Hello all,

we see some strange errors in our logs after having introduced HAProxy 1.5 snapshot 20130611 before our nginx.

It seems like HAProxy sometimes (seldom) inserts a rather random byte as the second byte of a GET request line on SSL requests. Some (anonymized) log lines follow:

1.1.1.1:30893 [13/Jun/2013:08:41:50.443] front~ master/gemini 369/0/0/500/869 500 817 - - ---- 3/2/0/0/0 0/0 "GNET /login HTTP/1.1"
2.2.2.2:50771 [13/Jun/2013:16:03:17.488] front~ special/gemini 184/0/0/-1/184 502 4410 - - PH-- 0/0/0/0/0 0/0 "G3ET /foo HTTP/1.1"
3.3.3.3:37310 [13/Jun/2013:16:13:52.495] front~ master/gemini 911/0/0/-1/911 502 4410 - - PH-- 0/0/0/0/0 0/0 "GqET / HTTP/1.1"

and more of that. Inserted characters that I have seen include

A J H I U Q N 3 % ~ + ! $ . ' o z q

They are always inserted before the E in GET. We have only seen this behavior on GET requests. All other HTTP verbs are completely unaffected.

I can reproduce this error every time with the following conditions:
* HAProxy is compiled with a self-compiled openssl 1.0.1d
* The client is an IE on Windows 7

Other browsers don't show this issue. Also, when I compile HAProxy against the default OpenSSL 0.9.8o in Debian Squeeze, it works fine too.

I can reproduce the issue with even the most simple (ssl-) configs, on the current snapshot, dev18 and dev17.

I'm a bit worried that this might be the symptom of a larger issue. But it might just be that I'm not competent enough to compile my own OpenSSL. I would appreciate it if someone could give me some input here.

# uname -a
Linux gemini 2.6.32-5-amd64 #1 SMP Fri May 10 08:43:19 UTC 2013 x86_64 GNU/Linux

# cat /etc/debian_version
6.0.7

I compiled openssl 1.0.1d with

./config no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 --openssldir=/opt/haproxy/openssl
make
make test
make install

Haproxy is compiled as follows (using https://github.com/meineerde-cookbooks/haproxy/blob/master/recipes/source.rb):

# haproxy -vv
HA-Proxy version 1.5-dev18 2013/04/03
Copyright 2000-2013 Willy Tarreau <w...@1wt.eu>

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1d 5 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1d 5 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.02 2010-03-19
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

The full make line is this:

make TARGET=linux2628 USE_PCRE=1 CPU=generic ARCH=x86_64 PREFIX=/opt/haproxy/haproxy USE_OPENSSL=1 USE_ZLIB=1 PCREDIR="/opt/haproxy/openssl/lib -L/usr" DEFINE= SILENT_DEFINE=-I/opt/haproxy/openssl/include ADDLIB=-lz -ldl ADDINC=

Any hints or help would be greatly appreciated.

Regards,
Holger
