Willy Tarreau [Sun, 20 Mar 2011 09:16:46 +0000 (10:16 +0100)]
[MEDIUM] stream_sock: add support for sending the proxy protocol header line
Upon connection establishment, stream_sock is now able to send a PROXY
line before sending any data. Since it's possible that the buffer is
already full, and we don't want to allocate a block for that line, we
compute it on-the-fly when we need it. We just store the offset from
which to (re-)send from the end of the line, since it's assumed that
multiple outputs of the same proxy line will be strictly equivalent. In
practice, one call is enough. We just make sure to handle the case where
the first send() would indicate an incomplete output, eventhough it's
very unlikely to ever happen.
Willy Tarreau [Sun, 13 Mar 2011 21:15:02 +0000 (22:15 +0100)]
[RELEASE] Released version 1.5-dev4
Released version 1.5-dev4 with the following main changes :
- [MINOR] cfgparse: Check whether the path given for the stats socket actually fits into the sockaddr_un structure to avoid truncation.
- [MINOR] unix sockets : inherits the backlog size from the listener
- [CLEANUP] unix sockets : move create_uxst_socket() in uxst_bind_listener()
- [DOC] fix a minor typo
- [DOC] fix ignore-persist documentation
- [MINOR] add warnings on features not compatible with multi-process mode
- [BUG] http: fix http-pretend-keepalive and httpclose/tunnel mode
- [MINOR] stats: add support for several packets in stats admin
- [BUG] stats: admin commands must check the proxy state
- [BUG] stats: admin web interface must check the proxy state
- [MINOR] http: add pattern extraction method to stick on query string parameter
- [MEDIUM] add internal support for IPv6 server addresses
- [MINOR] acl: add be_id/srv_id to match backend's and server's id
- [MINOR] log: add support for passing the forwarded hostname
- [MINOR] log: ability to override the syslog tag
- [MINOR] checks: add PostgreSQL health check
- [DOC] update ROADMAP file
- [BUILD] pattern: use 'int' instead of 'int32_t'
- [OPTIM] linux: add support for bypassing libc to force using vsyscalls
- [BUG] debug: report the correct poller list in verbose mode
- [BUG] capture: do not capture a cookie if there is no memory left
- [BUG] appsession: fix possible double free in case of out of memory
- [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process
- [BUG] http: correctly update the header list when removing two consecutive headers
- [BUILD] add the CPU=native and ARCH=32/64 build options
- [BUILD] add -fno-strict-aliasing to fix warnings with gcc >= 4.4
- [CLEANUP] hash: move the avalanche hash code globally available
- [MEDIUM] hash: add support for an 'avalanche' hash-type
- [DOC] update roadmap file
- [BUG] http: do not re-enable the PROXY analyser on keep-alive
- [OPTIM] http: don't send each chunk in a separate packet
- [DOC] fix minor typos reported recently in the peers section
- [DOC] fix another typo in the doc
- [MINOR] stats: report HTTP message state and buffer flags in error dumps
- [BUG] http chunking: don't report a parsing error on connection errors
- [BUG] stream_interface: truncate buffers when sending error messages
- [MINOR] http: support wrapping messages in error captures
- [MINOR] http: capture incorrectly chunked message bodies
- [MINOR] stats: add global event ID and count
- [BUG] http: analyser optimizations broke pipelining
- [CLEANUP] frontend: only apply TCP-specific settings to TCP/TCP6 sockets
- [BUG] http: fix incorrect error reporting during data transfers
- [CRITICAL] session: correctly leave turn-around and queue states on abort
- [BUG] session: release slot before processing pending connections
- [MINOR] tcp: add support for dynamic MSS setting
- [BUG] stick-table: correctly terminate string keys during lookups
- [BUG] acl: fix handling of empty lines in pattern files
- [BUG] stick-table: use the private buffer when padding strings
- [BUG] ebtree: fix ebmb_lookup() with len smaller than the tree's keys
- [OPTIM] ebtree: ebmb_lookup: reduce stack usage by moving the return code out of the loop
- [OPTIM] ebtree: inline ebst_lookup_len and ebis_lookup_len
- [REVERT] undo the stick-table string key lookup fixes
- [MINOR] http: improve url_param pattern extraction to ignore empty values
- [BUILD] frontend: shut a warning with TCP_MAXSEG
- [BUG] http: update the header list's tail when removing the last header
- [DOC] fix minor typo in the proxy protocol doc
- [DOC] fix typos (http-request instead of http-check)
- [BUG] http: use correct ACL pointer when evaluating authentication
- [BUG] cfgparse: correctly count one socket per port in ranges
- [BUG] startup: set the rlimits before binding ports, not after.
