Multiple balance statements in a backend

2020-04-02 Thread Igor Cicimov
Hi all,

Probably another quite basic question that I can't find an example of in
the docs (at least as a warning not to do that because it does not make sense or
is bad practice) or on the net. It is regarding the usage of multiple balance
statements in a backend like this:

balance leastconn
balance hdr(Authorization)

So basically is this a valid use case where we can expect both options to
get considered when load balancing or one is ignored as a duplicate (in
which case which one)?

And in general, how are duplicate statements handled in the code, i.e. is
the first one or the last one considered valid, and are there maybe any
special statements that are exempt from the rule (like, hopefully,
balance :-) )?

Thanks in advance.

Igor


TLV problem after updating to 2.1.14

2020-04-02 Thread Hativ
Hello,

after updating HAProxy from 2.1.13  to 2.1.14 the TCP check with my
dovecot setup doesn't work anymore. Nothing changed except the update.

In dovecot I get the following errors:

> Apr 03 00:21:28 srv1 dovecot[1378]: submission-login: Error:
> haproxy(v2): Client disconnected: Invalid TLV: get_tlv(0)
> failed:Truncated data (cmd=00, rip=)
> Apr 03 00:21:28 srv1 dovecot[1378]: managesieve-login: Error:
> haproxy(v2): Client disconnected: Invalid TLV: get_tlv(0)
> failed:Truncated data (cmd=00, rip=)
> Apr 03 00:21:28 srv1 dovecot[1378]: imap-login: Error: haproxy(v2):
> Client disconnected: Invalid TLV: get_tlv(0) failed:Truncated data
> (cmd=00, rip=)

HAProxy log:

> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'msa1-smtps' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server msa1-smtps/msa1-2 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conn
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server msa1-smtps/msa1-1 is DOWN, reason: Socket error, info: "SSL
> handshake failure (Connection reset by peer) at step 1 of tcp-check
> (connect por
> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'mda1-managesieve' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server mda1-managesieve/mda1-2 is DOWN, reason: Socket error,
> info: "SSL handshake failure (Connection reset by peer) at step 1 of
> tcp-check
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server mda1-managesieve/mda1-1 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conne
> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'mda1-imaps' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server mda1-imaps/mda1-2 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conn
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server mda1-imaps/mda1-1 is DOWN, reason: Socket error, info: "SSL
> handshake failure (Connection reset by peer) at step 1 of tcp-check
> (connect por
> Apr 03 00:13:10 srv1 haproxy[3774]: [NOTICE] 093/001309 (3774) : New
> worker #1 (3777) forked
> Apr 03 00:13:09 srv1 systemd[1]: Started HAProxy Load Balancer.
> Apr 03 00:13:09 srv1 systemd[1]: Starting HAProxy Load Balancer...

Example HAProxy config for IMAP:

> listen mda1-imaps
> bind :993
> balance leastconn
> option tcp-check
> tcp-check connect port 993 send-proxy ssl
> tcp-check expect string * OK
> option tcpka
> option tcplog
> stick-table type ip size 200k expire 30m
> stick on src
> server mda1-1 mda1-1.example.com:993 ca-file /etc/ssl/certs/ca-certificates.crt check resolvers dns send-proxy-v2
> server mda1-2 mda1-2.example.com:993 ca-file /etc/ssl/certs/ca-certificates.crt check resolvers dns send-proxy-v2 backup
> timeout connect 5s
> timeout client 30m
> timeout server 30m

When commenting out these lines it's up again:

> option tcp-check
> tcp-check connect port 993 send-proxy ssl
> tcp-check expect string * OK

Any ideas what's wrong?

--
Greetings

Hativ


[PATCH] add DEBUG_STRICT to travis, upgrade openssl to 1.1.1f

2020-04-02 Thread Илья Шипицин
Hello,

patch is urgent.
openssl has changed download path, I guess it was done on purpose (to
signal people that they download outdated openssl)

so ... we need to upgrade to 1.1.1f


Cheers,
Ilya Shipitcin
From a21479ae91ad2c43dbe14d7d119eedc2363e0f49 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Fri, 3 Apr 2020 00:07:17 +0500
Subject: [PATCH 1/3] CI: travis-ci: enable DEBUG_STRICT=1 for CI builds

DEBUG_STRICT enables the BUG_ON() macro which validates some developers'
assertions in the code that are not enabled for production build but
may sometimes help catch certain rare bugs.

DEBUG_STRICT is set to all builds except one
---
 .travis.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 525021cfb..e64bc86f9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,6 +16,7 @@ env:
 - SSL_INC=${HOME}/opt/include
 - TMPDIR=/tmp
 - FIFTYONEDEGREES_SRC="contrib/51d/src/pattern"
+- DEBUG_OPTIONS="DEBUG_STRICT=1"
 
 addons:
   apt:
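Review bot: `DEBUG_OPTIONS="DEBUG_STRICT=1"` goes into the global `env:` block, so it applies to every matrix entry, and the "all builds except one" in the commit message only holds because a later entry overrides it with `env: DEBUG_OPTIONS=""`. Add a one-line comment next to this variable saying it is a list of make variables that the build step expands unquoted, and that an entry opts out by setting it to the empty string, so nobody later quotes it or folds it into `FLAGS`.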
@@ -73,6 +74,7 @@ matrix:
 compiler: clang
 env: TARGET=linux-glibc LIBRESSL_VERSION=3.0.2 CC=clang-9
   - os: linux
+env: DEBUG_OPTIONS=""
 if: type == cron
 compiler: clang
 env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9
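Review bot: the added `env: DEBUG_OPTIONS=""` lands in a matrix entry that already has an `env:` key (`env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9`, three lines below), so that mapping now carries a duplicate `env` key; depending on the YAML loader the second one silently wins or the file is rejected. Append the override to the existing line instead: `env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9 DEBUG_OPTIONS=""`. The commit message should also say why this one cron build (LibreSSL 2.9.2) is the exception.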
@@ -109,7 +111,7 @@ install:
 script:
   - if [ "${CC%-*}"  = "clang" ]; then export FLAGS="$FLAGS USE_OBSOLETE_LINKER=1" DEBUG_CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"; fi
   - make -C contrib/wurfl
-  - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS"
+  - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS" $DEBUG_OPTIONS
   - ./haproxy -vv
   - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ldd haproxy; fi
   - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L haproxy; fi
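Review bot: `$DEBUG_OPTIONS` is appended unquoted on the `make -j3` line, and that is required: a quoted `"$DEBUG_OPTIONS"` would hand make an empty argument for the opted-out build and fail with "No rule to make target ''". Since every other variable on that line is quoted, a later cleanup is likely to quote this one too; a short comment in the script would prevent that.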
-- 
2.25.1

From 54297dd35abad7fad270867bc99432a41084f421 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Fri, 3 Apr 2020 00:20:46 +0500
Subject: [PATCH 2/3] CI: travis-ci: upgrade openssl to 1.1.1f

openssl has changed download path after 1.1.1f release
---
 .travis.yml | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index e64bc86f9..a28cc5dcd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -42,23 +42,23 @@ matrix:
 arch: amd64
 if: type == push
 compiler: clang
-env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d CC=clang-9
+env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f CC=clang-9
 ##
 ## temporarily disabled, until arm64 runners become stable
 #  - os: linux
 #arch: arm64
 #if: type == push
 #compiler: clang
-#env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d CC=clang-9
+#env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f CC=clang-9
   - os: linux
 arch: s390x
 if: type == push
 compiler: gcc
-env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d
+env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f
   - os: linux
 if: type == cron
 compiler: clang
-env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d COVERITY_SCAN_PROJECT_NAME="Haproxy" COVERITY_SCAN_BRANCH_PATTERN="*" COVERITY_SCAN_NOTIFICATION_EMAIL="chipits...@gmail.com" COVERITY_SCAN_BUILD_COMMAND="make CC=clang TARGET=$TARGET $FLAGS 51DEGREES_SRC=$FIFTYONEDEGREES_SRC"
+env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f COVERITY_SCAN_PROJECT_NAME="Haproxy" COVERITY_SCAN_BRANCH_PATTERN="*" COVERITY_SCAN_NOTIFICATION_EMAIL="chipits...@gmail.com" COVERITY_SCAN_BUILD_COMMAND="make CC=clang TARGET=$TARGET $FLAGS 51DEGREES_SRC=$FIFTYONEDEGREES_SRC"
 script:
   - |
 if [ ! -z ${COVERITY_SCAN_TOKEN+x} ]; then
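Review bot: the commit message says the download path changed after the 1.1.1f release, but this hunk only bumps `OPENSSL_VERSION` from 1.1.1d to 1.1.1f; nothing here touches the URL the build script fetches from. State in the message that the fetch step derives its URL from `OPENSSL_VERSION` alone, so the bump is the whole fix, and mention that the commented-out arm64 entry was bumped as well so it stays consistent when it is re-enabled.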
@@ -93,7 +93,7 @@ matrix:
   - os: osx
 if: type == push
 compiler: clang
-env: TARGET=osx FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1d
+env: TARGET=osx FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1f
   - os: linux
 if: type == cron
 compiler: clang
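Review bot: this is the fifth place in the file where `OPENSSL_VERSION=1.1.1d` had to become `1.1.1f`. The global `env:` block already carries shared settings such as `SSL_INC` and `TMPDIR`; putting the default `OPENSSL_VERSION` there and letting only the LibreSSL entries override it would make the next OpenSSL bump a one-line change.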
-- 
2.25.1



Re: haproxy 2.0.14 failing to bind peer sockets

2020-04-02 Thread James Brown
I reverted that commit, but it doesn't appear to have fixed the issue.

I also tried adding a stick-table using this peers group to my config (this
test cluster didn't actually have any stick-tables), but it still fails at
startup with the same error.

On Thu, Apr 2, 2020 at 11:28 AM Tim Düsterhus  wrote:

> James,
>
> Am 02.04.20 um 19:53 schrieb James Brown:
> > I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our
> > regular graceful-restart process is failing with:
> >
> > [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols
> > failed to start their listeners! Exiting.
>
> I suppose this commit might be at fault here:
>
> https://github.com/haproxy/haproxy/commit/a2cfd7e356f4d744294b510b05d88bf58304db25
>
> Try reverting it to see whether it fixes the issue.
>
> Best regards
> Tim Düsterhus
>


-- 
James Brown
Engineer


[PATCH] CI: minor cleanup on SSL linking

2020-04-02 Thread Илья Шипицин
Hello,

this PR cleans up SSL linking.
It is very well aligned with the "how to link to custom openssl" documentation.


Cheers,
Ilya Shipitcin
From 8fd3b9165558c4d0e3bc837df1ba8caca67ed059 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 2 Apr 2020 23:34:47 +0500
Subject: [PATCH] CI: use better SSL library definition

SSL_LIB is already added to LDFLAGS in Makefile, no need to define it
rpath better be defined using ADDLIB variable
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index f500e02d3..525021cfb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -109,7 +109,7 @@ install:
 script:
   - if [ "${CC%-*}"  = "clang" ]; then export FLAGS="$FLAGS USE_OBSOLETE_LINKER=1" DEBUG_CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"; fi
   - make -C contrib/wurfl
-  - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS -L$SSL_LIB -Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS"
+  - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS"
   - ./haproxy -vv
   - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ldd haproxy; fi
   - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L haproxy; fi
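Review bot: the rationale "SSL_LIB is already added to LDFLAGS in Makefile" is asserted but not shown; quote the Makefile rule in the commit message so a reader can verify that `-L$SSL_LIB` is still applied for the OpenSSL and LibreSSL matrix entries once it is removed from `LDFLAGS` here. The `ldd haproxy` / `otool -L haproxy` steps at the end of this hunk are the check that matters: after this change they must still resolve libssl/libcrypto from `$SSL_LIB` rather than the system copy, otherwise the rpath moved into `ADDLIB` points at a library that was never linked.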
-- 
2.25.1



Re: haproxy 2.0.14 failing to bind peer sockets

2020-04-02 Thread Tim Düsterhus
James,

Am 02.04.20 um 19:53 schrieb James Brown:
> I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our
> regular graceful-restart process is failing with:
> 
> [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols
> failed to start their listeners! Exiting.

I suppose this commit might be at fault here:
https://github.com/haproxy/haproxy/commit/a2cfd7e356f4d744294b510b05d88bf58304db25

Try reverting it to see whether it fixes the issue.

Best regards
Tim Düsterhus



haproxy 2.0.14 failing to bind peer sockets

2020-04-02 Thread James Brown
I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our
regular graceful-restart process is failing with:

[ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols
failed to start their listeners! Exiting.

Looking at strace, it looks like the bind(2) call for the peer socket is
failing. Did something change about the order in which peer sockets are
bound?

Our peers block is pretty straightforward and hasn't changed in several
years.

peers lb
peer devlb1west 10.132.46.130:7778
peer devlb2west 10.132.37.135:7778

Our graceful restart command looks like

/usr/sbin/haproxy -f /path/to/haproxy.config -p
/home/srvelb/run/haproxy.pid -sf 70409 -x /path/to/admin/mode/socket

and also hasn't changed since the addition of domain-socket FD passing in
1.8.

I notice a bunch of peer-related commits got pulled into 2.0.14...

Anyone else seen this?
-- 
James Brown
Engineer


Re: [ANNOUNCE] haproxy-2.1.4

2020-04-02 Thread Julien Pivotto
On 02 Apr 15:27, Julien Pivotto wrote:
> On 02 Apr 15:03, Willy Tarreau wrote:
> > Hi,
> > 
> > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> > after version 2.1.3.
> > 
> > The main driver for this release is that it contains a fix for a serious
> > vulnerability that was responsibly reported last week by Felix Wilhelm
> > from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> > CVE-2020-11100 was assigned to this issue.
> > 
> > There is no configuration-based workaround for 2.1 and above.
> 
> 
> Is disabling HTTP2 a workaround?
> 
> Thanks.

Sorry, I have only read the 2.1 mail.

Thanks

> 
> > 
> > This vulnerability makes it possible under certain circumstances to write
> > to a wide range of memory locations within the process' heap, with the
> > limitation that the attacker doesn't control the absolute address, so the
> > most likely result and by a far margin will be a process crash, but it is
> > not possible to completely rule out the faint possibility of a remote code
> > execution, at least in a lab-controlled environment. Felix was kind enough
> > to agree to delay the publication of his findings to the 20th of this month
> > in order to leave enough time to haproxy users to apply updates. But please
> > do not wait, as it is not very difficult to figure how to exploit the bug
> > based on the fix. Distros were notified and will also have fixes available
> > very shortly.
> > 
> > Three other important fixes are present in this version:
> >   - a non-portable way of calculating a list pointer that breaks with
> > gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
> > at random places in the code depending how the compiler decides to
> > optimize the code.
> > 
> >   - a bug in the way TLV fields are extracted from the PROXY protocol, as
> > they could be mistakenly looked up in the subsequent payload, even
> > though these would have limited effects since these ones would generally
> > be meaningless for the transported protocol, but could be used to hide a
> > source address from logging for example.
> > 
> >   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
> > prevent a connection from being sent to a server while the 500 response
> > is delivered to the client. Given that they are often used to block
> > suspicious activity it's problematic.
> > 
> > The rest is less important, but still relevant to some users. Among those
> > noticeable I can enumerate:
> >   - the O(N^2) ACL unique-id allocator that could take several minutes to
> > boot on certain very large configs was reworked to follow O(NlogN)
> > instead.
> > 
> >   - the default global maxconn setting when not set in the configuration was
> > incorrectly set to the process' soft limit instead of the hard limit,
> > resulting in much lower connection counts on some setups after upgrade
> > from 1.x to 2.x. It now properly follows the hard limit.
> > 
> >   - a new thread-safe random number generator that will avoid the risk that
> > the "uuid" sample fetch function returns the exact same UUID in several
> > threads.
> > 
> >   - issues in HTX mode affecting filters, namely cache and compression, that
> > could lead to data corruption.
> > 
> >   - alignment issues causing bus error on Sparc64 were addressed
> > 
> >   - fixed a rare case of possible segfault on soft-stop when a finishing thread
> > flushes its pools while another one is freeing some elements.
> > 
> > 
> > Please have a look at the changelog below for a more detailed list of fixes,
> > and do not forget to update, either from the sources or from your regular
> > distro channels.
> > 
> > Please find the usual URLs below :
> >Site index   : http://www.haproxy.org/
> >Discourse: http://discourse.haproxy.org/
> >Slack channel: https://slack.haproxy.org/
> >Issue tracker: https://github.com/haproxy/haproxy/issues
> >Sources  : http://www.haproxy.org/download/2.1/src/
> >Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
> >Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
> >Changelog: http://www.haproxy.org/download/2.1/src/CHANGELOG
> >Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> > 
> > Willy
> > ---
> > Complete changelog :
> > Balvinder Singh Rawat (1):
> >   DOC: correct typo in alert message about rspirep
> > 
> > Bjoern Jacke (1):
> >   DOC: fix typo about no-tls-tickets
> > 
> > Björn Jacke (1):
> >   DOC: improve description of no-tls-tickets
> > 
> > Carl Henrik Lunde (1):
> >   OPTIM: startup: fast unique_id allocation for acl.
> > 
> > Christopher Faulet (26):
> >   BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
> >   MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
> >   MINOR: http-htx: 

Re: [ANNOUNCE] haproxy-2.1.4

2020-04-02 Thread Willy Tarreau
On Thu, Apr 02, 2020 at 03:27:07PM +0200, Julien Pivotto wrote:
> On 02 Apr 15:03, Willy Tarreau wrote:
> > Hi,
> > 
> > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> > after version 2.1.3.
> > 
> > The main driver for this release is that it contains a fix for a serious
> > vulnerability that was responsibly reported last week by Felix Wilhelm
> > from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> > CVE-2020-11100 was assigned to this issue.
> > 
> > There is no configuration-based workaround for 2.1 and above.
> 
> 
> Is disabling HTTP2 a workaround?

When possible yes, but in 2.1 and above you cannot as it's native,
hence "no config workaround" :-(

Willy



Re: [PATCH] assorted typo fixes (6th iteration)

2020-04-02 Thread Willy Tarreau
On Thu, Apr 02, 2020 at 03:27:26PM +0500, Илья Шипицин wrote:
> Hello,
> 
> ongoing typo fixes.

Merged, thanks!
Willy



Re: [ANNOUNCE] haproxy-2.1.4

2020-04-02 Thread Julien Pivotto
On 02 Apr 15:03, Willy Tarreau wrote:
> Hi,
> 
> HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> after version 2.1.3.
> 
> The main driver for this release is that it contains a fix for a serious
> vulnerability that was responsibly reported last week by Felix Wilhelm
> from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> CVE-2020-11100 was assigned to this issue.
> 
> There is no configuration-based workaround for 2.1 and above.


Is disabling HTTP2 a workaround?

Thanks.

> 
> This vulnerability makes it possible under certain circumstances to write
> to a wide range of memory locations within the process' heap, with the
> limitation that the attacker doesn't control the absolute address, so the
> most likely result and by a far margin will be a process crash, but it is
> not possible to completely rule out the faint possibility of a remote code
> execution, at least in a lab-controlled environment. Felix was kind enough
> to agree to delay the publication of his findings to the 20th of this month
> in order to leave enough time to haproxy users to apply updates. But please
> do not wait, as it is not very difficult to figure how to exploit the bug
> based on the fix. Distros were notified and will also have fixes available
> very shortly.
> 
> Three other important fixes are present in this version:
>   - a non-portable way of calculating a list pointer that breaks with
> gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
> at random places in the code depending how the compiler decides to
> optimize the code.
> 
>   - a bug in the way TLV fields are extracted from the PROXY protocol, as
> they could be mistakenly looked up in the subsequent payload, even
> though these would have limited effects since these ones would generally
> be meaningless for the transported protocol, but could be used to hide a
> source address from logging for example.
> 
>   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
> prevent a connection from being sent to a server while the 500 response
> is delivered to the client. Given that they are often used to block
> suspicious activity it's problematic.
> 
> The rest is less important, but still relevant to some users. Among those
> noticeable I can enumerate:
>   - the O(N^2) ACL unique-id allocator that could take several minutes to
> boot on certain very large configs was reworked to follow O(NlogN)
> instead.
> 
>   - the default global maxconn setting when not set in the configuration was
> incorrectly set to the process' soft limit instead of the hard limit,
> resulting in much lower connection counts on some setups after upgrade
> from 1.x to 2.x. It now properly follows the hard limit.
> 
>   - a new thread-safe random number generator that will avoid the risk that
> the "uuid" sample fetch function returns the exact same UUID in several
> threads.
> 
>   - issues in HTX mode affecting filters, namely cache and compression, that
> could lead to data corruption.
> 
>   - alignment issues causing bus error on Sparc64 were addressed
> 
>   - fixed a rare case of possible segfault on soft-stop when a finishing thread
> flushes its pools while another one is freeing some elements.
> 
> 
> Please have a look at the changelog below for a more detailed list of fixes,
> and do not forget to update, either from the sources or from your regular
> distro channels.
> 
> Please find the usual URLs below :
>Site index   : http://www.haproxy.org/
>Discourse: http://discourse.haproxy.org/
>Slack channel: https://slack.haproxy.org/
>Issue tracker: https://github.com/haproxy/haproxy/issues
>Sources  : http://www.haproxy.org/download/2.1/src/
>Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
>Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
>Changelog: http://www.haproxy.org/download/2.1/src/CHANGELOG
>Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> 
> Willy
> ---
> Complete changelog :
> Balvinder Singh Rawat (1):
>   DOC: correct typo in alert message about rspirep
> 
> Bjoern Jacke (1):
>   DOC: fix typo about no-tls-tickets
> 
> Björn Jacke (1):
>   DOC: improve description of no-tls-tickets
> 
> Carl Henrik Lunde (1):
>   OPTIM: startup: fast unique_id allocation for acl.
> 
> Christopher Faulet (26):
>   BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
>   MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
>   MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
>   MINOR: filters: Forward data only if the last filter forwards something
>   BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
>   BUG/MINOR: http-htx: Don't return error if authority is 

Re: [PATCH] ignore setsockopt return value in src/fd.c

2020-04-02 Thread Willy Tarreau
On Thu, Apr 02, 2020 at 03:26:31PM +0500, Илья Шипицин wrote:
> forgot to attach a patch itself ))

Normally this tradition is reserved to me :-)
Now applied, thank you Ilya!
Willy



[ANNOUNCE] haproxy-1.8.25

2020-04-02 Thread Willy Tarreau
Hi,

HAProxy 1.8.25 was released on 2020/04/02. It added 37 new commits
after version 1.8.24.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

For version 1.8 it is enough to remove "npn h2" and "alpn h2" on "bind"
lines to disable HTTP/2 support and stay away from the issue. But upgrading
will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result and by a far margin will be a process crash, but it is
not possible to completely rule out the faint possibility of a remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time to haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Two other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
at random places in the code depending how the compiler decides to
optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
they could be mistakenly looked up in the subsequent payload, even
though these would have limited effects since these ones would generally
be meaningless for the transported protocol, but could be used to hide a
source address from logging for example.

The rest is less important, but still relevant to some users. Please have a
look at the changelog below for a more detailed list of fixes, and do not
forget to update, either from the sources or from your regular distro channels.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog: http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
  DOC: fix typo about no-tls-tickets

Björn Jacke (1):
  DOC: improve description of no-tls-tickets

Christopher Faulet (8):
  BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
  BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
  BUG/MINOR: http-rules: Fix a typo in the reject action function
  BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
  BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
  MINOR: http-rules: Add a flag on redirect rules to know the rule direction
  MINOR: http-rules: Handle the rule direction when a redirect is evaluated
  BUG/MINOR: http-ana: Reset request analysers on error when waiting for response

Daniel Corbett (1):
  BUG/MINOR: stats: Fix color of draining servers on stats page

Ilya Shipitsin (1):
  DOC: assorted typo fixes in the documentation

Jerome Magnin (1):
  BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits

Lukas Tribus (1):
  DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
  DOC: internals: Fix spelling errors in filters.txt

Tim Duesterhus (3):
  BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
  BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
  DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

William Dauchy (1):
  BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat

William Lallemand (2):
  BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
  BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

Willy Tarreau (16):
  SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
  CONTRIB: debug: add the possibility to decode the value as certain types only
  CONTRIB: debug: support reporting multiple values at once
  CONTRIB: debug: also support reading values from stdin
  BUG/MEDIUM: shctx: make sure to keep all blocks aligned
  MINOR: compiler: move CPU capabilities definition from config.h and complete them
  BUG/MEDIUM: ebtree: don't set attribute packed without unaligned 
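The "Invalid TLV ... Truncated data" errors in the dovecot thread above and the PROXY protocol TLV fix listed in this changelog both come down to one receiver-side rule: TLVs exist only inside the v2 header's declared length, and a TLV that claims more bytes than the header has left is malformed, not something to satisfy from the payload that follows. The parser below is an added example, not code from HAProxy or dovecot; the addresses, hostname and IMAP banner in the samples are constructed.

```python
import ipaddress
import struct

# PROXY protocol v2 constants from the specification (doc/proxy-protocol.txt)
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_UNSPEC, PP2_AF_INET, PP2_AF_INET6, PP2_AF_UNIX = 0x0, 0x1, 0x2, 0x3
PP2_TYPE_AUTHORITY = 0x02
PP2_TYPE_UNIQUE_ID = 0x05   # the type reserved by the changelog entry above

# size of the address block per family; UNSPEC carries no addresses
ADDR_LEN = {PP2_AF_UNSPEC: 0, PP2_AF_INET: 12, PP2_AF_INET6: 36, PP2_AF_UNIX: 216}


class ProxyProtocolError(ValueError):
    """Any malformed header: the receiver must drop the connection."""


def parse_pp2(data):
    """Parse a PROXY protocol v2 header at the start of `data`.

    Returns (info, payload). `info` holds the command, the addresses and a
    dict of TLVs; `payload` is everything after the header. TLV parsing is
    bounded by the header's own length field, so bytes of the transported
    protocol are never read as TLVs, and a TLV whose length runs past the
    end of the header is rejected as truncated.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ProxyProtocolError("missing or short v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyProtocolError("unsupported version %d" % (ver_cmd >> 4))
    cmd, family = ver_cmd & 0x0F, fam_proto >> 4
    if cmd not in (PP2_CMD_LOCAL, PP2_CMD_PROXY) or family not in ADDR_LEN:
        raise ProxyProtocolError("bad command or address family")
    end = 16 + length
    if len(data) < end:
        raise ProxyProtocolError("header declares %d bytes, only %d present" % (end, len(data)))
    body, payload = data[16:end], data[end:]
    info = {"cmd": cmd, "tlvs": {}}
    if cmd == PP2_CMD_LOCAL:
        # LOCAL (health checks): address block and any TLVs are ignored
        return info, payload
    alen = ADDR_LEN[family]
    if len(body) < alen:
        raise ProxyProtocolError("address block truncated")
    if family == PP2_AF_INET:
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:alen])
        info.update(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                    sport=sport, dport=dport)
    elif family == PP2_AF_INET6:
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:alen])
        info.update(src=str(ipaddress.IPv6Address(src)), dst=str(ipaddress.IPv6Address(dst)),
                    sport=sport, dport=dport)
    # TLVs occupy the remainder of the header body, and only that
    pos = alen
    while pos < len(body):
        if len(body) - pos < 3:
            raise ProxyProtocolError("truncated TLV header at offset %d" % pos)
        ttype, tlen = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + tlen > len(body):
            raise ProxyProtocolError("truncated TLV 0x%02x: declares %d bytes, %d left"
                                     % (ttype, tlen, len(body) - pos - 3))
        info["tlvs"][ttype] = body[pos + 3:pos + 3 + tlen]
        pos += 3 + tlen
    return info, payload


def build_pp2(src, dst, sport, dport, tlvs=(), extra=b""):
    """Build an IPv4 PROXY-command header (helper for the constructed samples).

    `tlvs` is a list of (type, value); `extra` is raw bytes appended inside
    the header body so that malformed TLVs can be constructed deliberately.
    """
    addr = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    body = addr + b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs) + extra
    # 0x21 = version 2, PROXY command; 0x11 = AF_INET, STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def check(data):
    """Return ("ok", info, payload) or ("reject", reason, None)."""
    try:
        info, payload = parse_pp2(data)
        return ("ok", info, payload)
    except ProxyProtocolError as exc:
        return ("reject", str(exc), None)


# Constructed samples: the IMAP banner stands in for the server payload that
# a "tcp-check expect string * OK" health check would be looking at.
IMAP_BANNER = b"* OK Dovecot ready.\r\n"
ENDPOINTS = ("192.0.2.10", "198.51.100.1", 51234, 993)
GOOD = build_pp2(*ENDPOINTS, tlvs=[(PP2_TYPE_AUTHORITY, b"imap.example.com")]) + IMAP_BANNER
# TLV announces 64 bytes but only 5 remain inside the header: must be rejected,
# never completed from the banner that follows the header
TRUNCATED = build_pp2(*ENDPOINTS, extra=struct.pack("!BH", PP2_TYPE_AUTHORITY, 64) + b"short") + IMAP_BANNER
# No TLVs in the header, but the payload starts with bytes shaped like one:
# a parser bounded by the length field reports no TLVs at all
LOOKALIKE = build_pp2(*ENDPOINTS) + struct.pack("!BH", PP2_TYPE_UNIQUE_ID, 4) + b"abcd"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED), ("LOOKALIKE", LOOKALIKE)):
        print(name, check(sample)[:2])
```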

[ANNOUNCE] haproxy-1.9.15

2020-04-02 Thread Willy Tarreau
Hi,

HAProxy 1.9.15 was released on 2020/04/02. It added 53 new commits
after version 1.9.14.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

In 1.9, it is possible to work around this issue by removing "npn h2",
"alpn h2" or "proto h2" on "bind" lines, which will result in disabling
HTTP/2 support. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result and by a far margin will be a process crash, but it is
not possible to completely rule out the faint possibility of a remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time to haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
at random places in the code depending how the compiler decides to
optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
they could be mistakenly looked up in the subsequent payload, even
though these would have limited effects since these ones would generally
be meaningless for the transported protocol, but could be used to hide a
source address from logging for example.

  - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
prevent a connection from being sent to a server while the 500 response
is delivered to the client. Given that they are often used to block
suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Please have a
look at the changelog below for a more detailed list of fixes, and do not
forget to update, either from the sources or from your regular distro channels.

Important note: let me remind that we're almost 18 months after 1.9 was
released, that in December we said it would live for another 3-4 months,
and that now it's about time to see it disappear. Thus barring any other
major issue requiring a quick fix in the forthcoming weeks/months, it's
unlikely that there will be another 1.9 version. I'm not suggesting to
rush an upgrade especially when dealing with a security issue, but keep
somewhere in your head that you'll really need to migrate to 2.0 or newer
soon. I'll purposely mark it "End of life" on the site, even though I'm
still open to a few extras if really needed and justified.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog: http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
  DOC: fix typo about no-tls-tickets

Björn Jacke (1):
  DOC: improve description of no-tls-tickets

Christopher Faulet (16):
  MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
  MINOR: filters: Forward data only if the last filter forwards something
  BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
  BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  BUG/MINOR: http-ana: Reset request analysers on a response side error
  BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
  BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
  BUG/MINOR: http-rules: Fix a typo in the reject action function
  BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
  BUG/MINOR: rules: Increment be_counters if backend is assigned for a 
silent-drop
  MINOR: http-rules: Add a flag on redirect rules to know the rule direction
  MINOR: http-rules: Handle the rule direction when a redirect is evaluated
  BUG/MINOR: filters: Use filter offset to decude the amount of forwarded 
data
  BUG/MINOR: filters: Forward 

[ANNOUNCE] haproxy-2.0.14

2020-04-02 Thread Willy Tarreau
Hi,

HAProxy 2.0.14 was released on 2020/04/02. It added 86 new commits
after version 2.0.13.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

There is no configuration-based workaround when HTX is used, thus for 2.1
and above, or for 2.0 when server-side H2 or L7 retries are enabled. In 2.0
HTX is enabled by default, and disabling it requires adding
"no option http-use-htx" in every proxy. When in legacy mode (non-HTX),
disabling H2 by removing "npn h2", "alpn h2" and "proto h2" on bind lines
will be enough. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result by a wide margin will be a process crash, but it is
not possible to completely rule out the faint possibility of remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time for haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure out how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
at random places in the code depending on how the compiler decides to
optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
they could be mistakenly looked up in the subsequent payload, even
though these would have limited effects since these ones would generally
be meaningless for the transported protocol, but could be used to hide a
source address from logging for example.

  - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
prevent a connection from being sent to a server while the 500 response
is delivered to the client. Given that they are often used to block
suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Among those
noticeable I can enumerate:
  - the O(N^2) ACL unique-id allocator that could take several minutes to
boot on certain very large configs was reworked to follow O(NlogN)
instead.

  - the default global maxconn setting when not set in the configuration was
incorrectly set to the process' soft limit instead of the hard limit,
resulting in much lower connection counts on some setups after upgrade
from 1.x to 2.x. It now properly follows the hard limit.

  - a new thread-safe random number generator that will avoid the risk that
the "uuid" sample fetch function returns the exact same UUID in several
threads.

  - issues in HTX mode affecting filters, namely cache and compression, that
could lead to data corruption.

  - alignment issues causing bus error on Sparc64 were addressed

  - fixed a rare case of possible segfault on soft-stop when a finishing thread
flushes its pools while another one is freeing some elements.

Please have a look at the changelog below for a more detailed list of fixes,
and do not forget to update, either from the sources or from your regular
distro channels.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog: http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
  DOC: fix typo about no-tls-tickets

Björn Jacke (1):
  DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
  OPTIM: startup: fast unique_id allocation for acl.

Christopher Faulet (21):
  MINOR: http-htx: Add a function to retrieve the headers size of an HTX 
message
  MINOR: filters: Forward data only if the last filter forwards something
  BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward 
them
  BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server 
metrics
  MINOR: 

[ANNOUNCE] haproxy-2.1.4

2020-04-02 Thread Willy Tarreau
Hi,

HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
after version 2.1.3.

The main driver for this release is that it contains a fix for a serious
vulnerability that was responsibly reported last week by Felix Wilhelm
from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
CVE-2020-11100 was assigned to this issue.

There is no configuration-based workaround for 2.1 and above.

This vulnerability makes it possible under certain circumstances to write
to a wide range of memory locations within the process' heap, with the
limitation that the attacker doesn't control the absolute address, so the
most likely result by a wide margin will be a process crash, but it is
not possible to completely rule out the faint possibility of remote code
execution, at least in a lab-controlled environment. Felix was kind enough
to agree to delay the publication of his findings to the 20th of this month
in order to leave enough time for haproxy users to apply updates. But please
do not wait, as it is not very difficult to figure out how to exploit the bug
based on the fix. Distros were notified and will also have fixes available
very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with
gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
at random places in the code depending on how the compiler decides to
optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as
they could be mistakenly looked up in the subsequent payload, even
though these would have limited effects since these ones would generally
be meaningless for the transported protocol, but could be used to hide a
source address from logging for example.

  - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
prevent a connection from being sent to a server while the 500 response
is delivered to the client. Given that they are often used to block
suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Among those
noticeable I can enumerate:
  - the O(N^2) ACL unique-id allocator that could take several minutes to
boot on certain very large configs was reworked to follow O(NlogN)
instead.

  - the default global maxconn setting when not set in the configuration was
incorrectly set to the process' soft limit instead of the hard limit,
resulting in much lower connection counts on some setups after upgrade
from 1.x to 2.x. It now properly follows the hard limit.

  - a new thread-safe random number generator that will avoid the risk that
the "uuid" sample fetch function returns the exact same UUID in several
threads.

  - issues in HTX mode affecting filters, namely cache and compression, that
could lead to data corruption.

  - alignment issues causing bus error on Sparc64 were addressed

  - fixed a rare case of possible segfault on soft-stop when a finishing thread
flushes its pools while another one is freeing some elements.


Please have a look at the changelog below for a more detailed list of fixes,
and do not forget to update, either from the sources or from your regular
distro channels.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog: http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Balvinder Singh Rawat (1):
  DOC: correct typo in alert message about rspirep

Bjoern Jacke (1):
  DOC: fix typo about no-tls-tickets

Björn Jacke (1):
  DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
  OPTIM: startup: fast unique_id allocation for acl.

Christopher Faulet (26):
  BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO 
param
  MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo 
regex
  MINOR: http-htx: Add a function to retrieve the headers size of an HTX 
message
  MINOR: filters: Forward data only if the last filter forwards something
  BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward 
them
  BUG/MINOR: http-htx: Don't return error if authority is updated without 
changes
  BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
  MINOR: http-ana: Match on the path if the monitor-uri starts by a /
  BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
  BUG/MINOR: http-htx: Do case-insensive 
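Added here as an example, not part of either announcement or of the project's own files, is what the configuration-side mitigations described in the 2.0.14 and 2.1.4 announcements above look like in a 2.0 configuration that cannot be updated right away. Proxy names, addresses, certificate paths and server names are placeholders; the commented-out lines are the exposed settings and the lines below them are their replacements. On 2.1 and later there is no configuration workaround at all, so there the only fix is the update.

```haproxy
# Added example: legacy-mode (non-HTX) configuration for a 2.0.x that cannot
# be updated yet. Names, addresses and paths are placeholders.

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # The announcement asks for "no option http-use-htx" in every proxy.
    # Put it in defaults so every frontend/backend/listen below inherits it;
    # any proxy that sets "option http-use-htx" itself re-enables HTX and has
    # to be changed as well.
    no option http-use-htx

frontend fe_https
    # Exposed: h2 offered via ALPN, so a client can reach the HPACK decoder.
    #bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    # Mitigated: offer HTTP/1.1 only (keep an alpn value so clients that
    # require ALPN still negotiate).
    bind :443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    default_backend be_app

frontend fe_h2c
    # Exposed: cleartext H2 forced with "proto h2"; drop the keyword.
    #bind :8080 proto h2
    bind :8080
    default_backend be_app

backend be_app
    # Per the announcement, server-side H2 and L7 retries bring HTX back in
    # 2.0, so neither can stay while relying on the legacy-mode workaround.
    #retry-on all-retryable-errors
    #server app1 10.0.0.11:443 ssl ca-file /etc/ssl/certs/ca.pem alpn h2
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

After editing, `haproxy -c -f /etc/haproxy/haproxy.cfg` confirms the file still parses, and `haproxy -vv` shows the running version; treat this as a stopgap only, since the announcement is explicit that updating is both easier and safer.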

[PATCH] Converter to support Financial eXchange protocol

2020-04-02 Thread Baptiste
Hi there,

These patches introduce a few functions to the ist API and also a converter
to validate a FIX message and to extract data from a FIX payload.

Thanks to Christopher for his help during this dev.

Baptiste
From 4e9de7128c7065dc01b423dcce13b18487f1f353 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann 
Date: Tue, 17 Mar 2020 10:18:41 +0100
Subject: [PATCH 4/4] MINOR: conv: parses Financial Information eXchange
 messages

This patch implements a couple of converters to validate and extract data from
a FIX message.
The validation consists of a few checks such as mandatory fields and
checksum computation.
The extraction can get any tag value based on a tag string or tag ID.
---
 doc/configuration.txt |  36 
 include/proto/fix.h   | 200 ++
 include/types/fix.h   |  55 
 src/sample.c  |  72 +++
 4 files changed, 363 insertions(+)
 create mode 100644 include/proto/fix.h
 create mode 100644 include/types/fix.h

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8347e8a4d..81b53c59f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13926,6 +13926,42 @@ field(,[,])
   str(f1_f2_f3__f5),field(-2,_,3) # f2_f3_
   str(f1_f2_f3__f5),field(-3,_,0) # f1_f2_f3
 
+fix_tag_value()
+  Parses a FIX (Financial Information eXchange) message and extracts the value
+  from the tag .
+   can be a string or an integer pointing to the desired tag. Any integer
+  value is accepted, but only the following strings are translated into their
+  integer equivalent: BeginString, BodyLength, MsgType, SenderComID,
+  TagetComID, CheckSum. If more are needed, we can add them in proto/fix.h
+  easily.
+
+  Note: only the first message sent by the client and the server can be parsed.
+
+  Example:
+  tcp-request inspect-delay 10s
+  acl data_in_buffer req.len gt 10
+  # MsgType tag ID is 35, so both lines below will return the same content
+  tcp-request content set-var(txn.foo) req.payload(0,0),fix_tag_value(35) \
+  if data_in_buffer
+  tcp-request content set-var(txn.bar) req.payload(0,0),fix_tag_value(MsgType) \
+  if data_in_buffer
+
+fix_validate
+  Parses a binary payload and performs sanity checks regarding FIX (Financial
+  Information eXchange):
+  - checks the BeginString tag
+  - checks that all tag IDs are well numeric
+  - checks that last tag in the message is the CheckSum one
+  - validate the checksum is right
+
+  This converter returns a boolean, true if the payload contains a valid FIX
+  message, right if not.
+
+  Example:
+  tcp-request inspect-delay 10s
+  acl data_in_buffer req.len gt 10
+  tcp-request content reject if data_in_buffer !{ req.payload(0,0),fix_validate }
+
 hex
   Converts a binary input sample to a hex string containing two hex digits per
   input byte. It is used to log or transfer hex dumps of some binary input data
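Review bot: two errors in the new doc text will mislead users. fix_validate is described as returning "true if the payload contains a valid FIX message, right if not"; that should read "false if not". The tag names accepted by fix_tag_value are listed as "SenderComID" and "TagetComID", which are not the FIX field names SenderCompID (tag 49) and TargetCompID (tag 56) that users will actually type; since proto/fix.h compares the same misspelled strings, both the doc and the header need the standard spelling. The note that only the first message from each side can be parsed also belongs next to the reject example: `tcp-request content reject if data_in_buffer !{ req.payload(0,0),fix_validate }` only checks whatever is in the buffer when the rule fires, so it is a sanity check on the session's opening message rather than a filter on the rest of the stream, and the text should say so.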
diff --git a/include/proto/fix.h b/include/proto/fix.h
new file mode 100644
index 0..e7b8cf5ac
--- /dev/null
+++ b/include/proto/fix.h
@@ -0,0 +1,200 @@
+/*
+ * include/proto/fix.h
+ * This file contains functions and macros declarations for FIX protocol decoding.
+ *
+ * Copyright 2020 Baptiste Assmann 
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _PROTO_FIX_H
+#define _PROTO_FIX_H
+
+#include 
+#include 
+
+#include 
+
+
+/*
+ * Return a FIX tag ID ptr from  if one found, NULL if not.
+ *
+ * full list of tag ID available here, just in case we need to support more "string" equivalent in the future:
+ *   https://www.onixs.biz/fix-dictionary/4.2/fields_by_tag.html
+ */
+static inline struct ist fix_tagid(struct ist tag)
+{
+	if (istisnumeric(tag))
+		return tag;
+
+	else if (strcasecmp(tag.ptr, "BeginString") == 0)
+		return FIX_TAG_BeginString;
+
+	else if (strcasecmp(tag.ptr, "BodyLength") == 0)
+		return FIX_TAG_BodyLength;
+
+	else if (strcasecmp(tag.ptr, "CheckSum") == 0)
+		return FIX_TAG_CheckSum;
+
+	else if (strcasecmp(tag.ptr, "MsgType") == 0)
+		return FIX_TAG_MsgType;
+
+	else if (strcasecmp(tag.ptr, "SenderComID") == 0)
+		return FIX_TAG_SenderComID;
+
+	else if (strcasecmp(tag.ptr, "TagetComID") == 0)
+		return FIX_TAG_TargetComID;
+
+	return IST_NULL;
+}
+
+/*
+ * Parse a FIX message  and return the value of .
+ *
+ * 
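Review bot: fix_tagid() calls strcasecmp() on tag.ptr, but an ist carries an explicit length and is not guaranteed to be NUL-terminated (here it is a converter argument or a slice of a buffer), so the comparison can read past tag.len and, when the bytes after the tag are not a NUL, fail to match a correctly spelled name. Each branch should use the length-aware helper instead, e.g. `if (isteqi(tag, ist("BeginString")))`. The literals compared on the last two branches are also "SenderComID" and "TagetComID" while the constant returned is FIX_TAG_TargetComID; the FIX names are SenderCompID and TargetCompID, and with the current spelling fix_tag_value(TargetCompID) silently yields IST_NULL.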

[PATCH] assorted typo fixes (6th iteration)

2020-04-02 Thread Илья Шипицин
Hello,

ongoing typo fixes.

Ilya Shipitcin
From f0ba77f8d64c301ac8877e3d2850a7966acea658 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 2 Apr 2020 15:25:26 +0500
Subject: [PATCH] CLEANUP: assorted typo fixes in the code and comments

This is the sixth iteration of typo fixes
---
 contrib/debug/flags.c  |  2 +-
 src/acl.c  |  4 ++--
 src/cache.c|  6 +++---
 src/cfgparse.c |  4 ++--
 src/flt_spoe.c |  8 
 src/h2.c   |  6 +++---
 src/http_ana.c | 24 
 src/lb_map.c   |  2 +-
 src/listener.c |  4 ++--
 src/mux_fcgi.c | 10 +-
 src/stream_interface.c |  2 +-
 11 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/contrib/debug/flags.c b/contrib/debug/flags.c
index d966650ee..ca7584e32 100644
--- a/contrib/debug/flags.c
+++ b/contrib/debug/flags.c
@@ -434,7 +434,7 @@ int main(int argc, char **argv)
 			if (!value)
 break;
 
-			/* skip common leading delimitors that slip from copy-paste */
+			/* skip common leading delimiters that slip from copy-paste */
 			while (*value == ' ' || *value == '\t' || *value == ':' || *value == '=')
 value++;
 
diff --git a/src/acl.c b/src/acl.c
index 1e32271be..f3d7af789 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -503,7 +503,7 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
 		 expr->kw, file, line);
 	trash.area[trash.size - 1] = '\0';
 
-	/* Create new patern reference. */
+	/* Create new pattern reference. */
 	ref = pat_ref_newid(unique_id, trash.area, PAT_REF_ACL);
 	if (!ref) {
 		memprintf(err, "memory error");
@@ -521,7 +521,7 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
 
 		/* Compatibility layer. Each pattern can parse only one string per pattern,
 		 * but the pat_parser_int() and pat_parse_dotted_ver() parsers were need
-		 * optionnaly two operators. The first operator is the match method: eq,
+		 * optionally two operators. The first operator is the match method: eq,
 		 * le, lt, ge and gt. pat_parse_int() and pat_parse_dotted_ver() functions
 		 * can have a compatibility syntax based on ranges:
 		 *
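Review bot: "optionnaly" is fixed, but the sentence around it stays wrong in two ways a typo sweep can take along: "the pat_parser_int() and pat_parse_dotted_ver() parsers were need optionally two operators" should read "may need two optional operators" (or similar), and "pat_parser_int()" is not the function's name; the very next line spells it "pat_parse_int()".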
diff --git a/src/cache.c b/src/cache.c
index 7d53b2d5d..3b248ef46 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -520,7 +520,7 @@ static void cache_free_blocks(struct shared_block *first, struct shared_block *b
 }
 
 /*
- * This fonction will store the headers of the response in a buffer and then
+ * This function will store the headers of the response in a buffer and then
  * register a filter to store the data
  */
 enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
@@ -822,7 +822,7 @@ static size_t htx_cache_dump_msg(struct appctx *appctx, struct htx *htx, unsigne
 			goto add_data_blk;
 		}
 
-		/* Get info of the next HTX block. May be splitted on 2 shblk */
+		/* Get info of the next HTX block. May be split on 2 shblk */
 		sz = MIN(4, shctx->block_size - offset);
 		memcpy((char *), (const char *)shblk->data + offset, sz);
 		offset += sz;
@@ -888,7 +888,7 @@ static void http_cache_io_handler(struct appctx *appctx)
 	if (unlikely(si->state == SI_ST_DIS || si->state == SI_ST_CLO))
 		goto out;
 
-	/* Check if the input buffer is avalaible. */
+	/* Check if the input buffer is available. */
 	if (!b_size(>buf)) {
 		si_rx_room_blk(si);
 		goto out;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 9b4a0be37..993496192 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -91,7 +91,7 @@
  * Check RFC 2246 (TLSv1.0) sections A.3 and A.4 for details.
  */
 const char sslv3_client_hello_pkt[] = {
-	"\x16"/* ContentType : 0x16 = Hanshake   */
+	"\x16"/* ContentType : 0x16 = Handshake  */
 	"\x03\x00"/* ProtocolVersion : 0x0300 = SSLv3*/
 	"\x00\x79"/* ContentLength   : 0x79 bytes after this one */
 	"\x01"/* HanshakeType: 0x01 = CLIENT HELLO   */
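Review bot: fixing "Hanshake" in the ContentType comment leaves the same misspelling two lines below, in the unchanged context line `"\x01"/* HanshakeType: 0x01 = CLIENT HELLO   */`; since this patch is a typo sweep, that line should become "HandshakeType" in the same hunk.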
@@ -3830,7 +3830,7 @@ out_uri_auth_compat:
 			 * maximize the work at once, but in multi-process we want to keep
 			 * some fairness between processes, so we target half of the max
 			 * number of events to be balanced over all the processes the proxy
-			 * is bound to. Rememeber that maxaccept = -1 must be kept as it is
+			 * is bound to. Remember that maxaccept = -1 must be kept as it is
 			 * used to disable the limit.
 			 */
 			if (listener->maxaccept > 0 && nbproc > 1) {
diff --git a/src/flt_spoe.c b/src/flt_spoe.c
index 57c224644..9db2baa15 100644
--- a/src/flt_spoe.c
+++ b/src/flt_spoe.c
@@ -252,7 +252,7 @@ static const char *spoe_appctx_state_str[SPOE_APPCTX_ST_END+1] = {
 #endif
 
 /* Used to generates a unique id for an engine. On success, it returns a
- * allocated string. So it is the caller's reponsibility to release it. If the
+ * allocated string. So it is the caller's responsibility to release it. If the
  * allocation 
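Review bot: the changed line fixes "reponsibility", but the sentence starts on the unchanged context line above, "Used to generates a unique id for an engine. On success, it returns a"; "generates" should be "generate" and "a allocated string" (split across that line and the edited one) should be "an allocated string", so both can be fixed here as well.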

Re: [PATCH] ignore setsockopt return value in src/fd.c

2020-04-02 Thread Илья Шипицин
forgot to attach the patch itself ))

Thu, 2 Apr 2020 at 15:04, Илья Шипицин:

> Hello,
>
> this patch should resolve https://github.com/haproxy/haproxy/issues/553
>
> Cheers,
> Ilya Shipitcin
>
From 36dec6691e98dd92760c1434411aab207e43b93b Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Thu, 2 Apr 2020 15:02:08 +0500
Subject: [PATCH] CLEANUP: src/fd.c: mask setsockopt with DISGUISE

we do not care what is returned; let static analyzers
know that
---
 src/fd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/fd.c b/src/fd.c
index d026b15ee..1934bd0e7 100644
--- a/src/fd.c
+++ b/src/fd.c
@@ -314,8 +314,8 @@ static void fd_dodelete(int fd, int do_close)
 
 	if (fdtab[fd].linger_risk) {
 		/* this is generally set when connecting to servers */
-		setsockopt(fd, SOL_SOCKET, SO_LINGER,
-			   (struct linger *) , sizeof(struct linger));
+		DISGUISE(setsockopt(fd, SOL_SOCKET, SO_LINGER,
+			   (struct linger *) , sizeof(struct linger)));
 	}
 	if (cur_poller.clo)
 		cur_poller.clo(fd);
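Review bot: wrapping the call in DISGUISE() is reasonable here, but the commit message should state why ignoring the result is harmless rather than only that "we do not care": the fd is about to be closed and SO_LINGER only changes how that close behaves, so a failed setsockopt() at worst loses the no-linger mitigation for this one descriptor and there is nothing useful to do about it at this point. Style: the explicit `(struct linger *)` cast on the optval argument is unnecessary since setsockopt() takes a `const void *`, and could go while the line is being touched.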
-- 
2.25.1



[PATCH] ignore setsockopt return value in src/fd.c

2020-04-02 Thread Илья Шипицин
Hello,

this patch should resolve https://github.com/haproxy/haproxy/issues/553

Cheers,
Ilya Shipitcin


Re: SameSite=None for persistent session cookie, problem with old browsers

2020-04-02 Thread Aleksandar Lazic

Hi.

On 02.04.20 09:36, Matthias Zepf wrote:

> Hi,
> 
> for a client we develop a web shop application that handles payment by 
> redirecting the user to a page of a payment service provider. After successful 
> (or failed) payment the user is redirected back to our application with a post 
> request. With Chrome 80 this began to be a problem because on cross-domain post 
> requests the cookies are no longer transmitted. This can be fixed by setting 
> SameSite=None on the cookies, what we did (also for the haproxy persistent 
> session cookie) and it works fine.
> 
> But there is a new problem: old browsers, especially Safari on macOS < 10.15 and 
> iOS < 13. These browsers do not know of the value “None” for parameter “SameSite” 
> and treat unknown values as “Strict”. So, no cookies for these browsers on the 
> cross-domain post request.
> 
> For the web application we fixed this by adding 2 cookies, one with 
> SameSite=None and another (“legacy” cookie) without SameSite parameter.
> 
> Any ideas on how to handle this problem for haproxy?


Just an idea.

You can try to use 2 backends, as the cookie statement can be set per backend.

use_backend legacy_clients if { req.hdr(user-agent) -m sub ios } # or whatever the UA string is
use_backend new_clients if !{ req.hdr(user-agent) -m sub ios } # or whatever the UA string is

Examples are from here:
https://www.haproxy.com/blog/introduction-to-haproxy-acls/

This will be changed when the UA is gone, which is the plan from Google.

https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/
https://wicg.github.io/ua-client-hints/



> Thanks
> Matthias


Regards
Aleks
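The two-backend idea from the reply above, written out as a complete configuration. This is an added example, not a configuration from the thread or from the HAProxy project: the backend and server names, addresses, certificate path and the cookie name SRV are placeholders; the User-Agent patterns are an assumption derived from the browsers the question names (Safari on macOS 10.14, any browser on iOS 12) and must be checked against real traffic; and the `attr` keyword on the `cookie` directive is assumed to be supported by the running version.

```haproxy
# Added example, not from the thread. Persist on a server cookie "SRV" and
# send SameSite=None only to clients that understand it. All names and
# addresses are placeholders.

frontend fe_shop
    bind :443 ssl crt /etc/haproxy/shop.pem

    # Clients that treat SameSite=None as SameSite=Strict (assumed patterns):
    # Safari on macOS 10.14 carries "Mac OS X 10_14" plus a "Version/" token
    # that Chrome and Firefox do not send; every browser on iOS 12 shares the
    # WebKit stack and carries "OS 12_". Two acl lines with one name are OR'd.
    acl legacy_samesite req.hdr(user-agent) -m reg -i 'Macintosh.*Mac OS X 10_14.*Version/.*Safari'
    acl legacy_samesite req.hdr(user-agent) -m reg -i '(iPhone|iPad|iPod).*OS 12_'

    use_backend be_shop_legacy if legacy_samesite
    default_backend be_shop

# Modern clients: the persistence cookie needs SameSite=None (and therefore
# Secure) so the cross-site POST coming back from the payment provider still
# carries it.
backend be_shop
    balance roundrobin
    cookie SRV insert indirect nocache httponly secure attr "SameSite=None"
    server app1 10.0.0.11:8080 check cookie app1
    server app2 10.0.0.12:8080 check cookie app2

# Legacy clients: same servers and same cookie values, without a SameSite
# attribute. Health is tracked from be_shop so the servers are not checked
# twice.
backend be_shop_legacy
    balance roundrobin
    cookie SRV insert indirect nocache httponly secure
    server app1 10.0.0.11:8080 cookie app1 track be_shop/app1
    server app2 10.0.0.12:8080 cookie app2 track be_shop/app2
```

Because both backends use the same server names and cookie values, a browser that changes classification between requests (or is misclassified) still persists to the same server. On a version whose cookie directive lacks `attr`, an `http-response replace-header Set-Cookie` rule in be_shop that appends the attribute to the SRV cookie gives the same result. The split exists only for the cookie attribute, so retire be_shop_legacy once the affected clients disappear from the logs.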



SameSite=None for persistent session cookie, problem with old browsers

2020-04-02 Thread Matthias Zepf
Hi,

for a client we develop a web shop application that handles payment by 
redirecting the user to a page of a payment service provider. After successful 
(or failed) payment the user is redirected back to our application with a post 
request. With Chrome 80 this began to be a problem because on cross-domain post 
requests the cookies are no longer transmitted. This can be fixed by setting 
SameSite=None on the cookies, what we did (also for the haproxy persistent 
session cookie) and it works fine.

But there is a new problem: old browsers, especially Safari on macOS < 10.15 
and iOS < 13. These browsers do not know of the value “None” for parameter 
“SameSite” and treat unknown values as “Strict”. So, no cookies for these 
browsers on the cross-domain post request.

For the web application we fixed this by adding 2 cookies, one with 
SameSite=None and another (“legacy” cookie) without SameSite parameter.

Any ideas on how to handle this problem for haproxy?

Thanks
Matthias