Emeric Brun [Thu, 29 Jun 2017 13:40:33 +0000 (15:40 +0200)]
BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
The reference of the current map/acl element to dump could
be destroyed if map is updated from an 'http-request del-map'
configuration rule or throught a 'del map/acl' on CLI.
We use a 'back_refs' chaining element to fix this. As it
is done to dump sessions.
This patch needs also fix:
'BUG/MAJOR: cli: fix custom io_release was crushed by NULL.'
To clean the back_ref and avoid a crash on a further
del/clear map operation.
Those fixes should be backported on mainline branches 1.7 and 1.6.
Willy Tarreau [Tue, 27 Jun 2017 13:47:56 +0000 (15:47 +0200)]
BUG/MAJOR: frontend: don't dereference a null conn on outgoing connections
Recently merged commit 0cfe388 ("MINOR: frontend: retrieve the ALPN name when
available") assumed that the connection is always known in frontend_accept()
which is not true for outgoing peers connections for example.
It's more efficient this way, as it allows to flush a send buffer before
receiving data in the other one. This can lead to a slightly faster buffer
recycling, thus slightly less memory and a small performance increase by
using a hotter cache.
Willy Tarreau [Tue, 13 Dec 2016 14:26:56 +0000 (15:26 +0100)]
MINOR: stream: don't set backend's nor response analysers on SF_TUNNEL
In order to implement hot-pluggable applets like we'll need for HTTP/2
which will speak a different protocol than the expected one, it will be
mandatory to be able to clear all analysers from the request and response
channel and/or to keep only the ones the applet initializer installed.
Unfortunately for now in sess_establish() we systematically place a number
of analysers inherited from the frontend, backend and some hard-coded ones.
This patch reuses the now unused SF_TUNNEL flag on the stream to indicate
we're dealing with a tunnel and don't want to add more analysers anymore.
It will be usable to install such a specific applet.
Ideally over the long term it might be nice to be able to set the mode on
the stream instead of the proxy so that we can decide to change a stream's
mode (eg: TCP, HTTP, HTTP/2) at run time. But it would require many more
changes for a gain which is not yet obvious.
Willy Tarreau [Sun, 4 Dec 2016 17:44:29 +0000 (18:44 +0100)]
MINOR: ssl: add a get_alpn() method to ssl_sock
This is used to retrieve the TLS ALPN information from a connection. We
also support a fallback to NPN if ALPN doesn't find anything or is not
available on the existing implementation. It happens that depending on
the library version, either one or the other is available. NPN was
present in openssl 1.0.1 (very common) while ALPN is in 1.0.2 and onwards
(still uncommon at the time of writing). Clients are used to send either
one or the other to ensure a smooth transition.
Willy Tarreau [Sun, 4 Dec 2016 17:42:09 +0000 (18:42 +0100)]
MINOR: connection: add a .get_alpn() method to xprt_ops
This will be used to retrieve the ALPN negociated over SSL (or possibly
via the proxy protocol later). It's likely that this information should
be stored in the connection itself, but it requires adding an extra
pointer and an extra integer. Thus better rely on the transport layer
to pass this info for now.
Willy Tarreau [Sun, 4 Dec 2016 17:39:22 +0000 (18:39 +0100)]
MINOR: frontend: initialize HTTP layer after the debugging code
For HTTP/2 we'll have to choose the upper layer based on the
advertised protocol name here and we want to keep debugging,
so let's move debugging earlier.
Willy Tarreau [Sun, 4 Dec 2016 23:26:31 +0000 (00:26 +0100)]
MEDIUM: stream: make stream_new() always set the target and analysers
It doesn't make sense that stream_new() doesn't sets the target nor
analysers and that the caller has to do it even if it doesn't know
about streams (eg: in session_accept_fd()). This causes trouble for
H2 where the applet handling the protocol cannot properly change
these information during its init phase.
Let's ensure it's always set and that the callers don't set it anymore.
Note: peers and lua don't use analysers and that's properly handled.
Emeric Brun [Mon, 29 May 2017 13:26:51 +0000 (15:26 +0200)]
MINOR: task/stream: tasks related to a stream must be init by the caller.
The task_wakeup was called on stream_new, but the task/stream
wasn't fully initialized yet. The task_wakeup must be called
explicitly by the caller once the task/stream is initialized.
Emeric Brun [Thu, 30 Mar 2017 13:37:25 +0000 (15:37 +0200)]
MAJOR: task: task scheduler rework.
In order to authorize call of task_wakeup on running task:
- from within the task handler itself.
