Suggestion: Customisable style sheet

[Balcoes]

Hi.  I am sorry if this subject has been discussed before... I have
dedicated one monitor to HAproxy's status page. However as it is now the
name given in the config file's listen line is dark red. And red is usually
associated with problem situations. So at a quick glance I have many times
thought that some server is down.

It would be easy for Willy to change the color but to cater for all needs, I
believe that a better solution would be a customizable style sheet???

B 
 

__ Information from ESET NOD32 Antivirus, version of virus signature
database 4953 (20100317) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 

[ANNOUNCE] haproxy-1.4.2

[Willy Tarreau]

Hi all,

While things are calming down with 1.4, quite a bunch of issues
were reported and fixed, so it was time to release 1.4.2 without
waiting for any more new issue to come by surprise.

Those running on 1.4 should really upgrade as there is a risk of
response truncation when using the chunked transfer encoding,
the anonymous ACLs don't work as expected, the on-error server
check speedup may be trigger by clients, the url_param hash may
return a dead server, and it's possible to sometimes keep an
erroneous connection forever when using keep-alive and pipelining.
That's a lot of issues, and there were other ones, please check
the changelog.

User reports have been invaluable, and I particularly want to
thank the ones who sent me network captures and strace outputs.

There were some improvements too, especially related to the
checks. We can now check servers which return their response
in multiple packets.

In my opinion, all pending issues on 1.4 are closed, so I think
that distro packagers may reasonably start to open the branch
(I've seen that some have already started). I don't intend to
release 1.4.3 immediately afterwards, because right now I have
nothing else to fix. However I hope that we'll find some time
to work on the ECV patch and get it merged into 1.4.3. Nick
has fixed many issues from the initial one but a few ones still
remain.

Last, I have not yet opened the knownbugs-1.4 page, but I will
have to do so  soon.

As usual everything's here :
   site index : http://haproxy.1wt.eu/
   sources: http://haproxy.1wt.eu/download/1.4/src/
   changelog  : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
   binaries   : http://haproxy.1wt.eu/download/1.4/bin/

I wish you only good experience with this one !

Willy

Re: Truncated health check response from real servers

[Willy Tarreau]

On Wed, Mar 17, 2010 at 09:48:42PM +0100, Cyril Bonté wrote:
> Le Mercredi 17 Mars 2010 21:12:45, Willy Tarreau a écrit :
> > (...) I don't
> > agree with restting the buffer or even considering we have an error
> > when a session does not close, because it is a regression. For instance,
> > all people using HTTP/1.1 checks will see a problem here.
> 
> hey right, I suddenly realize I forgot to recheck that !

and I found that it broke SMTP checks too !

Here's the fix, it works for all cases I could find (SMTP, HTTP,
multi-byte responses, ...). It starts parsing responses as soon
as enough bytes are available or waits for more data if required.
In fact the code to test the length was already present to detect
short responses. I have just added a test to know if we can hope
for more data or not.

I'll also apply your previous patch about the buffer allocation.

Thanks!
Willy

>From 039381855dd2cefa4e0c827514c0124728030c65 Mon Sep 17 00:00:00 2001
From: Willy Tarreau 
Date: Wed, 17 Mar 2010 21:52:07 +0100
Subject: [PATCH] [BUG] checks: don't wait for a close to start parsing the 
response
MIME-Version: 1.0
Content-Type: text/plain; charset=latin1
Content-Transfer-Encoding: 8bit

Cyril Bonté reported a regression introduced with very last changes
on the checks code, which causes failed checks on if the server does
not close the connection in time. This happens on HTTP/1.1 checks or
on SMTP checks for instance.

