[PATCH] cirrus-ci: choose proper openssl package name

2020-01-07 Thread Илья Шипицин 
hello,


freebsd-11.3 names package "openssl"
freebsd-12.1 names package "openssl111"

I added switch for that

Cheers,
Ilya Shipitcin
From 614d7497641f0a2459c5f0b584fc84345ba5aeee Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Tue, 7 Jan 2020 23:41:24 +0500
Subject: [PATCH] BUILD: cirrus-ci: choose proper openssl package name

freebsd-11.3 and 12.1 comes with different openssl naming
let us add proper switch to cirrus-ci script
---
 .cirrus.yml | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index d14678111..4143e687b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -5,7 +5,13 @@ FreeBSD_task:
   image_family: freebsd-11-3-snap
   only_if: $CIRRUS_BRANCH =~ 'master|next'
   install_script:
-- pkg install -y openssl111 git gmake lua53 socat
+- case `uname -r` in
+11.3*)
+  export SSL=openssl;;
+12.1*)
+  export SSL=openssl111;;
+  esac
+- pkg install -y $SSL git gmake lua53 socat
   script:
 - git clone https://github.com/VTest/VTest.git ../vtest
 - make -C ../vtest
-- 
2.24.1

Re: Fwd: BUG/MEDIUM: http: res redir not work coz exist res contents not truncate

2020-01-07 Thread Christopher Faulet 

Le 02/01/2020 à 10:58, Willy Tarreau a écrit :

Thanks Kevin, it seems I missed this one.

On Fri, Dec 27, 2019 at 05:38:15PM +0800, Kevin Zhu wrote:

global
log 127.0.0.1 local4 info

defaults
mode http
timeout connect 10s
timeout client 300s
timeout server 300s

listen inhttp
option httplog
log global
bind ipv4@:80
log-format %ci:%cp/%b/%si:%sp\ %ST\ %ts\ %U/%B\ %{+Q}r\ %sslv\ %hr
http-response redirect location https://www.google.com if TRUE
use_backend be_1

backend be_1
server out 10.20.136.221:8080
source 0.0.0.0 usesrc 10.20.136.225
[root@localhost haproxy]#
[root@localhost haproxy]# ./haproxy-master -f haproxy.conf.master

HAProxy log:
Dec 27 03:23:56 127.0.0.1 haproxy-master[19682]: Proxy inhttp started.
Dec 27 03:24:10 127.0.0.1 haproxy-master[19682]:
10.20.136.222:63654/be_1/10.20.136.221:8080 302 LR 89/404 "GET /ping
HTTP/1.1"

Client host:
[root@localhost ~]# curl http://10.20.136.225/ping -v
*   Trying 10.20.136.225...
* TCP_NODELAY set
* Connected to 10.20.136.225 (10.20.136.225) port 80 (#0)

GET /ping HTTP/1.1
Host: 10.20.136.225
User-Agent: curl/7.29.0
Accept: */*


< HTTP/1.1 200 OK
< content-type: text/plain; charset=utf-8
< date: Thu, 26 Dec 2019 19:24:10 GMT
< content-length: 23
<
This is response body.
* Curl_http_done: called premature == 0
* Connection #0 to host 10.20.136.225 left intact
[root@localhost ~]#

The config file have rule:
http-response redirect location https://www.google.com if TRUE
and HAProxy log show the response code is 302, but client got server's
response, not redirect.


OK that's clearer now. I tried your config and the results vary a lot
depending on versions, I think there were multiple breakage stages:

   - 1.8 works as expected
   - 1.9 and 2.0 in legacy mode returns 200 but apparently limited to the
 size of the redirect so it misses some headers and the final CRLF,
 and hangs till the client timeout strikes
   - 1.9 and 2.0 in HTX mode returns the whole 200 response
   - 2.1 and above only support HTX and behave like 2.0 for this

I'll rather wait for Christopher next week to double-check your patch and
to see if the issue is deeper or just related to this, especially for the
HTX case which looks odd.


Hi Kevin,

Indeed there is a bug in HTX mode when a redirect is performed on the response 
path. The response is not truncated. So your fix is valid. I've attached an 
updated patch with a commit message to describe the bug.


On the legacy mode (<= 2.0), there is also a bug but not in the HTTP part. It is 
a bug in co_inject(). It appends data at the end of input, not the end of 
output. The bug was introduced when the buffer API was refactored. The bug is 
also attached.


I'll push the patches and backport them as far as 1.9 very soon. Thanks.

