Multiple balance statements in a backend
Hi all,

Probably another quite basic question that I can't find an example of in the docs (at least as a warning not to do that because it does not make sense or is bad practice) or on the net. It is regarding the usage of multiple balance statements in a backend like this:

    balance leastconn
    balance hdr(Authorization)

So basically, is this a valid use case where we can expect both options to get considered when load balancing, or is one ignored as a duplicate (in which case, which one)? And in general, how are duplicate statements handled in the code, i.e. is the first one or the last one considered valid, and are there maybe any special statements that are exempt from the rule (like hopefully balance :-) )

Thanks in advance.
Igor
TLV problem after updating to 2.1.14
Hello,

after updating HAProxy from 2.1.13 to 2.1.14 the TCP check with my dovecot setup doesn't work anymore. Nothing changed except the update.

In dovecot I get the following errors:

> Apr 03 00:21:28 srv1 dovecot[1378]: submission-login: Error:
> haproxy(v2): Client disconnected: Invalid TLV: get_tlv(0)
> failed:Truncated data (cmd=00, rip=)
> Apr 03 00:21:28 srv1 dovecot[1378]: managesieve-login: Error:
> haproxy(v2): Client disconnected: Invalid TLV: get_tlv(0)
> failed:Truncated data (cmd=00, rip=)
> Apr 03 00:21:28 srv1 dovecot[1378]: imap-login: Error: haproxy(v2):
> Client disconnected: Invalid TLV: get_tlv(0) failed:Truncated data
> (cmd=00, rip=)

HAProxy log:

> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'msa1-smtps' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server msa1-smtps/msa1-2 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conn
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server msa1-smtps/msa1-1 is DOWN, reason: Socket error, info: "SSL
> handshake failure (Connection reset by peer) at step 1 of tcp-check
> (connect por
> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'mda1-managesieve' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server mda1-managesieve/mda1-2 is DOWN, reason: Socket error,
> info: "SSL handshake failure (Connection reset by peer) at step 1 of
> tcp-check
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server mda1-managesieve/mda1-1 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conne
> Apr 03 00:13:10 srv1 haproxy[3774]: [ALERT] 093/001310 (3777) : proxy
> 'mda1-imaps' has no server available!
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Backup Server mda1-imaps/mda1-2 is DOWN, reason: Socket error, info:
> "SSL handshake failure (Connection reset by peer) at step 1 of tcp-
> check (conn
> Apr 03 00:13:10 srv1 haproxy[3774]: [WARNING] 093/001310 (3777) :
> Server mda1-imaps/mda1-1 is DOWN, reason: Socket error, info: "SSL
> handshake failure (Connection reset by peer) at step 1 of tcp-check
> (connect por
> Apr 03 00:13:10 srv1 haproxy[3774]: [NOTICE] 093/001309 (3774) : New
> worker #1 (3777) forked
> Apr 03 00:13:09 srv1 systemd[1]: Started HAProxy Load Balancer.
> Apr 03 00:13:09 srv1 systemd[1]: Starting HAProxy Load Balancer...

Example HAProxy config for IMAP:

> listen mda1-imaps
>     bind :993
>     bind :993
>     balance leastconn
>     option tcp-check
>     tcp-check connect port 993 send-proxy ssl
>     tcp-check expect string * OK
>     option tcpka
>     option tcplog
>     stick-table type ip size 200k expire 30m
>     stick on src
>     server mda1-1 mda1-1.example.com:993 ca-file /etc/ssl/certs/ca-certificates.crt check resolvers dns send-proxy-v2
>     server mda1-2 mda1-2.example.com:993 ca-file /etc/ssl/certs/ca-certificates.crt check resolvers dns send-proxy-v2 backup
>     timeout connect 5s
>     timeout client 30m
>     timeout server 30m

When commenting out these lines it's up again:

> option tcp-check
> tcp-check connect port 993 send-proxy ssl
> tcp-check expect string * OK

Any ideas what's wrong?

--
Greetings
Hativ
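The Dovecot error above ("Invalid TLV: get_tlv(0) failed: Truncated data", with cmd=00 being the PROXY protocol v2 LOCAL command that health checks send) and the "BUG/MAJOR: proxy_protocol: Properly validate TLV lengths" entry in the release announcements further down this page both come down to one bound: a v2 receiver must never read TLVs past the length declared in the header, or it ends up parsing the application payload as TLVs. What follows is an added example, not HAProxy's or Dovecot's code, of a strict v2 parser that enforces that bound; it uses the TLV type 0x05 (PP2_TYPE_UNIQUE_ID) named in the changelog, and every header and address below is a constructed sample.

```python
# Strict PROXY protocol v2 parser with bounded TLV handling (added example,
# not HAProxy's or Dovecot's code; the sample headers below are constructed).
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_UNIQUE_ID = 0x05  # TLV type reserved by HAProxy as PP2_TYPE_UNIQUE_ID


class ProxyHeaderError(ValueError):
    """Malformed header: the receiver should drop the connection."""


def parse_tlvs(block):
    """Walk the TLV area inside the declared block; each TLV is type(1)|len(2)|value."""
    tlvs = {}
    pos = 0
    while pos < len(block):
        if pos + 3 > len(block):
            raise ProxyHeaderError("truncated TLV header at offset %d" % pos)
        tlv_type, tlv_len = struct.unpack_from("!BH", block, pos)
        pos += 3
        if pos + tlv_len > len(block):
            # A lax parser would keep going here and pull TLV bytes out of
            # the application payload that follows the PROXY block.
            raise ProxyHeaderError(
                "TLV 0x%02x declares %d bytes but only %d remain"
                % (tlv_type, tlv_len, len(block) - pos))
        tlvs[tlv_type] = block[pos:pos + tlv_len]
        pos += tlv_len
    return tlvs


def parse_proxy_v2(data):
    """Parse one header; return (info dict, remaining payload) or raise."""
    if len(data) < 16:
        raise ProxyHeaderError("need at least 16 bytes for the fixed header")
    if data[:12] != PP2_SIGNATURE:
        raise ProxyHeaderError("bad signature")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported version %d" % (ver_cmd >> 4))
    cmd = ver_cmd & 0x0F
    if len(data) < 16 + length:
        raise ProxyHeaderError("header declares %d bytes, only %d present"
                               % (length, len(data) - 16))
    block, payload = data[16:16 + length], data[16 + length:]
    if cmd == 0x0:
        # LOCAL (cmd=00): what a proxy sends for its own health checks; the
        # address block is ignored and the real connection endpoints are used.
        return {"cmd": "LOCAL", "src": None, "dst": None, "tlvs": {}}, payload
    if cmd != 0x1:
        raise ProxyHeaderError("unknown command %d" % cmd)
    family = fam_proto >> 4
    if family == 0x1:    # AF_INET: two 4-byte addresses, two 2-byte ports
        addr_len, fmt, ip_cls = 12, "!4s4sHH", ipaddress.IPv4Address
    elif family == 0x2:  # AF_INET6: two 16-byte addresses, two 2-byte ports
        addr_len, fmt, ip_cls = 36, "!16s16sHH", ipaddress.IPv6Address
    else:
        raise ProxyHeaderError("unsupported address family %d" % family)
    if length < addr_len:
        raise ProxyHeaderError("address block truncated")
    s_ip, d_ip, s_port, d_port = struct.unpack_from(fmt, block, 0)
    info = {"cmd": "PROXY",
            "src": (str(ip_cls(s_ip)), s_port),
            "dst": (str(ip_cls(d_ip)), d_port),
            "tlvs": parse_tlvs(block[addr_len:])}
    return info, payload


def build_tcp4_header(src, dst, tlvs=(), declared_len=None):
    """Build a v2 PROXY/TCP4 header; declared_len forges a length field
    that does not match the bytes actually emitted (to exercise the parser)."""
    body = struct.pack("!4s4sHH", ipaddress.IPv4Address(src[0]).packed,
                       ipaddress.IPv4Address(dst[0]).packed, src[1], dst[1])
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    length = len(body) if declared_len is None else declared_len
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, length) + body


def classify(data):
    """Return ('ok', info, payload) or ('reject', reason, None)."""
    try:
        info, payload = parse_proxy_v2(data)
        return "ok", info, payload
    except ProxyHeaderError as exc:
        return "reject", str(exc), None


# Constructed samples: a well-formed client connection, a LOCAL health-check
# header, and a header whose TLV length points past the declared block.
GOOD = build_tcp4_header(("10.0.0.1", 40000), ("10.0.0.2", 993),
                         [(PP2_TYPE_UNIQUE_ID, b"abc")]) + b"EHLO\r\n"
LOCAL = PP2_SIGNATURE + struct.pack("!BBH", 0x20, 0x00, 0) + b"* OK\r\n"
BAD_TLV = build_tcp4_header(("10.0.0.1", 40000), ("10.0.0.2", 993),
                            [(PP2_TYPE_UNIQUE_ID, b"abc")],
                            declared_len=15) + b"EHLO\r\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("LOCAL", LOCAL), ("BAD_TLV", BAD_TLV)):
        print(name, classify(sample)[:2])
```

For BAD_TLV the declared length stops three bytes into the TLV, so the value bytes "abc" sit in the payload; the strict parser rejects the header instead of reading them, which is the behaviour the TLV-length fix in the announcements restores.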
[PATCH] add DEBUG_STRICT to travis, upgrade openssl to 1.1.1f
Hello, patch is urgent. openssl has changed download path, I guess it was done in purpose (to signal people that they download outdated openssl) so ... we need to upgrade to 1.1.1f Cheers, Ilya Shipitcin From a21479ae91ad2c43dbe14d7d119eedc2363e0f49 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Fri, 3 Apr 2020 00:07:17 +0500 Subject: [PATCH 1/3] CI: travis-ci: enable DEBUG_STRICT=1 for CI builds DEBUG_STRICT enables the BUG_ON() macro which validates some developers' assertions in the code that are not enabled for production build but may sometimes help catch certain rare bugs. DEBUG_STRICT is set to all builds except one --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 525021cfb..e64bc86f9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,6 +16,7 @@ env: - SSL_INC=${HOME}/opt/include - TMPDIR=/tmp - FIFTYONEDEGREES_SRC="contrib/51d/src/pattern" +- DEBUG_OPTIONS="DEBUG_STRICT=1" addons: apt: @@ -73,6 +74,7 @@ matrix: compiler: clang env: TARGET=linux-glibc LIBRESSL_VERSION=3.0.2 CC=clang-9 - os: linux +env: DEBUG_OPTIONS="" if: type == cron compiler: clang env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9 @@ -109,7 +111,7 @@ install: script: - if [ "${CC%-*}" = "clang" ]; then export FLAGS="$FLAGS USE_OBSOLETE_LINKER=1" DEBUG_CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"; fi - make -C contrib/wurfl - - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS" + - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS" $DEBUG_OPTIONS - ./haproxy -vv - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ldd haproxy; fi - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L haproxy; fi -- 2.25.1 
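Review bot: a reader of the global `env:` list in the first hunk (`@@ -16,6 +16,7 @@`) cannot tell what `DEBUG_OPTIONS="DEBUG_STRICT=1"` is for or that one matrix job later clears it; a one-line comment above the entry carrying what the commit message says (extra make options enabling the BUG_ON() assertions, cleared for the job that must not run with them) would keep that intent next to the setting.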
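Review bot: in the second hunk (`@@ -73,6 +74,7 @@`) the added `env: DEBUG_OPTIONS=""` lands in a matrix entry that already has `env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9` two lines below it, so that entry now carries two `env` keys in one YAML mapping; depending on the YAML loader this is a duplicate-key error or silently keeps only one of the two, which would either drop the opt-out or drop the TARGET/LIBRESSL settings for that job. Fold the override into the existing line, e.g. `env: TARGET=linux-glibc LIBRESSL_VERSION=2.9.2 CC=clang-9 DEBUG_OPTIONS=""`, and add a comment saying why this one cron job is excluded, since the commit message only states that one build is.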
From 54297dd35abad7fad270867bc99432a41084f421 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Fri, 3 Apr 2020 00:20:46 +0500 Subject: [PATCH 2/3] CI: travis-ci: upgrade openssl to 1.1.1f openssl has changed download path after 1.1.1f release --- .travis.yml | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index e64bc86f9..a28cc5dcd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -42,23 +42,23 @@ matrix: arch: amd64 if: type == push compiler: clang -env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d CC=clang-9 +env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f CC=clang-9 ## ## temporarily disabled, until arm64 runners become stable # - os: linux #arch: arm64 #if: type == push #compiler: clang -#env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d CC=clang-9 +#env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f CC=clang-9 - os: linux arch: s390x if: type == push compiler: gcc -env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d +env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f - os: linux if: type == cron compiler: clang -env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1d COVERITY_SCAN_PROJECT_NAME="Haproxy" COVERITY_SCAN_BRANCH_PATTERN="*" COVERITY_SCAN_NOTIFICATION_EMAIL="chipits...@gmail.com" COVERITY_SCAN_BUILD_COMMAND="make CC=clang TARGET=$TARGET $FLAGS 51DEGREES_SRC=$FIFTYONEDEGREES_SRC" +env: TARGET=linux-glibc OPENSSL_VERSION=1.1.1f COVERITY_SCAN_PROJECT_NAME="Haproxy" COVERITY_SCAN_BRANCH_PATTERN="*" COVERITY_SCAN_NOTIFICATION_EMAIL="chipits...@gmail.com" COVERITY_SCAN_BUILD_COMMAND="make CC=clang TARGET=$TARGET $FLAGS 51DEGREES_SRC=$FIFTYONEDEGREES_SRC" script: - | if [ ! -z ${COVERITY_SCAN_TOKEN+x} ]; then @@ -93,7 +93,7 @@ matrix: - os: osx if: type == push compiler: clang -env: TARGET=osx FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1d +env: TARGET=osx FLAGS="USE_OPENSSL=1" OPENSSL_VERSION=1.1.1f - os: linux if: type == cron compiler: clang -- 2.25.1
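Review bot: the bump edits `OPENSSL_VERSION=1.1.1d` in five separate matrix entries (the commented-out arm64 entry included), so the next upgrade is again a five-place change that is easy to get partially wrong; a single default in the global `env:` list, overridden only by entries that need a different library, would make it a one-line diff. Separately, since the job fetches the tarball by version (the commit message notes the download path changed), pinning the tarball's SHA-256 next to the version and checking it in the download step would catch a substituted archive, not just a moved one.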
Re: haproxy 2.0.14 failing to bind peer sockets
I reverted that commit, but it doesn't appear to have fixed the issue. I also tried adding a stick-table using this peers group to my config (this test cluster didn't actually have any stick-tables), but it still fails at startup with the same error.

On Thu, Apr 2, 2020 at 11:28 AM Tim Düsterhus wrote:

> James,
>
> On 02.04.20 at 19:53, James Brown wrote:
> > I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our
> > regular graceful-restart process is failing with:
> >
> > [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols
> > failed to start their listeners! Exiting.
>
> I suppose this commit might be at fault here:
>
> https://github.com/haproxy/haproxy/commit/a2cfd7e356f4d744294b510b05d88bf58304db25
>
> Try reverting it to see whether it fixes the issue.
>
> Best regards
> Tim Düsterhus
>

--
James Brown
Engineer
[PATCH] CI: minor cleanup on SSL linking
Hello, this PR cleans up SSL linking. it is very well aligned to "how to link to custom openssl" documentation. Cheers, Ilya Shipitcin From 8fd3b9165558c4d0e3bc837df1ba8caca67ed059 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Thu, 2 Apr 2020 23:34:47 +0500 Subject: [PATCH] CI: use better SSL library definition SSL_LIB is already added to LDFLAGS in Makefile, no need to define it rpath better be defined using ADDLIB variable --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f500e02d3..525021cfb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -109,7 +109,7 @@ install: script: - if [ "${CC%-*}" = "clang" ]; then export FLAGS="$FLAGS USE_OBSOLETE_LINKER=1" DEBUG_CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address"; fi - make -C contrib/wurfl - - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS -L$SSL_LIB -Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS" + - make -j3 CC=$CC V=1 ERR=1 TARGET=$TARGET $FLAGS DEBUG_CFLAGS="$DEBUG_CFLAGS" LDFLAGS="$LDFLAGS" ADDLIB="-Wl,-rpath,$SSL_LIB" 51DEGREES_SRC="$FIFTYONEDEGREES_SRC" EXTRA_OBJS="$EXTRA_OBJS" - ./haproxy -vv - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ldd haproxy; fi - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L haproxy; fi -- 2.25.1
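Review bot: the hunk rests on the commit message's claim that the Makefile already adds `-L$SSL_LIB` to LDFLAGS, and nothing in the script proves the resulting binary links against the library under `$SSL_LIB` rather than the system one; the `ldd haproxy` / `otool -L haproxy` lines already in the context are the place to assert that, e.g. `ldd haproxy | grep -q "$SSL_LIB" || exit 1` on the linux branch. Also `ADDLIB="-Wl,-rpath,$SSL_LIB"` is passed unconditionally, so any matrix entry without `SSL_LIB` set would emit `-Wl,-rpath,` with an empty path; worth confirming every job sets it.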
Re: haproxy 2.0.14 failing to bind peer sockets
James,

On 02.04.20 at 19:53, James Brown wrote:
> I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our
> regular graceful-restart process is failing with:
>
> [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols
> failed to start their listeners! Exiting.

I suppose this commit might be at fault here:

https://github.com/haproxy/haproxy/commit/a2cfd7e356f4d744294b510b05d88bf58304db25

Try reverting it to see whether it fixes the issue.

Best regards
Tim Düsterhus
haproxy 2.0.14 failing to bind peer sockets
I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our regular graceful-restart process is failing with:

    [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.

Looking at strace, it looks like the bind(2) call for the peer socket is failing. Did something change about the order in which peer sockets are bound? Our peers block is pretty straightforward and hasn't changed in several years.

    peers lb
        peer devlb1west 10.132.46.130:7778
        peer devlb2west 10.132.37.135:7778

Our graceful restart command looks like

    /usr/sbin/haproxy -f /path/to/haproxy.config -p /home/srvelb/run/haproxy.pid -sf 70409 -x /path/to/admin/mode/socket

and also hasn't changed since the addition of domain-socket FD passing in 1.8.

I notice a bunch of peer-related commits got pulled into 2.0.14... Anyone else seen this?

--
James Brown
Engineer
Re: [ANNOUNCE] haproxy-2.1.4
On 02 Apr 15:27, Julien Pivotto wrote:
> On 02 Apr 15:03, Willy Tarreau wrote:
> > Hi,
> >
> > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> > after version 2.1.3.
> >
> > The main driver for this release is that it contains a fix for a serious
> > vulnerability that was responsibly reported last week by Felix Wilhelm
> > from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> > CVE-2020-11100 was assigned to this issue.
> >
> > There is no configuration-based workaround for 2.1 and above.
>
> Is disabling HTTP2 a workaround?
>
> Thanks.

Sorry, I have only read the 2.1 mail. Thanks

> >
> > This vulnerability makes it possible under certain circumstances to write
> > to a wide range of memory locations within the process' heap, with the
> > limitation that the attacker doesn't control the absolute address, so the
> > most likely result and by a far margin will be a process crash, but it is
> > not possible to completely rule out the faint possibility of a remote code
> > execution, at least in a lab-controlled environment. Felix was kind enough
> > to agree to delay the publication of his findings to the 20th of this month
> > in order to leave enough time to haproxy users to apply updates. But please
> > do not wait, as it is not very difficult to figure how to exploit the bug
> > based on the fix. Distros were notified and will also have fixes available
> > very shortly.
> >
> > Three other important fixes are present in this version:
> >   - a non-portable way of calculating a list pointer that breaks with
> >     gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
> >     at random places in the code depending how the compiler decides to
> >     optimize the code.
> >
> >   - a bug in the way TLV fields are extracted from the PROXY protocol, as
> >     they could be mistakenly looked up in the subsequent payload, even
> >     though these would have limited effects since these ones would generally
> >     be meaningless for the transported protocol, but could be used to hide a
> >     source address from logging for example.
> >
> >   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
> >     prevent a connection from being sent to a server while the 500 response
> >     is delivered to the client. Given that they are often used to block
> >     suspicious activity it's problematic.
> >
> > The rest is less important, but still relevant to some users. Among those
> > noticeable I can enumerate:
> >   - the O(N^2) ACL unique-id allocator that could take several minutes to
> >     boot on certain very large configs was reworked to follow O(NlogN)
> >     instead.
> >
> >   - the default global maxconn setting when not set in the configuration was
> >     incorrectly set to the process' soft limit instead of the hard limit,
> >     resulting in much lower connection counts on some setups after upgrade
> >     from 1.x to 2.x. It now properly follows the hard limit.
> >
> >   - a new thread-safe random number generator that will avoid the risk that
> >     the "uuid" sample fetch function returns the exact same UUID in several
> >     threads.
> >
> >   - issues in HTX mode affecting filters, namely cache and compression, that
> >     could lead to data corruption.
> >
> >   - alignment issues causing bus error on Sparc64 were addressed
> >
> >   - fixed a rare case of possible segfault on soft-stop when a finishing
> >     thread flushes its pools while another one is freeing some elements.
> >
> >
> > Please have a look at the changelog below for a more detailed list of fixes,
> > and do not forget to update, either from the sources or from your regular
> > distro channels.
> >
> > Please find the usual URLs below :
> >    Site index       : http://www.haproxy.org/
> >    Discourse        : http://discourse.haproxy.org/
> >    Slack channel    : https://slack.haproxy.org/
> >    Issue tracker    : https://github.com/haproxy/haproxy/issues
> >    Sources          : http://www.haproxy.org/download/2.1/src/
> >    Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
> >    Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
> >    Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
> >    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
> >
> > Willy
> > ---
> > Complete changelog :
> > Balvinder Singh Rawat (1):
> >       DOC: correct typo in alert message about rspirep
> >
> > Bjoern Jacke (1):
> >       DOC: fix typo about no-tls-tickets
> >
> > Björn Jacke (1):
> >       DOC: improve description of no-tls-tickets
> >
> > Carl Henrik Lunde (1):
> >       OPTIM: startup: fast unique_id allocation for acl.
> >
> > Christopher Faulet (26):
> >       BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
> >       MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
> >       MINOR: http-htx:
Re: [ANNOUNCE] haproxy-2.1.4
On Thu, Apr 02, 2020 at 03:27:07PM +0200, Julien Pivotto wrote:
> On 02 Apr 15:03, Willy Tarreau wrote:
> > Hi,
> >
> > HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> > after version 2.1.3.
> >
> > The main driver for this release is that it contains a fix for a serious
> > vulnerability that was responsibly reported last week by Felix Wilhelm
> > from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> > CVE-2020-11100 was assigned to this issue.
> >
> > There is no configuration-based workaround for 2.1 and above.
>
> Is disabling HTTP2 a workaround?

When possible yes, but in 2.1 and above you cannot as it's native, hence
"no config workaround" :-(

Willy
Re: [PATCH] assorted typo fixes (6th iteration)
On Thu, Apr 02, 2020 at 03:27:26PM +0500, ??? wrote:
> Hello,
>
> ongoing typo fixes.

Merged, thanks!
Willy
Re: [ANNOUNCE] haproxy-2.1.4
On 02 Apr 15:03, Willy Tarreau wrote:
> Hi,
>
> HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits
> after version 2.1.3.
>
> The main driver for this release is that it contains a fix for a serious
> vulnerability that was responsibly reported last week by Felix Wilhelm
> from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> CVE-2020-11100 was assigned to this issue.
>
> There is no configuration-based workaround for 2.1 and above.

Is disabling HTTP2 a workaround?

Thanks.

>
> This vulnerability makes it possible under certain circumstances to write
> to a wide range of memory locations within the process' heap, with the
> limitation that the attacker doesn't control the absolute address, so the
> most likely result and by a far margin will be a process crash, but it is
> not possible to completely rule out the faint possibility of a remote code
> execution, at least in a lab-controlled environment. Felix was kind enough
> to agree to delay the publication of his findings to the 20th of this month
> in order to leave enough time to haproxy users to apply updates. But please
> do not wait, as it is not very difficult to figure how to exploit the bug
> based on the fix. Distros were notified and will also have fixes available
> very shortly.
>
> Three other important fixes are present in this version:
>   - a non-portable way of calculating a list pointer that breaks with
>     gcc 10 unless using -fno-tree-pta. This bug results in infinite loops
>     at random places in the code depending how the compiler decides to
>     optimize the code.
>
>   - a bug in the way TLV fields are extracted from the PROXY protocol, as
>     they could be mistakenly looked up in the subsequent payload, even
>     though these would have limited effects since these ones would generally
>     be meaningless for the transported protocol, but could be used to hide a
>     source address from logging for example.
>
>   - the "tarpit" rules were partially broken in that since 1.9 they wouldn't
>     prevent a connection from being sent to a server while the 500 response
>     is delivered to the client. Given that they are often used to block
>     suspicious activity it's problematic.
>
> The rest is less important, but still relevant to some users. Among those
> noticeable I can enumerate:
>   - the O(N^2) ACL unique-id allocator that could take several minutes to
>     boot on certain very large configs was reworked to follow O(NlogN)
>     instead.
>
>   - the default global maxconn setting when not set in the configuration was
>     incorrectly set to the process' soft limit instead of the hard limit,
>     resulting in much lower connection counts on some setups after upgrade
>     from 1.x to 2.x. It now properly follows the hard limit.
>
>   - a new thread-safe random number generator that will avoid the risk that
>     the "uuid" sample fetch function returns the exact same UUID in several
>     threads.
>
>   - issues in HTX mode affecting filters, namely cache and compression, that
>     could lead to data corruption.
>
>   - alignment issues causing bus error on Sparc64 were addressed
>
>   - fixed a rare case of possible segfault on soft-stop when a finishing
>     thread flushes its pools while another one is freeing some elements.
>
>
> Please have a look at the changelog below for a more detailed list of fixes,
> and do not forget to update, either from the sources or from your regular
> distro channels.
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/2.1/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
>    Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
> Balvinder Singh Rawat (1):
>       DOC: correct typo in alert message about rspirep
>
> Bjoern Jacke (1):
>       DOC: fix typo about no-tls-tickets
>
> Björn Jacke (1):
>       DOC: improve description of no-tls-tickets
>
> Carl Henrik Lunde (1):
>       OPTIM: startup: fast unique_id allocation for acl.
>
> Christopher Faulet (26):
>       BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
>       MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
>       MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
>       MINOR: filters: Forward data only if the last filter forwards something
>       BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
>       BUG/MINOR: http-htx: Don't return error if authority is
Re: [PATCH] ignore setsockopt return value in src/fd.c
On Thu, Apr 02, 2020 at 03:26:31PM +0500, ??? wrote:
> forgot to attach a patch itself ))

Normally this tradition is reserved to me :-)

Now applied, thank you Ilya!
Willy
[ANNOUNCE] haproxy-1.8.25
Hi,

HAProxy 1.8.25 was released on 2020/04/02. It added 37 new commits after version 1.8.24.

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

For version 1.8 it is enough to remove "npn h2" and "alpn h2" on "bind" lines to disable HTTP/2 support and stay away from the issue. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result and by a far margin will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment. Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time to haproxy users to apply updates. But please do not wait, as it is not very difficult to figure how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.

Two other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code depending how the compiler decides to optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload, even though these would have limited effects since these ones would generally be meaningless for the transported protocol, but could be used to hide a source address from logging for example.

The rest is less important, but still relevant to some users.

Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Christopher Faulet (8):
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: http-ana: Reset request analysers on error when waiting for response

Daniel Corbett (1):
      BUG/MINOR: stats: Fix color of draining servers on stats page

Ilya Shipitsin (1):
      DOC: assorted typo fixes in the documentation

Jerome Magnin (1):
      BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits

Lukas Tribus (1):
      DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
      DOC: internals: Fix spelling errors in filters.txt

Tim Duesterhus (3):
      BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
      BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
      DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

William Dauchy (1):
      BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat

William Lallemand (2):
      BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
      BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

Willy Tarreau (16):
      SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
      CONTRIB: debug: add the possibility to decode the value as certain types only
      CONTRIB: debug: support reporting multiple values at once
      CONTRIB: debug: also support reading values from stdin
      BUG/MEDIUM: shctx: make sure to keep all blocks aligned
      MINOR: compiler: move CPU capabilities definition from config.h and complete them
      BUG/MEDIUM: ebtree: don't set attribute packed without unaligned
[ANNOUNCE] haproxy-1.9.15
Hi,

HAProxy 1.9.15 was released on 2020/04/02. It added 53 new commits after version 1.9.14.

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

In 1.9, it is possible to work around this issue by removing "npn h2", "alpn h2" or "proto h2" on "bind" lines, which will result in disabling HTTP/2 support. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result and by a far margin will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment. Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time to haproxy users to apply updates. But please do not wait, as it is not very difficult to figure how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.

Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code depending how the compiler decides to optimize the code.

  - a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload, even though these would have limited effects since these ones would generally be meaningless for the transported protocol, but could be used to hide a source address from logging for example.

  - the "tarpit" rules were partially broken in that since 1.9 they wouldn't prevent a connection from being sent to a server while the 500 response is delivered to the client. Given that they are often used to block suspicious activity it's problematic.

The rest is less important, but still relevant to some users.

Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.

Important note: let me remind that we're almost 18 months after 1.9 was released, that in December we said it would live for another 3-4 months, and that now it's about time to see it disappear. Thus barring any other major issue requiring a quick fix in the forthcoming weeks/months, it's unlikely that there will be another 1.9 version. I'm not suggesting to rush an upgrade especially when dealing with a security issue, but keep somewhere in your head that you'll really need to migrate to 2.0 or newer soon. I'll purposely mark it "End of life" on the site, even though I'm still open to a few extras if really needed and justified.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Christopher Faulet (16):
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      BUG/MINOR: http-ana: Reset request analysers on a response side error
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
      BUG/MINOR: filters: Forward
[ANNOUNCE] haproxy-2.0.14
Hi,

HAProxy 2.0.14 was released on 2020/04/02. It added 86 new commits after version 2.0.13.

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.

There is no configuration-based workaround when HTX is used, thus for 2.1 and above, or for 2.0 when server-side H2 or L7 retries are enabled. In 2.0 HTX is enabled by default, and disabling it requires adding "no option http-use-htx" in every proxy. When in legacy mode (non-HTX), disabling H2 by removing "npn h2", "alpn h2" and "proto h2" on bind lines will be enough. But upgrading will be way easier and safer!

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result and by a far margin will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment.

Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time for haproxy users to apply updates. But please do not wait, as it is not very difficult to figure out how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.

Three other important fixes are present in this version:
- a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code depending how the compiler decides to optimize the code.
- a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload, even though these would have limited effects since these ones would generally be meaningless for the transported protocol, but could be used to hide a source address from logging for example.
- the "tarpit" rules were partially broken in that since 1.9 they wouldn't prevent a connection from being sent to a server while the 500 response is delivered to the client. Given that they are often used to block suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Among those noticeable I can enumerate:
- the O(N^2) ACL unique-id allocator that could take several minutes to boot on certain very large configs was reworked to follow O(NlogN) instead.
- the default global maxconn setting when not set in the configuration was incorrectly set to the process' soft limit instead of the hard limit, resulting in much lower connection counts on some setups after upgrade from 1.x to 2.x. It now properly follows the hard limit.
- a new thread-safe random number generator that will avoid the risk that the "uuid" sample fetch function returns the exact same UUID in several threads.
- issues in HTX mode affecting filters, namely cache and compression, that could lead to data corruption.
- alignment issues causing bus error on Sparc64 were addressed.
- fixed a rare case of possible segfault on soft-stop when a finishing thread flushes its pools while another one is freeing some elements.

Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.
Please find the usual URLs below :
  Site index       : http://www.haproxy.org/
  Discourse        : http://discourse.haproxy.org/
  Slack channel    : https://slack.haproxy.org/
  Issue tracker    : https://github.com/haproxy/haproxy/issues
  Sources          : http://www.haproxy.org/download/2.0/src/
  Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
  Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
  Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
  Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
      OPTIM: startup: fast unique_id allocation for acl.

Christopher Faulet (21):
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
      MINOR:
[ANNOUNCE] haproxy-2.1.4
Hi,

HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits after version 2.1.3.

The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue. There is no configuration-based workaround for 2.1 and above.

This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process' heap, with the limitation that the attacker doesn't control the absolute address, so the most likely result and by a far margin will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment.

Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time for haproxy users to apply updates. But please do not wait, as it is not very difficult to figure out how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.

Three other important fixes are present in this version:
- a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code depending how the compiler decides to optimize the code.
- a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload, even though these would have limited effects since these ones would generally be meaningless for the transported protocol, but could be used to hide a source address from logging for example.
- the "tarpit" rules were partially broken in that since 1.9 they wouldn't prevent a connection from being sent to a server while the 500 response is delivered to the client. Given that they are often used to block suspicious activity it's problematic.

The rest is less important, but still relevant to some users. Among those noticeable I can enumerate:
- the O(N^2) ACL unique-id allocator that could take several minutes to boot on certain very large configs was reworked to follow O(NlogN) instead.
- the default global maxconn setting when not set in the configuration was incorrectly set to the process' soft limit instead of the hard limit, resulting in much lower connection counts on some setups after upgrade from 1.x to 2.x. It now properly follows the hard limit.
- a new thread-safe random number generator that will avoid the risk that the "uuid" sample fetch function returns the exact same UUID in several threads.
- issues in HTX mode affecting filters, namely cache and compression, that could lead to data corruption.
- alignment issues causing bus error on Sparc64 were addressed.
- fixed a rare case of possible segfault on soft-stop when a finishing thread flushes its pools while another one is freeing some elements.

Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.
Please find the usual URLs below :
  Site index       : http://www.haproxy.org/
  Discourse        : http://discourse.haproxy.org/
  Slack channel    : https://slack.haproxy.org/
  Issue tracker    : https://github.com/haproxy/haproxy/issues
  Sources          : http://www.haproxy.org/download/2.1/src/
  Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
  Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
  Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
  Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Balvinder Singh Rawat (1):
      DOC: correct typo in alert message about rspirep

Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
      OPTIM: startup: fast unique_id allocation for acl.

Christopher Faulet (26):
      BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
      MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
      BUG/MINOR: http-htx: Don't return error if authority is updated without changes
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      MINOR: http-ana: Match on the path if the monitor-uri starts by a /
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      BUG/MINOR: http-htx: Do case-insensive
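Both the 2.0.14 and the 2.1.4 announcements above describe the same triage rule for CVE-2020-11100: a patched version needs nothing, an unpatched 2.1 has no configuration workaround, and an unpatched 2.0 only has one if HTX is off in every proxy (and not forced back on by server-side H2 or L7 retries) and no bind line offers H2. The script below is an added example, not haproxy's own code, that applies exactly those statements to a version string and a configuration file. The fixed-version table contains only the two versions the announcements name; every function, the sample configuration and the assumption that only "none" and "conn-failure" are non-L7 retry-on values are mine.

```python
"""Triage helper for CVE-2020-11100 as described in the 2.0.14 and 2.1.4
announcements. Added example, not haproxy code; all names are mine."""
import re

# Fixed versions exactly as the two announcements state them; other branches
# are deliberately absent (take them from their own announcements).
FIXED_IN = {(2, 0): (2, 0, 14), (2, 1): (2, 1, 4)}
# Assumption: "none" and "conn-failure" are the only retry-on values that do
# not enable L7 retries.
L4_ONLY_RETRY = {"none", "conn-failure"}
PROXY_KW = ("frontend", "listen", "backend")


def parse_version(text):
    """'2.0.13' or the first line of 'haproxy -v' -> (2, 0, 13)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def version_is_fixed(version):
    """True/False for a branch in FIXED_IN, None for an unknown branch."""
    fixed = FIXED_IN.get(version[:2])
    return None if fixed is None else version >= fixed


def _offers_h2(tokens):
    """'alpn h2', 'alpn h2,http/1.1', 'npn h2' or 'proto h2' on a bind/server line."""
    return any(tok in ("alpn", "npn", "proto") and "h2" in tokens[i + 1].split(",")
               for i, tok in enumerate(tokens[:-1]))


def scan_config(cfg_text, version):
    """One dict per proxy with its effective HTX state and H2 usage. Assumed
    simplifications: only 'option http-use-htx' is inherited from the preceding
    defaults section, and 'mode' is ignored."""
    defaults_htx, cur, proxies = None, None, []
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw in ("global", "defaults") + PROXY_KW:
            defaults_htx = None if kw == "defaults" else defaults_htx  # defaults start clean
            cur = {"section": kw, "htx": defaults_htx if kw in PROXY_KW else None,
                   "h2_bind": False, "h2_server": False, "l7_retry": False}
            if kw in PROXY_KW:
                proxies.append(cur)
        elif cur is None or cur["section"] == "global":
            continue
        elif tokens[:2] == ["option", "http-use-htx"] or tokens[:3] == ["no", "option", "http-use-htx"]:
            if cur["section"] == "defaults":
                defaults_htx = kw == "option"
            else:
                cur["htx"] = kw == "option"
        elif kw == "bind" and _offers_h2(tokens):
            cur["h2_bind"] = True
        elif kw in ("server", "default-server") and _offers_h2(tokens):
            cur["h2_server"] = True
        elif kw == "retry-on" and not set(tokens[1:]) <= L4_ONLY_RETRY:
            cur["l7_retry"] = True
    for p in proxies:
        if version[:2] >= (2, 1):
            p["htx"] = True  # announcement: no way to disable HTX in 2.1+
        elif p["htx"] is None or p["h2_server"] or p["l7_retry"]:
            p["htx"] = True  # announcement: 2.0 default, and forced by server H2 / L7 retries
    return proxies


def assess(cfg_text, version_text):
    """'fixed', 'unknown-branch', 'upgrade-required' (HTX in use, no workaround),
    'exposed-legacy' (non-HTX but H2 offered on a bind line) or 'legacy-no-h2'."""
    version = parse_version(version_text)
    fixed = version_is_fixed(version)
    if fixed:
        return "fixed"
    if fixed is None:
        return "unknown-branch"
    proxies = scan_config(cfg_text, version)
    if any(p["htx"] for p in proxies):
        return "upgrade-required"
    if any(p["h2_bind"] for p in proxies):
        return "exposed-legacy"
    return "legacy-no-h2"


# Constructed sample configuration (not taken from the page).
SAMPLE_CFG = """\
global
defaults
    mode http
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_app
backend be_app
    no option http-use-htx
    server app1 10.0.0.11:8080 check
"""
# HTX disabled for every proxy via defaults, then additionally no H2 offered.
LEGACY_CFG = SAMPLE_CFG.replace("    mode http\n", "    mode http\n    no option http-use-htx\n")
LEGACY_NO_H2_CFG = LEGACY_CFG.replace(" alpn h2,http/1.1", "")
```

Note how SAMPLE_CFG on 2.0.13 still comes out as "upgrade-required": the backend has HTX off but the frontend inherits the 2.0 default, which is the "in every proxy" caveat from the announcement. The verdicts are deliberately conservative and only say whether the announcement's workaround applies; the answer in every case remains to upgrade.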
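The PROXY protocol TLV bug listed in both announcements above is a bounds mistake: TLVs were looked up beyond the length the v2 header declares, i.e. inside the application payload, which is attacker-controlled and could therefore be made to look like a TLV. The parser below is an added example, not haproxy's or Dovecot's code, showing the check a receiver needs: addresses and TLVs are only ever read from the declared `length` bytes, a TLV whose own length overruns the header is rejected as truncated, and the payload is handed back untouched. The sample header, the TLV-shaped bytes at the start of the constructed payload, and all names are mine.

```python
"""Minimal PROXY protocol v2 receiver that reads TLVs only from the bytes the
header declares. Added example, not haproxy code; names are mine."""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_ALPN, PP2_TYPE_AUTHORITY, PP2_TYPE_NOOP, PP2_TYPE_UNIQUE_ID = 0x01, 0x02, 0x04, 0x05
ADDR_BLOCK = {0x11: (socket.AF_INET, 4), 0x21: (socket.AF_INET6, 16)}  # TCP/IPv4, TCP/IPv6


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v2(data):
    """Parse the v2 header at the start of `data`; return (info, payload).
    TLVs are taken from header[addr_len:length] and never from the payload,
    and a TLV whose declared size overruns the header is rejected."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ProxyHeaderError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported version %d" % (ver_cmd >> 4))
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated header: declares %d bytes" % length)
    header, payload = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL", "src": None, "dst": None, "tlvs": []}
    pos = 0
    if info["command"] == "PROXY":
        if fam_proto not in ADDR_BLOCK:
            raise ProxyHeaderError("unsupported family/protocol 0x%02x" % fam_proto)
        af, n = ADDR_BLOCK[fam_proto]
        pos = 2 * n + 4
        if length < pos:
            raise ProxyHeaderError("declared length shorter than the address block")
        sport, dport = struct.unpack("!HH", header[2 * n:pos])
        info["src"] = (socket.inet_ntop(af, header[:n]), sport)
        info["dst"] = (socket.inet_ntop(af, header[n:2 * n]), dport)
    while pos < len(header):  # bounded by the declared length, not by len(data)
        if len(header) - pos < 3:
            raise ProxyHeaderError("truncated TLV header")
        t, l = struct.unpack("!BH", header[pos:pos + 3])
        if pos + 3 + l > len(header):
            raise ProxyHeaderError("truncated TLV: type 0x%02x declares %d bytes" % (t, l))
        info["tlvs"].append((t, header[pos + 3:pos + 3 + l]))
        pos += 3 + l
    return info, payload


def get_tlv(info, tlv_type):
    """First TLV value of the given type, or None."""
    return next((v for t, v in info["tlvs"] if t == tlv_type), None)


def rejects(data):
    """True when parse_proxy_v2() refuses `data`."""
    try:
        parse_proxy_v2(data)
        return False
    except ProxyHeaderError:
        return True


def build_proxy_v2(src, dst, tlvs=()):
    """Build a TCP/IPv4 PROXY v2 header (test-input helper, not a full sender)."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])
    for t, v in tlvs:
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


# Constructed samples. The application payload deliberately starts with bytes
# shaped like an AUTHORITY TLV: a receiver that keeps scanning past `length`
# would pick it up instead of, or in addition to, the real one.
FAKE_TLV = struct.pack("!BH", PP2_TYPE_AUTHORITY, 16) + b"attacker.example"
PAYLOAD = FAKE_TLV + b"GET / HTTP/1.0\r\n\r\n"
SAMPLE = build_proxy_v2(("203.0.113.7", 40000), ("198.51.100.1", 443),
                        [(PP2_TYPE_AUTHORITY, b"shop.example")]) + PAYLOAD
# Header whose last TLV declares 20 bytes while only 5 remain in the header.
TRUNCATED = (PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, 12 + 3 + 5)
             + build_proxy_v2(("203.0.113.7", 40000), ("198.51.100.1", 443))[16:]
             + struct.pack("!BH", PP2_TYPE_AUTHORITY, 20) + b"short")
```

The two length checks are the whole point: the outer one (have we received the declared header at all) and the inner one (does this TLV fit in what is left of the header). Anything after `16 + length` is payload and must not influence what the proxy logs or forwards as connection metadata.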
[PATCH] Converter to support Financial eXchange protocol
Hi here,

These patches introduce a few functions to the ist API and also a converter to validate a FIX message and to extract data from a FIX payload.

Thanks to Christopher for his help during this dev.

Baptiste

From 4e9de7128c7065dc01b423dcce13b18487f1f353 Mon Sep 17 00:00:00 2001 From: Baptiste Assmann Date: Tue, 17 Mar 2020 10:18:41 +0100 Subject: [PATCH 4/4] MINOR: conv: parses Financial Information eXchange messages This patch implements a couple of converters to validate and extract data from a FIX message. The validation consists in a few checks such as mandatory fields and checksum computation. The extraction can get any tag value based on a tag string or tag id. --- doc/configuration.txt | 36 include/proto/fix.h | 200 ++ include/types/fix.h | 55 src/sample.c | 72 +++ 4 files changed, 363 insertions(+) create mode 100644 include/proto/fix.h create mode 100644 include/types/fix.h diff --git a/doc/configuration.txt b/doc/configuration.txt index 8347e8a4d..81b53c59f 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -13926,6 +13926,42 @@ field(,[,]) str(f1_f2_f3__f5),field(-2,_,3) # f2_f3_ str(f1_f2_f3__f5),field(-3,_,0) # f1_f2_f3 +fix_tag_value() + Parses a FIX (Financial Information eXchange) message and extracts the value + from the tag . + can be a string or an integer pointing to the desired tag. Any integer + value is accepted, but only the following strings are translated into their + integer equivalent: BeginString, BodyLength, MsgType, SenderComID, + TagetComID, CheckSum. If more are needed, we can add them in proto/fix.h + easily. + + Note: only the first message sent by the client and the server can be parsed. + + Example: + tcp-request inspect-delay 10s + acl data_in_buffer req.len gt 10 + # MsgType tag ID is 35, so both lines below will return the same content + tcp-request content set-var(txn.foo) req.payload(0,0),fix_tag_value(35) \ + if data_in_buffer + tcp-request content set-var(txn.bar) req.payload(0,0),fix_tag_value(MsgType) \ + if data_in_buffer + +fix_validate + Parses a binary payload and performs sanity checks regarding FIX (Financial + Information eXchange): + - checks the BeginString tag + - checks that all tag IDs are well numeric + - checks that last tag in the message is the CheckSum one + - validate the checksum is right + + This converter returns a boolean, true if the payload contains a valid FIX + message, right if not. + + Example: + tcp-request inspect-delay 10s + acl data_in_buffer req.len gt 10 + tcp-request content reject if data_in_buffer !{ req.payload(0,0),fix_validate } + hex Converts a binary input sample to a hex string containing two hex digits per input byte. It is used to log or transfer hex dumps of some binary input data diff --git a/include/proto/fix.h b/include/proto/fix.h new file mode 100644 index 0..e7b8cf5ac --- /dev/null +++ b/include/proto/fix.h 
@@ -0,0 +1,200 @@ +/* + * include/proto/fix.h + * This file contains functions and macros declarations for FIX protocol decoding. + * + * Copyright 2020 Baptiste Assmann + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation, version 2.1 + * exclusively. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef _PROTO_FIX_H +#define _PROTO_FIX_H + +#include +#include + +#include + + +/* + * Return a FIX tag ID ptr from if one found, NULL if not. + * + * full list of tag ID available here, just in case we need to support more "string" equivalent in the future: + * https://www.onixs.biz/fix-dictionary/4.2/fields_by_tag.html + */ +static inline struct ist fix_tagid(struct ist tag) +{ + if (istisnumeric(tag)) + return tag; + + else if (strcasecmp(tag.ptr, "BeginString") == 0) + return FIX_TAG_BeginString; + + else if (strcasecmp(tag.ptr, "BodyLength") == 0) + return FIX_TAG_BodyLength; + + else if (strcasecmp(tag.ptr, "CheckSum") == 0) + return FIX_TAG_CheckSum; + + else if (strcasecmp(tag.ptr, "MsgType") == 0) + return FIX_TAG_MsgType; + + else if (strcasecmp(tag.ptr, "SenderComID") == 0) + return FIX_TAG_SenderComID; + + else if (strcasecmp(tag.ptr, "TagetComID") == 0) + return FIX_TAG_TargetComID; + + return IST_NULL; +} + +/* + * Parse a FIX message and return the value of . + * + *
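Review bot: in the doc/configuration.txt hunk, the fix_validate example rejects on a partial read: `acl data_in_buffer req.len gt 10` becomes true as soon as 11 bytes have arrived, so a legitimate client whose first message is still in flight fails the checksum check and is rejected. Gate the reject on the complete message being present (for instance on the CheckSum tag being visible, or on req.len covering BodyLength), otherwise the example teaches a self-inflicted denial of service. In the same hunk, "right if not" in the fix_validate description should read "false if not", "checks that all tag IDs are well numeric" should read "checks that all tag IDs are numeric", and the tag names offered to fix_tag_value() are spelled SenderComID and TagetComID while the FIX field names are SenderCompID (tag 49) and TargetCompID (tag 56); a user copying the real names from a FIX dictionary would get no match.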
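Review bot: in the include/proto/fix.h hunk, fix_tagid() calls strcasecmp(tag.ptr, "BeginString") and friends on a struct ist, but an ist is a pointer plus a length and is not guaranteed to be NUL-terminated, so the comparison can read past tag.len when the tag comes from a buffer rather than a literal; compare with the ist helpers instead (isteqi(tag, ist("BeginString"))) or use strncasecmp() with tag.len and an explicit length check. The same function matches the misspelled "TagetComID" and "SenderComID" while returning FIX_TAG_TargetComID; the lookup keys should be the real field names TargetCompID and SenderCompID, with the doc hunk updated to match.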
[PATCH] assorted typo fixes (6th iteration)
Hello, ongoing typo fixes. Ilya Shipitcin From f0ba77f8d64c301ac8877e3d2850a7966acea658 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Thu, 2 Apr 2020 15:25:26 +0500 Subject: [PATCH] CLEANUP: assorted typo fixes in the code and comments This is sixth iteration of typo fixes --- contrib/debug/flags.c | 2 +- src/acl.c | 4 ++-- src/cache.c| 6 +++--- src/cfgparse.c | 4 ++-- src/flt_spoe.c | 8 src/h2.c | 6 +++--- src/http_ana.c | 24 src/lb_map.c | 2 +- src/listener.c | 4 ++-- src/mux_fcgi.c | 10 +- src/stream_interface.c | 2 +- 11 files changed, 36 insertions(+), 36 deletions(-) diff --git a/contrib/debug/flags.c b/contrib/debug/flags.c index d966650ee..ca7584e32 100644 --- a/contrib/debug/flags.c +++ b/contrib/debug/flags.c @@ -434,7 +434,7 @@ int main(int argc, char **argv) if (!value) break; - /* skip common leading delimitors that slip from copy-paste */ + /* skip common leading delimiters that slip from copy-paste */ while (*value == ' ' || *value == '\t' || *value == ':' || *value == '=') value++; diff --git a/src/acl.c b/src/acl.c index 1e32271be..f3d7af789 100644 --- a/src/acl.c +++ b/src/acl.c @@ -503,7 +503,7 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list * expr->kw, file, line); trash.area[trash.size - 1] = '\0'; - /* Create new patern reference. */ + /* Create new pattern reference. */ ref = pat_ref_newid(unique_id, trash.area, PAT_REF_ACL); if (!ref) { memprintf(err, "memory error"); @@ -521,7 +521,7 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list * /* Compatibility layer. Each pattern can parse only one string per pattern, * but the pat_parser_int() and pat_parse_dotted_ver() parsers were need - * optionnaly two operators. The first operator is the match method: eq, + * optionally two operators. The first operator is the match method: eq, * le, lt, ge and gt. pat_parse_int() and pat_parse_dotted_ver() functions * can have a compatibility syntax based on ranges: * 
diff --git a/src/cache.c b/src/cache.c index 7d53b2d5d..3b248ef46 100644 --- a/src/cache.c +++ b/src/cache.c @@ -520,7 +520,7 @@ static void cache_free_blocks(struct shared_block *first, struct shared_block *b } /* - * This fonction will store the headers of the response in a buffer and then + * This function will store the headers of the response in a buffer and then * register a filter to store the data */ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px, @@ -822,7 +822,7 @@ static size_t htx_cache_dump_msg(struct appctx *appctx, struct htx *htx, unsigne goto add_data_blk; } - /* Get info of the next HTX block. May be splitted on 2 shblk */ + /* Get info of the next HTX block. May be split on 2 shblk */ sz = MIN(4, shctx->block_size - offset); memcpy((char *), (const char *)shblk->data + offset, sz); offset += sz; @@ -888,7 +888,7 @@ static void http_cache_io_handler(struct appctx *appctx) if (unlikely(si->state == SI_ST_DIS || si->state == SI_ST_CLO)) goto out; - /* Check if the input buffer is avalaible. */ + /* Check if the input buffer is available. */ if (!b_size(>buf)) { si_rx_room_blk(si); goto out; diff --git a/src/cfgparse.c b/src/cfgparse.c index 9b4a0be37..993496192 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -91,7 +91,7 @@ * Check RFC 2246 (TLSv1.0) sections A.3 and A.4 for details. */ const char sslv3_client_hello_pkt[] = { - "\x16"/* ContentType : 0x16 = Hanshake */ + "\x16"/* ContentType : 0x16 = Handshake */ "\x03\x00"/* ProtocolVersion : 0x0300 = SSLv3*/ "\x00\x79"/* ContentLength : 0x79 bytes after this one */ "\x01"/* HanshakeType: 0x01 = CLIENT HELLO */ 
@@ -3830,7 +3830,7 @@ out_uri_auth_compat: * maximize the work at once, but in multi-process we want to keep * some fairness between processes, so we target half of the max * number of events to be balanced over all the processes the proxy - * is bound to. Rememeber that maxaccept = -1 must be kept as it is + * is bound to. Remember that maxaccept = -1 must be kept as it is * used to disable the limit. */ if (listener->maxaccept > 0 && nbproc > 1) { diff --git a/src/flt_spoe.c b/src/flt_spoe.c index 57c224644..9db2baa15 100644 --- a/src/flt_spoe.c +++ b/src/flt_spoe.c @@ -252,7 +252,7 @@ static const char *spoe_appctx_state_str[SPOE_APPCTX_ST_END+1] = { #endif /* Used to generates a unique id for an engine. On success, it returns a - * allocated string. So it is the caller's reponsibility to release it. If the + * allocated string. So it is the caller's responsibility to release it. If the * allocation
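Review bot: in the src/cfgparse.c hunk that changes "Hanshake" to "Handshake" in the ContentType comment of sslv3_client_hello_pkt, the very next context line still reads `"\x01"/* HanshakeType: 0x01 = CLIENT HELLO */`; fix that occurrence in the same hunk so the typo does not need a seventh iteration.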
Re: [PATCH] ignore setsockopt return value in src/fd.c
forgot to attach the patch itself ))

Thu, 2 Apr 2020 at 15:04, Ilya Shipitsin:
> Hello,
>
> this patch should resolve https://github.com/haproxy/haproxy/issues/553
>
> Cheers,
> Ilya Shipitcin
>

From 36dec6691e98dd92760c1434411aab207e43b93b Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Thu, 2 Apr 2020 15:02:08 +0500 Subject: [PATCH] CLEANUP: src/fd.c: mask setsockopt with DISGUISE we do not care of what is returned, let static analyzers to know that --- src/fd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/fd.c b/src/fd.c index d026b15ee..1934bd0e7 100644 --- a/src/fd.c +++ b/src/fd.c @@ -314,8 +314,8 @@ static void fd_dodelete(int fd, int do_close) if (fdtab[fd].linger_risk) { /* this is generally set when connecting to servers */ - setsockopt(fd, SOL_SOCKET, SO_LINGER, - (struct linger *) , sizeof(struct linger)); + DISGUISE(setsockopt(fd, SOL_SOCKET, SO_LINGER, + (struct linger *) , sizeof(struct linger))); } if (cur_poller.clo) cur_poller.clo(fd); -- 2.25.1
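Review bot: in the fd_dodelete() hunk, the `(struct linger *)` cast on the option value is redundant, since setsockopt() takes a `const void *`; as both lines are being rewritten anyway, drop it so the DISGUISE() call fits on one line. The commit message should also say why ignoring the result is acceptable here rather than "we do not care of what is returned": DISGUISE() only hides the return value from static analyzers and does not change behaviour, which is fine because setting SO_LINGER on a socket that is about to be closed is best-effort.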
[PATCH] ignore setsockopt return value in src/fd.c
Hello, this patch should resolve https://github.com/haproxy/haproxy/issues/553 Cheers, Ilya Shipitcin
Re: SameSite=None for persistent session cookie, problem with old browsers
Hi.

On 02.04.20 09:36, Matthias Zepf wrote:
> Hi, for a client we develop a web shop application that handles payment by redirecting the user to a page of a payment service provider. After successful (or failed) payment the user is redirected back to our application with a post request. With Chrome 80 this began to be a problem because on cross-domain post requests the cookies are no longer transmitted. This can be fixed by setting SameSite=None on the cookies, what we did (also for the haproxy persistent session cookie) and it works fine. But there is a new problem: old browsers, especially Safari on macOS < 10.15 and iOS < 13. These browsers do not know of the value "None" for parameter "SameSite" and treat unknown values as "Strict". So, no cookies for these browsers on the cross-domain post request. For the web application we fixed this by adding 2 cookies, one with SameSite=None and another ("legacy" cookie) without SameSite parameter. Any ideas on how to handle this problem for haproxy?

Just an idea. You can try to use 2 backends as the cookie statement can be set per backend.

use_backend legacy_clients if { req.hdr(user-agent) -m sub ios }   # or whatever the UA string is
use_backend new_clients if !{ req.hdr(user-agent) -m sub ios }     # or whatever the UA string is

Examples are from here https://www.haproxy.com/blog/introduction-to-haproxy-acls/

This will be changed when the UA is gone, which is the plan from google.
https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/
https://wicg.github.io/ua-client-hints/

> Thanks Matthias

Regards
Aleks
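The two approaches discussed in this thread, the application's "legacy twin" cookie and Aleks's User-Agent based split, both hinge on knowing which clients mishandle SameSite=None. The code below is an added example, not haproxy's code and not the shop application's: it classifies a User-Agent using the client list Chromium published for this problem (iOS 12, Safari and embedded WebKit on macOS 10.14, Chrome 51 to 66, UC Browser before 12.13.2), emits either one UA-dependent Set-Cookie or the detection-free pair, and reads the session back from whichever twin the browser returned. The function names, the cookie names and the sample User-Agent strings are mine; the "-legacy" suffix is an assumption about how the twin is named.

```python
"""SameSite=None compatibility by User-Agent, and the two-cookie ("legacy"
twin) pattern from the thread above. Added example, not haproxy code; the
client list follows the one Chromium published for this problem (iOS 12,
Safari and embedded WebKit on macOS 10.14, Chrome 51-66, UC Browser before
12.13.2). Names and sample User-Agent strings are mine."""
import re

_IOS_RE = re.compile(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/")
_MACOS_RE = re.compile(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/")
_MAC_EMBEDDED_RE = re.compile(
    r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)$")
_CHROMIUM_RE = re.compile(r"Chrom(?:e|ium)")
_CHROMIUM_VER_RE = re.compile(r"Chrom[^ /]+/(\d+)[.\d]* ")
_UC_RE = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)[.\d]* ")
_SAFARI_RE = re.compile(r"Version/.* Safari/")


def has_webkit_samesite_bug(ua):
    """WebKit builds that treat SameSite=None as SameSite=Strict."""
    m = _IOS_RE.search(ua)
    if m and int(m.group(1)) == 12:
        return True
    m = _MACOS_RE.search(ua)
    on_macos_1014 = bool(m) and (int(m.group(1)), int(m.group(2))) == (10, 14)
    is_safari = _SAFARI_RE.search(ua) is not None and _CHROMIUM_RE.search(ua) is None
    return on_macos_1014 and (is_safari or _MAC_EMBEDDED_RE.search(ua) is not None)


def drops_unrecognised_samesite(ua):
    """Clients that discard a cookie carrying a SameSite value they do not know."""
    m = _UC_RE.search(ua)
    if m:
        return tuple(int(g) for g in m.groups()) < (12, 13, 2)
    m = _CHROMIUM_VER_RE.search(ua)
    return m is not None and 51 <= int(m.group(1)) <= 66


def samesite_none_incompatible(ua):
    return has_webkit_samesite_bug(ua) or drops_unrecognised_samesite(ua)


def set_cookie_for_ua(name, value, ua, path="/"):
    """Detection-based variant: one Set-Cookie, SameSite=None only where it is understood."""
    base = "%s=%s; Path=%s; Secure" % (name, value, path)
    return base if samesite_none_incompatible(ua) else base + "; SameSite=None"


def set_cookie_pair(name, value, path="/"):
    """Detection-free variant (what the application in the thread does): emit the
    cookie twice, with SameSite=None and as a '-legacy' twin without it."""
    return ["%s=%s; Path=%s; Secure; SameSite=None" % (name, value, path),
            "%s-legacy=%s; Path=%s; Secure" % (name, value, path)]


def session_from_cookies(name, cookie_header):
    """Accept either twin on the way back; the SameSite=None one wins if both arrive."""
    jar = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return jar.get(name) or jar.get(name + "-legacy")


# Constructed User-Agent strings for the cases above.
UA_IOS12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
UA_IOS13 = UA_IOS12.replace("OS 12_1", "OS 13_3").replace("Version/12.0", "Version/13.0.4")
UA_SAFARI_1014 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
UA_CHROME80_1014 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
UA_CHROME60_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
UA_UC_12132 = ("Mozilla/5.0 (Linux; U; Android 9; en-US; SM-G960F Build/PPR1.180610.011) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 "
               "UCBrowser/12.13.2.1208 Mobile Safari/537.36")
```

The detection-free pair is the more robust choice because it does not depend on the User-Agent header at all, which matters given the plan to freeze that header mentioned above; the price is a second cookie on every response. Whichever variant is used, both cookies must stay Secure, since SameSite=None is only accepted on secure cookies.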
SameSite=None for persistent session cookie, problem with old browsers
Hi, for a client we develop a web shop application that handles payment by redirecting the user to a page of a payment service provider. After successful (or failed) payment the user is redirected back to our application with a post request. With Chrome 80 this began to be a problem because on cross-domain post requests the cookies are no longer transmitted. This can be fixed by setting SameSite=None on the cookies, what we did (also for the haproxy persistent session cookie) and it works fine. But there is a new problem: old browsers, especially Safari on macOS < 10.15 and iOS < 13. These browsers do not know of the value “None” for parameter “SameSite” and treat unknown values as “Strict”. So, no cookies for these browsers on the cross-domain post request. For the web application we fixed this by adding 2 cookies, one with SameSite=None and another (“legacy” cookie) without SameSite parameter. Any ideas on how to handle this problem for haproxy? Thanks Matthias