While migrating 1.4 => 1.5 I came across a problem with regex lists,
which worked seamlessly before.

In every frontend there's a construct:


    acl worms_path url_reg -f /etc/haproxy/lists/worms_regex.lst
    acl invalid_path path_reg -f /etc/haproxy/lists/invalid_paths.lst
    block if invalid_path or worms_path or HTTP_URL_STAR !METH_OPTIONS or METH_OPTIONS !HTTP_1.1


and the relevant files contain lists of regexes:


==> /etc/haproxy/lists/worms_regex.lst <==
^/internal/
(\.|%2E|%2e)(\.|%2E|%2e)(%2F|%2f|%5C|%5c|/|\\\\)
([^\ ]*\ [^\ ]*\ |.*%00)
(<|%3C|%3c)(%73|s|S)(%63|c|C)(%72|r|R)(%69|i|I)(%70|p|P)(%74|t|T)
/(root\.exe\?|cmd\.exe\?|default\.ida\?)

==> /etc/haproxy/lists/invalid_paths.lst <==
# don't allow double slashes
//+

# don't allow %-encoding for [a-zA-Z0-9-~._]
%(2d|2e|30|31|32|33|34|35|36|37|38|39|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5f|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7e)


When applied to 1.5, it causes 100% CPU use within seconds.
No matter how many cores I use (nbproc 1-8), it maxes them out.

Is there any change in regex performance?
Should I convert my ACLs or file lists somehow?

I use haproxy 1.5.8, compiled from the
https://github.com/bluerail/haproxy-centos spec on CentOS 5.

This LB processes 2-8k connections.

-- 
 konrad rzentarzewski -- System Administrator, Efigence S.A.
 Office: +48.223801313  Off-hours: +48.222961020  EFI42-RIPE

<legal_blurb>
This e-mail does not constitute a letter or a commercial order under the
Commercial Companies Code (Journal of Laws 2000 No. 94, item 1037).
Company entered in the register of entrepreneurs kept by the District Court
for the Capital City of Warsaw, XIII Commercial Division of the National
Court Register, under KRS number 0000495808, NIP: 521-30-18-541,
share capital: 103000 PLN
</legal_blurb>

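A small reproduction harness, added here as an example; it is not part of the original post and not haproxy code. It loads the two list files quoted above (copied inline as constructed strings), applies them to a handful of constructed request URLs the way "block if invalid_path or worms_path" would (path_reg against the path only, url_reg against the whole request URL, unanchored search, case-sensitive because neither ACL uses -i), times each pattern with Python's re engine, and checks that the 62-way %-encoding alternation in invalid_paths.lst can be collapsed into a much shorter equivalent. The sample URLs, the compact regex and the function names are this example's own assumptions, not the poster's; the timings come from Python's regex engine and are only indicative of relative cost, since haproxy uses its own regex library. The other two conditions of the block rule (HTTP_URL_STAR, METH_OPTIONS) are not modelled.

```python
import re
import time

# Constructed copies of the two list files from the post. haproxy -f pattern
# files ignore blank lines and lines starting with '#', so the loader does too.
WORMS_REGEX_LST = r"""
^/internal/
(\.|%2E|%2e)(\.|%2E|%2e)(%2F|%2f|%5C|%5c|/|\\\\)
([^\ ]*\ [^\ ]*\ |.*%00)
(<|%3C|%3c)(%73|s|S)(%63|c|C)(%72|r|R)(%69|i|I)(%70|p|P)(%74|t|T)
/(root\.exe\?|cmd\.exe\?|default\.ida\?)
"""

INVALID_PATHS_LST = r"""
# don't allow double slashes
//+

# don't allow %-encoding for [a-zA-Z0-9-~._]
%(2d|2e|30|31|32|33|34|35|36|37|38|39|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5f|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7e)
"""


def load_list(text):
    """Parse a haproxy-style pattern file: one regex per line, blank lines
    and '#' comments skipped. Returns (pattern_text, compiled_regex) pairs."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        out.append((line, re.compile(line)))
    return out


WORMS = load_list(WORMS_REGEX_LST)      # used by: acl worms_path url_reg -f ...
INVALID = load_list(INVALID_PATHS_LST)  # used by: acl invalid_path path_reg -f ...


def first_match(subject, patterns):
    """Return the text of the first list entry whose regex matches anywhere
    in subject (ACL regex matching is an unanchored search), else None."""
    for text, rx in patterns:
        if rx.search(subject):
            return text
    return None


def request_path(url):
    """path_reg sees only the path; url_reg sees the whole request URL."""
    return url.split("?", 1)[0]


def would_block(url):
    """Mimic 'block if invalid_path or worms_path' for one request URL.
    Returns (blocked, acl_name, matching_pattern_text)."""
    hit = first_match(request_path(url), INVALID)
    if hit:
        return (True, "invalid_path", hit)
    hit = first_match(url, WORMS)
    if hit:
        return (True, "worms_path", hit)
    return (False, None, None)


# The long alternation enumerates %2d, %2e, %30-%39, %41-%5a, %5f, %61-%7a
# and %7e. The same set expressed as two-character classes (assumed
# rewrite, verified against the original by encoding_regexes_agree()):
COMPACT_ENCODING = re.compile(r"%(2[de]|3[0-9]|4[1-9a-f]|5[0-9af]|6[1-9a-f]|7[0-9ae])")
ORIGINAL_ENCODING = INVALID[1][1]


def encoding_regexes_agree():
    """True if the compact form accepts exactly the same %xx escapes as the
    original enumeration, checked over all 256 values in lower and upper
    case (neither matches upper-case hex, which the lists do not cover)."""
    for n in range(256):
        for esc in ("%%%02x" % n, "%%%02X" % n):
            if bool(ORIGINAL_ENCODING.search(esc)) != bool(COMPACT_ENCODING.search(esc)):
                return False
    return True


SAMPLE_URLS = [  # constructed requests, not taken from the post
    "/index.html",
    "/images/logo.png?v=2",
    "/internal/admin",
    "/static//css/site.css",
    "/download/../../etc/passwd",
    "/file%2etxt",
    "/file%2Etxt",
    "/scripts/cmd.exe?/c+dir",
    "/search?q=<script>alert(1)</script>",
]


def bench(urls, rounds=200):
    """Seconds each list pattern spends evaluating every url `rounds` times
    in Python's re engine; ranks which entries are the expensive ones."""
    timings = {}
    for text, rx in INVALID + WORMS:
        t0 = time.perf_counter()
        for _ in range(rounds):
            for u in urls:
                rx.search(u)
        timings[text] = time.perf_counter() - t0
    return timings


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, would_block(u))
    for text, secs in sorted(bench(SAMPLE_URLS).items(), key=lambda kv: -kv[1]):
        print("%.4fs  %s" % (secs, text[:60]))
    print("compact encoding regex equivalent:", encoding_regexes_agree())
```

Two things the run makes visible: "/file%2Etxt" passes both lists because every entry is written in lower-case hex and the ACLs are not declared with -i, and the per-pattern timings show which of the seven entries cost the most on the sample set before any of them are rewritten.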