Re: [PATCH] MINOR: support for http-request set-timeout client

2023-09-27 Thread Christopher Faulet

On 27/09/2023 at 16:43, Vladimir Vdovin wrote:
> Added set-timeout for frontend side of session, so it can be used to set
> custom per-client timeouts if needed. Added cur_client_timeout to fetch
> client timeout samples.


Thanks Vladimir! The patch is merged now.

--
Christopher Faulet




Re: haproxy.org bug pages broken (missing html headers and footer?)

2023-09-27 Thread Willy Tarreau
Hi Lukas,

On Wed, Sep 27, 2023 at 09:49:53PM +, Lukas Tribus wrote:
> Hello,
> 
> looks like the bug pages are broken; they contain the table of bugs
> but there is really no formatting happening and it appears the entire
> HTML header and footer is missing:
> 
> Example:
> http://www.haproxy.org/bugs/bugs-2.4.html
> http://www.haproxy.org/bugs/bugs-2.6.2.html

Argh, thanks for notifying us! Haproxy dev5 crashed leaving a huge core
that filled the FS (I hope it's complete, not checked yet), and the cron
job that rebuilds the bugs page miserably failed as you can see :-/

That's now fixed, thank you!
Willy



Session means differently between frontend and backends?

2023-09-27 Thread Abhijeet Rastogi
Hi HAProxy community,

As a new user of HAproxy, I'm puzzled by the definition of "sessions"
in HAproxy. I can't seem to find it anywhere in docs.

Test setup:-

- HAproxy instance with one frontend, one backend and a stats frontend.
- Backend connects to a custom Go program that supports persistent connections.
- Load-testing program "hey" doing "1 req per sec" over "1 tcp connection".

Full configs are available here:
https://gist.github.com/shadyabhi/fc511449600092364b08e58e2b07079f

After 10s of starting the experiment, this is what I see on stats page:-

- On "http frontend", the stats page shows "0 session rate", which
makes sense because "hey" is reusing TCP connections for multiple HTTP
requests.
- On "default_backend backend", it appears that the session is
incremented on each HTTP transaction. Wait, doesn't a session on frontend
mean the same session at backend?
- Session reuse seems to be 90%, so it's unlikely that the backend is
creating a new TCP connection (aka session??) to serve every request
initiated by "hey".

I see sessions being used here
(https://www.haproxy.com/documentation/hapee/latest/configuration/variables/syntax/#scoping),
and it seems to suggest that session signifies a "tcp session". That
holds true for frontend, but not for backend as per the above
experiment. So, what really is a session?

Stats page link:
https://gist.github.com/shadyabhi/fc511449600092364b08e58e2b07079f

-- 
Cheers,
Abhijeet (https://abhi.host)



OCSP update restarts all proxies

2023-09-27 Thread Shawn Heisey

The haproxy -vv output is at the end of this message.

I got the built-in OCSP updating mechanism working.  Works beautifully.

Today I discovered that once an hour when the OCSP gets updated, haproxy 
stops all its proxies and starts them back up. syslog:


Sep 27 15:00:01 - haproxy[3520801] Proxy web80 stopped (cumulated conns: FE: 42, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy web stopped (cumulated conns: FE: 1403, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_deny stopped (cumulated conns: FE: 0, BE: 122).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi1_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi2_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_raspi3_81 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_smeagol_81 stopped (cumulated conns: FE: 0, BE: 700).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_plex_32400_tls stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_gitlab_8881 stopped (cumulated conns: FE: 0, BE: 235).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_gitlab2_8881 stopped (cumulated conns: FE: 0, BE: 180).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_artifactory_8082 stopped (cumulated conns: FE: 0, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_zabbix_81 stopped (cumulated conns: FE: 0, BE: 969).
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.668] /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.795] /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.944] /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 2
Sep 27 15:00:02 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.998] /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 2

The really irritating effect is that once an hour, my Zabbix server 
records an event saying haproxy has been restarted:


https://imgur.com/a/WPkKoFa
(imgur will claim the image has mature content.  it doesn't.)

It looks like the only thing that resets back to zero on the stats page 
is the uptime in the "status" column for each backend.  That's good 
news, but I would hope for none of the data to be reset.


I have one big concern, which may be unfounded:  I'm worried that the 
proxies going down will mean that in-flight connections will be 
terminated.  I'm guessing that the work for seamless reloads will ensure 
that doesn't happen, I just want to be sure.


Not knowing a lot about how haproxy is architected, I do not know if 
there is some reason that the backends have to be cycled.  Seems like 
only frontends that listen with TLS would need that.  I would hope it 
would be possible to even avoid that ... maybe have OCSP data be copied 
from a certain memory location every time a frontend needs it, and when 
OCSP gets updated, overwrite the data in that memory location in a 
thread-safe way.  I know a fair amount about thread safety in Java, but 
nothing about it in C.


Final questions for today:

1) Can the OCSP update interval be changed?  I don't recall exactly what 
the validity for a LetsEncrypt OCSP response is, but I know it was at 
least 24 hours, and I think it might have even been as long as a week. I 
would like to increase the interval to 8-12 hours if I can.


2) There are two certs being used in my setup, and haproxy logs updates 
for both of them twice.  I would have hoped for that to only happen 
once.  I'm a bit mystified by the fact that it is done twice.  I would 
have expected either one time or four times ... I have one frontend that 
listens with TLS, with four bind lines all using exactly the same 
certificate list.  (one TCP, and three UDP)



-
HAProxy version 2.8.3-0499db-3 2023/09/14 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 
2028.

Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html
Running on: Linux 6.1.0-1022-oem #22-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 
6 08:19:34 UTC 2023 x86_64

Build options :
  TARGET  = linux-glibc
  CPU = native
  CC  = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
-Wnull-dereference -fwrapv -Wno-address-of-packed-member 
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type 
-Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 
USE_PCRE2_JIT=1

  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY 
+CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE 
-LIBATOMIC +LIBCR
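
Added example, not part of the original message: a Python script that groups the syslog lines quoted in the message above by emitting process ID, showing which PID logged the "stopped" events and which PIDs logged an OCSP update for each certificate. The regular expressions are written against the lines as they appear in that message (an assumption about the format), the sample is a subset of those lines, and all function names are illustrative.

```python
import re
from collections import defaultdict

# Sample: a subset of the lines quoted in the message, with wrapped lines re-joined.
SAMPLE_LOG = """\
Sep 27 15:00:01 - haproxy[3520801] Proxy web80 stopped (cumulated conns: FE: 42, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy web stopped (cumulated conns: FE: 1403, BE: 0).
Sep 27 15:00:01 - haproxy[3520801] Proxy be_zabbix_81 stopped (cumulated conns: FE: 0, BE: 969).
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.668] /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3545799] -:- [27/Sep/2023:15:00:01.795] /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 1
Sep 27 15:00:01 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.944] /etc/ssl/certs/local/REDACTED_org.wildcards.combined.pem 1 "Update successful" 0 2
Sep 27 15:00:02 - haproxy[3520801] -:- [27/Sep/2023:15:00:01.998] /etc/ssl/certs/local/REDACTED2.com.wildcards.combined.pem 1 "Update successful" 0 2
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ haproxy\[(?P<pid>\d+)\] (?P<msg>.*)$")
STOPPED = re.compile(r"^Proxy (?P<proxy>\S+) stopped \(cumulated conns: FE: \d+, BE: \d+\)\.$")
# Update lines as quoted; one optional token between timestamp and path is tolerated.
OCSP = re.compile(r'^\S+ \[[^\]]+\]\s+(?:\S+\s+)?(?P<cert>/\S+) \d+ "[^"]*" (?P<counters>\d+ \d+)$')

def summarize(log_text):
    """Return {pid: {"stopped": [proxy, ...], "ocsp": {cert: [counters, ...]}}}."""
    by_pid = defaultdict(lambda: {"stopped": [], "ocsp": defaultdict(list)})
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a haproxy syslog line
        pid, msg = int(m["pid"]), m["msg"]
        if (s := STOPPED.match(msg)):
            by_pid[pid]["stopped"].append(s["proxy"])
        elif (o := OCSP.match(msg)):
            by_pid[pid]["ocsp"][o["cert"]].append(o["counters"])
    return by_pid

def pids_stopping_proxies(by_pid):
    """PIDs that logged at least one 'Proxy ... stopped' line."""
    return sorted(pid for pid, ev in by_pid.items() if ev["stopped"])

def pids_updating_each_cert(by_pid):
    """Map each certificate path to the sorted PIDs that logged an update for it."""
    seen = defaultdict(set)
    for pid, ev in by_pid.items():
        for cert in ev["ocsp"]:
            seen[cert].add(pid)
    return {cert: sorted(pids) for cert, pids in seen.items()}

if __name__ == "__main__":
    events = summarize(SAMPLE_LOG)
    print("PIDs logging stopped proxies:", pids_stopping_proxies(events))
    print("PIDs logging OCSP updates per cert:", pids_updating_each_cert(events))
```
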

Re: haproxy.org bug pages broken (missing html headers and footer?)

2023-09-27 Thread Artur

Hello,

And https://www.haproxy.org/bugs/index.html is an empty document.
There is a link for it on haproxy.org home page (as Known bugs).

On 27/09/2023 at 23:49, Lukas Tribus wrote:
> Hello,
>
> looks like the bug pages are broken; they contain the table of bugs
> but there is really no formatting happening and it appears the entire
> HTML header and footer is missing:
>
> Example:
> http://www.haproxy.org/bugs/bugs-2.4.html
> http://www.haproxy.org/bugs/bugs-2.6.2.html
>
>
> BR,
>
> Lukas


--
Best regards,
Artur




haproxy.org bug pages broken (missing html headers and footer?)

2023-09-27 Thread Lukas Tribus
Hello,

looks like the bug pages are broken; they contain the table of bugs
but there is really no formatting happening and it appears the entire
HTML header and footer is missing:

Example:
http://www.haproxy.org/bugs/bugs-2.4.html
http://www.haproxy.org/bugs/bugs-2.6.2.html


BR,

Lukas



Global Sources Consumer Electronics Show 2023

2023-09-27 Thread Ariana Reed
Hi there,
I am pleased to inform you that Formilux - Global Sources Consumer Electronics 
Show 2023 Email list is available for the purchase with total 27417 Contacts at 
unlimited usage.
Please let me know if you are interested. So, that I will get back to you with 
the pricing and other information ASAP.
Your prompt reply would be appreciated.
Many thanks,
Ariana Reed - Demand Generation



[PATCH] MINOR: support for http-request set-timeout client

2023-09-27 Thread Vladimir Vdovin
Added set-timeout for frontend side of session, so it can be used to set
custom per-client timeouts if needed. Added cur_client_timeout to fetch
client timeout samples.
---
 doc/configuration.txt  | 17 +---
 include/haproxy/action-t.h |  1 +
 include/haproxy/action.h   |  6 +--
 reg-tests/http-set-timeout/set_timeout.vtc | 46 +-
 src/action.c   | 43 +---
 src/http_act.c | 13 +-
 src/stream.c   | 16 
 7 files changed, 105 insertions(+), 37 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 37f62da33..e98f571f3 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7010,7 +7010,7 @@ http-request  [options...] [ { if | unless } 
 ]
 - set-query 
 - set-src 
 - set-src-port 
-- set-timeout { server | tunnel } {  |  }
+- set-timeout { client | server | tunnel } {  |  }
 - set-tos 
 - set-uri 
 - set-var([,...]) 
@@ -7925,10 +7925,10 @@ http-request set-src-port  [ { if | unless } 
 ]
   the address family supports a port, otherwise it forces the source address to
   IPv4 "0.0.0.0" before rewriting the port.
 
-http-request set-timeout { server | tunnel } {  |  }
+http-request set-timeout { client | server | tunnel } {  |  }
[ { if | unless }  ]
 
-  This action overrides the specified "server" or "tunnel" timeout for the
+  This action overrides the specified "client", "server" or "tunnel" timeout 
for the
   current stream only. The timeout can be specified in millisecond or with any
   other unit if the number is suffixed by the unit as explained at the top of
   this document. It is also possible to write an expression which must returns
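Review bot: the reworded sentence in the set-timeout description ('This action overrides the specified "client", "server" or "tunnel" timeout for the') is now longer than the neighbouring lines of the paragraph; please re-wrap the paragraph so the documentation keeps its line width. While this text is being touched, "which must returns" in the last context line could be corrected to "which must return".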
@@ -7936,8 +7936,8 @@ http-request set-timeout { server | tunnel } {  
|  }
 
   Note that the server/tunnel timeouts are only relevant on the backend side
   and thus this rule is only available for the proxies with backend
-  capabilities. Also the timeout value must be non-null to obtain the expected
-  results.
+  capabilities. As well as client timeout is only relevant for frontend side.
+  Also the timeout value must be non-null to obtain the expected results.
 
   Example:
 http-request set-timeout tunnel 5s
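Review bot: in the note paragraph, the added sentence "As well as client timeout is only relevant for frontend side." follows text saying the rule "is only available for the proxies with backend capabilities", which no longer holds once "client" is accepted. Suggest rewriting the paragraph to state separately that the server/tunnel timeouts require backend capabilities and the client timeout requires frontend capabilities, and adding a "client" line next to the "tunnel" example shown in the context.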
@@ -20098,6 +20098,11 @@ cur_tunnel_timeout : integer
   In the default case, this will be equal to be_tunnel_timeout unless a
   "set-timeout" rule has been applied. See also "be_tunnel_timeout".
 
+cur_client_timeout : integer
+  Returns the currently applied client timeout in millisecond for the stream.
+  In the default case, this will be equal to fe_client_timeout unless a
+  "set-timeout" rule has been applied. See also "fe_client_timeout".
+
 dst : ip
   This is the destination IP address of the connection on the client side,
   which is the address the client connected to. Any tcp/http rules may alter
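Review bot: cur_client_timeout is inserted after the cur_tunnel_timeout description and just before dst; if this list of sample fetches is kept in alphabetical order, the new entry belongs ahead of the other cur_*_timeout entries rather than after cur_tunnel_timeout.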
@@ -20353,7 +20358,7 @@ fe_name : string
 
 fe_client_timeout : integer
   Returns the configuration value in millisecond for the client timeout of the
-  current frontend.
+  current frontend. This timeout can be overwritten by a "set-timeout" rule.
 
 res.timer.data : integer
   this is the total transfer time of the response payload till the last byte
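Review bot: in the fe_client_timeout entry, 'This timeout can be overwritten by a "set-timeout" rule' reads as if the rule changed the value this fetch returns, while the entry itself says it returns the configuration value of the current frontend. Suggest wording along the lines of: the timeout applied to the current stream may be overridden by a "set-timeout" rule, see "cur_client_timeout".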
diff --git a/include/haproxy/action-t.h b/include/haproxy/action-t.h
index 7fafd612a..f77bdce5f 100644
--- a/include/haproxy/action-t.h
+++ b/include/haproxy/action-t.h
@@ -99,6 +99,7 @@ enum act_name {
 enum act_timeout_name {
ACT_TIMEOUT_SERVER,
ACT_TIMEOUT_TUNNEL,
+   ACT_TIMEOUT_CLIENT,
 };
 
 enum act_normalize_uri {
diff --git a/include/haproxy/action.h b/include/haproxy/action.h
index 8a35664f4..9511448e5 100644
--- a/include/haproxy/action.h
+++ b/include/haproxy/action.h
@@ -102,10 +102,8 @@ int check_trk_action(struct act_rule *rule, struct proxy 
*px, char **err);
  */
 int check_capture(struct act_rule *rule, struct proxy *px, char **err);
 
-int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout,
-   enum act_timeout_name *name,
-   struct sample_expr **expr, char **err,
-   const char *file, int line, struct arg_list 
*al);
+int cfg_parse_rule_set_timeout(const char **args, int idx, struct act_rule 
*rule,
+struct 
proxy *px, char **err);
 
 static inline void release_timeout_action(struct act_rule *rule)
 {
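Review bot: the new cfg_parse_rule_set_timeout() prototype drops the out_timeout, name, expr, file, line and al parameters in favour of rule and px, but nothing in this header says which fields of the rule the function fills in or where the file and line used for error reporting now come from. Please add a short comment above the prototype describing the new contract, so callers do not have to read the implementation in src/action.c.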
diff --git a/reg-tests/http-set-timeout/set_timeout.vtc 
b/reg-tests/http-set-timeout/set_timeout.vtc
index ebaa6a3b4..6fa0a35f1 100644
--- a/reg-tests/http-set-timeout/set_timeout.vtc
+++ b/reg-tests/http-set-timeout/set_timeout.vtc
@@ -4,7 +4,7 @@ feature ignore_unknown_macro
 
 #REQUIRE_VERSION=2.4
 
-server srv_h1 -repeat 3 {
+server srv_h1 -repeat 5 {
 rxreq
 txresp
 } -start
@@ -24,6 +2

Formilux - Global Sources Consumer Electronics Show 2023

2023-09-27 Thread Annabelle Ross
Hi there,
I am pleased to inform you that Global Sources Consumer Electronics Show 2023 
Email list is available for the purchase with total 60,137 Contacts at 
unlimited usage.
Please let me know if you are interested. So, that I will get back to you with 
the pricing and other information ASAP.
Your prompt reply would be appreciated.
Many thanks,
Annabelle Ross - Demand Generation