Willy Tarreau [Wed, 6 Jun 2012 23:03:16 +0000 (01:03 +0200)]
MEDIUM: stats/cli: add support for "set table key" to enter values
This is used to enter values for stick tables. The most likely usage
is to set gpc0 for a specific IP address in order to block traffic
for abusers without having to reload. Since all data types are
supported, other usages are possible (eg: replace a users's assigned
server).
Willy Tarreau [Wed, 6 Jun 2012 21:37:08 +0000 (23:37 +0200)]
MINOR: stats/cli: add plans to support more stick-table actions
Right now we only support show/clear on a table. In order to introduce
the "set" keyword we need to get rid of the "show" boolean arg. There
is no functional change up to this commit.
Willy Tarreau [Thu, 30 Aug 2012 20:52:28 +0000 (22:52 +0200)]
BUG: stktable: tcp_src_to_stktable_key() must return NULL on invalid families
Source addresses of non-TCP families were not correctly handled by
tcp_src_to_stktable_key() as it forgot to return NULL and instead left
the previous value in the stick-table buffer.
This bug is 1.5-specific and was introduced by commit 4f92d320 in 1.5-dev6
so it does not need any backport.
BUG/MINOR: polling: some events were not set in various pollers
fdtab[].ev was only set in ev_sepoll. Unfortunately, some I/O handling
functions now rely on this, so depending on the polling mechanism, some
useless operations might have been performed, such as performing a useless
recv() when a HUP was reported.
This is a very old issue, the flags were only added to the fdtab and not
propagated into any poller. Then they were used in ev_sepoll which needed
them for the cache. It is unsure whether a backport to 1.4 is appropriate
or not.
BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
Commit fa7e1025 (1.3.16-rc1) introduced a minor bug by comparing req->flags
with BF_READ_ERROR instead of checking for the bit. The result is that the
error message is always returned even in case of client error. This has no
real impact but this must be fixed.
Willy Tarreau [Mon, 18 Jun 2012 18:01:30 +0000 (20:01 +0200)]
OPTIM: i386: make use of kernel-mode-linux when available
If haproxy is built with support for USE_VSYSCALL_DLSYM, it's very
easy to check for KML availability. So let's enable it. Tests show
a small overall performance improvement around 1%. Other tests show
that the syscall overhead is divided by 4 on a Geode LX using this
method.
MEDIUM: pattern: add the "base" sample fetch method
This one returns the concatenation of the first Host header entry with
the path. It can make content-switching rules easier, help with fighting
DDoS on certain URLs and improve shared caches efficiency.
MINOR: replace acl_fetch_{path,url}* with smp_fetch_*
Doing so allows us to support sticking on URL, URL's IP, URL's port and
path.
Both fetch functions should be improved to support an optional depth
allowing to stick to a server depending on just a few directory
components. This would help with portals, some prefetch-capable
caches and with outgoing connections using multiple internet links.
Vincent Bernat [Wed, 27 Jun 2012 15:18:30 +0000 (17:18 +0200)]
DOC: specify the default value for maxconn in the context of a proxy
Default value for maxconn in the context of a proxy is 2000 and is
unrelated to any other value (like global ulimit-n or global
maxconn). Without an explicit a user may think that the default value
is either no limit or equal to the global maxconn value.
Willy Tarreau [Fri, 15 Jun 2012 06:02:34 +0000 (08:02 +0200)]
BUG/MINOR: ACL implicit arguments must be created with unresolved flag
Commit 496aa0 fixed a design issue by adding an "unresolved" flag to the
ACL arguments. Unfortunately this unresolved flag was not set when building
the fake argument some ACL need when using an implicit argument pointing to
the local proxy.
Special thanks to Michael Kearey who reported the issue with a reproducer
and the commit introducing the bug.
Willy Tarreau [Tue, 12 Jun 2012 07:16:56 +0000 (09:16 +0200)]
OPTIM: halog: improve cold-cache behaviour when loading a file
Using posix_fadvise() it is possible to tell the system that we're
going to read a whole file at once. The kernel then doubles the
read-ahead size for this file. On Linux with an SSD, this has improved
cold-cache performance by around 20%. Hot-cache is not affected at all.
Willy Tarreau [Tue, 12 Jun 2012 06:52:22 +0000 (08:52 +0200)]
OPTIM: halog: make use of memchr() on platforms which provide a fast one
glibc-2.11 on x86_64 provides a machine-specific memchr() which is faster
than the generic C implementation by around 40%, so let's make it possible
to use it instead of the hand-coded version.
Willy Tarreau [Sat, 9 Jun 2012 13:43:36 +0000 (15:43 +0200)]
BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches
Otherwise we end up comparing the byte past the end, resulting
in duplicate values still being inserted into the tree even if
undesired.
This generally has low impact, though it can sometimes cause one new entry
to be added next to an existing one for stick tables, preventing the results
from being merged.
Willy Tarreau [Sat, 9 Jun 2012 07:44:03 +0000 (09:44 +0200)]
MINOR: halog: use the more recent dual-mode fgets2 implementation
This version implements both 32 and 64 bit versions at once, it
avoids the need to have two separate output files. It also improves
efficiency on i386 platforms by adding a little bit of assembly where
gcc isn't efficient.
Willy Tarreau [Fri, 8 Jun 2012 20:57:36 +0000 (22:57 +0200)]
MEDIUM: fd/si: move peeraddr from struct fdinfo to struct connection
The destination address is purely a connection thing and not an fd thing.
It's also likely that later the address will be stored into the connection
and linked to by the SI.
struct fdinfo only keeps the pointer to the port range and the local port
for now. All of this also needs to move to the connection but before this
the release of the port range must move from fd_delete() to a new function
dedicated to the connection.
Willy Tarreau [Wed, 6 Jun 2012 14:07:00 +0000 (16:07 +0200)]
BUG/MAJOR: cookie prefix doesn't support cookie-less servers
Commit 827aee91 merged in 1.5-dev5 introduced a regression causing
the srv pointer to be tested twice instead of srv then srv->cookie.
The result is that if a server has no cookie in prefix mode, haproxy
will crash when trying to modify it.