- in futur, from another thread.
The lookups on runqueue and waitqueue are re-worked
to prepare multithread stuff.
If task_wakeup is called on a running task, the woken
message flags are savec in the 'pending_state' attribute of
the state. The real wakeup is postponed at the end of the handler
process and the woken messages are copied from pending_state
to the state attribute of the task.
It's important to note that this change will cause a very minor
(though measurable) performance loss but it is necessary to make
forward progress on a multi-threaded scheduler. Most users won't
ever notice.
Emeric Brun [Fri, 31 Mar 2017 10:04:09 +0000 (12:04 +0200)]
BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue
Under certain circumstances, if a stream's task is first woken up
(eg: I/O event) then notified of the availability of a buffer it
was waiting for via stream_res_wakeup(), this second event is lost
because the flags are only merged after seeing that the task is
running. At the moment it seems that the TASK_WOKEN_RES event is
not explicitly checked for, but better fix this before getting
reports of lost events.
This fix removes this "task running" test which is properly
performed in task_wakeup(), while the flags are properly merged.
Willy Tarreau [Fri, 23 Jun 2017 09:23:43 +0000 (11:23 +0200)]
BUG/MINOR: log: pin the front connection when front ip/ports are logged
Mathias Weiersmueller reported an interesting issue with logs which Lukas
diagnosed as dating back from commit 9b061e332 (1.5-dev9). When front
connection information (ip, port) are logged in TCP mode and the log is
emitted at the end of the connection (eg: because %B or any log tag
requiring LW_BYTES is set), the log is emitted after the connection is
closed, so the address and ports cannot be retrieved anymore.
It could be argued that we'd make a special case of these to immediatly
retrieve the source and destination addresses from the connection, but it
seems cleaner to simply pin the front connection, marking it "tracked" by
adding the LW_XPRT flag to mention that we'll need some of these elements
at the last moment. Only LW_FRTIP and LW_CLIP are affected. Note that after
this change, LW_FRTIP could simply be removed as it's not used anywhere.
Note that the problem doesn't happen when using %[src] or %[dst] since
all sample expressions set LW_XPRT.
BUG/MINOR: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
We cannot store more than 32K headers in the structure hdr_idx, because
internaly we use signed short integers. To avoid any bugs (due to an integers
overflow), a check has been added on tune.http.maxhdr to be sure to not set a
value greater than 32767 and lower than 1 (because this is a nonsense to set
this parameter to a value <= 0).
BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
When a peer task has sent a synchronization request to remote peers
its next expiration date was updated based on a resynchronization timeout
value which itself may have already expired leading the underlying
poller to wait for 0ms during a fraction of second (consuming high CPU
resources).
With this patch we update such peer task expiration dates only if
the resynchronization timeout is not already expired.
Thanks to Patrick Hemmer who reported an issue with nice traces
which helped in finding this one.
BUG/MEDIUM: mworker: don't reuse PIDs passed to the master
When starting the master worker with -sf or -st, the PIDs will be reused
on the next reload, which is a problem if new processes on the system
took those PIDs.
This patch ensures that we don't register old PIDs in the reload system
when launching the master worker.
Willy Tarreau [Fri, 16 Jun 2017 08:34:20 +0000 (10:34 +0200)]
BUG/MEDIUM: unix: never unlink a unix socket from the file system
James Brown reported some cases where a race condition happens between
the old and the new processes resulting in the leaving process removing
a newly bound unix socket. Jeff gave all the details he observed here :
The unix socket removal was an attempt at an optimal cleanup, which
almost never works anyway since the process is supposed to be chrooted.
And in the rare cases where it works it occasionally creates trouble.
There was already a workaround in place to avoid removing this socket
when it's been inherited from a parent's file descriptor.
So let's finally kill this useless stuff now to definitely get rid of
this persistent problem.
This fix should be backported to all stable releases.
A peer session which has just been created upon reconnect timeout expirations,
could be right after shutdown (at peer session level) because the remote
side peer could also righ after have connected. In such a case the underlying
TCP session was still running (connect()/accept()) and finally left in CLOSE_WAIT
state after the remote side stopped writting (shutdown(SHUT_WR)).
Now on, with this patch we never shutdown such peer sessions wich have just
been created. We leave them connect to the remote peer which is already
connected and must shutdown its own peer session.
Thanks to Patric Hemmer and Yves Lafon at w3.org for reporting this issue,
and for having tested this patch on the field.
