Fails to build HAProxy 1.8.10 without USE_THREAD

2018-06-23 Thread Zero King

Hi,

I tried to update haproxy to 1.8.10 in MacPorts, but it fails to build
from source with the following error (without USE_THREAD):

/usr/bin/clang -arch x86_64 -Iinclude -Iebtree -Wall  -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement -fwrapv -fno-strict-overflow  -Wno-address-of-packed-member 
-Wno-null-dereference -Wno-unused-label   -DTPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB  -DENABLE_POLL 
-DENABLE_KQUEUE -DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PCRE -I/opt/local/include  
-DCONFIG_HAPROXY_VERSION=\"1.8.10-ec17d7a\" 
-DCONFIG_HAPROXY_DATE=\"2018/06/22\" -c -o src/log.o src/log.c
src/haproxy.c:2475:16: error: cannot take the address of an rvalue of type 
'unsigned long'
   HA_ATOMIC_AND(_threads_mask, ~tid_bit);
 ^
include/common/hathreads.h:41:42: note: expanded from macro 'HA_ATOMIC_AND'
#define HA_ATOMIC_AND(val, flags)({*(val) &= (flags);})
^~~
1 error generated.

--
Zero



Re: cookie insert method secure

2018-06-23 Thread Aleksandar Lazic

On 23/06/2018 14:42, mlist wrote:

>> You can use the `cookie` keyword and then remove the cookie with
>> http-request before you send it to the backend
>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request
>>
>> e.g.:
>>
>> # untested
>> cookie  insert indirect preserve nocache httponly
>> http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2
>>
>> Maybe you can take a look into the code how the cookie is created ;-)
>
> It is necessary to "not set Cookie secure" (in response to the client),
> not deleting secure on the request.
>
> The cookie inserted for session management by the "cookie
> insert..." keyword is managed directly by haproxy.
>
> Without the possibility to add the "secure" flag with a condition (or to use
> another haproxy mechanism), no one can use haproxy while being compliant with
> cookie security without doing a separate backend for each special case
> (impractical).

I don't know any other solution.
Can't you use ansible or any other tool to set up the backends
automatically?

Best regards
Aleks


mlist


APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | p.iva/vat no.
IT-08543640158
administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123
- operational office Magenta (MI) via Milano 89/91 20013
www.apkappa.it

Pursuant to and for the purposes of the Italian personal data protection law
(Legislative Decree 196/03 and related provisions), this e-mail is intended solely
for the persons indicated above, and the information it contains is to be
considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever
nor disclose them to anyone else. If you are not the intended recipient, you
should not copy, modify, distribute or take any action in reliance on it. If
you have received this email in error, please notify the sender and delete this
email from your system.






Variables

2018-06-23 Thread mlist
Hi,

how to debug/show variables' memory consumption to correctly tune the size with:

tune.vars….

What are the default limits?





RE: cookie insert method secure

2018-06-23 Thread mlist
>>> You can use the `cookie` keyword and then remove the cookie with 
>>> http-request before you send it to the backend
>>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

>>> e.g.:

>>> # untested
>>> cookie  insert indirect preserve nocache httponly
>>> http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2

>>> Maybe you can take a look into the code how the cookie is created ;-)

It is necessary to "not set Cookie secure" (in response to the client), not
deleting secure on the request.

The cookie inserted for session management by the "cookie  insert..."
keyword is managed directly by haproxy. Without the possibility to add the "secure"
flag with a condition (or to use another haproxy mechanism), no one can use haproxy
while being compliant with cookie security without doing a separate backend for each
special case (impractical).




-Original Message-
From: Aleksandar Lazic 
Sent: martedì 12 giugno 2018 23:29
To: mlist 
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

Hi.

On 12/06/2018 18:05, mlist wrote:
>Hi Aleksandar,
>
>as I can see in the configuration documentation the cookie command does not
>seem to support 
>As now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02 if I set "if { 
>ssl_fc }" condition I get:
>
>[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' 
>supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 
>'domain', 'maxidle, and 'maxlife' options.
>
>Also on newer version documentation I cannot see support for 
>
>http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

Ah you are right I haven't thought that this keyword can't work with
conditions.

>What you wrote was exactly what I'm looking for !
>
>>>There are also other new cookie security specifiers such as SameSite=... ?
>
>>Sorry I don't understand this sentence.
>
>I mean one can use other options than only those specified in the alert above,
>i.e.:
>
> cookie  insert indirect preserve nocache httponly SameSite=strict
>
>We can "add" a flag to a cookie passing "through" haproxy with " rspirep 
>^(set-cookie:.*) \1;\ SameSite=strict ..."
>
>[backend set a cookie] -> [haproxy add SameSite=strict to passing cookie] -> 
>[client get altered cookie]
>
>How can we do that with a cookie completely added by haproxy, as we see the
>"cookie insert" command doesn't seem to support flags like
>SameSite=strict:
>
>DOESN'T WORK
>[haproxy cookie insert SameSite=strict] -> [client get inserted cookie flag]

How about handling this with http-request

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response

e. g.:
# The regex matches the first string before ';'
http-response replace-header Set-Cookie ([^;]*);(.*) "\1; HttpOnly; 
SameSite=strict" if !{ ssl_fc }
http-response replace-header Set-Cookie ([^;]*);(.*) "\1; HttpOnly; 
SameSite=strict; Secure" if { ssl_fc }

The insert, indirect, preserve and nocache are a little bit complicated.

You can use the `cookie` keyword and then remove the cookie with http-request 
before you send it to the backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

e.g.:

# untested
cookie  insert indirect preserve nocache httponly
http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2

Maybe you can take a look into the code how the cookie is created ;-)

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c;hb=fd9655c54dc504f75afea9c45b3a34ffaba73db4#l5880

Best regards
Aleks

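The two http-response replace-header rules quoted in this exchange, modelled in Python on constructed Set-Cookie values so their effect can be seen, together with a check of which flags a cookie still lacks; this is an added example, not code from the thread or from HAProxy. The match regex and the two replacement strings are the ones quoted; the keep_attrs variant, the sample values and all function names are my own assumptions.

```python
import re

# Constructed sample Set-Cookie values (not taken from the thread): one in the
# shape "cookie SRV insert" emits, one backend cookie with attributes, one with none.
SAMPLE_SET_COOKIE = [
    "SRV=s1; path=/",
    "sessionid=abc123; Path=/app; Max-Age=3600",
    "tracker=xyz",
]

# The match regex and the two replacement formats quoted in the thread.
MATCH_RE = r"([^;]*);(.*)"
FMT_PLAIN = r"\1; HttpOnly; SameSite=strict"           # rule used if !{ ssl_fc }
FMT_TLS = r"\1; HttpOnly; SameSite=strict; Secure"     # rule used if { ssl_fc }
# Assumed variant (mine, not from the thread): re-append the original attributes (\2).
FMT_TLS_KEEP = r"\1;\2; HttpOnly; SameSite=strict; Secure"


def replace_header(value, match_re, fmt):
    """Approximate HAProxy's replace-header on one header value: when the regex
    matches, the matched span is replaced by fmt with \\1, \\2 expanded; when it
    does not match, the value is returned unchanged."""
    m = re.search(match_re, value)
    if m is None:
        return value
    return value[: m.start()] + m.expand(fmt) + value[m.end():]


def apply_rules(value, ssl_fc, keep_attrs=False):
    """Apply the conditional pair of rules: the Secure form only when ssl_fc is true."""
    if ssl_fc:
        fmt = FMT_TLS_KEEP if keep_attrs else FMT_TLS
    else:
        fmt = FMT_PLAIN
    return replace_header(value, MATCH_RE, fmt)


def cookie_attrs(value):
    """Map of lower-cased attribute names to values, excluding the name=value pair."""
    attrs = {}
    for part in value.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.strip().lower()] = val.strip()
    return attrs


def missing_flags(value, over_tls):
    """Which of HttpOnly, SameSite and (over TLS) Secure the cookie still lacks."""
    attrs = cookie_attrs(value)
    missing = [f for f in ("HttpOnly", "SameSite") if f.lower() not in attrs]
    if over_tls and "secure" not in attrs:
        missing.append("Secure")
    return missing


if __name__ == "__main__":
    # A value without any ';' never matches, so it leaves the proxy without the flags;
    # a matching value loses everything after the first ';' unless keep_attrs is set.
    for raw in SAMPLE_SET_COOKIE:
        for ssl_fc in (False, True):
            out = apply_rules(raw, ssl_fc)
            print(f"ssl_fc={ssl_fc!s:5} {raw!r} -> {out!r} "
                  f"missing={missing_flags(out, ssl_fc)}")
```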

http-response add-header

2018-06-23 Thread mlist
Hi,

haproxy 1.8.10

Using this config, no header is added to the client from haproxy:

acl is_test hdr_dom(host) -i www.url1.url2.com
http-response add-header X-Custom-Header YES if is_test

We are sure "acl is_test hdr_dom(host) -i www.url1.url2.com" matches, as the
ssl redirect works for the same acl:

redirect scheme https code 301 if !is_test !{ ssl_fc }

If we change it to:

http-response add-header X-Custom-Header YES if !is_test

haproxy adds this header to all responses regardless, also for requests from
www.url1.url2.com















Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-23 Thread Lukas Tribus
On Sat, 23 Jun 2018 at 11:35, PGNet Dev  wrote:
>
> > Sure. Your attitude and threats are not helpful in this conversation though.
>
> Threats? WTF are you talking about?

Talking about:

> I'll have to decide whether I'm more interested in haproxy, or a consistently 
> 'modern/current' openssl api. Atm, I'm leaning to sticking with the openssl 
> api restriction(s).

Not sure how I'd have to interpret this other than a passive-aggressive threat.



> I was having a constructive exchange with someone I thought was
> interested in addressing an issue, and looking into what I might
> contribute to address it.

I just said:

> And someone can step up and send a patch or it will
> be updated further down the line, but you are making a big deal out of
> it, which it really is not.

If you want to contribute, that's great and welcomed. A little less
confrontational and a little more constructive language would certainly
not hurt this conversation, is what I'm saying.


cheers,
lukas



Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-23 Thread PGNet Dev

> Sure. Your attitude and threats are not helpful in this conversation though.

Threats? WTF are you talking about?

I was having a constructive exchange with someone I thought was
interested in addressing an issue, and looking into what I might
contribute to address it.


Guess not.

Good luck.



Re: [ANNOUNCE] haproxy-1.8.10

2018-06-23 Thread Aleksandar Lazic
Am 22.06.2018 um 16:42 schrieb William Lallemand:
> Hi,
> 
> HAProxy 1.8.10 was released on 2018/06/22. It added 40 new commits
> after version 1.8.9.

The image is also updated.

https://hub.docker.com/r/me2digital/haproxy18/

###
$ docker run --rm --entrypoint /usr/local/sbin/haproxy me2digital/haproxy18 -vv
HA-Proxy version 1.8.10-ec17d7a 2018/06/22
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1
USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
###

Best regards
aleks

> This version fixes several bugs that were crashing haproxy, when using
> http-request set-map with a wrong type or with the cipherlist capture.
> Some deadlocks and crashes were also fixed that were provoked by the lua.
> 
> There was also an issue with the poller which was using 100% of the CPU.
> 
> It fixes several issues where haproxy was not leaving anymore when asked for a
> soft stop, or a reload in master-worker mode. These issues were amplified with
> the use of nbthread.
> 
> The SPOP version has been upgraded to 2.0. Due to an inconsistency in the
> examples and the reference implementation the 1.0 version is not supported
> anymore. This new version is basically the 1.0 with a bugfix. If your SPOP
> agent does not work anymore, you must upgrade the version and fix the SPOP
> flags. See commits c4dcaff, 48d02d0, 633f3bf in the master.
> 
> Thanks to all people who reported and helped fix those issues.
> 
> Users are encouraged to update.
> 
> Please find the usual URLs below :
>Site index   : http://www.haproxy.org/
>Discourse: http://discourse.haproxy.org/
>Sources  : http://www.haproxy.org/download/1.8/src/
>Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
>Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
>Changelog: http://www.haproxy.org/download/1.8/src/CHANGELOG
>Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> 
> 
> ---
> Complete changelog :
> Christopher Faulet (9):
>   BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode 
> flags
>   BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode 
> flags
>   BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in 
> sync mode
>   MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 
> 1.0
>   BUG/MINOR: contrib/spoa_example: Don't reset the status code during 
> disconnect
>   BUG/MINOR: contrib/mod_defender: Don't reset the status code during 
> disconnect
>   BUG/MINOR: contrib/modsecurity: Don't reset the status code during 
> disconnect
>   BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
>   MINOR: threads: Be sure to remove threads from all_threads_mask on exit
> 
> Daniel Corbett (2):
>   BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
>   BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
> 
> David Carlier (1):
>   DOC: contrib/modsecurity: few typo fixes
> 
> Dragan Dosen (2):
>   BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame
>   BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame
> 
> Frédéric Lécaille (1):
>   BUG/MINOR: lua: Segfaults with wrong usage of types.
> 
> Kevin Zhu (1):
>   DOC: SPOE.txt: fix a typo
> 
> Olivier Houchard (4):
>   BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check 
> failure.
>   BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.
>   BUG/MINOR: unix: Make sure we can 

Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-23 Thread Lukas Tribus
>> it's complicated to keep everything clean but any help is welcomed.
>
> Step 1 has been simply to understand the problem.

Sure. Your attitude and threats are not helpful in this conversation though.



> What I'm suggesting is that there's a possibility -- as per my other
> post, still unclear to me -- that openssl 1.1.1, with which tls1.3
> support will officially 'arrive', will have tighter restrictions on use
> of prior versions' APIs.

I already told you: both OpenSSL 1.1.1 and TLSv1.3 work fine.

While other projects fixed cosmetic API issues, we worked with the
OpenSSL team to find solutions for catastrophic failures in OpenSSL
1.1.1 alpha and beta, so they can fix it before the 1.1.1 release:

https://github.com/openssl/openssl/issues/5330
https://github.com/openssl/openssl/pull/6388
https://github.com/openssl/openssl/pull/6432

https://www.mail-archive.com/haproxy@formilux.org/msg29592.html
https://github.com/openssl/openssl/issues/6541


The priority being fixing actual bugs and compatibility issues, not
build issues that come up when OpenSSL is compiled with strict APIs.



> Will use of v<1.1.0 apis still be just deprecated? or dropped?  And, in
> either case, how will downstream apps -- e.g., haproxy -- deal with it.

There is no change between 1.1.0 and 1.1.1 regarding the old APIs
(which I already implied in my earlier email).



> Currently, apparently, haproxy doesn't deal with the legacy-free,
> current Openssl api, at all.

No, it does not. And someone can step up and send a patch or it will
be updated further down the line, but you are making a big deal out of
it, which it really is not.




cheers,
lukas