Such a config is very unlikely to happen, except maybe with a backup
server, which would cause haproxy to die with the last server in the
farm.
Willy Tarreau [Sun, 3 Jun 2012 22:43:45 +0000 (00:43 +0200)]
[RELEASE] Released version 1.5-dev11
Released version 1.5-dev11 with the following main changes :
- BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations
- BUG/MAJOR: trash must always be the size of a buffer
- DOC: fix minor regex example issue and improve doc on stats
- MINOR: stream_interface: add a pointer to the listener for TARG_TYPE_CLIENT
- MEDIUM: protocol: add a pointer to struct sock_ops to the listener struct
- MINOR: checks: add on-marked-up option
- MINOR: balance uri: added 'whole' parameter to include query string in hash calculation
- MEDIUM: stream_interface: remove the si->init
- MINOR: buffers: add a rewind function
- BUG/MAJOR: fix regression on content-based hashing and http-send-name-header
- MAJOR: http: stop using msg->sol outside the parsers
- CLEANUP: http: make it more obvious that msg->som is always null outside of chunks
- MEDIUM: http: get rid of msg->som which is not used anymore
- MEDIUM: http: msg->sov and msg->sol will never wrap
- BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set
- BUG/MINOR: stop connect timeout when connect succeeds
- REORG: move the send-proxy code to tcp_connect_write()
- REORG/MINOR: session: detect the TCP monitor checks at the protocol accept
- MINOR: stream_interface: introduce a new "struct connection" type
- REORG/MINOR: stream_interface: move si->fd to struct connection
- REORG/MEDIUM: stream_interface: move applet->state and private to connection
- MINOR: stream_interface: add a data channel close function
- MEDIUM: stream_interface: call si_data_close() before releasing the si
- MINOR: peers: use the socket layer operations from the peer instead of sock_raw
- BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect
- MINOR: add a new function call tracer for debugging purposes
- BUG/MINOR: perform_http_redirect also needs to rewind the buffer
- BUG/MAJOR: b_rew() must pass a signed offset to b_ptr()
- BUG/MEDIUM: register peer sync handler in the proper order
- BUG/MEDIUM: buffers: fix bi_putchr() to correctly advance the pointer
- BUG/MINOR: fix option httplog validation with TCP frontends
- BUG/MINOR: log: don't report logformat errors in backends
- REORG/MINOR: use dedicated proxy flags for the cookie handling
- BUG/MINOR: config: do not report twice the incompatibility between cookie and non-http
- MINOR: http: add support for "httponly" and "secure" cookie attributes
- BUG/MEDIUM: ensure that unresolved arguments are freed exactly once
- BUG/MINOR: commit 196729ef used wrong condition resulting in freeing constants
- MEDIUM: stats: add support for soft stop/soft start in the admin interface
- MEDIUM: stats: add the ability to kill sessions from the admin interface
- BUILD: add support for linux kernels >= 2.6.28
Willy Tarreau [Sun, 3 Jun 2012 22:26:23 +0000 (00:26 +0200)]
MEDIUM: stats: add the ability to kill sessions from the admin interface
It was not possible to kill remaining sessions from the admin interface,
which is annoying especially when switching to maintenance mode. Now it's
possible.
Justin Karneges [Thu, 24 May 2012 22:28:52 +0000 (15:28 -0700)]
MINOR: checks: add on-marked-up option
This implements the feature discussed in the earlier thread of killing
connections on backup servers when a non-backup server comes back up. For
example, you can use this to route to a mysql master & slave and ensure
clients don't stay on the slave after the master goes from down->up. I've done
some minimal testing and it seems to work.
[WT: added session flag & doc, moved the killing after logging the server UP,
and ensured that the new server is really usable]
Willy Tarreau [Fri, 1 Jun 2012 08:38:29 +0000 (10:38 +0200)]
BUG/MEDIUM: ensure that unresolved arguments are freed exactly once
When passing arguments to ACLs and samples, some types are stored as
strings then resolved later after config parsing is done. Upon exit,
the arguments need to be freed only if the string was not resolved
yet. At the moment we can encounter double free during deinit()
because some arguments (eg: userlists) are freed once as their own
type and once as a string.
The solution consists in adding an "unresolved" flag to the args to
say whether the value is still held in the <str> part or is final.
This could be debugged thanks to a useful bug report from Sander Klein.
Willy Tarreau [Thu, 31 May 2012 19:02:17 +0000 (21:02 +0200)]
MINOR: http: add support for "httponly" and "secure" cookie attributes
httponly This option tells haproxy to add an "HttpOnly" cookie attribute
when a cookie is inserted. This attribute is used so that a
user agent doesn't share the cookie with non-HTTP components.
Please check RFC6265 for more information on this attribute.
secure This option tells haproxy to add a "Secure" cookie attribute when
a cookie is inserted. This attribute is used so that a user agent
never emits this cookie over non-secure channels, which means
that a cookie learned with this flag will be presented only over
SSL/TLS connections. Please check RFC6265 for more information on
this attribute.
Willy Tarreau [Thu, 31 May 2012 18:40:20 +0000 (20:40 +0200)]
REORG/MINOR: use dedicated proxy flags for the cookie handling
Cookies were mixed with many other options while they're not used as options.
Move them to a dedicated bitmask (ck_opts). This has released 7 flags in the
proxy options and leaves some room for new proxy flags.
Willy Tarreau [Thu, 31 May 2012 17:30:26 +0000 (19:30 +0200)]
BUG/MINOR: fix option httplog validation with TCP frontends
Option httplog needs to be checked only once the proxy has been validated,
so that its final mode (tcp/http) can be used. Also we need to check for
httplog before checking the log format, so that we can report a warning
about this specific option and not about the format it implies.
Willy Tarreau [Thu, 31 May 2012 14:37:11 +0000 (16:37 +0200)]
BUG/MEDIUM: buffers: fix bi_putchr() to correctly advance the pointer
bi_putchr() failed to move the buffer pointer forward. The only user
was the peer handler which was broken, it failed to sync. Thanks to
Hervé Commowick for reporting the issue.