- [BUG] acl: srv_id must return no match when the server is NULL
- [MINOR] acl: add ability to check for internal response-only parameters
- [MINOR] acl: srv_id is only valid in responses
- [MINOR] config: warn if response-only conditions are used in "redirect" rules
- [BUG] acl: fd leak when reading patterns from file
- [DOC] fix minor typo in "usesrc"
- [BUG] http: fix possible incorrect forwarded wrapping chunk size
- [BUG] http: fix computation of message body length after forwarding has started
- [BUG] http: balance url_param did not work with first parameters on POST
- [TESTS] update the url_param regression test to test check_post too
- [DOC] update ROADMAP
- [DOC] internal: reflect the fact that SI_ST_ASS is transient
- [BUG] config: don't crash on empty pattern files.
- [MINOR] stream_interface: make use of an applet descriptor for IO handlers
- [REORG] stream_interface: move the st0, st1 and private members to the applet
- [REORG] stream_interface: split the struct members in 3 parts
- [REORG] session: move client and server address to the stream interface
- [REORG] tcp: make tcpv4_connect_server() take the target address from the SI
- [MEDIUM] stream_interface: store the target pointer and type
- [CLEANUP] stream_interface: remove the applet.handler pointer
- [MEDIUM] log: take the logged server name from the stream interface
- [CLEANUP] session: remove data_source from struct session
- [CLEANUP] stats: make all dump functions only rely on the stream interface
- [REORG] session: move the data_ctx struct to the stream interface's applet
- [MINOR] proxy: add PR_O2_DISPATCH to detect dispatch mode
- [MINOR] cfgparse: only keep one of dispatch, transparent, http_proxy
- [MINOR] session: add a pointer to the new target into the session
- [MEDIUM] session: remove s->prev_srv which is not needed anymore
- [CLEANUP] stream_interface: use inline functions to manipulate targets
- [MAJOR] session: remove the ->srv pointer from struct session
- [MEDIUM] stats: split frontend and backend stats
- [MEDIUM] http: always evaluate http-request rules before stats http-request
- [REORG] http: move the http-request rules to proto_http
- [BUG] http: stats were not incremented on http-request deny
- [MINOR] checks: report it if checks fail due to socket creation error
Willy Tarreau [Wed, 9 Mar 2011 19:38:33 +0000 (20:38 +0100)]
[MINOR] checks: report it if checks fail due to socket creation error
If the check fails for a low-level socket error (eg: address family not
supportd), we currently ignore the status. We must report the error and
declare a failed health check in this case. The only real reason for this
would be when an IPv6 check is required on an IPv4-only system.
Willy Tarreau [Thu, 6 Jan 2011 16:51:27 +0000 (17:51 +0100)]
[REORG] http: move the http-request rules to proto_http
And also rename "req_acl_rule" "http_req_rule". At the beginning that
was a bit confusing to me, especially the "req_acl" list which in fact
holds what we call rules. After some digging, it appeared that some
part of the code is 100% HTTP and not just related to authentication
anymore, so let's move that part to HTTP and keep the auth-only code
in auth.c.
Willy Tarreau [Thu, 6 Jan 2011 15:53:21 +0000 (16:53 +0100)]
[MEDIUM] http: always evaluate http-request rules before stats http-request
Right now, http-request rules are not evaluated if the URL matches the
stats request. This is quite unexpected. For instance, in the config
below, an abuser present in the abusers list will not be prevented access
to the stats.
listen pub
bind :8181
acl abuser src -f abusers.lst
http-request deny if abuser
stats uri /stats
It is not a big deal but it's not documented as such either. For 1.5, let's
have both lists be evaluated in turn, until one blocks. For 1.4 we'll simply
update the doc to indicate that.
Also instead of duplicating the code, the patch factors out the list walking
code. The HTTP auth has been moved slightly earlier, because it was set after
the header addition code, but we don't need to add headers to a request we're
dropping.
Willy Tarreau [Thu, 10 Mar 2011 22:25:56 +0000 (23:25 +0100)]
[MEDIUM] stats: split frontend and backend stats
It's very annoying that frontend and backend stats are merged because we
don't know what we're observing. For instance, if a "listen" instance
makes use of a distinct backend, it's impossible to know what the bytes_out
means.
Some points take care of not updating counters twice if the backend points
to the frontend, indicating a "listen" instance. The thing becomes more
complex when we try to add support for server side keep-alive, because we
have to maintain a pointer to the backend used for last request, and to
update its stats. But we can't perform such comparisons anymore because
the counters will not match anymore.