Thanks also to Willy and Yelp blogs which helped me a lot in fixing it
(see https://www.haproxy.com/blog/truly-seamless-reloads-with-haproxy-no-more-hacks/ and
https://engineeringblog.yelp.com/2015/04/true-zero-downtime-haproxy-reloads.htmll).
BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
A filter can choose to loop when a HTTP message is in the state
HTTP_MSG_ENDING. But the transaction is terminated with an error if the input is
closed (CF_SHUTR set on the channel). At this step, we have received all data,
so we can wait.
So now, we also check the parser state before leaving. This fix only affects
configs that use a filter that can wait in http_forward_data or http_end
callbacks, when all data were parsed.
BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0
For openssl 1.0.2, SSLv3_server_method and SSLv3_client_method are undefined if
OPENSSL_NO_SSL3_METHOD is set. So we must add a check on this macro before using
these functions.
BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
For an ACL, we can load patterns from a map using the flag -M. For example:
acl test hdr(host) -M -f hosts.map
The file is parsed as a map et the ACL will be executed as expected. But the
reference flag is wrong. It is set to PAT_REF_ACL. So the map will never be
listed by a "show map" on the stat socket. Setting the reference flag to
PAT_REF_ACL|PAT_REF_MAP fixes the bug.
CONTRIB: plug qdiscs: Plug queuing disciplines mini HOWTO.
Add plug_qdisc.c source file which may help in how to programatically
use plug queueing disciplines with its README file.
Such code may be useful to reproduce painful network application bugs.
BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
These functions was added in commit 637f8f2c ("BUG/MEDIUM: buffers: Fix how
input/output data are injected into buffers").
This patch fixes hidden bugs. When a buffer is full (buf->i + buf->o ==
buf->size), instead of returning 0, these functions can return buf->size. Today,
this never happens because callers already check if the buffer is full before
calling bi/bo_contig_space. But to avoid possible bugs if calling conditions
changed, we slightly refactored these functions.
Willy Tarreau [Sun, 11 Jun 2017 15:56:27 +0000 (17:56 +0200)]
BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
Jean Lubatti reported a crash on haproxy using a config involving cookies
and tarpit rules. It just happens that since 1.7-dev3 with commit 83a2c3d
("BUG/MINOR : allow to log cookie for tarpit and denied request"), function
manage_client_side_cookies() was called after erasing the request buffer in
case of a tarpit action. The problem is that this function must absolutely
not be called with an empty buffer since it moves parts of it. A typical
reproducer consists in sending :
"GET / HTTP/1.1\r\nCookie: S=1\r\n\r\n"
On such a config :
listen crash
bind :8001
mode http
reqitarpit .
cookie S insert indirect
server s1 127.0.0.1:8000 cookie 1
The fix simply consists in moving the call to the function before the call
to buffer_erase().
Many thanks to Jean for testing instrumented code and providing a usable
core.
This fix must be backported to all stable versions since the fix introducing
this bug was backported as well.
Willy Tarreau [Fri, 9 Jun 2017 13:54:39 +0000 (15:54 +0200)]
BUILD: scripts: add an automatic mode for publish-release
Passing "-a" will make it easier to automatically create archives from
tagged repositories. It doesn't ask any question and doesn't return an
error when the current branch is not tagged nor if the release already
exists.
Willy Tarreau [Fri, 9 Jun 2017 13:36:02 +0000 (15:36 +0200)]
BUILD: scripts: make publish-release support bare repositories
First we must not report an error when "git diff HEAD" fails. Second, we
don't want to "cd" to the home dir when "git rev-parse --show-toplevel"
returns an empty string. Third, we definitely want to check that a master
branch really exists in the current directory to avoid mistakes.
Commit cb11fd2 ("MEDIUM: mworker: wait mode on reload failure")
introduced a regression, when HAProxy is used in daemon mode, it exits 1
after forking its children.
HAProxy should exit(0), the exit(EXIT_FAILURE) was expected to be use
when the master fail in master-worker mode.
Thanks to Emmanuel Hocdet for reporting this bug. No backport needed.
BUG/MINOR: warning: â\80\98need_resendâ\80\99 may be used uninitialized
The commit 201c07f68 ("MAJOR/REORG: dns: DNS resolution task and
requester queues") introduces a warning during compilation:
src/dns.c: In function â\80\98dns_resolve_recvâ\80\99:
src/dns.c:487:6: warning: â\80\98need_resendâ\80\99 may be used uninitialized in this function [-Wmaybe-uninitialized]
if (need_resend) {
^
This patch initialize the variable and remove the comment about it.
