-id-header and unique-id-format commands, which are great, but what I 
want to do is only add a unique-id-header if there is not already one present.  
If there is one present, I do not want to add another one (which is what seems 
to be happening by default).

I’ve tried adding a conditional:

  acl unique_id_missing hdr_cnt(X-Unique-ID) eq 0
  unique-id-format %{+X}o\ %ci-%cp-%rt-%pid-%Ts%fp
  unique-id-header X-Unique-ID if unique_id_missing

But that does not seem to be working.  Should it?  If not, is there another way 
to go about this?

Thanks!
Scott

This email message contains information that Motus, LLC considers confidential 
and/or proprietary, or may later designate as confidential and proprietary. It 
is intended only for use of the individual or entity named above and should not 
be forwarded to any other persons or entities without the express consent of 
Motus, LLC, nor should it be used for any purpose other than in the course of 
any potential or actual business relationship with Motus, LLC. If the reader of 
this message is not the intended recipient, or the employee or agent 
responsible to deliver it to the intended recipient, you are hereby notified 
that any dissemination, distribution, or copying of this communication is 
strictly prohibited. If you have received this communication in error, please 
notify sender immediately and destroy the original message.

Internal Revenue Service regulations require that certain types of written 
advice include a disclaimer. To the extent the preceding message contains 
advice relating to a Federal tax issue, unless expressly stated otherwise the 
advice is not intended or written to be used, and it cannot be used by the 
recipient or any other taxpayer, for the purpose of avoiding Federal tax 
penalties, and was not written to support the promotion or marketing of any 
transaction or matter discussed herein.

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

[Janusz Dziemidowicz]

2016-04-07 17:47 GMT+02:00 Willy Tarreau :
> If someone who can reliably reproduce the issue could check whether 1.6 has
> the same issue, it would help me cut the problem in half. That obviously
> excludes all those running sensitive production of course.

I can try to test 1.6 next week and see what happens.

-- 
Janusz Dziemidowicz

LUA: Skip HTTP headers and forward TCP traffic

[Florian Aßmann]

Hi everybody,

I try to connect to an SSH process via proxytunnel. The incoming request 
carries normal HTTP headers that I have to skip those in order to forward 
further encrypted SSH traffic to an SSH process. I thought I could tackle this 
task using Lua and register_action, but since it’s my first time working with 
Lua and haproxy and I got stuck. I hope someone could help me on this topic.

### Output:
Apr 08 10:15:48 HOST docker[4059]: [info] 098/101548 (12) : connect-ssh
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : CONNECT 
127.0.0.1:22 HTTP/1.1..
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : Host: FQDN..
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : Proxy-Connection: 
Keep-Alive..
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : X-Forwarded-Proto: 
https..
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : X-Forwarded-For: 
IP..
Apr 08 10:15:48 HOST docker[4059]: [debug] 098/101548 (12) : ..
Apr 08 10:15:53 HOST docker[4059]: [ALERT] 098/101553 (12) : Lua function 
'connect-ssh': yield not allowed.

### haproxy.cfg:
global
lua-load /etc/haproxy/proxytunnel.lua

…

frontend multiplex-ssh-http
bind :80
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content lua.connect-ssh if METH_CONNECT

# Detect SSH connection attempts
acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30

use_backend tcp-ssh if client_attempts_ssh
default_backend http-nginx

backend tcp-ssh
mode tcp
option  tcplog
server ssh dockerhost:22
timeout server 2h

…

### proxytunnel.lua:
function string.starts(haystack,  needle)
  return haystack:sub(1, needle:len()) == needle
end

core.register_action('connect-ssh', { "tcp-req" }, function(txn)
  local line = txn.req:getline();

  txn:Info("connect-ssh");

  if line == nil then
txn:Debug("Got nil, skipping...");
return
  elseif not line:starts("CONNECT 127.0.0.1:22 HTTP/1.1") then
txn:Debug("No match, got " .. line .. ", skipping...");
return
  end

  repeat -- skip headers
txn:Debug(line);
line = txn.req:getline();
  until line == nil or line == "";

  return

end);

King regards
Florian Aßmann

[PATCH 1/4]: BUG/MINOR : server: risk of over reading the pref_net array.

[David CARLIER]

Hi,

here a first patch among a small patchset.