So in order to get rid of this situation, let's have both frontend AND
backend stats in the "struct proxy". We simply update the relevant ones
during activity. Some of them are only accounted for in the backend,
while others are just for frontend. Maybe we can improve a bit on that
later, but the essential part is that those counters now reflect what
they really mean.
[MEDIUM] add internal support for IPv6 server addresses
This patch turns internal server addresses to sockaddr_storage to
store IPv6 addresses, and makes the connect() function use it. This
code already works but some caveats with getaddrinfo/gethostbyname
still need to be sorted out while the changes had to be merged at
this stage of internal architecture changes. So for now the config
parser will not emit an IPv6 address yet so that user experience
remains unchanged.
This change should have absolutely zero user-visible effect, otherwise
it's a bug introduced during the merge, that should be reported ASAP.
Willy Tarreau [Thu, 10 Mar 2011 10:42:13 +0000 (11:42 +0100)]
[MEDIUM] session: remove s->prev_srv which is not needed anymore
s->prev_srv is used by assign_server() only, but all code paths leading
to it now take s->prev_srv from the existing s->srv. So assign_server()
can do that copy into its own stack.
If at one point a different srv is needed, we still have a copy of the
last server on which we failed a connection attempt in s->target.
Willy Tarreau [Thu, 10 Mar 2011 10:38:29 +0000 (11:38 +0100)]
[MINOR] session: add a pointer to the new target into the session
When dealing with HTTP keep-alive, we'll have to know if we can reuse
an existing connection. For that, we'll have to check if the current
connection was made on the exact same target (referenced in the stream
interface).
Thus, we need to first assign the next target to the session, then
copy it to the stream interface upon connect(). Later we'll check for
equivalence between those two operations.
Willy Tarreau [Fri, 4 Mar 2011 16:30:54 +0000 (17:30 +0100)]
[MINOR] cfgparse: only keep one of dispatch, transparent, http_proxy
Since all of them are defined as proxy options, it's better to ensure
that at most one of them is enabled at once. The priority has been set
according to what is already performed in the backend :
Willy Tarreau [Fri, 4 Mar 2011 21:44:16 +0000 (22:44 +0100)]
[MINOR] proxy: add PR_O2_DISPATCH to detect dispatch mode
Till now we used the fact that the dispatch address was not null to use
the dispatch mode. This is very unconvenient, so let's have a dedicated
option.
Willy Tarreau [Thu, 10 Mar 2011 10:25:07 +0000 (11:25 +0100)]
[REORG] session: move the data_ctx struct to the stream interface's applet
This is in fact where those parts belong to. The old data_state was replaced
by applet.state and is now initialized when the applet is registered. It's
worth noting that the applet does not need to know the session nor the
buffer anymore since everything is brought by the stream interface.
It is possible that having a separate applet struct would simplify the
code but that's not a big deal.
Willy Tarreau [Sun, 13 Feb 2011 13:30:26 +0000 (14:30 +0100)]
[MEDIUM] log: take the logged server name from the stream interface
With HTTP keep-alive, logging the right server name will be quite
complex because the assigned server will possibly change before we log.
Also, when we want to log accesses to an applet, it's not easy because
the applet becomes NULL again before logging.
The logged server's name is now taken from the target stored in the
stream interface. That way we can log an applet, a server name, or we
could even log a proxy or anything else if we wanted to. Ideally the
session should contain a desired target which is the one which should
be logged.
Willy Tarreau [Thu, 10 Mar 2011 10:17:02 +0000 (11:17 +0100)]
[CLEANUP] stream_interface: remove the applet.handler pointer
Now that we have the target pointer and type in the stream interface,
we don't need the applet.handler pointer anymore. That makes the code
somewhat cleaner because we know we're dealing with an applet by checking
its type instead of checking the pointer is not null.
Willy Tarreau [Fri, 4 Mar 2011 21:04:29 +0000 (22:04 +0100)]
[MEDIUM] stream_interface: store the target pointer and type
When doing a connect() on a stream interface, some information is needed
from the server and from the backend. In some situations, we don't have
a server and only a backend (eg: peers). In other cases, we know we have
an applet and we don't want to connect to anything, but we'd still like
to have the info about the applet being used.
For this, we now store a pointer to the "target" into the stream interface.
The target describes what's on the other side before trying to connect. It
can be a server, a proxy or an applet for now. Later we'll probably have
descriptors for multiple-stage chains so that the final information may
still be found.
This will help removing many specific cases in the code. It already made
it possible to remove the "srv" and "be" parameters to tcpv4_connect_server().
Willy Tarreau [Thu, 3 Mar 2011 16:08:11 +0000 (17:08 +0100)]
[REORG] stream_interface: split the struct members in 3 parts
Those 3 parts are the buffer side, the remote side and the communication
functions. This change has no functional effect but is needed to proceed
further.