Emeric Brun [Tue, 6 Jun 2017 12:35:14 +0000 (12:35 +0000)]
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine
The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write
This patch disables the ASYNC mode dynamically when the handshake
is left and re-enables it on reneg.
Emeric Brun [Wed, 31 May 2017 10:02:53 +0000 (10:02 +0000)]
BUG/MAJOR: ssl: fix segfault on connection close using async engines.
This patch ensure that the ASYNC fd handlers won't be wake up
too early, disabling the event cache for this fd on connection close
and when a WANT_ASYNC is rised by Openssl.
The calls to SSL_read/SSL_write/SSL_do_handshake before rising a real read
event from the ASYNC fd, generated an EAGAIN followed by a context switch
for some engines, or a blocked read for the others.
On connection close it resulted in a too early call to SSL_free followed
by a segmentation fault.
Emmanuel Hocdet [Thu, 18 May 2017 10:46:50 +0000 (12:46 +0200)]
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list
SSL/TLS version can be changed per certificat if and only if openssl lib support
earlier callback on handshake and, of course, is implemented in haproxy. It's ok
for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
Emmanuel Hocdet [Thu, 18 May 2017 10:33:19 +0000 (12:33 +0200)]
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table
This patch cleanup the usage of set_version func with a more suitable name:
ctx_set_version. It introduce ssl_set_version func (unused for the moment).
Willy Tarreau [Fri, 2 Jun 2017 13:59:51 +0000 (15:59 +0200)]
[RELEASE] Released version 1.8-dev2
Released version 1.8-dev2 with the following main changes :
- CLEANUP: server: moving netinet/tcp.h inclusion
- DOC: changed "block"(deprecated) examples to http-request deny
- DOC: add few comments to examples.
- DOC: update sample code for PROXY protocol
- DOC: mention lighttpd 1.4.46 implements PROXY
- MINOR server: Restrict dynamic cookie check to the same proxy.
- DOC: stick-table is available in frontend sections
- BUG/MINOR: server : no transparent proxy for DragonflyBSD
- BUILD/MINOR: stats: remove unexpected argument to stats_dump_json_header()
- BUILD/MINOR: tools: fix build warning in debug_hexdump()
- BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
- BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
- BUG/MINOR: arg: don't try to add an argument on failed memory allocation
- MEDIUM: server: Inherit CLI weight changes and agent-check weight responses
- BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
- BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
- BUG/MEDIUM: servers: unbreak server weight propagation
- MINOR: lua: ensure the memory allocator is used all the time
- MINOR: cli: Add a command to send listening sockets.
- MINOR: global: Add an option to get the old listening sockets.
- MINOR: tcp: When binding socket, attempt to reuse one from the old proc.
- MINOR: doc: document the -x flag
- MINOR: proxy: Don't close FDs if not our proxy.
- MINOR: socket transfer: Set a timeout on the socket.
- MINOR: systemd wrapper: add support for passing the -x option.
- BUG/MINOR: server: Fix a wrong error message during 'usesrc' keyword parsing.
- BUG/MAJOR: Broken parsing for valid keywords provided after 'source' setting.
- CLEANUP: logs: typo: simgle => single
- BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
- MEDIUM: config: don't check config validity when there are fatal errors
- BUG/MAJOR: Use -fwrapv.
- BUG/MINOR: server: don't use "proxy" when px is really meant.
- BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
- BUG/MINOR: server: missing default server 'resolvers' setting duplication.
- MINOR: server: Extract the code responsible of copying default-server settings.
- MINOR: server: Extract the code which finalizes server initializations after 'server' lines parsing.
- MINOR: server: Add 'server-template' new keyword supported in backend sections.
- MINOR: server: Add server_template_init() function to initialize servers from a templates.
- DOC: Add documentation for new "server-template" keyword.
- DOC: add layer 4 links/cross reference to "block" keyword.
- DOC: errloc/errorloc302/errorloc303 missing status codes.
- BUG/MEDIUM: lua: memory leak
- CLEANUP: lua: remove test
- BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
- BUG/MINOR: change header-declared function to static inline
- REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to common
- MINOR: Add binary encoding request header sample fetch
- MINOR: proto-http: Add sample fetch wich returns all HTTP headers
- MINOR: Add ModSecurity wrapper as contrib
- BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.
- DOC: update RFC references
- CONTRIB: tcploop: add action "X" to execute a command
- MINOR: server: cli: Add server FQDNs to server-state file and stats socket.