Willy Tarreau [Thu, 31 May 2012 12:16:59 +0000 (14:16 +0200)]
BUG/MEDIUM: register peer sync handler in the proper order
Hervé Commowick reported a failure to resync upon restart caused by a
segfault on the old process. This is due to the data_ctx of the connection
being initialized after the stream interface.
Willy Tarreau [Thu, 31 May 2012 09:33:42 +0000 (11:33 +0200)]
BUG/MAJOR: b_rew() must pass a signed offset to b_ptr()
Commit 13e66da introduced b_rew() but passes -adv which is an unsigned
quantity on 64-bit platforms, causing the buffer to advance in the wrong
direction.
Willy Tarreau [Wed, 30 May 2012 05:59:54 +0000 (07:59 +0200)]
BUG/MINOR: perform_http_redirect also needs to rewind the buffer
Commit d1de8af362905d43bcd96e7522fcee62a93a53bf was incomplete, because
perform_http_redirect() also needs to rewind the buffer since it's called
after data are scheduled for forwarding.
Cyril Bonté [Tue, 29 May 2012 21:27:41 +0000 (23:27 +0200)]
BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations
When "option forwardfor" is enabled in a frontend that uses backends,
"if-none" ignores the header name provided in the frontend.
This prevents haproxy to add the X-Forwarded-For header if the option is not
used in the backend.
This may introduce security issues for servers/applications that rely on the
header provided by haproxy.
A minimal configuration which can reproduce the bug:
defaults
mode http
Willy Tarreau [Fri, 25 May 2012 21:53:16 +0000 (23:53 +0200)]
MINOR: add a new function call tracer for debugging purposes
This feature relies on GCC's ability to call helpers at function entry/exit
points. We define these helpers to quickly dump the minimum info into a trace
file that can be converted to a human readable format using a script in the
contrib/trace directory. This has only been implemented in the GNU makefile
for now on as it is unsure whether it's supported on all OSes.
The feature is enabled by building with "TRACE=1". The performance impact is
huge, so this feature should only be used when debugging. To limit the loss
of performance, fprintf() has been disabled and the output is hand-crafted
and emitted using fwrite(), resulting in doubling the performance. Using the
TSC instead of gettimeofday() also doubles the performance. Around 1200 conns/s
may be achieved on a Pentium-M 1.7 GHz which leads to around 50 MB/s of traces.
The entry and exits of all functions will be dumped into a file designated
by the HAPROXY_TRACE environment variable, or by default "trace.out". If the
trace file name is empty or "/dev/null", then traces are disabled. If
opening the trace file fails, then stderr is used. If HAPROXY_TRACE_FAST is
used, then the time is taken from the global <now> variable. Last, if
HAPROXY_TRACE_TSC is used, then the machine's TSC is used instead of the
real time (almost twice as fast).
A nice improvement would possibly consist in trying to get the function's
arguments in the stack and to dump a few more infor for some well-known
functions (eg: the session's status for process_session).
Willy Tarreau [Fri, 25 May 2012 05:41:38 +0000 (07:41 +0200)]
BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect
It happens that haproxy doesn't displace the task in the wait queue when
validating a connection, so if the check timeout is set to a smaller value
than timeout.connect, it will not strike before timeout.connect.
The bug is present at least in 1.4.15..1.4.21, so the fix must be backported.
Oskar Stolc [Sat, 19 May 2012 09:19:54 +0000 (10:19 +0100)]
MINOR: balance uri: added 'whole' parameter to include query string in hash calculation
This patch brings a new "whole" parameter to "balance uri" which makes
the hash work over the whole uri, not just the part before the query
string. Len and depth parameter are still honnored.
The reason for this new feature is explained below.
I have 3 backend servers, each accepting different form of HTTP queries:
Each backend server returns a different response based on either:
- the URI path (the left part of the URI before the question mark)
- the query string (the right part of the URI after the question mark)
- or the combination of both
I wanted to set up a common caching cluster (using 6 Squid servers, each
configured as reverse proxy for those 3 backends) and have HAProxy balance
the queries among the Squid servers based on URL. I also wanted to achieve
hight cache hit ration on each Squid server and send the same queries to
the same Squid servers. Initially I was considering using the 'balance uri'
algorithm, but that would not work as in case of backend2 all queries would
go to only one Squid server. The 'balance url_param' would not work either
as it would send the backend3 queries to only one Squid server.
So I thought the simplest solution would be to use 'balance uri', but to
calculate the hash based on the whole URI (URI path + query string),
instead of just the URI path.
Emeric Brun [Fri, 18 May 2012 16:30:29 +0000 (18:30 +0200)]
MEDIUM: protocol: add a pointer to struct sock_ops to the listener struct
The listener struct is now aware of the socket layer to use upon accept().
At the moment, only sock_raw is supported so this patch should not change
anything.
Emeric Brun [Fri, 18 May 2012 14:32:13 +0000 (16:32 +0200)]
MINOR: stream_interface: add a pointer to the listener for TARG_TYPE_CLIENT
When the target is a client, it will be convenient to have a pointer to the
original listener so that we can retrieve some configuration information at
the stream interface level.
Willy Tarreau [Mon, 21 May 2012 20:18:17 +0000 (22:18 +0200)]
MINOR: peers: use the socket layer operations from the peer instead of sock_raw
At the moment, all the peers are initialized to use sock_raw as the socket
layer, so use this info in peers_session_create() instead of the hard-coded
sock_raw.
Willy Tarreau [Mon, 21 May 2012 15:28:50 +0000 (17:28 +0200)]
MINOR: stream_interface: add a data channel close function
This function will be called later when splitting the shutdown in two
steps. It will be needed by SSL and for remote socket operations to
release unused contexts.
Willy Tarreau [Mon, 21 May 2012 15:09:48 +0000 (17:09 +0200)]
REORG/MEDIUM: stream_interface: move applet->state and private to connection
The state and the private pointer are not specific to the applets, since SSL
will require exactly both of them. Move them to the connection layer now and
rename them. We also now ensure that both are NULL on first call.