Willy Tarreau [Sun, 13 Feb 2011 12:16:36 +0000 (13:16 +0100)]
[MINOR] stream_interface: make use of an applet descriptor for IO handlers
I/O handlers are still delicate to manipulate. They have no type, they're
just raw functions which have no knowledge of themselves. Let's have them
declared as applets once for all. That way we can have multiple applets
share the same handler functions and we can store their names there. When
we later need to add more parameters (eg: usage stats), we'll be able to
do so in the applets themselves.
The CLI functions has been prefixed with "cli" instead of "stats" as it's
clearly what is going on there.
The applet descriptor in the stream interface should get all the applet
specific data (st0, ...) but this will be done in the next patch so that
we don't pollute this one too much.
Willy Tarreau [Wed, 9 Mar 2011 06:27:02 +0000 (07:27 +0100)]
[BUG] config: don't crash on empty pattern files.
Both Hank A. Paulson and Rob at pixsense reported a crash when
loading ACLs from a pattern file which contains empty lines.
From the tests, it appears that only files that contain nothing
but empty lines are causing that (in the past they would have had
their line feeds loaded as patterns).
The crash happens in the free_pattern() call which doesn't like to
be called with a NULL pattern. Let's make it accept it so that it's
more in line with the standard uses of free() which ignores NULLs.
Cyril Bonté [Thu, 3 Mar 2011 20:05:17 +0000 (21:05 +0100)]
[BUG] stats: admin web interface must check the proxy state
Similar to the stats socket bug, we must check that the proxy is not disabled
before trying to enable/disable a server.
Even if a disabled proxy is not displayed, someone can inject a faulty proxy
name in the POST parameters. So, we must ensure that no disabled proxy can be
used.
Willy Tarreau [Tue, 1 Mar 2011 19:35:49 +0000 (20:35 +0100)]
[BUG] http: balance url_param did not work with first parameters on POST
Bryan Talbot reported that POST requests with a query string were not
correctly processed if the hash parameter was the first one, because
the delimiter that was looked for to trigger the parsing was '&' instead
of '?'.
Also, while checking the code, it became apparent that it was enough for
a query string to be present in the request for POST parameters to be
ignored, even if the url_param was in the body and not in the URL.
The code has then been fixed like this :
1) look for URL param. If found, return it.
2) if no URL param was found and method is POST, then look it up into
the body
The code now seems to pass all request combinations.
This patch must be backported to 1.4 since 1.4 is equally broken right now.
Willy Tarreau [Tue, 1 Mar 2011 19:30:48 +0000 (20:30 +0100)]
[BUG] http: fix computation of message body length after forwarding has started
Till now, the forwarding code was making use of the hdr_content_len member
to hold the size of the last chunk parsed. As such, it was reset after being
scheduled for forwarding. The issue is that this entry was reset before the
data could be viewed by backend.c in order to parse a POST body, so the
"balance url_param check_post" did not work anymore.
In order to fix this, we need two things :
- the chunk size (reset upon every forward)
- the total body size (not reset)
hdr_content_len was thus replaced by the former (hence the size of the patch)
as it makes more sense to have it stored that way than the way around.
This patch should be backported to 1.4 with care, considering that it affects
the forwarding code.
Willy Tarreau [Tue, 1 Mar 2011 19:04:36 +0000 (20:04 +0100)]
[BUG] http: fix possible incorrect forwarded wrapping chunk size
It seems like if a response message is chunked and the chunk size wraps
at the end of the buffer and the crlf sequence is incomplete, then we
can forward a wrong chunk size due to incorrect handling of the wrapped
size. It seems extremely unlikely to occur on real traffic (no reason to
have half of the CRLF after a chunk) but nothing prevents it from being
possible.
Willy Tarreau [Wed, 16 Feb 2011 10:10:36 +0000 (11:10 +0100)]
[BUG] startup: set the rlimits before binding ports, not after.
As reported by the Loadbalancer.org team, it was not possible to bind
more than 1024 ports. This is because the process' limits were set after
trying to bind the sockets, which defeats their purpose.
Willy Tarreau [Wed, 16 Feb 2011 10:08:57 +0000 (11:08 +0100)]
[BUG] cfgparse: correctly count one socket per port in ranges
We used to only count one socket instead of one per listener. This makes
the socket count wrong, preventing from automatically computing the proper
number of sockets to bind.
Cyril Bonté [Thu, 10 Feb 2011 21:54:44 +0000 (22:54 +0100)]
[MINOR] stats: add support for several packets in stats admin
Some browsers send POST requests in several packets, which was not supported
by the "stats admin" function.