- BUG/MINOR: contrib/mod_security: fix build on FreeBSD
- BUG/MINOR: checks: don't send proxy protocol with agent checks
- MINOR: ssl: add prefer-client-ciphers
- MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
- MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
- MEDIUM: ssl: calculate the real min/max TLS version and find holes
- MINOR: ssl: support TLSv1.3 for bind and server
- MINOR: ssl: show methods supported by openssl
- MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server
- MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
- CLEANUP: retire obsoleted USE_GETSOCKNAME build option
- BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
- MINOR: sample: Add b64dec sample converter
- BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
- MINOR: cli: add ACCESS_LVL_MASK to store the access level
- MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
- MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
- MEDIUM: ssl: add basic support for OpenSSL crypto engine
- MAJOR: ssl: add openssl async mode support
- MEDIUM: ssl: handle multiple async engines
- MINOR: boringssl: basic support for OCSP Stapling
- MEDIUM: mworker: replace systemd mode by master worker mode
- MEDIUM: mworker: handle reload and signals
- MEDIUM: mworker: wait mode on reload failure
- MEDIUM: mworker: try to guess the next stats socket to use with -x
- MEDIUM: mworker: exit-on-failure option
- MEDIUM: mworker: workers exit when the master leaves
- DOC: add documentation for the master-worker mode
- MEDIUM: systemd: Type=forking in unit file
- MAJOR: systemd-wrapper: get rid of the wrapper
- MINOR: log: Add logurilen tunable.
- CLEANUP: server.c: missing prototype of srv_free_dns_resolution
- MINOR: dns: smallest DNS fqdn size
- MINOR: dns: functions to manage memory for a DNS resolution structure
- MINOR: dns: parse_server() now uses srv_alloc_dns_resolution()
- REORG: dns: dns_option structure, storage of hostname_dn
- MINOR: dns: new snr_check_ip_callback function
- MAJOR: dns: save a copy of the DNS response in struct resolution
- MINOR: dns: implement a LRU cache for DNS resolutions
- MINOR: dns: make 'ancount' field to match the number of saved records
- MINOR: dns: introduce roundrobin into the internal cache (WIP)
- MAJOR/REORG: dns: DNS resolution task and requester queues
- BUILD: ssl: fix build with OPENSSL_NO_ENGINE
- MINOR: Add Mod Defender integration as contrib
- CLEANUP: str2mask return code comment: non-zero -> zero.
- MINOR: tools: make debug_hexdump() use a const char for the string
- MINOR: tools: make debug_hexdump() take a string prefix
- CLEANUP: connection: remove unused CO_FL_WAIT_DATA
Very early in the connection rework process leading to v1.5-dev12, commit 56a77e5 ("MEDIUM: connection: complete the polling cleanups") marked the
end of use for this flag which since was never set anymore, but it continues
to be tested. Let's kill it now.
MINOR: tools: make debug_hexdump() take a string prefix
When dumping data at various places in the code, it's hard to figure
what is present where. To make this easier, this patch slightly modifies
debug_hexdump() to take a prefix string which is prepended in front of
each output line.
Dragan Dosen [Fri, 2 Jun 2017 10:03:16 +0000 (12:03 +0200)]
MINOR: Add Mod Defender integration as contrib
This is a service that talks SPOE protocol and uses the Mod Defender (a
NAXSI clone) functionality to detect HTTP attacks. It returns a HTTP
status code to indicate whether the request is suspicious or not, based on
NAXSI rules. The value of the returned code can be used in HAProxy rules
to determine if the HTTP request should be blocked/rejected.
Baptiste Assmann [Mon, 22 May 2017 13:17:15 +0000 (15:17 +0200)]
MAJOR/REORG: dns: DNS resolution task and requester queues
This patch is a major upgrade of the internal run-time DNS resolver in
HAProxy and it brings the following 2 main changes:
1. DNS resolution task
Up to now, DNS resolution was triggered by the health check task.
From now, DNS resolution task is autonomous. It is started by HAProxy
right after the scheduler is available and it is woken either when a
network IO occurs for one of its nameserver or when a timeout is
matched.
From now, this means we can enable DNS resolution for a server without
enabling health checking.
2. Introduction of a dns_requester structure
Up to now, DNS resolution was purposely made for resolving server
hostnames.