Willy Tarreau [Mon, 21 May 2012 14:31:45 +0000 (16:31 +0200)]
MINOR: stream_interface: introduce a new "struct connection" type
We start to move everything needed to manage a connection to a special
entity "struct connection". We have the data layer operations and the
control operations there. We'll also have more info in the future such
as file descriptors and applet contexts, so that in the end it becomes
detachable from the stream interface, which will allow connections to
be reused between sessions.
Willy Tarreau [Sun, 20 May 2012 17:22:25 +0000 (19:22 +0200)]
REORG/MINOR: session: detect the TCP monitor checks at the protocol accept
It does not make sense anymore to wait for a session creation to process
a TCP monitor check which only closes the connection and returns. Better
to process this immediately after the accept() return. It also saves us
from counting a connection for monitor checks, which is much more logical.
Willy Tarreau [Sun, 20 May 2012 16:35:19 +0000 (18:35 +0200)]
REORG: move the send-proxy code to tcp_connect_write()
It is much better and more efficient to consider that the send-proxy
feature is part of the protocol layer than part of the data layer.
Now the connection is considered established once the send-proxy line
has been sent.
This way the data layer doesn't have to care anymore about this specific
part.
The tcp_connect_write() function now automatically calls the data layer
write() function once the connection is established, which saves calls
to epoll_ctl/epoll_wait/process_session.
It's starting to look more and more obvious that tcp_connect_read() and
tcp_connect_write() are not TCP-specific but only socket-specific and as
such should probably move, along with some functions from protocol.c, to
a socket-specific file (eg: stream_sock).
It would be nice to be able to support autonomous listeners to parse the
proxy protocol before accepting a connection, so that we get rid of it
at the session layer and to support using these informations in the
tcp-request connection rules.
Willy Tarreau [Sun, 20 May 2012 08:38:46 +0000 (10:38 +0200)]
BUG/MINOR: stop connect timeout when connect succeeds
If the connect succeeds exactly at the same millisecond as the connect
timeout is supposed to strike, the timeout is still considered while
data may have already be sent. This results in a new connection attempt
with no data and with the response being lost.
Note that in practice the only real-world situation where this is observed
is when connect timeouts are extremely low, too low for safe operations.
This bug was encountered with a 1ms connect timeout.
It is also present on 1.4 and needs to be fixed there too.
Willy Tarreau [Sat, 19 May 2012 17:07:40 +0000 (19:07 +0200)]
BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set
David Touzeau reported that haproxy dies when a server is checked and is
used in a farm with only "option transparent" and no LB algo. This is
because the LB params are NULL, the functions should be checked before
being called.
The same bug is present in 1.4 so this patch must be backported.
Willy Tarreau [Fri, 18 May 2012 21:22:52 +0000 (23:22 +0200)]
MEDIUM: http: get rid of msg->som which is not used anymore
msg->som was zero before the body and was used to carry the beginning
of a chunk size for chunked-encoded messages, at a moment when msg->sol
is always zero.
Remove msg->som and replace it with msg->sol where needed.
Willy Tarreau [Fri, 18 May 2012 21:04:32 +0000 (23:04 +0200)]
CLEANUP: http: make it more obvious that msg->som is always null outside of chunks
Since the recent buffer reorg, msg->som is redundant with buf->p but still
appears at a number of places. This tiny patch allows to confirm that som
follows two states :
- 0 from the moment the message starts to be parsed
- relative offset to ->p for start of chunk when parsing chunks
During this second state, ->sol is never used, so we should probably merge
the two.
Willy Tarreau [Fri, 18 May 2012 20:36:34 +0000 (22:36 +0200)]
MAJOR: http: stop using msg->sol outside the parsers
This is a left-over from the buffer changes. Msg->sol is always null at the
end of the parsing, so we must not use it anymore to read headers or find
the beginning of a message. As a side effect, the dump of the request in
debug mode is working again because it was relying on msg->sol not being
null.
Maybe it will even be mergeable with another of the message pointers.
Willy Tarreau [Fri, 18 May 2012 20:12:14 +0000 (22:12 +0200)]
BUG/MAJOR: fix regression on content-based hashing and http-send-name-header
The recent split between the buffers and HTTP messages in 1.5-dev9 caused
a major trouble : in the past, we used to keep a pointer to HTTP data in the
buffer struct itself, which was the cause of most of the pain we had to deal
with buffers.
Now the two are split but we lost the information about the beginning of
the HTTP message once it's being forwarded. While it seems normal, it happens
that several parts of the code currently rely on this ability to inspect a
buffer containing old contents :
- balance uri
- balance url_param
- balance url_param check_post
- balance hdr()
- balance rdp-cookie()
- http-send-name-header
All these happen after the data are scheduled for being forwarded, which
also causes a server to be selected. So for a long time we've been relying
on supposedly sent data that we still had a pointer to.
Now that we don't have such a pointer anymore, we only have one possibility :
when we need to inspect such data, we have to rewind the buffer so that ->p
points to where it previously was. We're lucky, no data can leave the buffer
before it's being connecting outside, and since no inspection can begin until
it's empty, we know that the skipped data are exactly ->o. So we rewind the
buffer by ->o to get headers and advance it back by the same amount.
Proceeding this way is particularly important when dealing with chunked-
encoded requests, because the ->som and ->sov fields may be reused by the
chunk parser before the connection attempt is made, so we cannot rely on
them.
Also, we need to be able to come back after retries and redispatches, which
might change the size of the request if http-send-name-header is set. All of
this is accounted for by the output queue so in the end it does not look like
a bad solution.
Willy Tarreau [Fri, 18 May 2012 13:15:26 +0000 (15:15 +0200)]
MEDIUM: stream_interface: remove the si->init
Calling the init() function in sess_establish was a bad idea, it is
too late to allow it to fail on lack of resource and does not help at
all. Remove it for now before it's used.
BUG/MAJOR: trash must always be the size of a buffer
Before it was possible to resize the buffers using global.tune.bufsize,
the trash has always been the size of a buffer by design. Unfortunately,
the recent buffer sizing at runtime forgot to adjust the trash, resulting
in it being too short for content rewriting if buffers were enlarged from
the default value.
The bug was encountered in 1.4 so the fix must be backported there.
