From: Willy Tarreau Date: Fri, 12 Feb 2021 10:14:35 +0000 (+0100) Subject: BUG/MEDIUM: config: don't pick unset values from last defaults section X-Git-Tag: v2.4-dev8~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=937c3ead34becd6851572a8280831d760f612a09;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: config: don't pick unset values from last defaults section Since commit 1.3.14 with commit 1fa3126ec ("[MEDIUM] introduce separation between contimeout, and tarpit + queue"), check_config_validity() looks at the last defaults section to update all proxies' queue and tarpit timeouts if they were not set! This was apparently an attempt to properly set them on the fallback values, except that the fallback values were taken from the default proxy before looking at the current proxy itself. The worst part of it is that it might have randomly worked by accident for some configurations when there was a single defaults section, but has certainly caused too short queue expirations once another defaults section was added later in the file with these explicitly defined. Let's remove the defproxy part and keep only the curproxy ones. This could be backported everywhere, the bug has been there for 13 years. --- diff --git a/src/cfgparse.c b/src/cfgparse.c index 0dcb0a11ca..83530ae4ba 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -2998,33 +2998,10 @@ out_uri_auth_compat: * We must still support older configurations, so let's find out whether those * parameters have been set or must be copied from contimeouts. */ - if (curproxy != &defproxy) { - if (!curproxy->timeout.tarpit || - curproxy->timeout.tarpit == defproxy.timeout.tarpit) { - /* tarpit timeout not set. We search in the following order: - * default.tarpit, curr.connect, default.connect. - */ - if (defproxy.timeout.tarpit) - curproxy->timeout.tarpit = defproxy.timeout.tarpit; - else if (curproxy->timeout.connect) - curproxy->timeout.tarpit = curproxy->timeout.connect; - else if (defproxy.timeout.connect) - curproxy->timeout.tarpit = defproxy.timeout.connect; - } - if ((curproxy->cap & PR_CAP_BE) && - (!curproxy->timeout.queue || - curproxy->timeout.queue == defproxy.timeout.queue)) { - /* queue timeout not set. We search in the following order: - * default.queue, curr.connect, default.connect. - */ - if (defproxy.timeout.queue) - curproxy->timeout.queue = defproxy.timeout.queue; - else if (curproxy->timeout.connect) - curproxy->timeout.queue = curproxy->timeout.connect; - else if (defproxy.timeout.connect) - curproxy->timeout.queue = defproxy.timeout.connect; - } - } + if (!curproxy->timeout.tarpit) + curproxy->timeout.tarpit = curproxy->timeout.connect; + if ((curproxy->cap & PR_CAP_BE) && !curproxy->timeout.queue) + curproxy->timeout.queue = curproxy->timeout.connect; if ((curproxy->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_TCP_RS)) { ha_warning("config : %s '%s' uses tcp-check rules without 'option tcp-check', so the rules are ignored.\n",