The idea, is to ensure that any HAProxy internal object should be able
to trigger a DNS resolution. For this purpose, 2 things has to be done:
- clean up the DNS code from the server structure (this was already
quite clean actually) and clean up the server's callbacks from
manipulating too much DNS resolution
- create an agnostic structure which allows linking a DNS resolution
and a requester of any type (using obj_type enum)
3. Manage requesters through queues
Up to now, there was an uniq relationship between a resolution and it's
owner (aka the requester now). It's a shame, because in some cases,
multiple objects may share the same hostname and may benefit from a
resolution being performed by a third party.
This patch introduces the notion of queues, which are basically lists of
either currently running resolution or waiting ones.
The resolutions are now available as a pool, which belongs to the resolvers.
The pool has has a default size of 64 resolutions per resolvers and is
allocated at configuration parsing.
MINOR: dns: introduce roundrobin into the internal cache (WIP)
This patch introduces a bit of roundrobin in the records stored in our
local cache.
Purpose is to allow some kind of distribution of the IPs found in a
response.
Note that distribution properly applies only when the IP used by many
requesters disappear and is replaced by an other one.
MINOR: dns: make 'ancount' field to match the number of saved records
ancount is the number of answers available in a DNS response.
Before this patch, HAProxy used to store the ancount found in the buffer
(sent by the DNS server).
Unfortunately, this is now inaccurate and does not correspond to the
number of records effectively stored in our local version of the
response. In Example, the CNAMEs are not stored.
This patch updates ancount field in to make it match what is effectively
stored in our version.
MINOR: dns: implement a LRU cache for DNS resolutions
Introduction of a DNS response LRU cache in HAProxy.
When a positive response is received from a DNS server, HAProxy stores
it in the struct resolution and then also populates a LRU cache with the
response.
For now, the key in the cache is a XXHASH64 of the hostname in the
domain name format concatened to the query type in string format.
Baptiste Assmann [Mon, 22 May 2017 13:13:10 +0000 (15:13 +0200)]
MAJOR: dns: save a copy of the DNS response in struct resolution
Prior this patch, the DNS responses were stored in a pre-allocated
memory area (allocated at HAProxy's startup).
The problem is that this memory is erased for each new DNS responses
received and processed.
This patch removes the global memory allocation (which was not thread
safe by the way) and introduces a storage of the dns response in the
struct
resolution.
The memory in the struct resolution is also reserved at start up and is
thread safe, since each resolution structure will have its own memory
area.
For now, we simply store the response and use it atomically per
response per server.
In the process of breaking links between dns_* functions and other
structures (mainly server and a bit of resolution), the function
dns_get_ip_from_response needs to be reworked: it now can call
"callback" functions based on resolution's owner type to allow modifying
the way the response is processed.
For now, main purpose of the callback function is to check that an IP
address is not already affected to an element of the same type.
REORG: dns: dns_option structure, storage of hostname_dn
This patch introduces a some re-organisation around the DNS code in
HAProxy.
1. make the dns_* functions less dependent on 'struct server' and 'struct resolution'.
With this in mind, the following changes were performed:
- 'struct dns_options' has been removed from 'struct resolution' (well,
we might need it back at some point later, we'll see)
==> we'll use the 'struct dns_options' from the owner of the resolution
- dns_get_ip_from_response(): takes a 'struct dns_options' instead of
'struct resolution'
==> so the caller can pass its own dns options to get the most
appropriate IP from the response
- dns_process_resolve(): struct dns_option is deduced from new
resolution->requester_type parameter
2. add hostname_dn and hostname_dn_len into struct server
In order to avoid recomputing a server's hostname into its domain name
format (and use a trash buffer to store the result), it is safer to
compute it once at configuration parsing and to store it into the struct
server.
In the mean time, the struct resolution linked to the server doesn't
need anymore to store the hostname in domain name format. A simple
pointer to the server one will make the trick.
The function srv_alloc_dns_resolution() properly manages everything for
us: memory allocation, pointer updates, etc...
3. move resolvers pointer into struct server
This patch makes the pointer to struct dns_resolvers from struct
dns_resolution obsolete.
Purpose is to make the resolution as "neutral" as possible and since the
requester is already linked to the resolvers, then we don't need this
information anymore in the resolution itself.
MINOR: dns: functions to manage memory for a DNS resolution structure
A couple of new functions to allocate and free memory for a DNS
resolution structure. Main purpose is to to make the code related to DNS
more consistent.
They allocate or free memory for the structure itself. Later, if needed,
they should also allocate / free the buffers, etc, used by this structure.
They don't set/unset any parameters, this is the role of the caller.
This patch also implement calls to these function eveywhere it is
required.