Willy Tarreau [Mon, 14 May 2012 05:26:56 +0000 (07:26 +0200)]
[RELEASE] Released version 1.5-dev10
Released version 1.5-dev10 with the following main changes :
- BUG/MINOR: stats admin: "Unexpected result" was displayed unconditionally
- BUG/MAJOR: acl: http_auth_group() must not accept any user from the userlist
- CLEANUP: auth: make the code build again with DEBUG_AUTH
- BUG/MEDIUM: config: don't crash at config load time on invalid userlist names
- REORG: use the name sock_raw instead of stream_sock
- MINOR: stream_interface: add a client target : TARG_TYPE_CLIENT
- BUG/MEDIUM: stream_interface: restore get_src/get_dst
- CLEANUP: sock_raw: remove last references to stream_sock
- CLEANUP: stream_interface: stop exporting socket layer functions
- MINOR: stream_interface: add an init callback to sock_ops
- MEDIUM: stream_interface: derive the socket operations from the target
- MAJOR: fd: remove the need for the socket layer to recheck the connection
- MINOR: session: call the socket layer init function when a session establishes
- MEDIUM: session: add support for tunnel timeouts
- MINOR: standard: add a new debug macro : fddebug()
- CLEANUP: fd: remove unused cb->b pointers in the struct fdtab
- OPTIM: proto_http: don't enable quick-ack on empty buffers
- OPTIM/MAJOR: ev_sepoll: process spec events after polled events
- OPTIM/MEDIUM: stream_interface: add a new SI_FL_NOHALF flag
Willy Tarreau [Sun, 13 May 2012 12:48:59 +0000 (14:48 +0200)]
OPTIM/MEDIUM: stream_interface: add a new SI_FL_NOHALF flag
This flag indicates that we're not interested in keeping half-open
connections on a stream interface. It has the benefit of allowing
the socket layer to cause an immediate write close when detecting
an incoming read close. This releases resources much faster and
saves one syscall (either a shutdown or setsockopt).
This flag is only set by HTTP on the interface going to the server
since we don't want to continue pushing data there when it has
closed.
Another benefit is that it responds with a FIN to a server's FIN
instead of responding with an RST as it used to, which is much
cleaner.
Performance gains of 7.5% have been measured on HTTP connection
rate on empty objects.
Willy Tarreau [Sun, 13 May 2012 07:42:26 +0000 (09:42 +0200)]
OPTIM/MAJOR: ev_sepoll: process spec events after polled events
A suboptimal behaviour was appearing quite often with sepoll. When a
speculative write failed after a connect(), the socket was added to
the poll list using epoll_ctl(ADD). Then when epoll_wait() returned a
write event, the send() was performed and write event disabled, causing
it to get back to the spec list in order to be disabled later. But if
some new accept() did succeed in the same run, then fd_created was not
null, causing a new run of the spec list to happen. This run would then
detect the old event in STOP state and would remove it from the poll
list using epoll_ctl(DEL).
After this, process_session() enables reading on the FD, attempting
an speculative recv() which fails then adds it again using epoll_ctl(ADD)
to do it again. So the total sequence of syscalls looked like this :
In order to fix this stupid situation, we must compute the epoll_ctl()
parameters at the last moment, just before doing epoll_wait(). This is
what was done except that the spec events were processed just before doing
that without leaving time for the tasks to adjust the FDs if needed. This
is also the reason we have the re_poll_once label to try to catch new
events in case of a successful accept().
This significantly reduces the number of iterations on the spec events
and avoids a huge number of epoll_ctl() ping/pongs. The new sequence
above simply becomes :
Also, there is no need to re-run the spec events after an accept() as
it will automatically be detected in the spec list after a return from
polled events.
The gains are important, with up to 4.5% global performance increase in
connection rate on HTTP with small objects. The code is less tricky and
does not need anymore to skip epoll_wait() every other call, nor to
track the number of FDs newly created.
Willy Tarreau [Sun, 13 May 2012 06:44:16 +0000 (08:44 +0200)]
OPTIM: proto_http: don't enable quick-ack on empty buffers
Commit 5e205524 was a bit overzealous by inconditionally enabling
quick ack when a request is not yet in the buffer, because it also
does so when nothing has been received yet, causing a useless ACK
to be emitted.
Improve the situation by doing this only if the input buffer is
empty (indicating that nothing was sent by the client).
In case of keep-alive, an empty buffer means we already have a
response in flight which will serve as an ACK.
Willy Tarreau [Sat, 12 May 2012 22:35:44 +0000 (00:35 +0200)]
CLEANUP: fd: remove unused cb->b pointers in the struct fdtab
These pointers were used to hold pointers to buffers in the past, but
since we introduced the stream interface, they're no longer used but
they were still sometimes set.
Removing them shrink the struct fdtab from 32 to 24 bytes on 32-bit machines,
and from 52 to 36 bytes on 64-bit machines, which is a significant saving. A
quick tests shows a steady 0.5% performance gain, probably due to the better
cache efficiency.
Willy Tarreau [Sat, 12 May 2012 22:21:17 +0000 (00:21 +0200)]
MINOR: standard: add a new debug macro : fddebug()
This macro is usable like printf but sends messages to fd #-1, which has no
visible effect but is easy to spot in strace. This is very useful to put
tracers at many points during debugging sessions.
Willy Tarreau [Sat, 12 May 2012 10:50:00 +0000 (12:50 +0200)]
MEDIUM: session: add support for tunnel timeouts
Tunnel timeouts are used when TCP connections are forwarded, or
when forwarding upgraded HTTP connections (WebSocket) as well as
CONNECT requests to proxies.
This timeout allows long-lived sessions to be supported without
having to set large timeouts to normal requests.
Willy Tarreau [Sat, 12 May 2012 06:08:09 +0000 (08:08 +0200)]
MINOR: session: call the socket layer init function when a session establishes
In sess_establish, once we've prepared everythin, we can call the socket layer
init function. We pass an argument for targets which have one (eg: servers). At
the moment, the existing socket layers don't have init functions, but SSL will
need one.