This patch allows to wait for more data when they are not fully received
(we are still limited to a certain size defined by the buffer size minus its
reserved space).
It also adds support for the "Expect: 100-Continue" header.
Willy Tarreau [Sat, 12 Feb 2011 12:07:35 +0000 (13:07 +0100)]
[BUG] http: update the header list's tail when removing the last header
Stefan Behte reported a strange case where depending on the position of
the Connection header in the header list, some headers added after it
were or were not usable in "balance hdr()". The reason is that when the
last header is removed, the list's tail was not updated, so any header
added after that one was not visible from the list.
This fix must be backported to 1.4 and possibly 1.3.
Andreas Kohn [Wed, 19 Jan 2011 19:29:32 +0000 (20:29 +0100)]
[MINOR] cfgparse: Check whether the path given for the stats socket actually fits into the sockaddr_un structure to avoid truncation.
while working further on the changes to allow for dynamic
adding/removing of backend servers we noticed a potential problem: the
path given for the 'stats socket' global option may get truncated when
copying it into the sockaddr_un.sun_path field.
Attached patch checks the length, and reports an error if truncation
would happen.
This issue was noticed by Joerg Sonnenberger <joerg@NetBSD.org>.
Willy Tarreau [Tue, 4 Jan 2011 13:57:34 +0000 (14:57 +0100)]
[MINOR] http: improve url_param pattern extraction to ignore empty values
It's better to avoid sticking on empty parameter values, as this almost
always indicates a missing parameter. Otherwise it's easy to enter a
situation where all new visitors stick to the same server.
These fixes were wrong. They worked but they were fixing the symptom
instead of the root cause of the problem. The real issue was in the
ebtree lookup code and it has been fixed now so these patches are not
needed anymore. It's better not to copy memory blocks when we don't
need to, so let's revert them.
Willy Tarreau [Tue, 4 Jan 2011 13:33:13 +0000 (14:33 +0100)]
[OPTIM] ebtree: inline ebst_lookup_len and ebis_lookup_len
(from ebtree 6.0.5)
Both of them are very short and rely on another non-inlined lookup function,
so it's pointless to have them as pure functions, it wastes space.
(cherry picked from commit 1e68d6fef815f759304d4cc0e65f957689e19a7a)
Willy Tarreau [Tue, 4 Jan 2011 13:07:36 +0000 (14:07 +0100)]
[OPTIM] ebtree: ebmb_lookup: reduce stack usage by moving the return code out of the loop
(from ebtree 6.0.5)
Last bugfix has introduced a de-optimization in the lookup function because
it artificially extended the scope of some local variables, which resulted in
higher stack usage and more numerous moves between stack and registers.
We can reduce that by moving the return code out of the loop, because gcc
notices that it never needs both "troot" and "node" at the same time and
can use the same register for both. Doing so has reduced the code size by
39 bytes for the lookup function alone, and has sensibly reduced the
instruction dependencies caused by data moves.
(cherry picked from commit 59be3cdb96296b65a57aff30cc203269f9a94ebe)
It should be backported to 1.4 if previous ebtree fix is backported.
Willy Tarreau [Tue, 4 Jan 2011 12:21:06 +0000 (13:21 +0100)]
[BUG] ebtree: fix ebmb_lookup() with len smaller than the tree's keys
(from ebtree 6.0.5)
ebmb_lookup() is used by ebst_lookup_len() to lookup a string starting
with a known substring. Since the substring does not necessarily end
with a zero, we must absolutely ensure that the comparison stops at
<len> bytes, otherwise we can end up comparing crap and most often
returning the wrong node in case of multiple matches.
Willy Tarreau [Tue, 4 Jan 2011 05:29:44 +0000 (06:29 +0100)]
[BUG] stick-table: use the private buffer when padding strings
Commit 035da6d1b0c436b85add48bc22120aa814c9cab9 was incorrect as it
could modify a live buffer. We must first ensure that we're on the
private buffer or perform a copy before modifying the data.
Willy Tarreau [Mon, 3 Jan 2011 20:04:10 +0000 (21:04 +0100)]
[BUG] acl: fix handling of empty lines in pattern files
Gabriel Sosa reported that haproxy unexpectedly reports an error
when a pattern file loaded by an ACL contains an empty line. The
test was present but inefficient as it did not consider the '\n'
as the end of the line. This fix relies on the line length instead.
Willy Tarreau [Sun, 2 Jan 2011 18:31:23 +0000 (19:31 +0100)]
[BUG] stick-table: correctly terminate string keys during lookups
If a key to be looked up is extracted from data without being padded
and if it matches the beginning of another stored key, it is not
found in subsequent lookups because it does not end with a zero.