This fix consists in restoring the old behaviour of parsing as soon
as something is available in the response buffer, and waiting for
more data if some are missing. This also helps releasing connections
earlier (eg: a GET check will not have to download the whole object).
---
 src/checks.c |   45 -
 1 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/src/checks.c b/src/checks.c
index 82939dc..e6fec7d 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -865,6 +865,7 @@ static int event_srv_chk_r(int fd)
struct task *t = fdtab[fd].owner;
struct server *s = t->context;
char *desc;
+   int done;
 
if (unlikely((s->result & SRV_CHK_ERROR) || (fdtab[fd].state == 
FD_STERROR))) {
/* in case of TCP only, this tells us if the connection failed 
*/
@@ -884,24 +885,22 @@ static int event_srv_chk_r(int fd)
 * with running the checks without attempting another socket read.
 */
 
+   done = 0;
for (len = 0; s->check_data_len < BUFSIZE; s->check_data_len += len) {
len = recv(fd, s->check_data + s->check_data_len, BUFSIZE - 
s->check_data_len, 0);
if (len <= 0)
break;
}
 
-   if (len < 0) {  /* recv returned an error */
-   if (errno == EAGAIN) {
-   /* not ready, we want to poll first */
-   fdtab[fd].ev &= ~FD_POLL_IN;
-   return 0;
-   }
-
+   if (len == 0)
+   done = 1; /* connection hangup received */
+   else if (len < 0 && errno != EAGAIN) {
/* Report network errors only if we got no other data. Otherwise
 * we'll let the upper layers decide whether the response is OK
 * or not. It is very common that an RST sent by the server is
 * reported as an error just after the last data chunk.
 */
+   done = 1;
if (!s->check_data_len) {
if (!(s->result & SRV_CHK_ERROR))
set_server_check_status(s, HCHK_STATUS_SOCKERR, 
NULL);
@@ -909,18 +908,21 @@ static int event_srv_chk_r(int fd)
}
}
 
-   /* Full response received.
-* Terminate string in check_data buffer... */
+   /* Intermediate or complete response received.
+* Terminate string in check_data buffer.
+*/
if (s->check_data_len < BUFSIZE)
s->check_data[s->check_data_len] = '\0';
-   else
+   else {
s->check_data[s->check_data_len - 1] = '\0';
-
-   /* Close the connection... */
-   shutdown(fd, SHUT_RDWR);
+   done = 1; /* buffer full, don't wait for more data */
+   }
 
/* Run the checks... */
if (s->proxy->options & PR_O_HTTP_CHK) {
+   if (!done && s->check_data_len < strlen("HTTP/1.0 000\r"))
+   goto wait_more_data;
+
/* Check if the server speaks HTTP 1.X */
if ((s->check_data_len < strlen("HTTP/1.0 000\r")) ||
(memcmp(s->check_data, "HTTP/1.", 7) != 0 ||
@@ -955,6 +957,9 @@ static int event_srv_chk_r(int fd)
}
}
else if (s->proxy->options & PR_O_SSL3_CHK) {
+   if (!done && s->check_data_len < 5)
+   goto wait_more_data;
+
/* Check for SSLv3 alert or handshake */
if 

Re: Truncated health check response from real servers

[Cyril Bonté]

Le Mercredi 17 Mars 2010 21:12:45, Willy Tarreau a écrit :
> (...) I don't
> agree with restting the buffer or even considering we have an error
> when a session does not close, because it is a regression. For instance,
> all people using HTTP/1.1 checks will see a problem here.

hey right, I suddenly realize I forgot to recheck that !

> Rather, I
> think we should start the parsing as soon as the response is large
> enough to be parsed, and only declare a parse error if we reach the
> end of response on a closed response. That way we can still parse
> status codes as soon as we get the first packet for most cases, but
> we can also wait for more data. It means that for some rare cases,
> we can parse the response multiple times waiting for it to be complete,
> but that's rather rare and right now those cases don't work at all.
> 
> I'll see what can be done.

That looks much better, no need to wait for a complete response if only the 
status is checked :)
And the resource will be released faster in most of the cases.

-- 
Cyril Bonté

Re: Truncated health check response from real servers

[Willy Tarreau]

Hi Cyril,

On Wed, Mar 17, 2010 at 06:56:31PM +0100, Cyril Bonté wrote:
> Hi all,
> 
> Le Mardi 16 Mars 2010 21:35:10, Willy Tarreau a écrit :
> > I'm now gathering my changes and committing your patch with the small
> > fixes above. That way we can concentrate on ECV.
> 
> I've played a little with this commits.
> I added some traces to see what happens when a timeout occurs and noticed 
> that the response is concatenated after the response of the previous timed 
> out check, until the buffer is full.
> This can occur when the server started to send a response but was too long to 
> finish or if a check uses HTTP/1.1 on a server with a HTTP Keep-Alive longer 
> than the check timeout (adding "Connection: close" could help prevent this, 
> maybe it should be added in the "option httpchk" documentation).