Willy Tarreau [Fri, 11 May 2012 17:53:32 +0000 (19:53 +0200)]
MAJOR: fd: remove the need for the socket layer to recheck the connection
Up to now, if an outgoing connection had no data to send, the socket layer
had to perform a connect() again to check for establishment. This is not
acceptable for SSL, and will cause problems with socketpair(). Some socket
layers will also need an initializer before sending data (eg: SSL).
The solution consists in moving the connect() test to the protocol layer
(eg: TCP) and to make it hold the fd->write callback until the connection
is validated. At this point, it will switch the write callback to the
socket layer's write function. In fact we need to hold both read and write
callbacks to ensure the socket layer is never called before being initialized.
This intermediate callback is used only if there is a socket init function
or if there are no data to send.
The socket layer does not have any code to check for connection establishment
anymore, which makes sense.
Willy Tarreau [Fri, 11 May 2012 16:32:18 +0000 (18:32 +0200)]
MEDIUM: stream_interface: derive the socket operations from the target
Instead of hard-coding sock_raw in connect_server(), we set this socket
operation at config parsing time. Right now, only servers and peers have
it. Proxies are still hard-coded as sock_raw. This will be needed for
future work on SSL which requires a different socket layer.
Similarly to the previous patch, we don't need the socket-layer functions
outside of stream_interface. They could even move to a file dedicated to
applets, though that does not seem particularly useful at the moment.
Commit e164e7a removed get_src/get_dst setting in the stream interfaces but
forgot to set it in proto_tcp. Get the feature back because we need it for
logging, transparent mode, ACLs etc... We now rely on the stream interface
direction to know what syscall to use.
One benefit of doing it this way is that we don't use getsockopt() anymore
on outgoing stream interfaces nor on UNIX sockets.
Willy Tarreau [Fri, 11 May 2012 12:23:52 +0000 (14:23 +0200)]
REORG: use the name sock_raw instead of stream_sock
We'll soon have an SSL socket layer, and in order to ease the difference
between the two, we use the name "sock_raw" to designate the one which
directly talks to the sockets without any conversion.
Willy Tarreau [Thu, 10 May 2012 21:40:14 +0000 (23:40 +0200)]
BUG/MEDIUM: config: don't crash at config load time on invalid userlist names
Cyril Bonté reported that passing an invalid userlist name to
http_auth_group() caused haproxy to crash at load. This was due
to an attempt to use the unresolved userlist pointer later to
resolve auth groups since we report many errors before leaving
now.
This issue does not exist in earlier versions since they immediately
abort on the first error, so no backport is needed.
Willy Tarreau [Thu, 10 May 2012 21:18:26 +0000 (23:18 +0200)]
BUG/MAJOR: acl: http_auth_group() must not accept any user from the userlist
http_auth and http_auth_group used to share the same fetch function, while
they're doing very different things. The first one only checks whether the
supplied credentials are valid wrt a userlist while the second not only
checks this but also checks group ownership from a list of patterns.
Recent acl/pattern merge caused a simplification here by which the fetch
function would always return a boolean, so the group match was always fine
if the user:password was valid, regardless of the patterns provided with
the ACL.
The proper solution consists in splitting the function in two, depending
on what is desired.
It's also worth noting that check_user() would probably be split, one to
check user:password, and the other one to check for group ownership for
an already valid user:password combination. At this point it is not certain
if the group mask is still useful or not considering that the passwd check
is always made.
This bug was reported and diagnosed by Cyril Bonté. It first appeared
in 1.5-dev9 so it does not need any backporting.
Cyril Bonté [Thu, 10 May 2012 17:42:52 +0000 (19:42 +0200)]
BUG/MINOR: stats admin: "Unexpected result" was displayed unconditionally
I introduced a regression in commit 19979e176e while reworking the admin
actions results.
"Unexpected result" was displayed even if the action was applied due to a
misplaced initialization. This small patch should fix it.
Willy Tarreau [Tue, 8 May 2012 19:56:27 +0000 (21:56 +0200)]
[RELEASE] Released version 1.5-dev9
Released version 1.5-dev9 with the following main changes :
- MINOR: Add release callback to si_applet
- CLEANUP: Fix some minor typos
- MINOR: Add TO/FROM_SET flags to struct stream_interface
- CLEANUP: Fix some minor whitespace issues
- MINOR: stats admin: allow unordered parameters in POST requests
- CLEANUP: fix typo in findserver() log message
- MINOR: stats admin: use the backend id instead of its name in the form
- MINOR: stats admin: reduce memcmp()/strcmp() calls on status codes
- DOC: cleanup indentation, alignment, columns and chapters
- DOC: fix some keywords arguments documentation
- MINOR: cli: display the 4 IP addresses and ports on "show sess XXX"
- BUG/MAJOR: log: possible segfault with logformat
- MEDIUM: log: split of log_format generation
- MEDIUM: log: New format-log flags: %Fi %Fp %Si %Sp %Ts %rt %H %pid
- MEDIUM: log: Unique ID
- MINOR: log: log-format: usable without httplog and tcplog
- BUG/MEDIUM: balance source did not properly hash IPv6 addresses
- MINOR: contrib/iprange: add a network IP range to mask converter
- MEDIUM: session: implement the "use-server" directive
- MEDIUM: log: add a new cookie flag 'U' to report situations where cookie is not used
- MEDIUM: http: make extract_cookie_value() iterate over cookie values
- MEDIUM: http: add cookie and scookie ACLs
- CLEANUP: lb_first: add reference to a paper describing the original idea
- MEDIUM: stream_sock: add a get_src and get_dst callback and remove SN_FRT_ADDR_SET
- BUG/MINOR: acl: req_ssl_sni would randomly fail if a session ID is present
- BUILD: http: make extract_cookie_value() return an int not size_t
- BUILD: http: stop gcc-4.1.2 from complaining about possibly uninitialized values
- CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
- MINOR: standard: add a memprintf() function to build formatted error messages
- CLEANUP: remove a few warning about unchecked return values in debug code
- MEDIUM: move message-related flags from transaction to message
