
Random crash (segfault, double free, ...) with a mix of SSL + cipherlist hash (1 reply)

Hi,

When I use SSL requests with the cipherlist hash enabled, HAProxy
randomly crashes:

- segfault
- double free
- munmap_chunk(): invalid pointer

I think that is memory corruption.

I read the "cipherlist hash" code and added some printfs, but I do not
detect any memory overwrite.

When I comment out the following line, the bug disappears:

SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);

The crash happens with many versions of openssl:

- 1.0.2j (home build)
- 1.0.1t-1+deb7u4
- 1.0.1t-1+deb8u8
- 1.0.2g-1ubuntu4.12

cipherlist hash is available from 1.8. The bug appears with current 1.8
and current 1.9dev.

I attach some files:

- bug36.build.sh : build script
- bug36.run.sh : run haproxy command
- bug36.request.sh : curl request
- bug36.conf : minimal conf which reproduces the problem
- bug36.pem : random self-signed certificate

Just execute some requests, and the bug is reproduced.

BR,
Thierry

[PATCH] MINOR: crypto: Add digest and hmac converters (4 replies)

Make the digest and HMAC functions of OpenSSL accessible to the user via
converters. They can be used, for example, to sign and validate cookies.
---
Makefile | 2 +-
src/crypto.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 1 deletion(-)
create mode 100644 src/crypto.c

diff --git a/Makefile b/Makefile
index 5d170041..9a3a5024 100644
--- a/Makefile
+++ b/Makefile
@@ -609,7 +609,7 @@ OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
ifneq ($(USE_DL),)
OPTIONS_LDFLAGS += -ldl
endif
-OPTIONS_OBJS += src/ssl_sock.o
+OPTIONS_OBJS += src/crypto.o src/ssl_sock.o
endif

# The private cache option affect the way the shctx is built
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 00000000..dcb343dc
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,84 @@
+/*
+ * Crypto converters
+ *
+ * Copyright 2018 Patrick Gansterer <paroga@paroga.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <common/chunk.h>
+
+#include <proto/arg.h>
+#include <proto/sample.h>
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+static int sample_conv_crypto_digest(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ if (!ctx)
+ return 0;
+ if (!evp)
+ return 0;
+
+ if (!EVP_DigestInit(ctx, evp) ||
+ !EVP_DigestUpdate(ctx, smp->data.u.str.str, smp->data.u.str.len) ||
+ !EVP_DigestFinal(ctx, md, &md_len)) {
+ EVP_MD_CTX_free(ctx);
+ return 0;
+ }
+
+ EVP_MD_CTX_free(ctx);
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, void *private)
+{
+ struct chunk *trash = get_trash_chunk();
+ const EVP_MD *evp = EVP_get_digestbyname(args[0].data.str.str);
+ const char* key = args[1].data.str.str;
+ int key_len = args[1].data.str.len;
+ unsigned char *md = (unsigned char*) trash->str;
+ unsigned int md_len = trash->size;
+
+ trash->len = 0;
+
+ if (!evp)
+ return 0;
+
+ if (!HMAC(evp, key, key_len, (const unsigned char*) smp->data.u.str.str, smp->data.u.str.len, md, &md_len))
+ return 0;
+
+ trash->len = md_len;
+ smp->data.u.str = *trash;
+ smp->data.type = SMP_T_BIN;
+ smp->flags &= ~SMP_F_CONST;
+ return 1;
+}
+
+static struct sample_conv_kw_list sample_conv_kws = {ILH, {
+ { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { "hmac", sample_conv_crypto_hmac, ARG2(2,STR,STR), NULL, SMP_T_BIN, SMP_T_BIN },
+ { /* END */ },
+}};
+
+__attribute__((constructor))
+static void __crypto_init(void)
+{
+ sample_register_convs(&sample_conv_kws);
+}
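Review bot: sample_conv_crypto_digest() leaks the context on the unknown-digest path: EVP_MD_CTX_new() runs before the `if (!evp) return 0;` check, so a misspelled algorithm name leaks one EVP_MD_CTX per call; either check EVP_get_digestbyname() before allocating or free ctx on that path. EVP_MD_CTX_new()/EVP_MD_CTX_free() only exist from OpenSSL 1.1.0 (1.0.x spells them EVP_MD_CTX_create()/EVP_MD_CTX_destroy()), so this file will not build against the 1.0.1/1.0.2 versions still reported on this list; the project's OpenSSL compatibility header is the place for that shim. The converters also come with no doc/configuration.txt entry, and the doc should say that the hmac key argument is taken verbatim from the configuration, since that key is a secret that then lives in the config file.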
--
2.17.1
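Added reference computation in Python (not HAProxy code and not part of the patch): it mirrors what the proposed digest(<algo>) and hmac(<algo>,<key>) converters compute, so their output can be checked against known vectors, and shows the cookie sign/validate use the description mentions. The "<value>.<hex-mac>" cookie layout and the helper names are this example's own choices.

```python
# Added reference implementation (Python, not HAProxy code): mirrors what the
# proposed digest(<algo>) and hmac(<algo>,<key>) converters compute, so the
# converter output can be checked against known vectors, and shows the cookie
# sign/verify use the patch description mentions. The cookie format
# "<value>.<hex-mac>" and the helper names are this example's own choice.
import hashlib
import hmac


def digest(algo: str, data: bytes) -> bytes:
    """Equivalent of the digest(<algo>) converter: raw digest bytes.
    <algo> is an OpenSSL digest name such as sha256 or sha1."""
    return hashlib.new(algo, data).digest()


def hmac_raw(algo: str, key: bytes, data: bytes) -> bytes:
    """Equivalent of the hmac(<algo>,<key>) converter: raw HMAC bytes.
    The patch passes the key as a plain configuration string."""
    return hmac.new(key, data, algo).digest()


def sign_cookie(value: str, key: bytes, algo: str = "sha256") -> str:
    """Build a signed cookie: the clear value plus the hex HMAC over it.
    In an HAProxy config this is where hmac(...) would be chained with the
    hex converter before the result is written into the cookie."""
    mac = hmac_raw(algo, key, value.encode()).hex()
    return f"{value}.{mac}"


def check_cookie(cookie: str, key: bytes, algo: str = "sha256"):
    """Validate a signed cookie. Returns the clear value, or None if the
    signature is missing, malformed or does not verify. compare_digest keeps
    the comparison constant-time so timing does not reveal how many bytes
    of the MAC were right."""
    value, sep, mac = cookie.rpartition(".")
    if not sep or not value:
        return None
    expected = hmac_raw(algo, key, value.encode()).hex()
    # compare as bytes so a non-ASCII MAC cannot raise instead of failing
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return value


if __name__ == "__main__":
    key = b"key"  # constructed sample key, not a real secret
    cookie = sign_cookie("user=42", key)
    print(cookie)
    print(check_cookie(cookie, key))                  # user=42
    print(check_cookie("user=43." + cookie.split(".")[1], key))  # None
```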

haproxy.com : Make a difference with better user experience (no replies)

Hi haproxy.com,

I would like to take this opportunity to share with you one of the most
important aspects of your website that should really be taken care of,
popularly known as "User Experience Design".

I am looking for an opportunity to assist you with all kinds of IT needs
related to your website, if any. As a developer, I'm quite well-versed with
both web & mobile. I can give you some samples of work to demonstrate our
skills & experience.

Looking forward to hearing from you.

Best Regards,
Dilip Kulkarni
-------------------------------------------------------------------------
Note: If you are not interested, you can reply with a simple
"NO" and we will never contact you again.

Haproxy 1.8 rpm for CentOS 6 (3 replies)

Hello,

Is there a particular reason for no standard rpm available of haproxy-1.8
on CentOS 6?

Any input will be appreciated.

Thanks,
Vijay B

[PATCH] MINOR: tests: First regression testing file. (1 reply)

Hello,

Here is a simple patch to add a Makefile target to run all "*.vtc"
regression testing files found in the 'reg-tests' directory.

It comes with a first VTC file related to the f874a83 bug fix commit
for Lua. This VTC file's parent directory is 'reg-tests/lua'.

I have copied and pasted the commit log at the beginning of the vtc
file. I think this would be a good practice, so as to link the vtc
files to the bug they are supposed to test for any regression.

Regards,

Fred.

Failed requests with SC + NOSRV, threads (no replies)

Hello,

I have some rare requests with logs like:
- Termination flags=SC
- Server=<NOSRV>
- Retries=0
- Th=0
- Ti=10-50 (just normal values)
- TR=0
- Other timings = -1

It happens in 2 cases
1. With remote backends, where it is probably a real problem (about once per millions of requests on average).
- According to the docs, <NOSRV> means that the request hasn't reached a server.
How can it appear together with the server's timeout-or-refuse flag?

2. With local backends, where I am 99% sure it is haproxy's error (once per dozens of thousands of requests).
- It must be a threads bug. I see it constantly when NBTHREAD is activated.

Haproxy 1.8.9-1e3c84, lua

--
Wert Revon

stable-bot: WARNING: 29 bug fixes in queue for next release (no replies)

Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable release! One such e-mail is sent every week once patches are waiting in the last maintenance branch, and an ideal release date is computed based on the severity of these fixes and their merge date. Responses to this mail must be sent to the mailing list.

Last release 1.8.9 was issued on 2018/05/18. There are currently 29 patches in the queue cut down this way:
- 2 BUILD, first one merged on 2018/05/23
- 2 MAJOR, first one merged on 2018/06/06
- 15 MEDIUM, first one merged on 2018/05/23
- 10 MINOR, first one merged on 2018/05/23

Thus the computed ideal release date for 1.8.10 would be 2018/06/20, which was within the last week.

The current list of patches in the queue is:
- BUILD : threads: unbreak build without threads
- BUILD : fd: fix typo causing a warning when threads are disabled
- MAJOR : map: fix a segfault when using http-request set-map
- MAJOR : lua: Dead lock with sockets
- MEDIUM : spoe: Return an error when the wrong ACK is received in sync mode
- MEDIUM : lua/socket: Sheduling error on write: may dead-lock
- MEDIUM : cache: don't cache when an Authorization header is present
- MEDIUM : threads: handle signal queue only in thread 0
- MEDIUM : contrib/modsecurity: Use network order to encode/decode flags
- MEDIUM : contrib/mod_defender: Use network order to encode/decode flags
- MEDIUM : fd: Only check update_mask against all_threads_mask.
- MEDIUM : spoe: Flags are not encoded in network order
- MEDIUM : stick-tables: Decrement ref_cnt in table_* converters
- MEDIUM : lua/socket: wrong scheduling for sockets
- MEDIUM : dns: Delay the attempt to run a DNS resolution on check failure.
- MEDIUM : lua/socket: Length required read doesn't work
- MEDIUM : lua/socket: Notification error
- MEDIUM : lua/socket: Buffer error, may segfault
- MEDIUM : servers: Add srv_addr default placeholder to the state file
- MINOR : contrib/mod_defender: update pointer on the end of the frame
- MINOR : lua: Socket.send threw runtime error: 'close' needs 1 arguments.
- MINOR : unix: Make sure we can transfer abns sockets on seamless reload.
- MINOR : contrib/mod_defender: Don't reset the status code during disconnect
- MINOR : don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing
- MINOR : contrib/modsecurity: Don't reset the status code during disconnect
- MINOR : signals: ha_sigmask macro for multithreading
- MINOR : contrib/modsecurity: update pointer on the end of the frame
- MINOR : ssl/lua: prevent lua from affecting automatic maxconn computation
- MINOR : contrib/spoa_example: Don't reset the status code during disconnect

---
The haproxy stable-bot is freely provided by HAProxy Technologies to help improve the quality of each HAProxy release. If you have any issue with these emails or if you want to suggest some improvements, please post them on the list so that the solutions suiting the most users can be found.

Issue with parsing DNS from AWS (no replies)

We have a setup with ECS and AWS's Service Discovery being load balanced by HAProxy in order to support sticky sessions for WebSocket handshakes, and we're working on making it more efficient by upgrading to 1.8.9 and taking advantage of seamless reloads and DNS service discovery. We have a solution almost working, however, we're seeing an issue during scaling when the DNS response crosses a certain size.


We're using the following config (anonymized): https://gist.github.com/jredville/523de951d5ab6b60a0d345516bcf46d4

What we're seeing is:
* if we bring up 3 target servers, they come up as healthy, and traffic is routed appropriately. If we restart haproxy, it comes up healthy
* if we then scale to 4 or more servers, the 4th and additional are never recognized, however, the first 3 stay healthy
* if we restart haproxy with 4 or more servers, no servers come up healthy

We've attempted to modify the init-addr setting, accepted_payload_size, check options, and we've tried with and without a server-template, and this is the behavior we consistently see. If we run strace over haproxy, we see it making the DNS requests but never updating the state of the servers. At this point we're not sure if we have something wrong in config or if there is a bug in how haproxy parses responses from AWS. Johnathan (cc'd) has pcaps if that would be helpful as well.

Thanks,
Jim

[PATCH] REGTEST: stick-tables: Test expiration when used with table_* (2 replies)

Hello,

Thanks for adding this integration Fred.  Great job!

Attached is a new regression test to check for stick-tables expiration when
they are used with table_* converters as noted in commit id:
3e60b11100cbc812b77029ca142b83ac7a314db1


Thanks,

-- Daniel

how to run vtc files? (3 replies)

hi


[ilia@localhost haproxy]$ HAPROXY_PROGRAM=./haproxy varnishtest
reg-tests/ssl/h00000.vtc
**** top 0.0 extmacro def pwd=/home/ilia/xxx/haproxy
**** top 0.0 extmacro def localhost=127.0.0.1
**** top 0.0 extmacro def bad_backend=127.0.0.1 36769
**** top 0.0 extmacro def bad_ip=192.0.2.255
**** top 0.0 macro def tmpdir=/tmp/vtc.31222.33cfe809
* top 0.0 TEST reg-tests/ssl/h00000.vtc starting
** top 0.0 === varnishtest "OpenSSL bug: Random crashes"
* top 0.0 TEST OpenSSL bug: Random crashes
** top 0.0 === feature ignore_unknown_macro
** top 0.0 === haproxy h1 -conf {
---- top 0.0 Unknown command: "haproxy"
* top 0.0 RESETTING after reg-tests/ssl/h00000.vtc
* top 0.0 TEST reg-tests/ssl/h00000.vtc FAILED
# top TEST reg-tests/ssl/h00000.vtc FAILED (0.001) exit=2
[ilia@localhost haproxy]$

tcp-check expect with exclamation mark (1 reply)

Greetings

I’m using haproxy to load balance readonly queries between redis slaves.
I want to use health check system to exclude slaves from load balancing,
that are in a process of sync with master.
The idea is to look for a string “master_sync_in_progress:1” in response to
“info replication”.
If this string is found then the backend should be marked as down.

I’m trying to use “tcp-check expect ! string” (with exclamation mark [!])
to get this working, but backends are permanently down regardless of sync
status.
During sync (slave's response contains "master_sync_in_progress:1") the health
check status is "L7RSP,TCPCHK matched unwanted content
'master_sync_in_progress:1' at step 5".
However, when the slave's response contains "master_sync_in_progress:0" (sync
finished) the health check status is "L7TOUT, at step 5 of tcp-check (expect
string 'master_sync_in_progress:1')".

Does negation with exclamation mark (!) work with tcp-check at all?

I've observed this behaviour in haproxy 1.5.18, 1.7.11 and 1.8.9.


Example configuration:

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend redis_reads_ft
    bind /var/run/haproxy/redis_reads
    use_backend redis_reads_bk

backend redis_reads_bk
    option log-health-checks
    balance roundrobin

    option tcp-check
    tcp-check connect
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect ! string master_sync_in_progress:1
    tcp-check send QUIT\r\n
    tcp-check expect string +OK

    server sc-redis1_63811 10.10.68.61:63811 check
    server sc-redis1_63812 10.10.68.61:63812 check
    server sc-redis1_63813 10.10.68.61:63813 check


Best regards,
Dmitriy Kuzmin

[PATCH] [MINOR] Some spelling cleanup in comments. (3 replies)

Some spelling cleanup in comments.

Signed-off-by: Dave Chiluk <chiluk+haproxy@indeed.com>
---
include/common/cfgparse.h | 2 +-
include/types/task.h | 2 +-
src/session.c | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/common/cfgparse.h b/include/common/cfgparse.h
index c3355ca4..3022b8d8 100644
--- a/include/common/cfgparse.h
+++ b/include/common/cfgparse.h
@@ -90,7 +90,7 @@ int parse_process_number(const char *arg, unsigned long *proc, int *autoinc, cha

/*
* Sends a warning if proxy <proxy> does not have at least one of the
- * capabilities in <cap>. An optionnal <hint> may be added at the end
+ * capabilities in <cap>. An optional <hint> may be added at the end
* of the warning to help the user. Returns 1 if a warning was emitted
* or 0 if the condition is valid.
*/
diff --git a/include/types/task.h b/include/types/task.h
index 991e3a46..ac8c4339 100644
--- a/include/types/task.h
+++ b/include/types/task.h
@@ -64,7 +64,7 @@ struct notification {
struct task {
struct eb32sc_node rq; /* ebtree node used to hold the task in the run queue */
unsigned short state; /* task state : bit field of TASK_* */
- unsigned short pending_state; /* pending states for running talk */
+ unsigned short pending_state; /* pending states for running task */
short nice; /* the task's current nice value from -1024 to +1024 */
unsigned int calls; /* number of times ->process() was called */
struct task * (*process)(struct task *t); /* the function which processes the task */
diff --git a/src/session.c b/src/session.c
index 318c1716..898dbaab 100644
--- a/src/session.c
+++ b/src/session.c
@@ -114,11 +114,11 @@ static void session_count_new(struct session *sess)
}

/* This function is called from the protocol layer accept() in order to
- * instanciate a new session on behalf of a given listener and frontend. It
+ * instantiate a new session on behalf of a given listener and frontend. It
* returns a positive value upon success, 0 if the connection can be ignored,
* or a negative value upon critical failure. The accepted file descriptor is
* closed if we return <= 0. If no handshake is needed, it immediately tries
- * to instanciate a new stream. The created connection's owner points to the
+ * to instantiate a new stream. The created connection's owner points to the
* new session until the upper layers are created.
*/
int session_accept_fd(struct listener *l, int cfd, struct sockaddr_storage *addr)
--
2.17.1

HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict (1 reply)

I'm building haproxy 1.8.0 from tarball source.

I'm linking against a specific, local build of openssl v1.1.0

Explicitly specifying SSL_INC & SSL_LIB with rpath,

make \
TARGET=linux2628 \
USE_SYSTEMD=1 \
USE_PCRE2=1 USE_PCRE2_JIT=1 \
USE_OPENSSL=1 \
SSL_INC=" -I/usr/local/openssl11/include" \
SSL_LIB=" -L/usr/local/openssl11/lib64 -Wl,-rpath,/usr/local/openssl11/lib64" \
ADDLIB="-ldl -lssl -lcrypto"
make install

it builds/installs with no error

which haproxy
/usr/local/sbin/haproxy

and the linked libs are as intended,

ldd /usr/local/sbin/haproxy | egrep "ssl|crypto"
libssl.so.1.1 => /usr/local/openssl11/lib64/libssl.so.1.1 (0x00007f071de04000)
libcrypto.so.1.1 => /usr/local/openssl11/lib64/libcrypto.so.1.1 (0x00007f071d969000)

but checking haproxy version,

haproxy -vv
HA-Proxy version 1.8.0 2017/11/26
Copyright 2000-2017 Willy Tarreau <willy@haproxy.org>

Build options :
TARGET = linux2628
...
OPTIONS = USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1
...
Built with OpenSSL version : OpenSSL 1.1.0h-fips 27 Mar 2018
Running on OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
...

references the wrong "Built with" OpenSSL version, namely the system installed version,

/usr/bin/openssl version
OpenSSL 1.1.0h-fips 27 Mar 2018

instead of my specified build

/usr/local/openssl11/bin/openssl version
OpenSSL 1.1.0h 27 Mar 2018

As the ldd linked libs look ok, I suspect this is just an artifact of the version check making (incorrect) assumptions about runtime bin path ...

*IS* it just an artifact? Or is it an indication of improper linking/use?

Haproxy 1.7.10 and 1.8.6 periodically sigfault (1 reply)

Once a week it restarts with a segfault:

Jun 21 17:04:29 v54 kernel: haproxy[303]: segfault at 2670ff8 ip
00007f0c375824e1 sp 00007ffd2f8d7528 error 4 in libc-2.17.so
[7f0c37427000+1c3000]
Jun 21 17:04:29 v541 haproxy: [ALERT] 169/070052 (302) : Current worker 303
exited with code 139
Jun 21 17:04:29 v54haproxy: [ALERT] 169/070052 (302) : exit-on-failure:
killing every workers with SIGTERM
Jun 21 17:04:29 v54 haproxy: [WARNING] 169/070052 (302) : All workers
exited. Exiting... (139)


It's difficult to create a dump because it's a rare case. We use 5 instances of
haproxy. Only one fails. The main difference is that it has huge JSON
payloads. Other hosts serve web sites, this one an API.



Best regards, Alexey Gordeev
Best regards, Gordeev A.D.

Software Industry Leads (no replies)

Hi,



I was wondering if you were looking for more business customers?



Would you be interested in reaching out to Business Contacts of 2018?



I'd be able to generate leads for you if this is something you're interested
in.



We cater to: Software, Manufacturing, HR & Staffing Telecommunication,
Mining, Construction, Hospital, Retail, Finance, IT, Public Administration,
Transportation, Public Utilities and many more.

This list comes with full contact details like: Contact Name, Title, Company
Name, Size, Physical Address, Opt-In Email address, Phone & Fax numbers etc.



Please fill in your requirement below and we will revert to you with details
of the number of email contacts we can provide you.



Target Industry: _________

Target Geography: _______

Target Titles: _________



Thanks a lot for your time.



Regards,

Mike Berry

Online Marketing Manager

PATCHES: new resolve-accept-dup-ip server flag (no replies)

Hi,

The purpose of this flag is to allow IP address duplication in a backend (on a
per-server basis) when the runtime resolver is in operation.
By default, the runtime resolver prevents an IP address from being assigned to 2
servers when they are resolved from the same hostname.

Of the 4 patches in attachment, 3 of them can be backported. They are
more cosmetic than anything, but it took me some time to figure out which,
of the code or the comment, was wrong...

This feature was requested by Ryuzaki on Discourse. I just provided him the
patches, so I am waiting for his feedback.

Baptiste

[ANNOUNCE] haproxy-1.8.10 (1 reply)

Hi,

HAProxy 1.8.10 was released on 2018/06/22. It added 40 new commits
after version 1.8.9.

This version fixes several bugs that were crashing haproxy when using
http-request set-map with a wrong type or with the cipherlist capture.
Some deadlocks and crashes provoked by Lua were also fixed.

There was also an issue with the poller which was using 100% of the CPU.

It fixes several issues where haproxy was no longer exiting when asked for a
soft stop, or a reload in master-worker mode. These issues were amplified with
the use of nbthread.

The SPOP version has been upgraded to 2.0. Due to an inconsistency between the
examples and the reference implementation, the 1.0 version is not supported
anymore. This new version is basically 1.0 with a bugfix. If your SPOP
agent does not work anymore, you must upgrade the version and fix the SPOP
flags. See commits c4dcaff, 48d02d0, 633f3bf in the master.

Thanks to all people who reported and helped fix those issues.

Users are encouraged to update.

Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.8/src/
Git repository : http://git.haproxy.org/git/haproxy-1.8.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


---
Complete changelog :
Christopher Faulet (9):
BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags
BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags
BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode
MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0
BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect
BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect
BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect
BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
MINOR: threads: Be sure to remove threads from all_threads_mask on exit

Daniel Corbett (2):
BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters

David Carlier (1):
DOC: contrib/modsecurity: few typo fixes

Dragan Dosen (2):
BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame
BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame

Frédéric Lécaille (1):
BUG/MINOR: lua: Segfaults with wrong usage of types.

Kevin Zhu (1):
DOC: SPOE.txt: fix a typo

Olivier Houchard (4):
BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure.
BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.
BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload.
BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete().

Thierry FOURNIER (11):
BUG/MEDIUM: spoe: Flags are not encoded in network order
BUG/MEDIUM: lua/socket: Length required read doesn't work
MINOR: task/notification: Is notifications registered ?
BUG/MEDIUM: lua/socket: wrong scheduling for sockets
BUG/MAJOR: lua: Dead lock with sockets
BUG/MEDIUM: lua/socket: Notification error
BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock
BUG/MEDIUM: lua/socket: Buffer error, may segfault
MINOR: lua: Increase debug information
BUG/MAJOR: ssl: Random crash with cipherlist capture
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot

William Lallemand (5):
BUG/MEDIUM: cache: don't cache when an Authorization header is present
BUG/MEDIUM: threads: handle signal queue only in thread 0
BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing
BUG/MINOR: signals: ha_sigmask macro for multithreading
BUG/MAJOR: map: fix a segfault when using http-request set-map

Willy Tarreau (3):
BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation
BUG/BUILD: threads: unbreak build without threads
BUG/BUILD: fd: fix typo causing a warning when threads are disabled

sada (1):
BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments.

---

--
William Lallemand

Stats page access over SSL fails at "Error code: SSL_ERROR_NO_CYPHER_OVERLAP"; no-SSL, ok (no replies)

I've enabled stats on haproxy 1.8.10

With

haproxy.conf
...
listen stats
...
bind 192.0.2.1:1234
...

the non-ssl stats web page is fully accessible/functional.

If I enable ssl for it, first concatenating my crt & key,

cat haproxy.crt.pem haproxy.key.pem > haproxy.CONCAT.crt.pem

checking the cert with my CA cert,

openssl verify \
-CAfile /usr/local/etc/haproxy/ssl/myCA.CHAIN.crt.pem \
/usr/local/etc/haproxy/ssl/haproxy.CONCAT.pem
haproxy.CONCAT.crt.pem: OK

verifying cipher support,

openssl ciphers -tls1_2
...:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:...

then configuring

haproxy.conf
global
...
+ ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
+ ssl-default-bind-options force-tlsv12
...
listen stats
...
- bind 192.0.2.1:1234
+ bind 192.0.2.1:1234 ssl crt /usr/local/etc/haproxy/ssl/haproxy.CONCAT.crt.pem ca-file /usr/local/etc/haproxy/ssl/myCA.CHAIN.crt.pem
...

secure access to the stats page fails,

Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

I regularly use my generated certs/keys with CHACHA20 ciphers elsewhere, so they're not _inherently_ the issue.

If not a simple config issue on my end, I suspect it's possible this is (?) related to the 'mystery' OpenSSL lib linking issue I've been having, @ https://www.mail-archive.com/haproxy@formilux.org/msg30448.html
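Added diagnostic in Python (example code, not from the post or from HAProxy): it expands an HAProxy ssl-default-bind-ciphers string through the local OpenSSL, drops the suites the server's certificate key type cannot authenticate (ECDHE-ECDSA-* needs an ECDSA certificate, ECDHE-RSA-* an RSA one), and intersects the rest with what a client offers, which is the TLS 1.2 condition behind SSL_ERROR_NO_CYPHER_OVERLAP. The client offers below are constructed samples and the helper names are this example's own.

```python
# Added diagnostic (example code, not HAProxy's): expands an HAProxy
# ssl-default-bind-ciphers string through the local OpenSSL and intersects it
# with what a client offers, filtered by the certificate's key type, to show
# why a TLS 1.2 handshake can end in SSL_ERROR_NO_CYPHER_OVERLAP. The client
# lists used in __main__ are constructed samples; helper names are my own.
import re
import ssl

# The values from the post's configuration (force-tlsv12 + these two suites).
PAGE_CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"


def expand_cipher_string(cipher_string, tls_version="TLSv1.2"):
    """Return the suites the local OpenSSL derives from an OpenSSL cipher
    string (what HAProxy hands to SSL_CTX_set_cipher_list), in server
    preference order, restricted to one protocol version. An empty list means
    OpenSSL rejected every entry, e.g. a build without ChaCha20 support that
    is given only CHACHA20 suites, or a typo in a suite name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] == tls_version]


def auth_of(cipher):
    """Key type a suite authenticates with ("RSA", "ECDSA", ...), parsed
    from the 'Au=' field of OpenSSL's one-line cipher description."""
    m = re.search(r"Au=(\S+)", cipher["description"])
    return m.group(1) if m else "?"


def usable_with_cert(cipher_string, cert_key_type):
    """Suites the server can actually offer with its certificate: an RSA
    certificate turns every ECDHE-ECDSA-* entry into a dead entry and vice
    versa, which is the first thing to rule out on a NO_CYPHER_OVERLAP."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if auth_of(c) == cert_key_type]


def negotiate(cipher_string, cert_key_type, client_offer):
    """First server-preferred suite the client also offers, or None when the
    two sides share nothing (the client then reports no cipher overlap)."""
    offered = set(client_offer)
    for name in usable_with_cert(cipher_string, cert_key_type):
        if name in offered:
            return name
    return None


if __name__ == "__main__":
    print("server can use:", usable_with_cert(PAGE_CIPHERS, "RSA"))
    # constructed client offers: a ChaCha20-capable client and an AES-only one
    chacha_client = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]
    aes_client = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]
    print("chacha client:", negotiate(PAGE_CIPHERS, "RSA", chacha_client))
    print("aes-only client:", negotiate(PAGE_CIPHERS, "RSA", aes_client))
```

If the first line prints an empty list on the HAProxy host's OpenSSL, the server side is the problem (the build cannot enable those suites); if it prints a suite but the client still fails, the client's offer or the certificate key type is what does not overlap.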

BUG: cannot take the address of an rvalue of type 'unsigned long' (no replies)

Trying to compile current master on OS-X, and get:

gcc -Iinclude -Iebtree -Wall -O0 -g -fno-strict-aliasing
-Wdeclaration-after-statement -fwrapv -fno-strict-overflow
-Wno-address-of-packed-member -Wno-null-dereference
-Wno-unused-label -DTPROXY -DUSE_ZLIB -DENABLE_POLL
-DENABLE_KQUEUE -DUSE_OPENSSL
-I/Users/phemmer/git/haproxy/openssl-1.1.0h/include -DUSE_LUA
-I/Users/phemmer/git/haproxy/lua-5.3.4/src
-I/Users/phemmer/git/haproxy/lua-5.3.4/src -DUSE_PCRE
-I/opt/local/include -DCONFIG_HAPROXY_VERSION=\"1.9-dev0-ba86c6-462\"
-DCONFIG_HAPROXY_DATE=\"2018/06/22\" \
-DBUILD_TARGET='"osx"' \
-DBUILD_ARCH='""' \
-DBUILD_CPU='"generic"' \
-DBUILD_CC='"gcc"' \
-DBUILD_CFLAGS='"-O0 -g -fno-strict-aliasing
-Wdeclaration-after-statement -fwrapv -fno-strict-overflow
-Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label"' \
-DBUILD_OPTIONS='"USE_ZLIB=1 USE_OPENSSL=1
USE_LUA=1 USE_PCRE=1"' \
-c -o src/haproxy.o src/haproxy.c
clang: warning: argument unused during compilation:
'-fno-strict-overflow' [-Wunused-command-line-argument]
src/haproxy.c:2476:16: error: cannot take the address of an
rvalue of type 'unsigned long'
HA_ATOMIC_AND(&all_threads_mask, ~tid_bit);
^~~~~~~~~~~~~~~~~
include/common/hathreads.h:41:42: note: expanded from macro
'HA_ATOMIC_AND'
#define HA_ATOMIC_AND(val, flags) ({*(val) &= (flags);})
^~~
1 error generated.
make: *** [src/haproxy.o] Error 1

Built with: Apple LLVM version 9.0.0 (clang-900.0.39.2)

This broke in change ba86c6c:
commit ba86c6c25bf252e44589ae2b4d51a67c4f47d244 (HEAD -> master,
origin/master, origin/HEAD)
Author: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu Jun 21 09:57:39 2018 +0200

MINOR: threads: Be sure to remove threads from all_threads_mask on exit

When HAProxy is started with several threads, each running thread holds a bit in
the bitfield all_threads_mask. This bitfield is used here and there to check
which threads are registered to take part in a specific processing. So when a
thread exits, it seems normal to remove it from all_threads_mask.

No direct impact could be identified with this right now but it would
be better to backport it to 1.8 as a preventive measure to avoid complex
situations like the one in previous bug.



-Patrick

[PATCH] MINOR: systemd: consider exit status 143 as successful (3 replies)

The master process will exit with the status of the last worker. When
the worker is killed with SIGTERM, it is expected to get 143 as an
exit status. Therefore, we consider this exit status as normal from a
systemd point of view. If it happens when not stopping, the systemd
unit is configured to always restart, so it has no adverse effect.

This has mostly a cosmetic effect. Without the patch, stopping HAProxy
leads to the following status:

● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2018-06-22 20:35:42 CEST; 8min ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 32715 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=143)
Process: 32714 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
Main PID: 32715 (code=exited, status=143)

After the patch:

● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
---
contrib/systemd/haproxy.service.in | 1 +
1 file changed, 1 insertion(+)

diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy..service.in
index 7a8b6bead2df..74e66e302065 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -10,6 +10,7 @@ ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
+SuccessExitStatus=143
Type=notify

# The following lines leverage SystemD's sandboxing options to provide
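Review bot: the `diff --git` header's b/ path reads contrib/systemd/haproxy..service.in (double dot) while the `---`/`+++` lines carry the correct name, which looks like mail mangling; git am may refuse the hunk or create a misnamed file, so please resend the patch as an attachment or with the header fixed. The one-line change itself is consistent with the description: 143 is 128+15, the status the master reports once its last worker was SIGTERMed, and since Restart=always does not look at the exit status, a worker dying outside of a stop still triggers a restart.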
--
2.18.0