You make a good point.

The initial code was not sensible to such connections that were left
open, and it used to parse the response upon the first packet. I don't
agree with restting the buffer or even considering we have an error
when a session does not close, because it is a regression. For instance,
all people using HTTP/1.1 checks will see a problem here. Rather, I
think we should start the parsing as soon as the response is large
enough to be parsed, and only declare a parse error if we reach the
end of response on a closed response. That way we can still parse
status codes as soon as we get the first packet for most cases, but
we can also wait for more data. It means that for some rare cases,
we can parse the response multiple times waiting for it to be complete,
but that's rather rare and right now those cases don't work at all.

I'll see what can be done.

(...)
> Also, to save a little memory, the check_data buffer is only allocated for 
> the servers that are checked.

Ah, that's a good point, thanks :-)

Regards,
Willy

Re: Truncated health check response from real servers

[Cyril Bonté]

Hi all,

Le Mardi 16 Mars 2010 21:35:10, Willy Tarreau a écrit :
> I'm now gathering my changes and committing your patch with the small
> fixes above. That way we can concentrate on ECV.

I've played a little with this commits.
I added some traces to see what happens when a timeout occurs and noticed that 
the response is concatenated after the response of the previous timed out 
check, until the buffer is full.
This can occur when the server started to send a response but was too long to 
finish or if a check uses HTTP/1.1 on a server with a HTTP Keep-Alive longer 
than the check timeout (adding "Connection: close" could help prevent this, 
maybe it should be added in the "option httpchk" documentation).

The "expect" option from the ECV patch can be affected by this.

The patch provided in attachment resets the buffer after a timeout bur I wonder 
if it can't be done in set_server_check_status().
Also, to save a little memory, the check_data buffer is only allocated for the 
servers that are checked.

-- 
Cyril Bonté
diff -Naur haproxy-ss-20100317/src/cfgparse.c haproxy-ss-20100317-checks/src/cfgparse.c
--- haproxy-ss-20100317/src/cfgparse.c	2010-03-16 22:57:27.0 +0100
+++ haproxy-ss-20100317-checks/src/cfgparse.c	2010-03-17 18:37:21.0 +0100
@@ -3116,12 +3116,6 @@
 			newsrv->curfd = -1;		/* no health-check in progress */
 			newsrv->health = newsrv->rise;	/* up, but will fall down at first failure */
 
-			/* Allocate buffer for partial check results... */
-			if ((newsrv->check_data = calloc(BUFSIZE, sizeof(char))) == NULL) {
-Alert("parsing [%s:%d] : out of memory while allocating check buffer.\n", file, linenum);
-err_code |= ERR_ALERT | ERR_ABORT;
-goto out;
-			}
 			cur_arg = 3;
 		} else {
 			newsrv = &curproxy->defsrv;
@@ -3563,6 +3557,13 @@
 goto out;
 			}
 
+			/* Allocate buffer for partial check results... */
+			if ((newsrv->check_data = calloc(BUFSIZE, sizeof(char))) == NULL) {
+Alert("parsing [%s:%d] : out of memory while allocating check buffer.\n", file, linenum);
+err_code |= ERR_ALERT | ERR_ABORT;
+goto out;
+			}
+
 			newsrv->check_status = HCHK_STATUS_INI;
 			newsrv->state |= SRV_CHECKED;
 		}
diff -Naur haproxy-ss-20100317/src/checks.c haproxy-ss-20100317-checks/src/checks.c
--- haproxy-ss-20100317/src/checks.c	2010-03-16 22:57:27.0 +0100
+++ haproxy-ss-20100317-checks/src/checks.c	2010-03-17 18:43:12.0 +0100
@@ -1345,6 +1345,9 @@
 	else	/* HTTP, SMTP */
 		set_server_check_status(s, HCHK_STATUS_L7TOUT, NULL);
 }
+/* Reset the check buffer... */
+*s->check_data = '\0';
+s->check_data_len = 0;
 			}
 