- DOC: add a diagram to explain how circular buffers work
- MAJOR: buffer rework: replace ->send_max with ->o
- MAJOR: buffer: replace buf->l with buf->{o+i}
- MINOR: buffers: provide simple pointer normalization functions
- MINOR: buffers: remove unused function buffer_contig_data()
- MAJOR: buffers: replace buf->w with buf->p - buf->o
- MAJOR: buffers: replace buf->r with buf->p + buf->i
- MAJOR: http: move buffer->lr to http_msg->next
- MAJOR: http: change msg->{som,col,sov,eoh} to be relative to buffer origin
- CLEANUP: http: remove unused http_msg->col
- MAJOR: http: turn http_msg->eol to a buffer-relative offset
- MEDIUM: http: add a pointer to the buffer in http_msg
- MAJOR: http: make http_msg->sol relative to buffer's origin
- MEDIUM: http: http_send_name_header: remove references to msg and buffer
- MEDIUM: http: remove buffer arg in a few header manipulation functions
- MEDIUM: http: remove buffer arg in http_capture_bad_message
- MEDIUM: http: remove buffer arg in http_msg_analyzer
- MEDIUM: http: remove buffer arg in http_upgrade_v09_to_v10
- MEDIUM: http: remove buffer arg in http_buffer_heavy_realign
- MEDIUM: http: remove buffer arg in chunk parsing functions
- MINOR: http: remove useless wrapping checks in http_msg_analyzer
- MEDIUM: buffers: fix unsafe use of buffer_ignore at some places
- MEDIUM: buffers: add new pointer wrappers and get rid of almost all buffer_wrap_add calls
- MEDIUM: buffers: implement b_adv() to advance a buffer's pointer
- MEDIUM: buffers: rename a number of buffer management functions
- MEDIUM: http: add a prefetch function for ACL pattern fetch
- MEDIUM: http: make all ACL fetch function use acl_prefetch_http()
- BUG/MINOR: http_auth: ACLs are volatile, not permanent
- MEDIUM: http/acl: merge all request and response ACL fetches of headers and cookies
- MEDIUM: http/acl: make acl_fetch_hdr_{ip,val} rely on acl_fetch_hdr()
- MEDIUM: add a new typed argument list parsing framework
- MAJOR: acl: make use of the new argument parsing framework
- MAJOR: acl: store the ACL argument types in the ACL keyword declaration
- MEDIUM: acl: acl_find_target() now resolves arguments based on their types
- MAJOR: acl: make acl_find_targets also resolve proxy names at config time
- MAJOR: acl: ensure that implicit table and proxies are valid
- MEDIUM: acl: remove unused tests for missing args when args are mandatory
- MEDIUM: pattern: replace type pattern_arg with type arg
- MEDIUM: pattern: get rid of arg_i in all functions making use of arguments
- MEDIUM: pattern: use the standard arg parser
- MEDIUM: pattern: add an argument validation callback to pattern descriptors
- MEDIUM: pattern: report the precise argument parsing error when known.
- MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag
- MINOR: pattern: add a new 'sample' type to store fetched data
- MEDIUM: pattern: add new sample types to replace pattern types
- MAJOR: acl: make use of the new sample struct and get rid of acl_test
- MEDIUM: pattern/acl: get rid of temp_pattern in ACLs
- MEDIUM: acl: get rid of the SET_RES flags
- MEDIUM: get rid of SMP_F_READ_ONLY and SMP_F_MUST_FREE
- MINOR: pattern: replace struct pattern with struct sample
- MEDIUM: pattern: integrate pattern_data into sample and use sample everywhere
- MEDIUM: pattern: retrieve the sample type in the sample, not in the keyword description
- MEDIUM: acl/pattern: switch rdp_cookie functions stack up-down
- MEDIUM: acl: replace acl_expr with args in acl fetch_* functions
- MINOR: tcp: replace acl_fetch_rdp_cookie with smp_fetch_rdp_cookie
- MEDIUM: acl/pattern: use the same direction scheme
- MEDIUM: acl/pattern: start merging common sample fetch functions
- MEDIUM: pattern: ensure that sample types always cast into other types.
- MEDIUM: acl/pattern: factor out the src/dst address fetches
- MEDIUM: acl: implement payload and payload_lv
- CLEANUP: pattern: ensure that payload and payload_lv always stay in the buffer
- MINOR: stick_table: centralize the handling of empty keys
- MINOR: pattern: centralize handling of unstable data in pattern_process()
- MEDIUM: pattern: use smp_fetch_rdp_cookie instead of the pattern specific version
- MINOR: acl: set SMP_OPT_ITERATE on fetch functions
- MINOR: acl: add a val_args field to keywords
- MINOR: proto_tcp: validate arguments of payload and payload_lv ACLs
- MEDIUM: http: merge acl and pattern header fetch functions
- MEDIUM: http: merge ACL and pattern cookie fetches into a single one
- MEDIUM: acl: report parsing errors to the caller
- MINOR: arg: improve error reporting on invalid arguments
- MINOR: acl: report errors encountered when loading patterns from files
- MEDIUM: acl: extend the pattern parsers to report meaningful errors
- REORG: use the name "sample" instead of "pattern" to designate extracted data
- REORG: rename "pattern" files
- MINOR: acl: add types to ACL patterns
- MINOR: standard: add an IPv6 parsing function (str62net)
- MEDIUM: acl: support IPv6 address matching
- REORG: stream_interface: create a struct sock_ops to hold socket operations
- REORG/MEDIUM: move protocol->{read,write} to sock_ops
- REORG/MEDIUM: stream_interface: initialize socket ops from descriptors
- REORG/MEDIUM: replace stream interface protocol functions by a proto pointer
- REORG/MEDIUM: move the default accept function from sockstream to protocols.c
- MEDIUM: proto_tcp: remove src6 and dst6 pattern fetch methods
- BUG/MINOR: http: error snapshots are wrong if buffer wraps
- BUG/MINOR: http: ensure that msg->err_pos is always relative to buf->p
- MEDIUM: http: improve error capture reports
- MINOR: acl: add the cook_val() match to match a cookie against an integer
- BUG/MEDIUM: send_proxy: fix initialisation of send_proxy_ofs
- MEDIUM: memory: add the ability to poison memory at run time
- BUG/MEDIUM: log: ensure that unique_id is properly initialized
- MINOR: cfgparse: use a common errmsg pointer for all parsers
- MEDIUM: cfgparse: make backend_parse_balance() use memprintf to report errors
- MEDIUM: cfgparse: use the new error reporting framework for remaining cfg_keywords
- MINOR: http: replace http_message_realign() with buffer_slow_realign()
Willy Tarreau [Tue, 8 May 2012 18:40:09 +0000 (20:40 +0200)]
MINOR: http: replace http_message_realign() with buffer_slow_realign()
There is no more reason for the realign function being HTTP specific,
it only operates on a buffer now. Let's move it to buffers.c instead.
