When using 1.5Dev12 to gain SSL support, HAProxy crashes when using ssl_sni
on Ubuntu 12.04, compiled from source.

HAProxy only crashes when a request is made over SSL, and an ssl_sni check
is enabled on the frontend to direct to the correct backend.  If I use a
default backend, haproxy does not crash.


*GDB Output*

(gdb) run -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -db
Starting program: /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p
/var/run/haproxy.pid -db

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6f25d62 in ?? () from /lib/libc.so.6
(gdb) bt
#0  0x00007ffff6f25d62 in ?? () from /lib/libc.so.6
#1  0x0000000000457cc9 in smp_fetch_ssl_sni (px=<value optimized out>,
l4=<value optimized out>, l7=<value optimized out>, opt=<value optimized
out>, args=<value optimized out>,
    smp=<value optimized out>) at src/ssl_sock.c:805
#2  0x0000000000452e35 in acl_exec_cond (cond=<value optimized out>,
px=<value optimized out>, l4=<value optimized out>, l7=0x7e03f8, opt=6) at
src/acl.c:1947
#3  0x000000000044f293 in process_switching_rules (t=<value optimized out>)
at src/session.c:1113
#4  process_session (t=<value optimized out>) at src/session.c:1694
#5  0x000000000040c988 in process_runnable_tasks (next=0x7fffffffe53c) at
src/task.c:238
#6  0x0000000000404229 in run_poll_loop () at src/haproxy.c:1161
#7  0x0000000000406333 in main (argc=<value optimized out>,
argv=0x7fffffffe748) at src/haproxy.c:1471
(gdb) list
1196            dequeue_all_listeners(&global_listener_queue);
1197
1198     out:
1199            t->expire = next;
1200            task_queue(t);
1201            return t;
1202    }
1203
1204    int main(int argc, char **argv)
1205    {
(gdb) backtrace full
#0  0x00007ffff6f25d62 in ?? () from /lib/libc.so.6
No symbol table info available.
*#1  0x0000000000457cc9 in smp_fetch_ssl_sni (px=<value optimized out>,
l4=<value optimized out>, l7=<value optimized out>, opt=<value optimized
out>, args=<value optimized out>,*
*    smp=<value optimized out>) at src/ssl_sock.c:805*
No locals.
#2  0x0000000000452e35 in acl_exec_cond (cond=<value optimized out>,
px=<value optimized out>, l4=<value optimized out>, l7=0x7fd6b8, opt=6) at
src/acl.c:1947
        suite = 0x6ccf70
        term = 0x6cd090
        expr = 0x6ccb20
        acl = <value optimized out>
        pattern = <value optimized out>
        smp = {flags = 0, type = 7, data = {uint = 0, sint = 0, ipv4 =
{s_addr = 0}, ipv6 = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>,
__u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0},
                __u6_addr32 = {0, 0, 0, 0}}}, str = {str = 0x0, size = 0,
len = 0}}, ctx = {p = 0x0, i = 0, ll = 0, d = 0, a = {0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}}}
        acl_res = 0
        suite_res = 3
        cond_res = 0
#3  0x000000000044f293 in process_switching_rules (t=<value optimized out>)
at src/session.c:1113
        ret = <value optimized out>
        rule = 0x6ccfa0
        prst_rule = <value optimized out>
#4  process_session (t=<value optimized out>) at src/session.c:1694
        max_loops = <value optimized out>
        ana_list = 16
        ana_back = 16
        srv = <value optimized out>
        s = 0x7fd290
        rqf_last = <value optimized out>
        rpf_last = <value optimized out>
        rq_prod_last = <value optimized out>
        rq_cons_last = <value optimized out>
        rp_cons_last = <value optimized out>
        rp_prod_last = <value optimized out>
#5  0x000000000040c988 in process_runnable_tasks (next=0x7fffffffe53c) at
src/task.c:238
        t = 0x7fd970
        eb = 0x0
        max_processed = 1
        expire = -1062600847
#6  0x0000000000404229 in run_poll_loop () at src/haproxy.c:1161
        next = -1062600847
#7  0x0000000000406333 in main (argc=<value optimized out>,
argv=0x7fffffffe748) at src/haproxy.c:1471
        err = <value optimized out>
        retry = <value optimized out>
        limit = {rlim_cur = 8262, rlim_max = 8262}
        errmsg =
"\000\346\377\377\377\177\000\000\000`g\000\000\000\000\000\006\000\000\000\000\000\000\000H\347\377\377\377\177\000\000\200\347\377\377\377\177\000\000\370\340@\000\000\000\000\000\200\347\377\377\377\177\000\000&\267E",
'\000' <repeats 13 times>, "p\266E", '\000' <repeats 13 times>, "{3@
\000\000\000\000\000\000\000\000"
        pidfd = -1


*HAProxy -vv*

HA-Proxy version 1.5-dev12 2012/09/10
Copyright 2000-2012 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
     sepoll : pref=400,  test result OK
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.


*HAProxy Configuration*

global
  stats socket /var/run/haproxy.stat mode 600 level admin
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  maxconn 4096
  tune.bufsize 655360
  tune.maxrewrite 1024
  user haproxy
  group haproxy

defaults
  log global
  mode  http
  option  httplog
  option  dontlognull
  retries 3
  option redispatch
  maxconn 2000
  timeout connect 15m
  timeout client  15m
  timeout server  15m
  option  http-server-close
  option  http-pretend-keepalive

frontend httpt_80
        mode http
        bind 0.0.0.0:443 ssl crt /opt/www/ssl/haproxy/ prefer-server-ciphers
        use_backend domain if { ssl_sni domain.com }
        default_backend http_80

backend domain
        mode http
        reqadd X-Forwarded-Proto:\ https
        server w1  10.1.10.21:80 cookie w1 check# inter 2000 fall 3
        server w2  10.1.10.22:80 cookie w2 check# inter 2000 fall 3

listen http_80 :80
  mode http
  stats enable
  stats auth admin:password
  capture request  header Host           len 50
  balance roundrobin
  option forwardfor
  option redispatch
  option httpchk HEAD /check.txt HTTP/1.0
  reqadd X-Forwarded-Proto:\ http
  server w1 10.1.10.21:80 cookie w1 check# inter 2000 fall 3
  server w2 10.1.10.22:80 cookie w2 check# inter 2000 fall 3
  capture cookie vgnvisitor= len 32
  rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address


-- 
Thank you,
William Attwood
System Engineer, Co-Founder
Open Box I.T. Solutions, LLC
c. 801-634-6479