 			//fprintf(stderr, "process_chk: 10\n");
diff -Naur haproxy-ss-20100317/src/haproxy.c haproxy-ss-20100317-checks/src/haproxy.c
--- haproxy-ss-20100317/src/haproxy.c	2010-03-16 22:57:27.0 +0100
+++ haproxy-ss-20100317-checks/src/haproxy.c	2010-03-17 18:38:08.0 +0100
@@ -859,7 +859,9 @@
 
 			free(s->id);
 			free(s->cookie);
-			free(s->check_data);
+			if (s->check_data) {
+free(s->check_data);
+			}
 			free(s);
 			s = s_next;
 		}/* end while(s) */

Re: haproxy 1.4.1 port crashes

[Willy Tarreau]

Hey guys,

I've just checked and indeed recent FreeBSD systems now define
MSG_NOSIGNAL, which explains why the SIGPIPE is not caught anymore.
Maybe it does not always work as expected, but anyway the only systems
where the signal was not caught was linux <= 2.4. So now I have changed
this to unconditionnaly catch the signal. This should now fix the issue
for you.

Please use the latest snapshot (or wait to get it in the usual form tomorrow) :

   http://git.1wt.eu/web?p=haproxy-1.4.git;a=snapshot;sf=tgz

Regards,
Willy

Re: XML Output interrupt / P-FLAG

[Willy Tarreau]

On Wed, Mar 17, 2010 at 05:10:27PM +0100, Bernhard Krieger wrote:
> Hello Willi,
> 
> 
> 
> i applied the patch on our test system and it seems to be ok.

Perfect, thanks for confirming this !

> Every request was successfully. No interruptions occurred!!
> 
> Tomorrow i install the patched version on our live system.

Then better use the latest snapshot, which also contains other fixes :

   http://git.1wt.eu/web?p=haproxy-1.4.git;a=snapshot;sf=tgz

(it will also appear in the src/snapshot directory tomorrow morning).

I intend to release 1.4.2 very soon now. Either I get more info about
the FreeBSD crashes to fix them and I wait for that, or I release 1.4.2
without.

Regards,
Willy

Re: XML Output interrupt / P-FLAG

[Bernhard Krieger]

Hello Willi,



i applied the patch on our test system and it seems to be ok.
Every request was successfully. No interruptions occurred!!

Tomorrow i install the patched version on our live system.

Thank you

regards
Bernhard


- Nachricht von w...@1wt.eu -
 Datum: Wed, 17 Mar 2010 16:07:55 +0100
   Von: Willy Tarreau 
Antwort an: Willy Tarreau 
   Betreff: Re: XML Output interrupt / P-FLAG
An: Bernhard Krieger 
Cc: haproxy@formilux.org



Hi Bernhard,

thanks very much for your traces. They made it easier for me to
reproduce the issue. It happens when the chunked data are split
in chunks of a size which divides the buffer size. This causes
situations where the chunk parser tries to find a CRLF followed
by a chunk size and due to a wrong comparison, it checks for the
CRLF in data which are not yet received. It does not see it and
finds something else instead, so it concludes the response is
invalid.

I've fixed the check to consider only unparsed data instead of
the whole buffer, and it's now OK for me.

Here's the patch that I've merged, in case you want to try now.

Thanks again for your kind responsiveness,
Willy





- Ende der Nachricht von w...@1wt.eu -




This message was sent using IMP, the Internet Messaging Program.

Re: haproxy 1.4.1 port crashes

[Willy Tarreau]

Hi Angelo,

On Wed, Mar 17, 2010 at 04:14:28PM +0100, Angelo Höngens wrote:
> I upgraded haproxy from 1.3.2x to 1.4.1 on one of my production
> balancers this morning from the ports (yes, I was feeling lucky), and
> noticed after a while haproxy was stopped. Nothing in any logs (no debug
> settings), it just stopped after a few minutes. I'm running FreeBSD
> 7.2-RELEASE amd64 with a custom kernel (carp compiled in). Installed
> 1.3.22 from haproxy-devel, that works fine..
> 
> No time to dig deeper now, but if you need any help let me know, perhaps
> I can do some tests this week if needed.