--
Christopher Faulet
>From 96b363963f4a4a63823718966798f177a72936b6 Mon Sep 17 00:00:00 2001
From: Kevin Zhu 
Date: Tue, 7 Jan 2020 09:42:55 +0100
Subject: [PATCH 1/2] BUG/MEDIUM: http-ana: Truncate the response when a
 redirect rule is applied

When a redirect rule is executed on the response path, we must truncate the
received response. Otherwise, the redirect is appended after the response, which
is sent to the client. So it is obviously a bug because the redirect is not
performed. With bodyless responses, it is the "only" bug. But if the response
has a body, the result may be invalid. If the payload is not fully received yet
when the redirect is performed, an internal error is reported.

It must be backported as far as 1.9.
---
 src/http_ana.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/http_ana.c b/src/http_ana.c
index ee00d2c76..268796d2e 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -2526,6 +2526,8 @@ int http_apply_redirect_rule(struct redirect_rule *rule, struct stream *s, struc
 		close = 1;
 
 	htx = htx_from_buf(&res->buf);
+	/* Trim any possible response */
+	channel_htx_truncate(&s->res, htx);
 	flags = (HTX_SL_F_IS_RESP|HTX_SL_F_VER_11|HTX_SL_F_XFER_LEN|HTX_SL_F_BODYLESS);
 	sl = htx_add_stline(htx, HTX_BLK_RES_SL, flags, ist("HTTP/1.1"), status, reason);
 	if (!sl)
@@ -2553,6 +2555,8 @@ int http_apply_redirect_rule(struct redirect_rule *rule, struct stream *s, struc
 	if (!htx_add_endof(htx, HTX_BLK_EOH) || !htx_add_endof(htx, HTX_BLK_EOM))
 		goto fail;
 
+	htx_to_buf(htx, &res->buf);
+
 	/* let's log the request time */
 	s->logs.tv_request = now;
 
-- 
2.24.1

>From 584348be636fcc9f41b80ef0fde03c7899d75cd7 Mon Sep 17 00:00:00 2001
From: Christopher Faulet 
Date: Tue, 7 Jan 2020 10:01:57 +0100
Subject: [PATCH 2/2] BUG/MINOR: channel: inject output data at the end of
 output

In co_inject(), data must be inserted at the end of output, not the end of
input. For the record, this function does not take care of input data which are
supposed to not exist. But the caller may reset input data after or before the
call. It is its own choice.

This bug, among other effects, is visible when a redirect is performed on
the response path, on legacy HTTP mode (so for HAProxy <

Re: [HELP] slim is being set to 1

2020-01-07 Thread Aleksandar Lazic 

Hi.

On 07.01.20 07:27, Shah, Aman wrote:

Hello all,

We have an haproxy server and we are getting some odd values. Value of slim is 
coming as 1 for most of the domains. The value is nowhere being set and maxconn 
is being set to 2000. Can you please help me to figure out what could be the 
actual reason behind the slim value coming as 1. Do we have to manually enforce 
it? How slim value is actually being set ?


Here's the full output from haproxy -vv:

root@haproxy01:~# haproxy -vv
HA-Proxy version 1.8.8-1ubuntu0.1 2018/05/29
Copyright 2000-2018 Willy Tarreau 

Build options :
   TARGET  = linux2628
   CPU = generic
   CC  = gcc
   CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-VmwZ9X/haproxy-1.8.8=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2
   OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 
USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1


Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND

Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")

Built with network namespace support.

Available polling systems :
   epoll : pref=300,  test result OK
    poll : pref=200,  test result OK
  select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
     [SPOE] spoe
     [COMP] compression
     [TRACE] trace


And also one of the sample output of haproxy stats for the reference:


# haproxyctl show stat
# 
pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,check_status,check_code,check_duration,hrsp_1xx,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other,hanafail,req_rate,req_rate_max,req_tot,cli_abrt,srv_abrt,comp_in,comp_out,comp_byp,comp_rsp,lastsess,last_chk,last_agt,qtime,ctime,rtime,ttime,agent_status,agent_code,agent_duration,check_desc,agent_desc,check_rise,check_fall,check_health,agent_rise,agent_fall,agent_health,addr,cookie,mode,algo,conn_rate,conn_rate_max,conn_tot,intercepted,dcon,dses, 



abc,BACKEND,0,0,0,1,1,1,216,1407,0,0,,0,0,0,0,UP,1,1,0,,0,6783,0,,1,5,0,,1,,1,0,,10,1,0,0,0,01,0,0,0,0,0,0,3086,,,0,0,1,1,,http,roundrobin,,, 


Have you set anywhere maxconn or fullconn because this are the parameters which 
are used for slim.


http://git.haproxy.org/?p=haproxy-1.8.git&a=search&h=HEAD&st=grep&s=ST_F_SLIM

What's your output of `show info`?
Can you share a minimal config.


Thanks,
Aman


Regards
Aleks