It's likely that buffer_bounce_realign is broken (not used), this will
have to be inspected. The function is worth rewriting as it can be
cheaper than buffer_slow_realign() to realign large wrapping buffers.
Willy Tarreau [Tue, 8 May 2012 17:47:01 +0000 (19:47 +0200)]
MEDIUM: cfgparse: use the new error reporting framework for remaining cfg_keywords
All keywords registered using a cfg_kw_list now make use of the new error reporting
framework. This allows easier and more precise error reporting without having to
deal with complex buffer allocation issues.
Willy Tarreau [Tue, 8 May 2012 13:51:44 +0000 (15:51 +0200)]
BUG/MEDIUM: log: ensure that unique_id is properly initialized
Last memory poisonning patch immediately made this issue appear.
The unique_id field is released but not properly initialized. The
feature was introduced very recently, no backport is needed.
Willy Tarreau [Tue, 8 May 2012 13:40:42 +0000 (15:40 +0200)]
MEDIUM: memory: add the ability to poison memory at run time
From time to time, some bugs are discovered that are caused by non-initialized
memory areas. It happens that most platforms return a zero-filled area upon
first malloc() thus hiding potential bugs. This patch also replaces malloc()
in pools with calloc() to ensure that all platforms exhibit the same behaviour
upon startup. In order to catch these bugs more easily, add a -dM command line
flag to enable memory poisonning. Optionally, passing -dM<byte> forces the
poisonning byte to <byte>.
Willy Tarreau [Tue, 8 May 2012 13:20:43 +0000 (15:20 +0200)]
BUG/MEDIUM: send_proxy: fix initialisation of send_proxy_ofs
Commit b22e55bc introduced send_proxy_ofs but forgot to initialize it,
which remained unnoticed since it's always at the same place in the
stream interface. On a machine with dirty RAM returned by malloc(),
some responses were holding a PROXY header, which normally is not
possible.
The problem goes away after properly initializing the field upon each
new session_accept().
This fix does not need to be backported except if any code makes use of
a backport of this feature.
Willy Tarreau [Tue, 8 May 2012 09:03:10 +0000 (11:03 +0200)]
MEDIUM: http: improve error capture reports
A number of important information were missing from the error captures, so
let's improve them. Now we also log source port, session flags, transaction
flags, message flags, pending output bytes, expected buffer wrapping position,
total bytes transferred, message chunk length, and message body length.
As such, the output format has slightly evolved and the source address moved
to the third line :
[08/May/2012:11:14:36.341] frontend echo (#1): invalid request
backend echo (#1), server <NONE> (#-1), event #1
src 127.0.0.1:40616, session #4, session flags 0x00000000
HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
HTTP chunk len 0 bytes, HTTP body len 0 bytes
buffer flags 0x00909002, out 0 bytes, total 28 bytes
pending 28 bytes, wrapping at 8030, error at position 7:
00000 GET / /?t=20000 HTTP/1.1\r\n
00026 \r\n
[08/May/2012:11:13:13.426] backend echo (#1) : invalid response
frontend echo (#1), server local (#1), event #0
src 127.0.0.1:40615, session #1, session flags 0x0000044e
HTTP msg state 32, msg flags 0x0000000e, tx flags 0x08200000
HTTP chunk len 0 bytes, HTTP body len 20 bytes
buffer flags 0x00008002, out 81 bytes, total 92 bytes
pending 11 bytes, wrapping at 7949, error at position 9:
Willy Tarreau [Tue, 8 May 2012 07:44:41 +0000 (09:44 +0200)]
BUG/MINOR: http: ensure that msg->err_pos is always relative to buf->p
Since the beginning of buffer&msg changes, the error position (err_pos)
had not completely been converted and some offsets still appear wrong.
Now we ensure that everywhere msg->err_pos is relative to buf->p and
we always report buf->i bytes starting at buf->p in all error captures,
which ensures that err_pos is there.
This is not exactly a bug and is specific to latest changes so no backport
is needed.
Willy Tarreau [Tue, 8 May 2012 06:54:15 +0000 (08:54 +0200)]
BUG/MINOR: http: error snapshots are wrong if buffer wraps
Commit 81f2fb added support for wrapping buffer captures, but unfortunately
the code used to perform two memcpy() over the same destination, causing a
loss of the start of the buffer rendering some error snapshots unusable.
This bug is present in 1.4 too and must be backported.
Willy Tarreau [Mon, 7 May 2012 19:36:48 +0000 (21:36 +0200)]
MEDIUM: proto_tcp: remove src6 and dst6 pattern fetch methods
These methods have been superseded by src and dst which support
multiple families. There is no point keeping them since they appeared
in a development version anyway.
For configurations using "src6", please use "src" instead. For "dst6",
use "dst" instead.
Willy Tarreau [Mon, 7 May 2012 19:22:09 +0000 (21:22 +0200)]
REORG/MEDIUM: move the default accept function from sockstream to protocols.c
The previous sockstream_accept() function uses nothing from sockstream, and
is totally irrelevant to stream interfaces. Move this to the protocols.c
file which handles listeners and protocols, and call it listener_accept().
It now makes much more sense that the code dealing with listen() also handles
accept() and passes it to upper layers.
Willy Tarreau [Mon, 7 May 2012 14:50:03 +0000 (16:50 +0200)]
REORG: stream_interface: create a struct sock_ops to hold socket operations
These operators are used regardless of the socket protocol family. Move
them to a "sock_ops" struct. ->read and ->write have been moved there too
as they have no reason to remain at the protocol level.
projects / thirdparty / haproxy.git / log