Those tests would be welcome. If you have the ability to start it
in a debugger and see where it stops, it will help a lot.

Thanks!

Willy

Re: haproxy 1.4.1 port crashes

[Angelo Höngens]

On 17-3-2010 16:10, Willy Tarreau wrote:
> Hello,
> 
> On Wed, Mar 17, 2010 at 09:59:41AM +0100, Pawel Jaskorzynski wrote:
>> Hello,
>> I would like to report instability of the recent stable branch port of 
>> haproxy-1.4.1. After some time of processing TCP requests in 
>> round-robin, haproxy dies with "broken pipe" in debug. Nothing else gets 
>> reported.
>> My systsem is i386 FreeBSD 8.0-STABLE #1: Mon Mar 15, GENERIC kernel.
>> The port has been cvsup'ed on the 16th of March.
>> Previously operated haproxy-1.2.X for long time with no problems. 
>> Currently reverted to haproxy-1.2.18, works as expected.
> 
> I already got one report of a crash on FreeBSD. The fact that you see
> a broken pipe lets me think that MSG_NOSIGNAL is defined, causing the
> sigpipe not to be caught, but it does not have the expected effect.
> Could you please remove the #if/#endif around signal(SIGPIPE, SIG_IGN)
> in src/haproxy.c and try again ?
> 
> Thanks,
> Willy
> 

Me too..

I upgraded haproxy from 1.3.2x to 1.4.1 on one of my production
balancers this morning from the ports (yes, I was feeling lucky), and
noticed after a while haproxy was stopped. Nothing in any logs (no debug
settings), it just stopped after a few minutes. I'm running FreeBSD
7.2-RELEASE amd64 with a custom kernel (carp compiled in). Installed
1.3.22 from haproxy-devel, that works fine..

No time to dig deeper now, but if you need any help let me know, perhaps
I can do some tests this week if needed.
-- 


With kind regards,


Angelo Höngens
systems administrator

MCSE on Windows 2003
MCSE on Windows 2000
MS Small Business Specialist
--
NetMatch
tourism internet software solutions

Ringbaan Oost 2b
5013 CA Tilburg
+31 (0)13 5811088
+31 (0)13 5821239

a.hong...@netmatch.nl
www.netmatch.nl
--

Re: haproxy 1.4.1 port crashes

[Willy Tarreau]

Hello,

On Wed, Mar 17, 2010 at 09:59:41AM +0100, Pawel Jaskorzynski wrote:
> Hello,
> I would like to report instability of the recent stable branch port of 
> haproxy-1.4.1. After some time of processing TCP requests in 
> round-robin, haproxy dies with "broken pipe" in debug. Nothing else gets 
> reported.
> My systsem is i386 FreeBSD 8.0-STABLE #1: Mon Mar 15, GENERIC kernel.
> The port has been cvsup'ed on the 16th of March.
> Previously operated haproxy-1.2.X for long time with no problems. 
> Currently reverted to haproxy-1.2.18, works as expected.

I already got one report of a crash on FreeBSD. The fact that you see
a broken pipe lets me think that MSG_NOSIGNAL is defined, causing the
sigpipe not to be caught, but it does not have the expected effect.
Could you please remove the #if/#endif around signal(SIGPIPE, SIG_IGN)
in src/haproxy.c and try again ?

Thanks,
Willy

Re: XML Output interrupt / P-FLAG

[Willy Tarreau]

Hi Bernhard,

thanks very much for your traces. They made it easier for me to
reproduce the issue. It happens when the chunked data are split
in chunks of a size which divides the buffer size. This causes
situations where the chunk parser tries to find a CRLF followed
by a chunk size and due to a wrong comparison, it checks for the
CRLF in data which are not yet received. It does not see it and
finds something else instead, so it concludes the response is
invalid.

I've fixed the check to consider only unparsed data instead of
the whole buffer, and it's now OK for me.

Here's the patch that I've merged, in case you want to try now.

