1.7.6 redirect regression (commit 73d071ecc84e0f26ebe1b9576fffc1ed0357ef32)
Hi, 1.7.6 gives me errors (in log) with redirect rules. Example config that produces 503 errors in logs and curl -v complains: < HTTP/1.1 301 Moved Permanently < Content-length: 0 < Location: https://127.0.0.1:8080/ < * Excess found in a non pipelined read: excess = 212 url = / * (zero-length body) * Connection #0 to host 127.0.0.1 left intact Example config: frontend test bind ipv4@127.0.0.1:8080 redirect scheme https code 301 if { dst_port 8080 } # this also gives 503 #http-request redirect scheme https code 301 if { dst_port 8080 } default_backend test_be2 backend test_be2 server wp1 ip.add.re.ss:80 id 1 (I have quite a few redirect rules in prod. config and all seem to produce 503 in logs). git bisect gives this commit as "bad": commit 73d071ecc84e0f26ebe1b9576fffc1ed0357ef32 BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next req If I revert this commit then the example config gives 301 in log and curl doesn't complain about read. -Jarno -- Jarno Huuskonen
BUG: frontend IP/port logging broken since 9b061e332
Hello, as per Mathias Weiersmueller's report on discourse [1], there is a bug in TCP logging when using a custom log-format, accessing the frontend IP or port (%fi/%fp or the deprecated form %Fi/%Fp) in conjunction with other log variables like %Tw or %B. Repro config: global log syslog debug defaults log global log-format %Fi/%B listen Test bind :80 server test-src2 10.0.0.254:80 If the %B variable is removed from the above config, logging also works fine. This is broken since commit 9b061e332 ("MEDIUM: bstream_sock: add a get_src and get_dst callback and remove SN_FRT_ADDR_SET"), which is in 1.5-dev9, so this is broken for some time now. Gonna need someone smarter than me for this one. cheers, lukas [1] http://discourse.haproxy.org/t/frontend-ip-and-ports-not-logged-in-tcp-mode-custom-log-format-fi-fp/1353/1
Re: [PR] Update transparent_proxy.cfg
On Tue, Jun 20, 2017 at 07:29:29PM +0200, PR Bot wrote: > Dear list! > > Author: hflamboauto1> Number of patches: 1 > > This is an automated relay of the Github pull request: >Update transparent_proxy.cfg > > Patch title(s): >Update transparent_proxy.cfg > > Link: >https://github.com/haproxy/haproxy/pull/79 > > Edit locally: >wget https://github.com/haproxy/haproxy/pull/79.patch && vi 79.patch > > Apply locally: >curl https://github.com/haproxy/haproxy/pull/79.patch | git am - > > Description: >This is basically a question regarding this value. >Everywhere on >"internet resources" i see *clientip* ... which one is correct? This >example ? Both are valid, have a look at doc/configuration.txt. In short : - "client" asks to reuse both the client's address and port. This is the most transparent mode, when you know what you're doing, and the one with the least risk of running out of source ports. But it requires that you properly configure your timeouts. - "clientip" only reuses the source address, and lets the system allocate a spare port. Willy
[PR] Update transparent_proxy.cfg
Dear list! Author: hflamboauto1Number of patches: 1 This is an automated relay of the Github pull request: Update transparent_proxy.cfg Patch title(s): Update transparent_proxy.cfg Link: https://github.com/haproxy/haproxy/pull/79 Edit locally: wget https://github.com/haproxy/haproxy/pull/79.patch && vi 79.patch Apply locally: curl https://github.com/haproxy/haproxy/pull/79.patch | git am - Description: This is basically a question regarding this value. Everywhere on "internet resources" i see *clientip* ... which one is correct? This example ? Instructions: This github pull request will be closed automatically; patch should be reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is invited to comment, even the patch's author. Please keep the author and list CCed in replies. Please note that in absence of any response this pull request will be lost.
