Haproxy+yassl experimental

2012-11-24 Thread Emeric BRUN
Hi guys,

It is experimental and missing a lot of features vs the OpenSSL version (for
benchers only).

Multiprocess needs a CyaSSL patch; I need to clean it up and I am currently
discussing it with the yaSSL guys to get it merged.

In monoprocess mode I observe, on an AMD Geode LX 800 (500 MHz) with the TLSv1.1
AES-SHA cipher and a 1024-bit RSA key:

520 con/s (220 for openssl)
37 key/s (29 for openssl)

https://github.com/EmericBr/haproxy-yassl/network

Regards,
Emeric





[PATCH] MEDIUM: tcp: add a v6only option for TCP sockets

2012-11-24 Thread Vincent Bernat
With this option enabled, a TCPv6 socket will only listen for IPv6
packets. With this option absent, a TCPv6 socket will accept both IPv6
and IPv4 packets.

The system setting (net.ipv6.bindv6only) is ignored because many
people disagree with the default proposed by RFC 3493 (which is to
listen to both IPv4 and IPv6 by default) because this makes it difficult
to write a server socket in a truly protocol-independent way. So, on
any system, haproxy will bind to both IPv4 and IPv6 sockets by
default, unless the v6only option is specified.
---
 doc/configuration.txt|7 +++
 include/types/listener.h |1 +
 src/proto_tcp.c  |   40 +++-
 3 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index f409407..bd721c8 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7170,6 +7170,13 @@ user user
   setting except that the user name is used instead of its uid. This setting is
   ignored by non UNIX sockets.
 
+v6only
+  This setting will make the socket listening for IPv6 packets. Another socket
+  or program can be configured to handle IPv4 packets on the same port. Without
+  this option, a socket will be able to handle both IPv4 and IPv6 packets,
+  whatever the default system setting is. This option is ignored if the socket
+  is configured to listen to an IPv4 address.
+
 verify [none|optional|required]
   This setting is only available when support for OpenSSL was built in. If set
   to 'none', client certificate is not requested. This is the default. In other
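Review bot: the first sentence of the new v6only entry ("will make the socket listening for IPv6 packets") drops the word that matters; suggest "This setting makes the socket listen for IPv6 packets only". Since the entry says the system default is ignored, it should also state what happens without the keyword (IPV6_V6ONLY is cleared), so an operator running with net.ipv6.bindv6only=1 knows that dual-stack behaviour will be forced on every IPv6 bind line after the upgrade.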
diff --git a/include/types/listener.h b/include/types/listener.h
index 0f16986..824956f 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -90,6 +90,7 @@ enum {
 #define LI_O_ACC_PROXY  0x0040  /* find the proxied address in the first 
request line */
 #define LI_O_UNLIMITED  0x0080  /* listener not subject to global limits 
(peers  stats socket) */
 #define LI_O_TCP_FO 0x0100  /* enable TCP Fast Open (linux = 3.6) */
+#define LI_O_IPV6_ONLY  0x0200  /* listen only on IPv6 */
 
 /* Note: if a listener uses LI_O_UNLIMITED, it is highly recommended that it 
adds its own
  * maxconn setting to the global.maxsock value so that its resources are 
reserved.
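Review bot: LI_O_IPV6_ONLY takes the next free bit after LI_O_TCP_FO, which is fine; for consistency with the neighbouring TCP_FO comment it would help to name the kernel option in the comment, e.g. `/* set IPV6_V6ONLY on the listening socket */`, so that a grep for the socket option also finds the flag.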
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 2b8d148..eb831f0 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -699,6 +699,26 @@ int tcp_bind_listener(struct listener *listener, char 
*errmsg, int errlen)
}
}
 #endif
+#if defined(IPV6_V6ONLY)
+   switch (listener-addr.ss_family) {
+   case AF_INET: break;
+   case AF_INET6:
+   if (listener-options  LI_O_IPV6_ONLY) {
+   int on = 1;
+   if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, on, 
sizeof(on)) == -1) {
+   msg = cannot enable IPV6_V6ONLY;
+   err |= ERR_WARN;
+   }
+   } else {
+   int off = 0;
+   if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, off, 
sizeof(off)) == -1) {
+   msg = cannot disable IPV6_V6ONLY;
+   err |= ERR_WARN;
+   }
+   }
+   break;
+   }
+#endif
if (bind(fd, (struct sockaddr *)listener-addr, 
listener-proto-sock_addrlen) == -1) {
err |= ERR_RETRYABLE | ERR_ALERT;
msg = cannot bind socket;
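Review bot: when the keyword was explicitly requested and `setsockopt(IPV6_V6ONLY)` fails, the code only raises ERR_WARN and goes on to bind, so the resulting socket silently accepts IPv4 as well; the operator asked for an IPv6-only listener (typically to leave the IPv4 port to another program) and gets the opposite with nothing but a warning. Suggest treating that failure like the bind failure just below (ERR_ALERT) and appending strerror(errno) to "cannot enable IPV6_V6ONLY" so the message is actionable. The `else` branch also forces the option off on every AF_INET6 listener without the keyword, which changes behaviour on hosts with net.ipv6.bindv6only=1; if that is intended it must be in the doc hunk, otherwise only touch the option when the keyword is present. Minor: `case AF_INET: break;` is redundant (unmatched families already skip the switch), so `if (listener->addr.ss_family == AF_INET6)` reads more clearly.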
@@ -1751,7 +1771,7 @@ static int bind_parse_defer_accept(char **args, int 
cur_arg, struct proxy *px, s
 #endif
 
 #ifdef TCP_FASTOPEN
-/* parse the defer-accept bind keyword */
+/* parse the tfo bind keyword */
 static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct 
bind_conf *conf, char **err)
 {
struct listener *l;
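Review bot: the bind_parse_tfo comment correction is unrelated to the v6only feature; it would be easier to cherry-pick or revert independently as its own one-line commit (harmless as is).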
@@ -1765,6 +1785,21 @@ static int bind_parse_tfo(char **args, int cur_arg, 
struct proxy *px, struct bin
 }
 #endif
 
+#ifdef IPV6_V6ONLY
+/* parse the v6only bind keyword */
+static int bind_parse_v6only(char **args, int cur_arg, struct proxy *px, 
struct bind_conf *conf, char **err)
+{
+   struct listener *l;
+
+   list_for_each_entry(l, conf-listeners, by_bind) {
+   if (l-addr.ss_family == AF_INET || l-addr.ss_family == 
AF_INET6)
+   l-options |= LI_O_IPV6_ONLY;
+   }
+
+   return 0;
+}
+#endif
+
 #ifdef TCP_MAXSEG
 /* parse the mss bind keyword */
 static int bind_parse_mss(char **args, int cur_arg, struct proxy *px, struct 
bind_conf *conf, char **err)
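Review bot: the family test in bind_parse_v6only is half dead: LI_O_IPV6_ONLY is also set on AF_INET listeners, where tcp_bind_listener ignores it and the documentation says the keyword is ignored, so either test only `AF_INET6` or drop the test. It would also be worth reporting through the `err` pointer when the keyword is applied to a bind line that has no IPv6 listener at all; as written, `v6only` on an IPv4-only address is silently accepted, which hides a misconfiguration.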
@@ -1874,6 +1909,9 @@ static struct bind_kw_list bind_kws = { TCP, { }, {
 #ifdef TCP_FASTOPEN
{ tfo,   bind_parse_tfo,  0 }, /* enable TCP_FASTOPEN 
of listening socket */
 #endif
+#ifdef IPV6_V6ONLY
+   { v6only,bind_parse_v6only,   0 }, /* enable IPV6_V6ONLY 
of listening socket */
+#endif
 #ifdef CONFIG_HAP_LINUX_TPROXY
{ transparent,   
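
An added configuration illustration, not part of the patch or of the thread, showing the two ways the documentation hunk above says the keyword is meant to be used: one dual-stack socket (the default this patch enforces) versus an IPv6-only socket beside a separate IPv4 socket on the same port. Frontend and backend names, ports and the backend address are placeholders chosen for the example.

```haproxy
# Example only; names, ports and addresses are made up.
frontend dualstack
    # Default behaviour with this patch: a single IPv6 socket that also
    # accepts IPv4 clients (IPV6_V6ONLY is forced off, whatever
    # net.ipv6.bindv6only says on this host).
    bind :::80
    default_backend web

frontend split
    # The v6only keyword sets IPV6_V6ONLY on the IPv6 socket, so the
    # IPv4 bind on the same port below no longer conflicts with it and
    # could just as well belong to another program.
    bind :::8080 v6only
    bind 0.0.0.0:8080
    default_backend web

backend web
    server s1 127.0.0.1:8000 check
```

The keyword is per bind line, so a configuration can mix both styles; the second form is the one to reach for when IPv4 traffic on that port must be handled by something other than this haproxy instance.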

Re: [PATCH] MEDIUM: tcp: add a v6only option for TCP sockets

2012-11-24 Thread Vincent Bernat
❦ 24 November 2012 12:01 CET, Vincent Bernat ber...@luffy.cx :

>  #ifdef TCP_FASTOPEN
> -/* parse the defer-accept bind keyword */
> +/* parse the tfo bind keyword */
>  static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct 
> bind_conf *conf, char **err)

I have embedded this change on purpose. Feel free to strip it.
-- 
Make input easy to proofread.
- The Elements of Programming Style (Kernighan & Plauger)



Re: IPv6 bind

2012-11-24 Thread Willy Tarreau
Hi Vincent,

I'm cc-ing Marcus Rueckert who first asked me for the feature.

On Sat, Nov 24, 2012 at 12:07:23PM +0100, Vincent Bernat wrote:
> Hi Willy!
> 
> Since it was an easy one, I have sent you a proposal.

Grrr... I just did it too a few minutes ago, sorry for that :-/

> The difficulty is
> to agree on the default behavior. In my patch, I propose an option which
> enables v6 only when present and v4 and v6 when absent. Other
> possibilities are :
> 
>  - v6only and v4v6 options which override system defaults and we
>    keep system defaults if we don't have any keyword. A configuration
>    working on distribution X won't work on distribution Y.

That's what I've done too. Remember that we don't want to break existing
setups, so it is out of question to suddenly change the way configs have
been working for years.

>  - v4v6 option and when absent, bind on IPv6 only.
> 
> I like the latter option better but this is the opposite of what we have
> now. I feel this is risky to let users upgrade and have a V6 only server
> while they expected to have a V4+V6 server. By doing v4+v6 by default,
> we break setups relying on system-wide default of v6only but this will
> be a visible change (HAproxy won't be able to bind the socket).

I really want to let the system-wide configuration decide when no option
is set, that's the philosophy we've always followed. We add options to
force a desired behaviour and without any option, the system sets defaults.

> However, I will be happy to update the patch to have v4v6 keyword
> instead of v6only.

I did not know it was possible to revert the system behaviour, so yes
please feel free to send such a patch to let the user force IPV6_V6ONLY
to zero! v4v6 seems appropriate to me too.

Thanks,
Willy




Re: problem with sort of caching of use_backend with socket.io and apache

2012-11-24 Thread Willy Tarreau
Hi David,

On Sat, Nov 24, 2012 at 09:26:56AM -0300, david rene comba lareu wrote:
> Hi everyone,
> 
> I'm a little disappointed with a problem I'm having trying to configure
> HAproxy the way I need, so I need a little help from you guys,
> who know a lot more than me about this, as I reviewed all the
> documentation and tried several things but nothing worked :(.
> 
> Basically, my structure is:
> 
> HAproxy as frontend, on port 80 - forwards by default to the webserver
> (in this case it is apache, on other machines it could be nginx)
>  - depending on the domain
> and the request, forwards to a Node.js app
> 
> So I have something like this:
> 
> global
>     log 127.0.0.1   local0
>     log 127.0.0.1   local1 notice
>     maxconn 4096
>     user haproxy
>     group haproxy
>     daemon
> 
> defaults
>     log global
>     mode http
>     maxconn 2000
>     contimeout  5000
>     clitimeout  5
>     srvtimeout  5
> 
> frontend all 0.0.0.0:80
>     timeout client 5000
>     default_backend www_backend
> 
>     acl is_soio url_dom(host) -i socket.io #if the request contains socket.io
>     acl is_chat hdr_dom(host) -i chaturl #if the request comes from chaturl.com
> 
>     use_backend chat_backend if is_chat is_soio
> 
> backend www_backend
>     balance roundrobin
>     option forwardfor # This sets X-Forwarded-For
>     timeout server 5000
>     timeout connect 4000
>     server server1 localhost:6060 weight 1 maxconn 1024 check #forwards to apache2
> 
> backend chat_backend
>     balance roundrobin
>     option forwardfor # This sets X-Forwarded-For
>     timeout queue 5
>     timeout server 5
>     timeout connect 5
>     server server1 localhost:5558 weight 1 maxconn 1024 check #forwards to node.js app
> 
> My application uses socket.io, so anything that matches the domain and
> has socket.io in the request should be forwarded to the chat_backend.
> 
> The problem is that if I load directly from the browser, let's say, the
> socket.io file (it will be something like
> http://www.chaturl.com/socket.io/socket.io.js), it loads perfectly, but
> then when I try to load index.html (as
> http://www.chaturl.com/index.html) most of the time it is still
> redirected to socket.io. After refreshing a few times, it finally loads
> index.html, but then it doesn't load the socket.io.js file included in
> the file (as it redirects to the apache server, and not the node.js
> app). So as I said, it sort of caches the request.
> 
> I tried several ACL combinations, I disabled the domain check, only
> checking for socket.io, but it is still the same. Reading the
> documentation again I tried to use hdr_dir, hdr_dom, with other headers such as
> URI, url, Request (btw, where can I find a list of headers supported
> by the layer 7 ACLs?).
> 
> So, nothing worked; if someone could help me and point me in the
> right direction, I would be really grateful :D

You're missing option http-server-close in your config, so after
the first request is done, haproxy switches to tunnel mode and maintains
the client-server connection without inspecting anything in it.

Regards,
Willy
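
An added example, not from the thread, of the frontend the question describes with `option http-server-close` added as Willy suggests, so that every request on a client connection is parsed and routed by the ACLs instead of only the first one. The `path_beg` match is my own choice for "the request contains socket.io" and is not the ACL syntax the poster used; the host name, ports and timeouts are values chosen for the example.

```haproxy
# Example only; host name, ports and timeouts are placeholders.
defaults
    mode http
    # Without this line haproxy inspects only the first request of a
    # connection, then tunnels everything that follows to whichever
    # backend served that first request: the "caching" seen above.
    option http-server-close
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend all
    bind 0.0.0.0:80
    # Host header is chaturl.com or a subdomain of it
    acl is_chat hdr_dom(host) -i chaturl.com
    # Request path starts with /socket.io (assumption: this is what
    # "contains socket.io" is meant to match)
    acl is_soio path_beg -i /socket.io
    # Both ACLs on one "if" are ANDed
    use_backend chat_backend if is_chat is_soio
    default_backend www_backend

backend www_backend
    server apache localhost:6060 check

backend chat_backend
    server node localhost:5558 check
```

With `option http-server-close` the server-side connection is closed after each response while the client side may stay open, so each following request is parsed again and the ACLs are re-evaluated. The side effect worth noting from a defensive point of view is that the routing decision then applies per request rather than per connection, so nothing inside a reused client connection reaches a backend without having been inspected.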




Re: IPv6 bind

2012-11-24 Thread Marcus Rueckert
+1 from me.

-- 
   openSUSE - SUSE Linux is my linux
   openSUSE is good for you
   www.opensuse.org



Re: Need more info on compression

2012-11-24 Thread Willy Tarreau
Hi Dmitry,

On Thu, Nov 22, 2012 at 08:03:26PM +0400, Dmitry Sivachenko wrote:
> Hello!
> 
> I was reading docs about HTTP compression support in -dev13 and it is a bit
> unclear to me how it works.
> 
> Imagine I have:
>     compression algo gzip
>     compression type text/html text/javascript text/xml text/plain
> 
> in the defaults section.
> 
> What will haproxy do if:
> 1) the backend server does NOT support compression;

Haproxy will compress the matching responses.

> 2) the backend server does support compression;

You have two possibilities:
  - either you just have the lines above, and the server will see
the Accept-Encoding header from the client and will compress
the response; in this case, haproxy will see the compressed
response and will not compress again;

  - or you also have a compression offload line. In this case,
haproxy will remove the Accept-Encoding header before passing
the request to the server. The server will then *not* compress,
and haproxy will compress the response. This is what I'm doing
at home because the compressing server is bogus and sometimes
emits wrong chunked encoded data!

> 3) the backend server does support compression and these two
> compression* lines are not in the haproxy config.

Then haproxy's normal behaviour remains unchanged, the server compresses
if it wants to and haproxy transfers the response unmodified.

> I think the documentation needs to clarify things a bit.

Possibly, however I don't know what to clarify nor how, it's always
difficult to guess how people will understand a doc :-(

Could you please propose some changes ? I would be happy to improve
the doc if it helps people understand it.

Thanks!
Willy
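
An added example, not from the thread, that puts the three cases Willy describes side by side as configuration; instead of the `defaults` section the compression lines are placed per backend so that case 3 (no compression lines at all) can be shown in the same file. Backend names and the 10.0.0.x server addresses are made up for the illustration.

```haproxy
# Example only; backend names and server addresses are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Case 1: the server never compresses, so haproxy compresses the
# responses whose Content-Type is in the list.
backend app_nogzip
    compression algo gzip
    compression type text/html text/javascript text/xml text/plain
    server s1 10.0.0.11:8080 check

# Case 2 without offload: the server sees the client's Accept-Encoding
# and compresses; haproxy notices the response is already compressed
# and leaves it alone.
backend app_gzip
    compression algo gzip
    compression type text/html text/javascript text/xml text/plain
    server s1 10.0.0.12:8080 check

# Case 2 with offload: haproxy removes Accept-Encoding before forwarding
# the request, so the server answers uncompressed and haproxy compresses.
# This is the workaround for a server whose own compressed or chunked
# output cannot be trusted.
backend app_offload
    compression algo gzip
    compression type text/html text/javascript text/xml text/plain
    compression offload
    server s1 10.0.0.13:8080 check

# Case 3: no compression lines here, so whatever the server sends,
# compressed or not, is relayed unmodified.
backend app_passthrough
    server s1 10.0.0.14:8080 check
```

Note that with `compression offload` the server never sees what encodings the client accepts, so any content negotiation the application itself does on Accept-Encoding stops working; the decision is entirely haproxy's from then on.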




Re: IPv6 bind

2012-11-24 Thread Guillaume Castagnino
Hi,

Thanks a lot, this is working perfectly fine :)

On Saturday 24 November 2012 12:30:38 Willy Tarreau wrote:
> Hi Vincent,
> 
> I'm cc-ing Marcus Rueckert who first asked me for the feature.
> 
> On Sat, Nov 24, 2012 at 12:07:23PM +0100, Vincent Bernat wrote:
>> Hi Willy!
>> 
>> Since it was an easy one, I have sent you a proposal.
> 
> Grrr... I just did it too a few minutes ago, sorry for that :-/
> 
>> The difficulty is
>> to agree on the default behavior. In my patch, I propose an option
>> which enables v6 only when present and v4 and v6 when absent.
>> Other
>> possibilities are :
>>  - v6only and v4v6 options which override system defaults and we
>>    keep system defaults if we don't have any keyword. A
>>    configuration
>>    working on distribution X won't work on distribution Y.
> 
> That's what I've done too. Remember that we don't want to break
> existing setups, so it is out of question to suddenly change the way
> configs have been working for years.
> 
>>  - v4v6 option and when absent, bind on IPv6 only.
>> 
>> I like the latter option better but this is the opposite of what we
>> have now. I feel this is risky to let users upgrade and have a V6
>> only server while they expected to have a V4+V6 server. By doing
>> v4+v6 by default, we break setups relying on system-wide default of
>> v6only but this will be a visible change (HAproxy won't be able to
>> bind the socket).
> 
> I really want to let the system-wide configuration decide when no
> option is set, that's the philosophy we've always followed. We add
> options to force a desired behaviour and without any option, the
> system sets defaults.
> 
>> However, I will be happy to update the patch to have v4v6 keyword
>> instead of v6only.
> 
> I did not know it was possible to revert the system behaviour, so yes
> please feel free to send such a patch to let the user force
> IPV6_V6ONLY to zero! v4v6 seems appropriate to me too.
> 
> Thanks,
> Willy
-- 
Guillaume Castagnino
ca...@xwing.info / guilla...@castagnino.org