Thanks again for your kind responsiveness,
Willy

>From bf3f1de5b58aa77c2a3da4e143d5a7b2f1056b53 Mon Sep 17 00:00:00 2001
From: Willy Tarreau 
Date: Wed, 17 Mar 2010 15:54:24 +0100
Subject: [BUG] http: fix truncated responses on chunk encoding when size 
divides buffer size

Bernhard Krieger reported truncated HTTP responses in presence of some
specific chunk-encoded data, and kindly offered complete traces of the
issue which made it easy to reproduce it.

Those traces showed that the chunks were of exactly 8192 bytes, chunk
size and CRLF included, which was exactly half the size of the buffer.
In this situation, the function http_chunk_skip_crlf() could erroneously
try to parse a CRLF after the chunk believing there were more data
pending, because the number of bytes present in the buffer was considered
instead of the number of remaining bytes to be parsed.
---
 src/proto_http.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/proto_http.c b/src/proto_http.c
index f1ec7cd..694e98d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -2245,7 +2245,7 @@ int http_skip_chunk_crlf(struct buffer *buf, struct 
http_msg *msg)
ptr = buf->data;
}
 
-   if (buf->l < bytes)
+   if (bytes > buf->l - buf->send_max)
return 0;
 
if (*ptr != '\n')
-- 
1.5.3.3

haproxy 1.4.1 port crashes

[Pawel Jaskorzynski]

Hello,
I would like to report instability of the recent stable branch port of 
haproxy-1.4.1. After some time of processing TCP requests in 
round-robin, haproxy dies with "broken pipe" in debug. Nothing else gets 
reported.

My systsem is i386 FreeBSD 8.0-STABLE #1: Mon Mar 15, GENERIC kernel.
The port has been cvsup'ed on the 16th of March.
Previously operated haproxy-1.2.X for long time with no problems. 
Currently reverted to haproxy-1.2.18, works as expected.


Best Regards,
Pawel

Re: dynamic referer protecion

[Hervé COMMOWICK]

Hi Anze,

There is also the architecture guide, it is a little outdated but it
remains interesting :

http://haproxy.1wt.eu/download/1.3/doc/architecture.txt

Hervé.

On 03/17/2010 08:17 AM, Anze wrote:
> Hello Hervé,
>
> Thanks for the link, it reminded me to read it again and refresh my memory. 
> :) 
>
> The manual is a really good start to using haproxy, but it doesn't cover the 
> topics that Willy wrote in previous mail (maxconn, setting timeouts, 
> tarpit,...). I was thinking more about "what to do if..." kind of guide / 
> book 
> (depends on volume and the will to deal with publishers). 
>
> Thanks,
>
> Anze
>
>
>
>
> On Tuesday 16 March 2010, Hervé COMMOWICK wrote:
>   
>> Hello Anze,
>>
>> Willy already wrote this a while ago :
>>
>> http://1wt.eu/articles/2006_lb/
>>
>> Hervé
>>
>> On 03/16/2010 12:39 PM, Anze wrote:
>> 
>>> Willy: thanks for the explanation on tactics below! Ever thought of
>>> writing a book on the subject? I don't mean haproxy configuration but its
>>> possible deployments, common setups,...
>>>   
>> 
>
>   

-- 
Hervé COMMOWICK, EXOSEC (http://www.exosec.fr/)
ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
Tel: +33 1 30 67 60 65  -  Fax: +33 1 75 43 40 70
mailto:hcommow...@exosec.fr

Re: dynamic referer protecion

[Anze]

Hello Hervé,

Thanks for the link, it reminded me to read it again and refresh my memory. :) 

The manual is a really good start to using haproxy, but it doesn't cover the 
topics that Willy wrote in previous mail (maxconn, setting timeouts, 
tarpit,...). I was thinking more about "what to do if..." kind of guide / book 
(depends on volume and the will to deal with publishers). 

Thanks,

Anze




On Tuesday 16 March 2010, Hervé COMMOWICK wrote:
> Hello Anze,
> 
> Willy already wrote this a while ago :
> 
> http://1wt.eu/articles/2006_lb/
> 
> Hervé
> 
> On 03/16/2010 12:39 PM, Anze wrote:
> > Willy: thanks for the explanation on tactics below! Ever thought of
> > writing a book on the subject? I don't mean haproxy configuration but its
> > possible deployments, common setups,...
>