Re: Log Backend call

2020-04-18 Thread Aleksandar Lazic
I have created an issue for this.

https://github.com/haproxy/haproxy/issues/589

On 19.04.20 00:15, Aleksandar Lazic wrote:
> Hi.
> 
> I haven't seen any option to log the request after the `http-request set-...`
> phase.
> 
> Is this covered in %HP or is this the request from the client?
> 
> That's the code and it looks to me that this isn't set after the rewrite 
> phase.
> 
> http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/log.c;hb=dfad6a41ad9f012671b703788dd679cf24eb8c5a#l2693
> 
> The use case is that I need to know how the http request looks to the backend 
> after the backend.
> 
> A tcpdump isn't possible because the backend is a TLS one.
> 
> It would also be nice to have a similar output in debug mode, as there is for the
> client request.
> 
> ```
> 
> 0002:https-in.accept(0009)=002b from [:::Client-IP:34452] ALPN=h2
> 0002:https-in.clireq[002b:]: GET 
> https://DOMAIN.com/img/logo-entrypages.png HTTP/2.0
> 0002:https-in.clihdr[002b:]: user-agent: curl/7.65.3
> 0002:https-in.clihdr[002b:]: accept: */*
> 0002:https-in.clihdr[002b:]: host: DOMAIN.com
> 
> Suggested output after rewrite
> 
> 0002:https-out.connect(0010)=002b from [:::DEST-IP:DEST-PORT] ALPN=h1
> 0002:https-out.srvreq[002b:]: GET 
> https://REWRITTEN.com/NEW_PATH/img/logo-entrypages.png HTTP/2.0
> 0002:https-out.srvhdr[002b:]: user-agent: curl/7.65.3
> 0002:https-out.srvhdr[002b:]: accept: */*
> 0002:https-out.srvhdr[002b:]: host: REWRITTEN.com
> 
> 0002:be_static.srvrep[002b:002c]: HTTP/1.1 401 Unauthorized
> 0002:be_static.srvhdr[002b:002c]: content-length: 131
> 0002:be_static.srvhdr[002b:002c]: content-type: text/html; charset=UTF-8
> 0002:be_static.srvhdr[002b:002c]: www-authenticate: Swift realm="Client"
> 0002:be_static.srvhdr[002b:002c]: www-authenticate: Keystone 
> uri="https://auth.cloud.ovh.net/;
> 0002:be_static.srvhdr[002b:002c]: x-trans-id: tx011f76ce9d9f43a09dcea-...
> 0002:be_static.srvhdr[002b:002c]: x-openstack-request-id: 
> tx011f76ce9d9f43a09dcea-...
> 0002:be_static.srvhdr[002b:002c]: date: Sat, 18 Apr 2020 21:59:48 GMT
> 0002:be_static.srvhdr[002b:002c]: x-iplb-instance: ...
> 0002:be_static.srvcls[002b:002c]
> 0002:be_static.clicls[002b:002c]
> 0002:be_static.closed[002b:002c]
> 
> ```
> 
> Opinions?
> 
> Regards
> 
> Aleks
> 




Log Backend call

2020-04-18 Thread Aleksandar Lazic
Hi.

I haven't seen any option to log the request after the `http-request set-...`
phase.

Is this covered in %HP or is this the request from the client?

That's the code and it looks to me that this isn't set after the rewrite phase.

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/log.c;hb=dfad6a41ad9f012671b703788dd679cf24eb8c5a#l2693

The use case is that I need to know how the http request looks to the backend 
after the backend.

A tcpdump isn't possible because the backend is a TLS one.

It would also be nice to have a similar output in debug mode, as there is for the
client request.

```

0002:https-in.accept(0009)=002b from [:::Client-IP:34452] ALPN=h2
0002:https-in.clireq[002b:]: GET 
https://DOMAIN.com/img/logo-entrypages.png HTTP/2.0
0002:https-in.clihdr[002b:]: user-agent: curl/7.65.3
0002:https-in.clihdr[002b:]: accept: */*
0002:https-in.clihdr[002b:]: host: DOMAIN.com

Suggested output after rewrite

0002:https-out.connect(0010)=002b from [:::DEST-IP:DEST-PORT] ALPN=h1
0002:https-out.srvreq[002b:]: GET 
https://REWRITTEN.com/NEW_PATH/img/logo-entrypages.png HTTP/2.0
0002:https-out.srvhdr[002b:]: user-agent: curl/7.65.3
0002:https-out.srvhdr[002b:]: accept: */*
0002:https-out.srvhdr[002b:]: host: REWRITTEN.com

0002:be_static.srvrep[002b:002c]: HTTP/1.1 401 Unauthorized
0002:be_static.srvhdr[002b:002c]: content-length: 131
0002:be_static.srvhdr[002b:002c]: content-type: text/html; charset=UTF-8
0002:be_static.srvhdr[002b:002c]: www-authenticate: Swift realm="Client"
0002:be_static.srvhdr[002b:002c]: www-authenticate: Keystone 
uri="https://auth.cloud.ovh.net/;
0002:be_static.srvhdr[002b:002c]: x-trans-id: tx011f76ce9d9f43a09dcea-...
0002:be_static.srvhdr[002b:002c]: x-openstack-request-id: 
tx011f76ce9d9f43a09dcea-...
0002:be_static.srvhdr[002b:002c]: date: Sat, 18 Apr 2020 21:59:48 GMT
0002:be_static.srvhdr[002b:002c]: x-iplb-instance: ...
0002:be_static.srvcls[002b:002c]
0002:be_static.clicls[002b:002c]
0002:be_static.closed[002b:002c]

```

Opinions?

Regards

Aleks



New color on www.haproxy.org

2020-04-18 Thread Aleksandar Lazic
Hi.

I like the new table on https://www.haproxy.org/ . The colors now show much more
clearly which version is in which state ;-)

Regards

Aleks



Re: [PATCH] MINOR: version: Show uname output in display_version()

2020-04-18 Thread Willy Tarreau
Hi Tim,

On Sat, Apr 18, 2020 at 04:02:47PM +0200, Tim Duesterhus wrote:
> Willy,
> 
> because we ask for the `uname -a` output on the bug tracker, users sometimes
> forget to give all the requested information and I'm tired of always having
> to redact my machine names, I thought I'd combine the `haproxy -vv + uname -a`
> into just `uname -a` by adding the results of uname(2) to the version
> information within `haproxy -vv`. My understanding is that the uname(2)
> behavior is defined in POSIX, thus I expect this to be portable.

I think it's an excellent idea, I've just merged it.

Thanks!
Willy



[PATCH] MINOR: version: Show uname output in display_version()

2020-04-18 Thread Tim Duesterhus
Willy,

because we ask for the `uname -a` output on the bug tracker, users sometimes
forget to give all the requested information and I'm tired of always having
to redact my machine names, I thought I'd combine the `haproxy -vv + uname -a`
into just `uname -a` by adding the results of uname(2) to the version
information within `haproxy -vv`. My understanding is that the uname(2)
behavior is defined in POSIX, thus I expect this to be portable.

Best regards
Tim Düsterhus

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
This patch adds the sysname, release, version and machine fields from
the uname results to the version output. It intentionally leaves out the
machine name, because it is usually not useful and users might not want to
expose their machine names for privacy reasons.

May be backported if it is considered useful for debugging.
---
 src/haproxy.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/src/haproxy.c b/src/haproxy.c
index d01ddfdab..60db73502 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -46,6 +46,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
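Review bot: the added `#include` line carries no header name as rendered, so the include cannot be checked against the code that follows; the POSIX header that declares `struct utsname` and uname(2) is `<sys/utsname.h>`, so please confirm that is what the line adds (the names of the neighbouring includes are missing from this rendering as well).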
@@ -541,6 +542,8 @@ void hap_register_per_thread_free(int (*fct)())
 
 static void display_version()
 {
+   struct utsname utsname;
+
printf("HA-Proxy version %s %s - https://haproxy.org/\n;
   PRODUCT_STATUS "\n", haproxy_version, haproxy_date);
 
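Review bot: the local variable `utsname` is named identically to its struct tag in `struct utsname utsname;`; that is legal C but easy to misread, and a distinct name such as `uts` or `un` would keep the type and the variable visually apart in the `printf` below.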
@@ -563,6 +566,10 @@ static void display_version()
else
printf("Known bugs: " PRODUCT_URL_BUGS "\n", 
base_version);
}
+   
+   if (uname() == 0) {
+   printf("Running on: %s %s %s %s\n", utsname.sysname, 
utsname.release, utsname.version, utsname.machine);
+   }
 }
 
 static void display_build_opts()
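Review bot: `if (uname() == 0)` passes no argument, but uname(2) takes a `struct utsname *`, so this must read `uname(&utsname)`; the `&utsname` has probably been swallowed as an HTML entity in this rendering, so please confirm the original. The added blank line `+   ` carries trailing whitespace and should be empty. Note also that `utsname.machine` printed here is the hardware type (e.g. the architecture), not a host name; the field the commit message says it intentionally leaves out is `nodename`, so the message would be more precise with that word.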
-- 
2.26.1




Re: Problem with crl certificate

2020-04-18 Thread Marco Corte

Hi!

On 17/04/20 18:43, Davide Guarneri wrote:
> crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem
> verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem


I would verify how the certificates and the keys are placed in the files.

/etc/haproxy/ssl/cert.pem must contain "both the required certificates 
and any associated private keys. [...] If your CA requires an 
intermediate certificate, this can also be concatenated into this file." 
(from HAProxy documentation)


The client certificate is checked against the signature of the CAs 
defined in /etc/haproxy/ssl/ca-chain.cert.pem


Moreover, it is checked whether the client certificate is listed in the
certificate revocation list in /etc/haproxy/ssl/intermediate.crl.pem


Hope this helps
Ciao!

.marcoc
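One way to do the file-layout check Marco suggests, as an added example that is not part of this thread: a stdlib-only inventory of the PEM blocks in each of the three files (crt, ca-file, crl-file), run here over constructed placeholder bundles instead of the real paths. It only checks which block types are present and that BEGIN/END pairs match; signature and chain validation is still `openssl verify`'s job.

```python
import re
from typing import List

# One PEM block; BEGIN and END labels are captured separately so a truncated or
# badly concatenated file (mismatched pair) can be reported instead of ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text: str) -> List[str]:
    """Return the block labels of a PEM file in order; reject BEGIN/END mismatches."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) != m.group(2):
            raise ValueError(f"BEGIN {m.group(1)} closed by END {m.group(2)}")
        labels.append(m.group(1))
    return labels

def check_bundle(role: str, text: str) -> List[str]:
    """Report layout problems for a file used as crt, ca-file or crl-file."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    problems = []
    if role == "crt":  # server cert + its private key (+ optional intermediates)
        if certs == 0:
            problems.append("crt: no CERTIFICATE block")
        if keys != 1:
            problems.append(f"crt: expected one private key, found {keys}")
    elif role == "ca-file":  # trust anchors used to verify client certificates
        if certs == 0:
            problems.append("ca-file: no CERTIFICATE block")
        if keys:
            problems.append("ca-file: contains a private key; only CA certs belong here")
    elif role == "crl-file":  # revocation list consulted after chain validation
        if "X509 CRL" not in labels:
            problems.append("crl-file: no X509 CRL block")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems

def _block(label: str) -> str:
    # Constructed placeholder block: the body is filler, not real key material.
    return f"-----BEGIN {label}-----\nTUlJQnBsYWNlaG9sZGVy\n-----END {label}-----\n"

# Constructed sample files standing in for the three paths in the thread.
CRT_OK = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("RSA PRIVATE KEY")
CRT_NO_KEY = _block("CERTIFICATE")
CA_WITH_KEY = _block("CERTIFICATE") + _block("PRIVATE KEY")
CRL_OK = _block("X509 CRL")
```

Run it against the real files by reading them into `check_bundle` with the matching role; an empty list means the layout matches what the `crt`, `ca-file` and `crl-file` keywords expect.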



Re: HAProxy concurrent HTTP query limit based on header

2020-04-18 Thread Jarno Huuskonen
Hi,

On Fri, 2020-04-17 at 20:22 +0200, Olivier D wrote:
> Hello everyone,
> I would like to implement a "max concurrent connection" in HAProxy.
> This is easy to do at TCP level:
> 
> stick-table  type ipv6 size 100k  expire 30s  store conn_cur
> http-request track-sc0 src
> http-request deny deny_status 429 if { src_conn_cur ge 20 }
> 
> But now, I want to do the same for concurrent HTTP queries, based on
> header 'X-Forwarded-For'. For example, I want to send a 429 error
> code if someone is sending an HTTP query when he already has 20
> ongoing.
> 
> My first tries are based on something like this:
> 
> stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
> http-request track-sc0 req.hdr( X-Forwarded-For )

Does it work if you use:
http-request track-sc0 req.hdr_ip(X-Forwarded-For)
(https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.6-req.hdr_ip)

Do you get any entries in the stick-table (`show table ...` command on the
stats socket)?

-Jarno

> http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> 
> but it doesn't seem to work the way I want ...

-- 
Jarno Huuskonen