Re: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC
Hello, Am 20.06.2017 um 17:00 schrieb Teichmann, Janek: >> I'm not sure if this was backported in RedHat/CentOS. Is the package >> uptodate (should be openssl-1.0.1e-60.el7.x86_64 afaik)? > By now openssl is recent (your version is right), but there are for long no > openssl bugfixes. I couldn't find one in the Release Note of RHEL 7.0-3. > Actually the bug I mentioned was fixed in openssl-1.0.1e-34.el7_0.3 back in 2014: https://rhn.redhat.com/errata/RHSA-2014-0679.html So that is actually not the root cause, but going to OpenSSL 1.0.2k is definitely the way to go forward in this issue. cheers, lukas
AW: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC
Hello Lukas, thank you very much. Tomorrow I will migrate the configuration to a tcp load balancer until CentOS 7.4 is coming. There will be OpenSSL 1.0.2k included. See: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_security.html#BZ1276310 > I'm not sure if this was backported in RedHat/CentOS. Is the package uptodate > (should be openssl-1.0.1e-60.el7.x86_64 afaik)? By now openssl is recent (your version is right), but there are for long no openssl bugfixes. I couldn't find one in the Release Note of RHEL 7.0-3. Regards Janek
Re: master-worker and seamless reload (bug)
On Tue, Jun 20, 2017 at 02:41:51PM +0200, William Lallemand wrote: > Willy, could you merge them? thanks done, thanks! willy
Re: master-worker and seamless reload (bug)
On Mon, Jun 19, 2017 at 03:35:08PM +0200, Emmanuel Hocdet wrote: > In case of upgrade from haproxy without -x option to -x, i suppose it will do > cleanly. > I try to play with -x, multi-proc (add and remove), upgrade pre -x without > master-worker and is painful. > Perhaps i misunderstood (and i used multi -x). Now, i only test from legacy > to -x with master-worker. > > > I think that's just a matter of documentation, maybe I can write a longer > > paragraph in the management.txt doc explaining how to upgrade for the legacy > > mode, and what changed between this one and the master worker. > > Yes, documentation must be sufficient to avoid bad usages. What about case of > multi -x? > Well, the -x should be unique, you don't need several -x, one socket is enough because you have access to every FD of every processes from it. I add a warning about that. I fixed the few issues you had in the attached patches. Willy, could you merge them? thanks -- William Lallemand >From 9927f4a1e864638e16dcb3c61de23bcc8f256a91 Mon Sep 17 00:00:00 2001 From: William LallemandDate: Mon, 19 Jun 2017 15:57:55 +0200 Subject: [PATCH 1/4] BUG/MEDIUM: fix segfault when no argument to -x option This patch fixes a segfault in the command line parser. When haproxy is launched with -x with no argument and -x is the latest option in argv it segfaults. Use usage() insteads of exit() on error. --- src/haproxy.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index d64058da..2fd387f3 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -1279,9 +1279,9 @@ static void init(int argc, char **argv) else if (*flag == 'q') arg_mode |= MODE_QUIET; else if (*flag == 'x') { -if (argv[1][0] == '-') { - Alert("Unix socket path expected with the -x flag\n"); - exit(1); +if (argc <= 1 || argv[1][0] == '-') { + Alert("Unix socket path expected with the -x flag\n\n"); + usage(progname); } old_unixsocket = argv[1]; argv++; -- 2.13.0 >From 0dc2e1f497f475e541056e0769431528a6edb39c Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Mon, 19 Jun 2017 16:37:19 +0200 Subject: [PATCH 2/4] MINOR: warning on multiple -x Multiple use of the -x option is useless, emit a warning. --- src/haproxy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/haproxy.c b/src/haproxy.c index 2fd387f3..1eabb552 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -1283,7 +1283,10 @@ static void init(int argc, char **argv) Alert("Unix socket path expected with the -x flag\n\n"); usage(progname); } +if (old_unixsocket) + Warning("-x option already set, overwriting the value\n"); old_unixsocket = argv[1]; + argv++; argc--; } -- 2.13.0 >From 17f2decfe5d667d77415d390c61f839db8470065 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Tue, 20 Jun 2017 11:20:23 +0200 Subject: [PATCH 3/4] MINOR: mworker: don't copy -x argument anymore in copy_argv() Don't copy the -x argument anymore in copy_argv() since it's already allocated in mworker_reload(). Make the copy_argv() more consistent when used with multiple arguments to strip. It prevents multiple -x on reload, which is not supported. --- src/haproxy.c | 36 +--- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index 1eabb552..cdb6066b 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -596,23 +596,12 @@ static void mworker_reload() } next_argv[next_argc] = NULL; - /* if -x was used, try to update the stat socket if not available anymore */ + /* add the -x option with the stat socket */ if (cur_unixsocket) { - if (old_unixsocket) { - - /* look for -x */ - for (j = 0; next_argv[j]; j++) { -if (!strcmp(next_argv[j], "-x")) - next_argv[j + 1] = (char *)cur_unixsocket; - } - } else { - /* if -x is not specified but we know the socket, add -x with