This bug was discovered and diagnosed by David Cournapeau.
Kevinm [Wed, 22 Dec 2010 16:08:21 +0000 (16:08 +0000)]
[MINOR] log: ability to override the syslog tag
One of the requirements we have is to run multiple instances of haproxy on a
single host; this is so that we can split the responsibilities (and change
permissions) between product teams. An issue we ran up against is how we
would distinguish between the logs generated by each instance. The solution
we came up with (please let me know if there is a better way) is to override
the application tag written to syslog. We can then configure syslog to write
these to different files.
I have attached a patch adding a global option 'log-tag' to override the
default syslog tag 'haproxy' (actually defaults to argv[0]).
Willy Tarreau [Fri, 24 Dec 2010 14:26:39 +0000 (15:26 +0100)]
[MINOR] tcp: add support for dynamic MSS setting
By passing a negative value to the "mss" argument of "bind" lines, it
becomes possible to subtract this value to the MSS advertised by the
client, which results in segments smaller than advertised. The effect
is useful with some TCP stacks which ACK less often when segments are
not full, because they only ACK every other full segment as suggested
by RFC1122.
NOTE: currently this has no effect on Linux kernel 2.6, a kernel patch
is still required to change the MSS of established connections.
Joe Williams [Wed, 29 Dec 2010 16:05:48 +0000 (17:05 +0100)]
[MINOR] log: add support for passing the forwarded hostname
Haproxy does not include the hostname rather the IP of the machine in
the syslog headers it sends. Unfortunately this means that for each log
line rsyslog does a reverse dns on the client IP and in the case of
non-routable IPs one gets the public hostname not the internal one.
While this is valid according to RFC3164 as one might imagine this is
troublsome if you have some machines with public IPs, internal IPs, no
reverse DNS entries, etc and you want a standardized hostname based log
directory structure. The rfc says the preferred value is the hostname.
This patch adds a global "log-send-hostname" statement which accepts an
optional string to force the host name. If unset, the local host name
is used.
Cyril Bonté [Wed, 29 Dec 2010 08:36:56 +0000 (09:36 +0100)]
[BUG] http: fix http-pretend-keepalive and httpclose/tunnel mode
Since haproxy 1.4.9, combining option httpclose and option
http-pretend-keepalive can leave the connections opened until the backend
keep-alive timeout is reached, providing bad performances.
The same can occur when the proxy is in tunnel mode.
This patch ensures that the server side connection is closed after the
response and ignore http-pretend-keepalive in tunnel mode.
Willy Tarreau [Wed, 29 Dec 2010 13:32:28 +0000 (14:32 +0100)]
[BUG] session: release slot before processing pending connections
When a connection error is encountered on a server and the server's
connection pool is full, pending connections are not woken up because
the current connection is still accounted for on the server, so it
still appears full. This becomes visible on a server which has
"maxconn 1" because the pending connections will only be able to
expire in the queue.
Now we take care of releasing our current connection before trying to
offer it to another pending request, so that the server can accept a
next connection.
Willy Tarreau [Wed, 29 Dec 2010 13:03:02 +0000 (14:03 +0100)]
[CRITICAL] session: correctly leave turn-around and queue states on abort
When a client connection aborts while the server-side connection is in
turn-around after a failed connection attempt, the turn-around timeout
is reset in shutw() but the state is not changed. The session then
remains stuck in this state forever. Change the QUE and TAR states to
DIS just as we do for CER to fix this.
Willy Tarreau [Wed, 29 Dec 2010 10:23:27 +0000 (11:23 +0100)]
[BUG] http: fix incorrect error reporting during data transfers
We've had several issues related to data transfers. First, if a
client aborted an upload before the server started to respond, it
would get a 502 followed by a 400. The same was true (in the other
way around) if the server suddenly aborted while the client was
uploading the data.
The flags reported in the logs were misleading. Request errors could
be reported while the transfer was stopped during the data phase. The
status codes could also be overwritten by a 400 eventhough the start
of the response was transferred to the client.
The stats were also wrong in case of data aborts. The server or the
client could sometimes be miscredited for being the author of the
abort depending on where the abort was detected. Some client aborts
could also be accounted as request errors and some server aborts as
response errors.
Now it seems like all such issues are fixed. Since we don't have a
specific state for data flowing from the client to the server
before the server responds, we're still counting the client aborted
transfers as "CH", and they become "CD" when the server starts to
respond. Ideally a "P" state would be desired.
HTTP pipelining currently needs to monitor the response buffer to wait
for some free space to be able to send a response. It was not possible
for the HTTP analyser to be called based on response buffer activity.
