From: Willy Tarreau Date: Tue, 2 Feb 2016 17:50:47 +0000 (+0100) Subject: BUG/MEDIUM: http-reuse: do not share private connections across backends X-Git-Tag: v1.7-dev2~126 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53f9685b7288e78c80dea4741a6952809ba90c0f;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: http-reuse: do not share private connections across backends When working on the previous bug, it appeared that it the case that was triggering the bug would also work between two backends, one of which doesn't support http-reuse. The reason is that while the idle connection is moved to the private pool, upon reuse we only check if it holds the CO_FL_PRIVATE flag. And we don't set this flag when there's no reuse. So let's always set it in this case, it will guarantee that no undesired connection sharing may happen. This fix must be backported to 1.6. --- diff --git a/src/proto_http.c b/src/proto_http.c index 2f76afe022..247c3b6120 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -5257,6 +5257,10 @@ void http_end_txn_clean_session(struct stream *s) srv_conn->flags |= CO_FL_PRIVATE; } + /* Never ever allow to reuse a connection from a non-reuse backend */ + if (srv_conn && (be->options & PR_O_REUSE_MASK) == PR_O_REUSE_NEVR) + srv_conn->flags |= CO_FL_PRIVATE; + if (fe->options2 & PR_O2_INDEPSTR) s->si[1].flags |= SI_FL_INDEP_STR; @@ -5292,8 +5296,7 @@ void http_end_txn_clean_session(struct stream *s) srv = objt_server(srv_conn->target); if (!srv) si_idle_conn(&s->si[1], NULL); - else if ((srv_conn->flags & CO_FL_PRIVATE) || - ((be->options & PR_O_REUSE_MASK) == PR_O_REUSE_NEVR)) + else if (srv_conn->flags & CO_FL_PRIVATE) si_idle_conn(&s->si[1], &srv->priv_conns); else if (prev_flags & TX_NOT_FIRST) /* note: we check the request, not the connection, but