Kind regards.
From 65b5807cfbdebf28f01695fa02a34cd0353d4212 Mon Sep 17 00:00:00 2001
From: David Carlier 
Date: Fri, 8 Apr 2016 10:26:44 +0100
Subject: [PATCH 1/4] BUG/MINOR: server: risk of over reading the pref_net
 array.

dns_option struct pref_net field is an array of 5. The issue
here shows that pref_net_nb can go up to 5 as well which might lead
to read outside of this array.
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 72799bb..5a2c58a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1116,7 +1116,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 e = p;
 while (*p != '\0') {
 	/* If no room avalaible, return error. */
-	if (opt->pref_net_nb > SRV_MAX_PREF_NET) {
+	if (opt->pref_net_nb >= SRV_MAX_PREF_NET) {
 		Alert("parsing [%s:%d]: '%s' exceed %d networks.\n",
 		  file, linenum, args[cur_arg], SRV_MAX_PREF_NET);
 		err_code |= ERR_ALERT | ERR_FATAL;
-- 
2.5.0

[PATCH 4/4]: CLEANUP: proto_uxst: initialize socket before setting.

[David CARLIER]

Hi,

This one might not find this way as it might then having a performance hit,
I was outweighting the outcome for this patch myself ... We ll see.

Regards.
From f8713e332f99aee682ef12c7bbbc39766be3d3ff Mon Sep 17 00:00:00 2001
From: David Carlier 
Date: Fri, 8 Apr 2016 10:44:08 +0100
Subject: [PATCH 4/4] CLEANUP: proto_uxst: initialize socket before setting.

Initializes the socket before usage. However, there might
be then a slight impact performance hit.
---
 src/proto_uxst.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/proto_uxst.c b/src/proto_uxst.c
index b2a7fe2..3fa9504 100644
--- a/src/proto_uxst.c
+++ b/src/proto_uxst.c
@@ -131,6 +131,7 @@ static void destroy_uxst_socket(const char *path)
 	if (sock < 0)
 		return;
 
+	memset(, 0, sizeof(addr));
 	addr.sun_family = AF_UNIX;
 	strncpy(addr.sun_path, path, sizeof(addr.sun_path));
 	addr.sun_path[sizeof(addr.sun_path) - 1] = 0;
@@ -191,6 +192,7 @@ static int uxst_bind_listener(struct listener *listener, char *errmsg, int errle
 	if (ext)
 		goto fd_ready;
 
+	memset(, 0, sizeof(addr));
 	if (path[0]) {
 		ret = snprintf(tempname, MAXPATHLEN, "%s.%d.tmp", path, pid);
 		if (ret < 0 || ret >= MAXPATHLEN) {
-- 
2.5.0

CIDR Notation in ACL -- silent failure

[Daniel Schneller]

Hi!

I noticed that while this ACL matches my source IP of 192.168.42.123:

acl src_internal_net src 192.168.42.0/24

this one does _not_:

acl src_internal_net src 192.168.42/24

While not strictly part of RFC 4632 (yet), leaving out trailing .0 
octets is a very common notation and is probably going to be included 
in a future RFC update (as per Errata 1577): 
https://www.rfc-editor.org/errata_search.php?rfc=4632=1577

If there are concerns against this notation, the config parser should 
at least issue a WARNING or even ERROR about this, because I found it 
it quite confusing. Especially if ACLs are used for actual access 
control, this can have nasty consequences.

What do you think?

Cheers,
Daniel


-- 
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH 

Re: ssl offloading

[Gerd Mueller]

wow!

Thanks, again

Gerd


 Weitergeleitete Nachricht 
Von: Pavlos Parissis 
An: Andrew Hayworth , Gerd Mueller 
Kopie: haproxy@formilux.org 
Betreff: Re: ssl offloading
Datum: Sun, 3 Apr 2016 22:37:41 +0200

On 01/04/2016 04:20 μμ, Andrew Hayworth wrote:
> 
> Hi there -
> 
> Have you considered HAProxy in multiprocess mode? You could have a
> frontend spread across multiple threads that terminates SSL. We're
> experimenting with such a design here.
> 
It has been mentioned before that you can increase capacity[1] by
using:
- latest Intel CPUs
- Openssl 1.0.2g version or higher
- enable multiprocess mode
- PIN HAProxy to CPU processes
- stop irqbalancer and PIN network interrupt queues to CPUs, using
Intel
10GbE cards makes this very easy
- tune HAProxy and OS
- Enable RFC5077 TLS Session Resumption, tricky in distributed setup
- Deploy ECC certificates and enable ECC ciphers.

I managed to achieve 450K HTTPS/sec with object size 1K using 22 cores
out of 24. Disabling HT and use 10cores gave me 370K HTTPS/sec. HT is
disabled for now in our systems.


I wouldn't offload ssl to hardware as they are like blackbox. You don't
know what they do and how vulnerable they are.

Cheers,
Pavlos


[1] number of https/sec while CPU utilization(user+sys level) <=70%
why 70%? because you want to have some room to handle attacks, failures
on other nodes/DCs, mistakes by devs( a typo somewhere can increase
number of requests and cause a DDOS...)



signature.asc
Description: This is a digitally signed message part