Now we introduce a new buffer flag BF_WAKE_ONCE which is set when the
HTTP request analyser is set on the response buffer and some activity
is detected. This is not clean at all but once of the only ways to fix
the issue before we make it possible to register events for analysers.
Also it appeared that one realign condition did not cover all cases.
Cyril Bonté [Tue, 14 Dec 2010 21:48:49 +0000 (22:48 +0100)]
[MINOR] add warnings on features not compatible with multi-process mode
Using haproxy in multi-process mode (nbproc > 1), some features can be
not fully compatible or not work at all. haproxy will now display a warning on
startup for :
- appsession
- sticking rules
- stats / stats admin
- stats socket
- peers (fatal error in that case)
Cyril Bonté [Tue, 14 Dec 2010 21:48:23 +0000 (22:48 +0100)]
[DOC] fix ignore-persist documentation
During the documentation of the "ignore-persist" keyword, I documented an
invalid "option ignore-persist" and forgot to remove it. It's time to fix it.
Willy Tarreau [Sun, 12 Dec 2010 13:00:34 +0000 (14:00 +0100)]
[MINOR] stats: add global event ID and count
This counter will help quickly spot whether there are new errors or not.
It is also assigned to each capture so that a script can keep trace of
which capture was taken when.
It is possible to block on incorrectly chunked requests or responses,
but this becomes very hard to debug when it happens once in a while.
This patch adds the ability to also capture incorrectly chunked requests
and responses. The chunk will appear in the error buffer and will be
verifiable with the usual "show errors". The incorrect byte will match
the error location.
Willy Tarreau [Sun, 12 Dec 2010 12:09:08 +0000 (13:09 +0100)]
[MINOR] http: support wrapping messages in error captures
Error captures did only support contiguous messages. This is annoying
for capturing chunking errors, so let's ensure the function is able to
copy wrapped messages.
Willy Tarreau [Sun, 12 Dec 2010 12:06:00 +0000 (13:06 +0100)]
[BUG] stream_interface: truncate buffers when sending error messages
When an error message is returned to a client, all buffer contents
were left intact. Since the analysers were removed, the potentially
invalid data that were read had a chance to be sent too.
Now we ensure we only keep the already scheduled data in the buffer
and we truncate it after that. That means that responses with data
that must be blocked will really be blocked, and that incorrectly
chunked data will be stopped at the point where the chunking fails.
Willy Tarreau [Sun, 12 Dec 2010 11:50:05 +0000 (12:50 +0100)]
[BUG] http chunking: don't report a parsing error on connection errors
When haproxy parses chunk-encoded data that are scheduled to be sent, it is
possible that the other end is closed (mainly due to a client abort returning
as an error). The message state thus changes to HTTP_MSG_ERROR and the error
is reported as a chunk parsing error ("PD--") while it is not. Detect this
case before setting the flags and set the appropriate flag in this case.
Willy Tarreau [Sun, 12 Dec 2010 11:46:33 +0000 (12:46 +0100)]
[MINOR] stats: report HTTP message state and buffer flags in error dumps
Debugging parsing errors can be greatly improved if we know what the parser
state was and what the buffer flags were (especially for closed inputs/outputs
and full buffers). Let's add that to the error snapshots.
Willy Tarreau [Wed, 1 Dec 2010 23:37:14 +0000 (00:37 +0100)]
[OPTIM] http: don't send each chunk in a separate packet
When forwarding chunk-encoded data, each chunk gets a TCP PUSH flag when
going onto the wire simply because the send() function does not know that
some data remain after it (next chunk). Now we set the BF_EXPECT_MORE flag
on the buffer if the chunk size is not null. That way we can reduce the
number of packets sent, which is particularly noticeable when forwarding
compressed data, especially as it requires less ACKs from the client.
Willy Tarreau [Wed, 24 Nov 2010 14:04:29 +0000 (15:04 +0100)]
[MEDIUM] hash: add support for an 'avalanche' hash-type
When the number of servers is a multiple of the size of the input set,
map-based hash can be inefficient. This typically happens with 64
servers when doing URI hashing. The "avalanche" hash-type applies an
avalanche hash before performing a map lookup in order to smooth the
distribution. The result is slightly less smooth than the map for small
numbers of servers, but still better than the consistent hashing.
Willy Tarreau [Wed, 24 Nov 2010 13:01:45 +0000 (14:01 +0100)]
[CLEANUP] hash: move the avalanche hash code globally available
We'll use this hash at other places, let's make it globally available.
The function has also been renamed because its "chash_hash" name was
not appropriate.