Stéphane Cottin [Thu, 18 May 2017 06:58:41 +0000 (08:58 +0200)]
MINOR: log: Add logurilen tunable.
The default len of request uri in log messages is 1024. In some use
cases, you need to keep the long trail of GET parameters. The only
way to increase this len is to recompile with DEFINE=-DREQURI_LEN=2048.
This commit introduces a tune.http.logurilen configuration directive,
allowing to tune this at runtime.
Adding Type=forking in the unit file ensure better monitoring from
systemd. During a systemctl start the tool is able to return an error if
it didn't work with this option.
MEDIUM: mworker: try to guess the next stats socket to use with -x
In master worker mode, you can't specify the stats socket where you get
your listeners FDs on a reload, because the command line of the re-exec
is launched by the master.
To solve the problem, when -x is found on the command line, its
parameter is rewritten on a reexec with the first stats socket with the
capability to send sockets. It tries to reuse the original parameter if
it has this capability.
In Master Worker mode, when the reloading of the configuration fail,
the process is exiting leaving the children without their father.
To handle this, we register an exit function with atexit(3), which is
reexecuting the binary in a special mode. This particular mode of
HAProxy don't reload the configuration, it only loops on wait().
The master-worker will reload itself on SIGUSR2/SIGHUP
It's inherited from the systemd wrapper, when the SIGUSR2 signal is
received, the master process will reexecute itself with the -sf flag
followed by the PIDs of the children.
In the systemd wrapper, the children were using a pipe to notify when
the config has been parsed and when the new process is ready. The goal
was to ensure that the process couldn't reload during the parsing of the
configuration, before signals were send to old process.
With the new mworker model, the master parses the configuration and is
aware of all the children. We don't need a pipe, but we need to block
those signals before the end of a reload, to ensure that the process
won't be killed during a reload.
The SIGUSR1 signal is forwarded to the children to soft-stop HAProxy.
The SIGTERM and SIGINT signals are forwarded to the children in order to
terminate them.
MEDIUM: mworker: replace systemd mode by master worker mode
This commit remove the -Ds systemd mode in HAProxy in order to replace
it by a more generic master worker system. It aims to replace entirely
the systemd wrapper in the near future.
The master worker mode implements a new way of managing HAProxy
processes. The master is in charge of parsing the configuration
file and is responsible for spawning child processes.
The master worker mode can be invoked by using the -W flag. It can be
used either in background mode (-D) or foreground mode. When used in
background mode, the master will fork to daemonize.
In master worker background mode, chroot, setuid and setgid are done in
each child rather than in the master process, because the master process
will still need access to filesystem to reload the configuration.
Grant Zhang [Sat, 14 Jan 2017 01:42:15 +0000 (01:42 +0000)]
MAJOR: ssl: add openssl async mode support
ssl-mode-async is a global configuration parameter which enables
asynchronous processing in OPENSSL for all SSL connections haproxy
handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a
retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous
capable engine is used to perform cryptographic operations. Currently
async mode only supports one async-capable engine.
This is the latest version of the patchset which includes Emeric's
updates :
- improved async fd cleaning when openssl reports an fd to delete
- prevent conn_fd_handler from calling SSL_{read,write,handshake} until
the async fd is ready, as these operations are very slow and waste CPU
- postpone of SSL_free to ensure the async operation can complete and
does not cause a dereference a released SSL.
- proper removal of async fd from the fdtab and removal of the unused async
flag.
MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
When HAProxy is running with multiple processes and some listeners
arebound to processes, the unused sockets were not closed in the other
processes. The aim was to be able to send those listening sockets using
the -x option.
However to ensure the previous behavior which was to close those
sockets, we provided the "no-unused-socket" global option.
This patch changes this behavior, it will close unused sockets which are
not in the same process as an expose-fd socket, making the
"no-unused-socket" option useless.
The "no-unused-socket" option was removed in this patch.
MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
This patch changes the stats socket rights for allowing the sending of
listening sockets.
The previous behavior was to allow any unix stats socket with admin
level to send sockets. It's not possible anymore, you have to set this
option to activate the socket sending.
Example:
stats socket /var/run/haproxy4.sock mode 666 expose-fd listeners level user process 4
Thierry FOURNIER [Fri, 12 May 2017 14:32:20 +0000 (16:32 +0200)]
BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
In the case of a Lua sample-fetch or converter doesn't return any
value, an acces outside the Lua stack can be performed. This patch
check the stack size before converting the top value to a HAProxy
internal sample.
