Hi Pieter,

On Thu, Nov 29, 2018 at 10:52:29PM +0100, PiBa-NL wrote:
> Hi Olivier, List,
> 
> It seems one of the reg-tests /connection/b00000.vtc is failing after this
> recent commit.
> 
> http://git.haproxy.org/?p=haproxy.git;a=commit;h=3e1f68bcf9adfcd30e3316b0822c2626cc2a6a84
> 
> Using HA-Proxy version 1.9-dev8-3e1f68b 2018/11/29, some of the output looks
> like this:
> 
> ***  h1    0.0 debug|Using kqueue() as the polling mechanism.
> **** Slog_1  0.0 syslog|<133>Nov 29 22:44:25 haproxy[79765]: Proxy http
> started.
> **** Slog_1  0.0 syslog|<133>Nov 29 22:44:25 haproxy[79765]: Proxy
> ssl-offload-http started.
> ***  h1    0.0 debug|00000000:ssl-offload-http.accept(0005)=000d from
> [::1:59078] ALPN=h2
> ***  h1    0.0 debug|00000000:ssl-offload-http.clireq[000d:ffffffff]: POST
> /1 HTTP/1.1
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> user-agent: curl/7.60.0
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> accept: */*
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> content-length: 3
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> content-type: application/x-www-form-urlencoded
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]: host:
> [::1]:37611
> ***  h1    0.0 debug|00000000:ssl-offload-http.srvcls[000d:adfd]
> ***  h1    0.0 debug|00000000:ssl-offload-http.clicls[000d:adfd]
> ***  h1    0.0 debug|00000000:ssl-offload-http.closed[000d:adfd]
> **** Slog_1  0.0 syslog|<134>Nov 29 22:44:25 haproxy[79765]: ::1:59078
> [29/Nov/2018:22:44:25.752] ssl-offload-http~ ssl-offload-http/http
> 0/0/0/-1/1 400 187 - - CH-- 1/1/0/0/0 0/0 "POST /1 HTTP/1.1"
> **   Slog_1  0.0 === expect ~ "Connect from .* to
> ${h1_ssl_addr}:${h1_ssl_port}"
> ---- Slog_1  0.0 EXPECT FAILED ~ "Connect from .* to ::1:37611"
> ...
> **** top   0.1 shell_out|  % Total    % Received % Xferd  Average Speed  
> Time    Time     Time  Current
> **** top   0.1 shell_out|                                 Dload Upload  
> Total   Spent    Left  Speed
> **** top   0.1 shell_out|\r  0     0    0     0    0     0 0      0 --:--:--
> --:--:-- --:--:--     0\r100    93    0    90 100     3   5625    187
> --:--:-- --:--:-- --:--:--  5812
> **** top   0.1 shell_out|HTTP/2 400 \r
> **** top   0.1 shell_out|cache-control: no-cache\r
> **** top   0.1 shell_out|content-type: text/html\r
> **** top   0.1 shell_out|\r
> **** top   0.1 shell_out|<html><body><h1>400 Bad request</h1>
> **** top   0.1 shell_out|Your browser sent an invalid request.
> **** top   0.1 shell_out|</body></html>
> 
> 
> While it should look like this where offloaded traffic is forwarded to a
> second http frontend:
> 
> ***  h1    0.0 debug|00000000:ssl-offload-http.accept(0005)=000d from
> [::1:48710] ALPN=h2
> ***  h1    0.0 debug|00000000:ssl-offload-http.clireq[000d:ffffffff]: POST
> /1 HTTP/1.1
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> user-agent: curl/7.60.0
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> accept: */*
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> content-length: 3
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]:
> content-type: application/x-www-form-urlencoded
> ***  h1    0.0 debug|00000000:ssl-offload-http.clihdr[000d:ffffffff]: host:
> [::1]:48188
> ***  h1    0.0 debug|00000001:http.accept(0008)=0017 from [::1:48710]
> ALPN=<none>
> ***  h1    0.0 debug|00000001:http.clireq[0017:ffffffff]: POST /1 HTTP/1.1
> ***  h1    0.0 debug|00000001:http.clihdr[0017:ffffffff]: user-agent:
> curl/7.60.0
> ***  h1    0.0 debug|00000001:http.clihdr[0017:ffffffff]: accept: */*
> ***  h1    0.0 debug|00000001:http.clihdr[0017:ffffffff]: content-length: 3
> ***  h1    0.0 debug|00000001:http.clihdr[0017:ffffffff]: content-type:
> application/x-www-form-urlencoded
> ***  h1    0.0 debug|00000001:http.clihdr[0017:ffffffff]: host: [::1]:48188
> **** Slog_1  0.0 syslog|<134>Nov 29 22:18:35 haproxy[70605]: Connect from
> ::1:48710 to ::1:48188 (http/HTTP)
> **   Slog_1  0.0 === expect ~ "Connect from .* to
> ${h1_ssl_addr}:${h1_ssl_port}"
> 
> Do you see the same? Is more info needed?
> 

Ooops, no more info needed, I can reproduce it, and the attached patch should
fix it.

Thanks a lot for reporting!

Olivier
From da1571bcd1cc288a907d40fc3bd146c3896446bf Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouch...@haproxy.com>
Date: Fri, 30 Nov 2018 13:17:48 +0100
Subject: [PATCH] BUG/MEDIUM: mux_pt: Don't try to send if handshake is not
 done.

While it is true the SSL code will do the right thing if the SSL handshake
is not done, we have other types of handshake to deal with (proxy protocol,
netscaler, ...). For those we definitively don't want to try to send data
before it's done. All handshakes but SSL will go through the mux_pt, so in
mux_pt_snd_buf, don't try to send while a handshake is pending.
---
 src/mux_pt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/mux_pt.c b/src/mux_pt.c
index 1f0f3e5a0..9dec13216 100644
--- a/src/mux_pt.c
+++ b/src/mux_pt.c
@@ -253,7 +253,11 @@ static size_t mux_pt_rcv_buf(struct conn_stream *cs, 
struct buffer *buf, size_t
 /* Called from the upper layer, to send data */
 static size_t mux_pt_snd_buf(struct conn_stream *cs, struct buffer *buf, 
size_t count, int flags)
 {
-       size_t ret = cs->conn->xprt->snd_buf(cs->conn, buf, count, flags);
+       size_t ret;
+
+       if (cs->conn->flags & CO_FL_HANDSHAKE)
+               return 0;
+       ret = cs->conn->xprt->snd_buf(cs->conn, buf, count, flags);
 
        if (ret > 0)
                b_del(buf, ret);
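
Review bot: the early `return 0` under `cs->conn->flags & CO_FL_HANDSHAKE` in mux_pt_snd_buf gives the caller the same result as a transport that accepted no bytes, and nothing in this hunk shows what causes the upper layer to retry once the handshake completes. Please confirm that the caller is woken or re-subscribed for sending when the handshake finishes, so the data left in `buf` is not stalled, and note that in a comment above the check. The function comment ("Called from the upper layer, to send data") could also say that 0 is returned while a handshake is pending. A short comment at the check stating that SSL handles a pending handshake itself while the other handshakes (proxy protocol, netscaler) pass through mux_pt would keep a later reader from removing the guard as redundant.
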
-- 
2.17.1