Willy Tarreau [Sun, 28 Nov 2010 07:28:15 +0000 (08:28 +0100)]
[BUILD] add -fno-strict-aliasing to fix warnings with gcc >= 4.4
Gcc 4.4 enables strict aliasing by default, resuling in complaints
when casting struct sockaddr_storage to sockaddr_in. Not only doing
this does not provide any noticeable performance improvement, it also
presents a risk of strange bugs even when the compiler does not emit
a warning, so let's disable this optimization !
Willy Tarreau [Sun, 28 Nov 2010 06:41:00 +0000 (07:41 +0100)]
[BUILD] add the CPU=native and ARCH=32/64 build options
Hank A. Paulson suggested to add CPU=native to optimize the code for
the build machine. This makes sense in a lot of situations. Since it
is often possible to have both 32 and 64 bits supported on recent
systems, the ARCH=32 and ARCH=64 build options were also added.
Willy Tarreau [Sun, 28 Nov 2010 05:57:24 +0000 (06:57 +0100)]
[BUG] http: correctly update the header list when removing two consecutive headers
When a header is removed, the previous header's next pointer is updated
to reflect the next of the current header. However, when cycling through
the loop, we update the prev pointer to point to the deleted header, which
means that if we delete another header, it's the deleted header's next
pointer that will be updated, leaving the deleted header in the list with
a null length, which is forbidden.
We must just not update the prev pointer after a removal.
This bug was present when either "reqdel" and "rspdel" removed two consecutive
headers. It could also occur when removing cookies in either requests or
responses, but since headers were the last header processing, the issue
remained unnoticed.
Willy Tarreau [Wed, 24 Nov 2010 17:31:28 +0000 (18:31 +0100)]
[CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process
Cookies in indirect mode are removed from the cookie header. Three pointers
ought to be updated when appsession cookies are processed next, but were not.
The result is that a memcpy() can be called with a negative value causing the
process to crash. It is not sure whether this can be remotely exploited or not.
(cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213)
Willy Tarreau [Fri, 19 Nov 2010 10:29:06 +0000 (11:29 +0100)]
[BUG] appsession: fix possible double free in case of out of memory
In out of memory conditions, the ->destroy function would free all
possibly allocated pools from the current appsession, including those
that were not yet allocated nor assigned, which used to point to a
previous allocation, obviously resulting in a segfault.
(cherry picked from commit 75eae485921d3a6ce197915c769673834ecbfa5c)
Willy Tarreau [Fri, 19 Nov 2010 10:27:18 +0000 (11:27 +0100)]
[BUG] capture: do not capture a cookie if there is no memory left
In case of out of memory, it was possible to write to a null pointer
when capturing response cookies due to a missing "else" block. The
request handling was fine though.
(cherry picked from commit 62e3604d7dd27741c0b4c9e27d9e7c73495dfc32)
Willy Tarreau [Fri, 19 Nov 2010 09:20:36 +0000 (10:20 +0100)]
[BUG] debug: report the correct poller list in verbose mode
When running with -vv or -V -d, the list of usable polling systems
is reported. The final selection did not take into account the
possible failures during the tests, which is misleading and could
make one think that a non-working poller will be used, while it is
not the case. Fix that to really report the correct ones.
(cherry picked from commit 6d0e354e0171f08b7b3868ad2882c3663bd068a7)
Cyril Bonté [Sun, 14 Nov 2010 16:03:18 +0000 (17:03 +0100)]
[MINOR] unix sockets : inherits the backlog size from the listener
Since unix sockets are supported for bind, the default backlog size was not
enough to accept the traffic. The size is now inherited from the listener
to behave like the tcp listeners.
This also affects the "stats socket" backlog, which is now determined by
"stats maxconn".
Willy Tarreau [Sun, 14 Nov 2010 16:09:33 +0000 (17:09 +0100)]
[OPTIM] linux: add support for bypassing libc to force using vsyscalls
Some distros' libc are built for CPUs earlier than i686 and as such do
not offer support for Linux kernel's faster vsyscalls. This code adds
a new build option USE_VSYSCALLS to bypass libc for most commonly used
system calls. A net gain of about 10% can be observed with this change
alone.
It only works when /proc/sys/abi/vsyscall32 equals exactly 2. When it's
set to 1, the VDSO is randomized and cannot be used.
Willy Tarreau [Sun, 14 Nov 2010 13:24:27 +0000 (14:24 +0100)]
[BUILD] pattern: use 'int' instead of 'int32_t'
Ross West reported that int32_t breaks compilation on FreeBSD. Since an
int is 32-bit on all supported platforms and we already rely on that,
change the type.
projects / thirdparty / haproxy.git / log