A workaround consist to check that a value value is always returned
with sample fetches and converters.
This patch should be backported in the version 1.6 and 1.7
Holger Just [Fri, 5 May 2017 22:56:53 +0000 (00:56 +0200)]
MINOR: sample: Add b64dec sample converter
Add "b64dec" as a new converter which can be used to decode a base64
encoded string into its binary representation. It performs the inverse
operation of the "base64" converter.
Some DNS related network sockets were closed without unregistering their file
descriptors from their underlying kqueue event sets. This patch replaces calls to
close() by fd_delete() calls to that to delete such events attached to DNS
network sockets from the kqueue before closing the sockets.
The bug was introduced by commit 26c6eb8 ("BUG/MAJOR: dns: restart sockets
after fork()") which was backported in 1.7 so this fix has to be backported
there as well.
Thanks to Jim Pingle who reported it and indicated the faulty commit, and
to Lukas Tribus for the trace showing the bad file descriptor.
Emmanuel Hocdet [Fri, 5 May 2017 16:06:12 +0000 (18:06 +0200)]
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x
is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when
ssl-min-ver or ssl-max-ver is used (with warning).
When all SSL/TLS versions are disable: generate an error, not a warning.
example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
Emmanuel Hocdet [Fri, 31 Mar 2017 13:02:54 +0000 (15:02 +0200)]
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server
'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver
and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning
and documentation are set accordingly.
Emmanuel Hocdet [Thu, 30 Mar 2017 17:25:07 +0000 (19:25 +0200)]
MEDIUM: ssl: calculate the real min/max TLS version and find holes
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
Find the real min/max versions (openssl capabilities and haproxy configuration)
and generate warning with bad versions range.
'no-tlsxx' can generate 'holes':
"The list of protocols available can be further limited using the SSL_OP_NO_X
options of the SSL_CTX_set_options or SSL_set_options functions. Clients should
avoid creating 'holes' in the set of protocols they support, when disabling a
protocol, make sure that you also disable either all previous or all subsequent
protocol versions. In clients, when a protocol version is disabled without
disabling all previous protocol versions, the effect is to also disable all
subsequent protocol versions."
To not break compatibility, "holes" is authorized with warning, because openssl
1.1.0 and boringssl deal with it (keep the upper or lower range depending the
case and version).
Emmanuel Hocdet [Thu, 30 Mar 2017 17:19:37 +0000 (19:19 +0200)]
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
This patch introduce internal min/max and replace force-tlsxx implementation.
SSL method configuration is store in 'struct tls_version_filter'.
SSL method configuration to openssl setting is abstract in 'methodVersions' table.
With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max).
With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
Emmanuel Hocdet [Thu, 30 Mar 2017 12:43:31 +0000 (14:43 +0200)]
MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
min-tlsxx and max-tlsxx can be overwrite on local definition. This directives
should be the only ones needed in default-server.
To simplify next patches (rework of tls versions settings with min/max) all
ssl/tls version settings relative to default-server are reverted first:
remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'.
remove from default-server: 'no-sslv3', 'no-tls*'.
Note:
. force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server.
. no-tlsxx is keep for compatibility: should not be propagated to default-server.
Lukas Tribus [Thu, 4 May 2017 15:45:40 +0000 (15:45 +0000)]
MINOR: ssl: add prefer-client-ciphers
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1],
which may not always be a good thing.
The benefit of server side cipher prioritization may not apply to all
cases out there, and it appears that the various SSL libs are going away
from this recommendation ([2], [3]), as insecure ciphers suites are
properly blacklisted/removed and honoring the client's preference is
more likely to improve user experience (for example using SW-friendly
ciphers on devices without HW AES support).
This is especially true for TLSv1.3, which will restrict the cipher
suites to just AES-GCM and Chacha20/Poly1305.
Apache [4], nginx [5] and others give admins full flexibility, we should
as well.
The initial proposal to change the current default and add a
"prefer-server-ciphers" option (as implemented in e566ecb) has been
declined due to the possible security impact.
This patch implements prefer-client-ciphers without changing the defaults.
Willy Tarreau [Sat, 6 May 2017 06:45:28 +0000 (08:45 +0200)]
BUG/MINOR: checks: don't send proxy protocol with agent checks
James Brown reported that agent-check mistakenly sends the proxy
protocol header when it's configured. This is obviously wrong as
the agent is an independant servie and not a traffic port, let's
disable this.
This fix must be backported to 1.7 and possibly 1.6.
projects / thirdparty / haproxy.git / log
