stable-bot: WARNING: 21 bug fixes in queue for next release - 1.8

2019-07-06 Thread stable-bot
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.

Last release 1.8.20 was issued on 2019/04/25.  There are currently 21 patches 
in the queue cut down this way:
- 2 MAJOR, first one merged on 2019/04/30
- 14 MEDIUM, first one merged on 2019/04/29
- 5 MINOR, first one merged on 2019/04/29

Thus the computed ideal release date for 1.8.21 would be 2019/05/14, which was 
seven weeks ago.

The current list of patches in the queue is:
- MAJOR   : lb/threads: make sure the avoided server is not full on second pass
- MAJOR   : map/acl: real fix segfault during show map/acl on CLI
- MEDIUM  : contrib/modsecurity: If host header is NULL, don't try to strdup it
- MEDIUM  : mux-h2: make sure the connection timeout is always set
- MEDIUM  : listener: Fix how unlimited number of consecutive accepts is handled
- MEDIUM  : spoe: arg len encoded in previous frag frame but len changed
- MEDIUM  : http: fix "http-request reject" when not final
- MEDIUM  : lb_fwlc: Don't test the server's lb_tree from outside the lock
- MEDIUM  : connection: fix multiple handshake polling issues
- MEDIUM  : lb_fas: Don't test the server's lb_tree from outside the lock
- MEDIUM  : compression: Set Vary: Accept-Encoding for compressed responses
- MEDIUM  : vars: make sure the scope is always valid when accessing vars
- MEDIUM  : spoe: Don't use the SPOE applet after releasing it
- MEDIUM  : vars: make the tcp/http unset-var() action support conditions
- MEDIUM  : port_range: Make the ring buffer lock-free.
- MEDIUM  : dns: make the port numbers unsigned
- MINOR   : http_fetch: Rely on the smp direction for "cookie()" and "hdr()"
- MINOR   : ssl_sock: Fix memory leak when disabling compression
- MINOR   : deinit/threads: make hard-stop-after perform a clean exit
- MINOR   : http-rules: mention "deny_status" for "deny" in the error message
- MINOR   : http: Call stream_inc_be_http_req_ctr() only one time per request

---
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.



stable-bot: NOTICE: 22 bug fixes in queue for next release - 2.0

2019-07-06 Thread stable-bot
Hi,

Last release 2.0.1 was issued on 2019/06/26.  There are currently 22 patches in 
the queue cut down this way:
- 13 MEDIUM, first one merged on 2019/07/01
- 9 MINOR, first one merged on 2019/07/01

Thus the computed ideal release date for 2.0.2 would be 2019/07/29, which is in 
three weeks or less.

The current list of patches in the queue is:
- MEDIUM  : stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si
- MEDIUM  : connections: Make sure we're unsubscribe before upgrading the mux.
- MEDIUM  : channel/htx: Use the total HTX size in channel_htx_recv_limit()
- MEDIUM  : http/applet: Finish request processing when a service is registered
- MEDIUM  : sessions: Don't keep an extra idle connection in sessions.
- MEDIUM  : checks: Make sure the tasklet won't run if the connection is closed.
- MEDIUM  : ssl: Don't attempt to set alpn if we're not using SSL.
- MEDIUM  : checks: unblock signals in external checks
- MEDIUM  : lb_fas: Don't test the server's lb_tree from outside the lock
- MEDIUM  : connections: Always call shutdown, with no linger.
- MEDIUM  : servers: Authorize tfo in default-server.
- MEDIUM  : mux-h1: Always release H1C if a shutdown for writes was reported
- MEDIUM  : mux-h1: Handle TUNNEL state when outgoing messages are formatted
- MINOR   : mworker/cli: don't output a \n before the response
- MINOR   : mux-h1: Skip trailers for non-chunked outgoing messages
- MINOR   : hlua: Don't use channel_htx_recv_max()
- MINOR   : contrib/prometheus-exporter: Respect the reserve when data are sent
- MINOR   : mux-h1: Don't return the empty chunk on HEAD responses
- MINOR   : contrib/prometheus-exporter: Don't try to add empty data blocks
- MINOR   : contrib/prometheus-exporter: Don't use channel_htx_recv_max()
- MINOR   : mux-h1: Don't process input or output if an error occurred
- MINOR   : hlua/htx: Respect the reserve when HTX data are sent




stable-bot: WARNING: 66 bug fixes in queue for next release - 1.9

2019-07-06 Thread stable-bot
Hi,

Last release 1.9.8 was issued on 2019/05/13.  There are currently 66 patches in 
the queue cut down this way:
- 2 MAJOR, first one merged on 2019/05/27
- 37 MEDIUM, first one merged on 2019/05/21
- 27 MINOR, first one merged on 2019/05/16

Thus the computed ideal release date for 1.9.9 would be 2019/06/10, which was 
four weeks ago.

The current list of patches in the queue is:
- MAJOR   : mux-h1: Don't crush trash chunk area when outgoing message is formatted
- MAJOR   : lb/threads: make sure the avoided server is not full on second pass
- MEDIUM  : proto_htx: Introduce the state ENDING during forwarding
- MEDIUM  : mux-h1: Use buf_room_for_htx_data() to detect too large messages
- MEDIUM  : mux-h2: make sure the connection timeout is always set
- MEDIUM  : lb_fwlc: Don't test the server's lb_tree from outside the lock
- MEDIUM  : dns: make the port numbers unsigned
- MEDIUM  : spoe: Don't use the SPOE applet after releasing it
- MEDIUM  : WURFL: segfault in wurfl-get() with missing info.
- MEDIUM  : http: fix "http-request reject" when not final
- MEDIUM  : queue: fix the tree walk in pendconn_redistribute.
- MEDIUM  : connections: Don't try to send early data if we have no mux.
- MEDIUM  : connections: Don't use ALPN to pick mux when in mode TCP.
- MEDIUM  : threads: Fix build for 32bits arch with dwcas.
- MEDIUM  : connection: Use the session to get the origin address if needed.
- MEDIUM  : h2/htx: Update data length of the HTX when the cookie list is built
- MEDIUM  : mux-h2: Reset padlen when several frames are demux
- MEDIUM  : mux-h1: Don't skip the TCP splicing when there is no more data to read
- MEDIUM  : connection: fix multiple handshake polling issues
- MEDIUM  : mworker: don't call the thread and fdtab deinit
- MEDIUM  : h2: Don't forget to set h2s->cs to NULL after having free'd cs.
- MEDIUM  : lb_fas: Don't test the server's lb_tree from outside the lock
- MEDIUM  : connections: Always call shutdown, with no linger.
- MEDIUM  : vars: make the tcp/http unset-var() action support conditions
- MEDIUM  : mux-h1: only check input data for the current stream, not next one
- MEDIUM  : streams: Don't switch from SI_ST_CON to SI_ST_DIS on read0.
- MEDIUM  : mux-h2: Remove the padding length when a DATA frame size is checked
- MEDIUM  : mux-h1: Don't switch the mux in BUSY mode on 1xx messages
- MEDIUM  : vars: make sure the scope is always valid when accessing vars
- MEDIUM  : threads: fix double-word CAS on non-optimized 32-bit platforms
- MEDIUM  : stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si
- MEDIUM  : compression: Set Vary: Accept-Encoding for compressed responses
- MEDIUM  : sessions: Don't keep an extra idle connection in sessions.
- MEDIUM  : compression/htx: Fix the adding of the last data block
- MEDIUM  : ssl: Don't attempt to set alpn if we're not using SSL.
- MEDIUM  : mux-h1: Always release H1C if a shutdown for writes was reported
- MEDIUM  : connections: Don't call shutdown() if we want to disable linger.
- MEDIUM  : proto-htx: Not forward too much data when 1xx responses are handled
- MEDIUM  : checks: Make sure the tasklet won't run if the connection is 
closed.
- MINOR   : mworker/cli: don't output a \n before the response
- MINOR   : mux-h1: Don't return the empty chunk on HEAD responses
- MINOR   : mux-h1: Add the header connection in lower case in outgoing messages
- MINOR   : lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware
- MINOR   : http_fetch: Rely on the smp direction for "cookie()" and "hdr()"
- MINOR   : ssl_sock: Fix memory leak when disabling compression
- MINOR   : channel/htx: Don't alter channel during forward for empty HTX message
- MINOR   : deinit/threads: make hard-stop-after perform a clean exit
- MINOR   : fl_trace/htx: Be sure to always forward trailers and EOM
- MINOR   : spoe: Fix memory leak if failing to allocate memory
- MINOR   : mux-h1: Skip trailers for non-chunked outgoing messages
- MINOR   : 51d/htx: The _51d_fetch method, and the methods it calls are now HTX aware.
- MINOR   : htx: Remove a forgotten while loop in htx_defrag()
- MINOR   : mux-h1: Report EOI instead EOS on parsing error or H2 upgrade
- MINOR   : mux-h2: Count EOM in bytes sent when a HEADERS frame is formatted
- MINOR   : mux-h1: errflag must be set on H1S and not H1M during output processing
- MINOR   : time: make sure only one thread sets global_now at boot
- MIN

prometheus service kills ssl handshake

2019-07-06 Thread Aleksandar Lazic
Hi.

I use HAP 2.0.1 with the haproxy service with my image.
After some time (~several hours) the SSL handshake stops working for the https
frontend which offers the prom service.

The config is mainly the same as shown in the blog post

https://www.me2digital.com/blog/2019/05/haproxy-sni-routing/

I have just added this line.

```
http-request use-service prometheus-exporter if { path /mymetrics }
```

This is the prometheus config snippet.

```
  - job_name: 'me2d-prom'
    metrics_path: '/mymetrics'
    scheme: 'https'

    static_configs:
      - targets: ['cloud.domain']
```

The lines in the logs do not show too much

```
:::85.10.XXX.XXX:40276 [05/Jul/2019:13:53:33.532] https-in/1: SSL handshake failure
```

Has someone used this service in the main https config?
Which data (show ...) should I provide to debug this topic?

Best regards
Aleks
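One thing worth having before asking the list for "show ..." output is the point in time at which the handshake failures begin and which clients and frontends they involve. The following is an added example, not code from the thread or from HAProxy: a small Python parser for the connection-error line format quoted above, run over a constructed log sample. The extra log lines, the helper names and the per-minute onset threshold are assumptions; only the line format follows the message quoted in the post.

```python
"""Parse HAProxy connection-error log lines such as the one quoted in the
thread ("... https-in/1: SSL handshake failure") and summarise when the SSL
handshake failures start, on which frontend, and from which clients.

Added example, not code from the thread or from HAProxy; the sample log is
constructed, and helper names, fields and the onset threshold are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Shape of an HAProxy connection-error line (as quoted in the thread):
#   <client_ip>:<port> [<dd/Mon/yyyy:HH:MM:SS.mmm>] <frontend>/<bind_idx>: <message>
_ERR_RE = re.compile(
    r"^(?P<client>\S+?):(?P<port>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<frontend>[^/\s]+)/(?P<bind>\S+): (?P<msg>.+)$"
)
_TS_FMT = "%d/%b/%Y:%H:%M:%S.%f"  # %f accepts the 3-digit milliseconds


def parse_line(line):
    """Return the fields of a connection-error line, or None for any other
    line (normal HTTP access-log lines lack the '<frontend>/<idx>:' part)."""
    m = _ERR_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ts"] = datetime.strptime(rec["ts"], _TS_FMT)
    return rec


def handshake_failures(lines):
    """Keep only the records whose message is an SSL handshake failure."""
    return [r for r in map(parse_line, lines)
            if r is not None and r["msg"].startswith("SSL handshake failure")]


def summarize(lines, per_minute_threshold=3):
    """Count handshake failures per frontend, per client and per minute, and
    report the first minute reaching the threshold as the likely onset."""
    fails = handshake_failures(lines)
    per_minute = Counter(r["ts"].replace(second=0, microsecond=0) for r in fails)
    onset = next((m for m in sorted(per_minute)
                  if per_minute[m] >= per_minute_threshold), None)
    return {
        "total": len(fails),
        "by_frontend": dict(Counter(r["frontend"] for r in fails)),
        "by_client": dict(Counter(r["client"] for r in fails)),
        "first": fails[0]["ts"] if fails else None,
        "last": fails[-1]["ts"] if fails else None,
        "onset": onset,
    }


# Constructed sample: one normal access-log line, the line quoted in the thread,
# and a few more error lines around it (addresses are documentation ranges or
# masked as in the thread).
SAMPLE_LOG = [
    '10.0.0.5:51234 [05/Jul/2019:09:12:01.004] https-in~ be_web/srv1 '
    '0/0/1/12/13 200 1024 - - ---- 3/3/0/0/0 0/0 "GET /mymetrics HTTP/1.1"',
    ':::85.10.XXX.XXX:40270 [05/Jul/2019:13:50:10.120] https-in/1: SSL handshake failure',
    ':::85.10.XXX.XXX:40276 [05/Jul/2019:13:53:33.532] https-in/1: SSL handshake failure',
    ':::85.10.XXX.XXX:40277 [05/Jul/2019:13:53:34.011] https-in/1: SSL handshake failure',
    '203.0.113.9:55012 [05/Jul/2019:13:53:35.700] https-in/1: SSL handshake failure',
    ':::85.10.XXX.XXX:40280 [05/Jul/2019:13:54:03.900] https-in/1: SSL handshake failure',
    '198.51.100.2:43000 [05/Jul/2019:13:54:10.000] https-in/1: Connection closed during SSL handshake',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the real log through `summarize()` gives the first and last failure timestamps and the minute in which failures become sustained, which is the window to compare against the process's uptime and the scrape interval when deciding which `show ...` output to collect.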



Re: Help with 1.8.1/4 and spoa_server/spoa_example

2019-07-06 Thread Aleksandar Lazic
Hi Christopher.

On 05.07.2019 at 16:29, Christopher Faulet wrote:
> On 03/07/2019 at 16:16, Aleksandar Lazic wrote:
>> I know this is an old haproxy version but I don't have the option to update as
>> it's part of a vendor product.
>>
>> I need to bring the `[haproxy-2.0.git]/contrib/spoa_server/` up and running or
>> `[haproxy-1.8.git]/contrib/spoa_example/` from 1.8.4 to be able to run a python
>> script.
>>
>> Any help is welcome and I can offer some money for the help. It's urgent so I
>> will need the help asap.
>>
>> You can contact me also off the list.
> 
> 
> Hi Aleks,
> 
> The spoa_example cannot run a python script. But I took a look at the spoa_server
> and it seems to be usable with HAProxy 1.8 with a small patch. You must downgrade
> the SPOE version and change the encoding of the frame's flags. The example
> configuration must also be adapted because there is no debug converter in
> HAProxy 1.8.
> 
> But, as you said, HAProxy 1.8.4 is old, and many fixes were pushed to the SPOE
> since then. So you would experience some bugs. Be careful.
> 
> And I noticed a bug with the spoa_server: it seems to accept and process only
> one connection per worker because of a while loop to read frames. I'm cc'ing
> Thierry.
> 
> I attached a quick-and-dirty patch to downgrade the SPOP version of the
> spoa_server to 1.0.

Thank you very much.

Best regards
Aleks



Re: [RFC PATCH] BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2

2019-07-06 Thread Илья Шипицин
Sat, 6 Jul 2019 at 16:09, Willy Tarreau :

> hi Guys,
>
> On Fri, Jul 05, 2019 at 05:07:27PM +0200, Emmanuel Hocdet wrote:
> >
> > > On 4 Jul 2019 at 18:55, Илья Шипицин wrote:
> > >
> > > can you provide some comments around the code?
> > >
> > > I think almost nobody can read such code
> > >
> > > Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet <m...@gandi.net>:
> > > Hi,
> > >
> > > This thread reminds me that with BoringSSL empty (and abort) handshake
> > > is not set.
> > > After tests BoringSSL seems to have a simpler case.
> > > I sent a patch to fix that.
> > >
> > > For OpenSSL <= 1.0.2, revert is the thing to do.
> > > For LibreSSL, including it with the BoringSSL case could be ok (with my
> > > patch).
> > > With time (no HB and better error report in libSSL), it seems the code
> > > could simply look like:
> > >   if (!errno)
> > >       conn->err_code = CO_ER_SSL_EMPTY;
> > >   else
> > >       conn->err_code = CO_ER_SSL_ABORT;
> > >
> >
> > Only CO_ER_SSL_EMPTY and CO_ER_SSL_ABORT can be set for conn->err_code
> > (it's the case for BoringSSL)
>
> Thanks Manu. Ilya and Lukas, just let me know if you still have any objection
> against this patch being merged, or if I should wait for Lukas' one first to
> be tested. Anything's fine for me, I'm just waiting for instructions.
>
>

Lukas gave a very detailed description in his mail.
However, the code is not documented.

I'd like to have more comments around it. The code itself is fine.


>
> Willy
>


Re: [PATCH] DOC: Fix typo in intro.txt

2019-07-06 Thread Willy Tarreau
Hi Alain,

On Fri, Jul 05, 2019 at 02:51:38PM +0200, Alain Belkadi wrote:
> 
> Hello,
> 
> You will find as attachment my first ultra-small contribution to the
> documentation, a fix for a typo.

Applied, thanks! Note, there's no small, let alone ultra-small,
contribution :-)

Willy



Re: [RFC PATCH] BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2

2019-07-06 Thread Willy Tarreau
hi Guys,

On Fri, Jul 05, 2019 at 05:07:27PM +0200, Emmanuel Hocdet wrote:
> 
> > On 4 Jul 2019 at 18:55, Илья Шипицин wrote:
> > 
> > can you provide some comments around the code?
> > 
> > I think almost nobody can read such code
> > 
> > Thu, 4 Jul 2019 at 21:17, Emmanuel Hocdet:
> > Hi,
> > 
> > This thread reminds me that with BoringSSL empty (and abort) handshake is
> > not set.
> > After tests BoringSSL seems to have a simpler case.
> > I sent a patch to fix that.
> > 
> > For OpenSSL <= 1.0.2, revert is the thing to do.
> > For LibreSSL, including it with the BoringSSL case could be ok (with my patch).
> > With time (no HB and better error report in libSSL), it seems the code could
> > simply look like:
> >   if (!errno)
> >       conn->err_code = CO_ER_SSL_EMPTY;
> >   else
> >       conn->err_code = CO_ER_SSL_ABORT;
> > 
> 
> Only CO_ER_SSL_EMPTY and CO_ER_SSL_ABORT can be set for conn->err_code
> (it's the case for BoringSSL)

Thanks Manu. Ilya and Lukas, just let me know if you still have any objection
against this patch being merged, or if I should wait for Lukas' one first to
be tested. Anything's fine for me, I'm just waiting for instructions.

Willy