it */ - next_argv[next_argc++] = "-x"; - next_argv[next_argc++] = (char *)cur_unixsocket; - next_argv[next_argc++] = NULL; - - } + next_argv[next_argc++] = "-x"; + next_argv[next_argc++] = (char *)cur_unixsocket; + next_argv[next_argc++] = NULL; } deinit(); /* we don't want to leak FD there */ @@ -1101,7 +1090,7 @@ out: static char **copy_argv(int argc, char **argv) { char **newargv; - int i, j; + int i = 0, j = 0; newargv = calloc(argc + 2, sizeof(char *)); if (newargv == NULL) { @@ -1109,19 +1098,20 @@ static char **copy_argv(int argc, char **argv) return NULL; } - for (i = 0, j = 0; i < argc; i++, j++) { - char *flag = *(argv + i) + 1; - - /* -sf or -st */ - if (*flag == 's' && (flag[1] == 'f' || flag[1] == 't')) { - /* list of pids to finish ('f') or terminate ('t') */ + while (i < argc) { + /* -sf or -st or -x */ + if ((argv[i][1] == 's' && (argv[i][2] == 'f' || argv[i][2] == 't')) ||
Re: LoadBalance whole subnet
On Tue, Jun 20, 2017 at 12:49:32PM +0200, Aleksandar Lazic wrote: > Hi Anamarija. > > ?! > > Do you plan to make the mailing list out of support?! > > Best Regards > aleks > Hi Aleksandar, Don't worry that's a mistake, Sarunas put cont...@haproxy.com in copy to his mail which lead to this. Please don't continue this thread on the mailing list, thanks. -- William Lallemand
Re: LoadBalance whole subnet
Title: Re: LoadBalance whole subnet Hi Anamarija. ?! Do you plan to make the mailing list out of support?! Best Regards aleks Anamarija Murgic wrote on 20.06.2017: Hello Sarunas, Thank you very much for considering HAProxy products and solutions for your business. If you are looking for help with HAProxy Community Edition then we recommend looking at our community support pages http://discourse.haproxy.org/. They are very active and many experts, including our own developers, get involved. Obviously, answers are given on a voluntary basis so there are no guaranteed responses times. If however, you are interested in commercial solutions we do offer support, consulting and training on all our products. Notably, HAProxy Enterprise Edition (HAPEE), which is a commercially supported version of HAProxy. It comes as an annual subscription per server and provides you with 3 primary features: 1) unlimited access to our support team (offered in Premium 24/7 or Business Hour levels); 2) the Enterprise version of our HAProxy Load Balancer (still GPL) 3) our Enterprise Suite of commercial modules offering additional functionality, availability and security. Would you be interested in talking more about our solution or seeing a 1 year quote? Looking forward to talking to you. Kind Regards, Anamarija On 20/06/2017 8:49 AM, Sarunas Rakauskas wrote: Hello, Is it possible to configure HaProxy to automatically balance traffic to all subnet VM's(Virtual Machine)? The only answer I found is that you need to reconfigure haproxy.cfg file after VM creation and restart haproxy service. Best regards from Lithuania, Sarunas -- Anamarija Murgic Account Manager Tel. +1 (844) 222-4340 / ext.no. 7506 Mobile: +385 99 44 11 521 Email: amur...@haproxy.com Website: www.haproxy.com HAProxy Technologies | Powering Your Uptime ! -- Best Regards Aleks
Re: LoadBalance whole subnet
Hello Sarunas, Thank you very much for considering HAProxy products and solutions for your business. If you are looking for help with HAProxy Community Edition then we recommend looking at our community support pages http://discourse.haproxy.org/. They are very active and many experts, including our own developers, get involved. Obviously, answers are given on a voluntary basis so there are no guaranteed responses times. If however, you are interested in commercial solutions we do offer support, consulting and training on all our products. Notably, HAProxy Enterprise Edition (HAPEE), which is a commercially supported version of HAProxy.It comes as an annual subscription per server and provides you with 3 primary features: 1) unlimited access to our support team (offered in Premium 24/7 or Business Hour levels); 2) the Enterprise version of our HAProxy Load Balancer (still GPL) 3) our Enterprise Suite of commercial modules offering additional functionality, availability and security. Would you be interested in talking more about our solution or seeing a 1 year quote? Looking forward to talking to you. Kind Regards, Anamarija On 20/06/2017 8:49 AM, Sarunas Rakauskas wrote: Hello, Is it possible to configure HaProxy to automatically balance traffic to all subnet VM's(Virtual Machine)? The only answer I found is that you need to reconfigure haproxy.cfg file after VM creation and restart haproxy service. Best regards from Lithuania, Sarunas -- Anamarija Murgic Account Manager Tel. +1 (844) 222-4340 / ext.no. 7506 Mobile: +385 99 44 11 521 Email: amur...@haproxy.com Website: www.haproxy.com HAProxy Technologies | Powering Your Uptime !
LoadBalance whole subnet
Hello, Is it possible to configure HaProxy to automatically balance traffic to all subnet VM's(Virtual Machine)? The only answer I found is that you need to reconfigure haproxy.cfg file after VM creation and restart haproxy service. Best regards from Lithuania, Sarunas