[PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined
Hi Willy, We are seeing build failures of 1.5 w/ SSL on Debian's Hurd builder machines due to the use of PATH_MAX (which is undefined in Hurd) when loading SSL certificates. You can see the build log here: https://buildd.debian.org/status/fetch.php?pkg=haproxyarch=hurd-i386ver=1.5%7Edev19-1stamp=1372199388 The attached patch should fix this issue, by modifying the code in question to use a dynamically allocated buffer while checking against PATH_MAX if appropriate. Regards, Apollon From 865e8c1ed5bc8dfa61eff6c33e5b59b6a554db96 Mon Sep 17 00:00:00 2001 From: Apollon Oikonomopoulos apoi...@gmail.com Date: Mon, 12 Aug 2013 12:22:26 +0300 Subject: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined bind_parse_crt() unconditionally uses PATH_MAX, which is not guaranteed to be defined by POSIX. In fact, GNU Hurd does not have a limit on path sizes and thus leaves PATH_MAX undefined, causing OpenSSL-enabled builds on Hurd to fail. We fix this by using dynamic allocation of the path buffer and checking the actual path length whenever PATH_MAX is defined. --- src/ssl_sock.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index ce1712d..655dc77 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2543,17 +2543,25 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct /* parse the crt bind keyword */ static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { - char path[PATH_MAX]; + char *path; + size_t path_length; if (!*args[cur_arg + 1]) { memprintf(err, '%s' : missing certificate location, args[cur_arg]); return ERR_ALERT | ERR_FATAL; } if ((*args[cur_arg + 1] != '/' ) global.crt_base) { - if ((strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1) PATH_MAX) { + path_length = strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1; +#ifdef PATH_MAX + if (path_length PATH_MAX) { memprintf(err, '%s' : path too long, args[cur_arg]); return ERR_ALERT | ERR_FATAL; } +#endif + if ((path = malloc(path_length)) == NULL) { + memprintf(err, '%s' : unable to allocate path buffer, args[cur_arg]); + return ERR_ALERT | ERR_FATAL; + } sprintf(path, %s/%s, global.crt_base, args[cur_arg + 1]); if (ssl_sock_load_cert(path, conf, px, err) 0) return ERR_ALERT | ERR_FATAL; -- 1.7.10.4
Re: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined
Hi Apollon, On Mon, Aug 12, 2013 at 01:07:57PM +0300, Apollon Oikonomopoulos wrote: Hi Willy, We are seeing build failures of 1.5 w/ SSL on Debian's Hurd builder machines due to the use of PATH_MAX (which is undefined in Hurd) when loading SSL certificates. You can see the build log here: https://buildd.debian.org/status/fetch.php?pkg=haproxyarch=hurd-i386ver=1.5%7Edev19-1stamp=1372199388 The attached patch should fix this issue, by modifying the code in question to use a dynamically allocated buffer while checking against PATH_MAX if appropriate. Unfortunately, this patch introduces a memory leak. Since the path variable is just a temporary one, better use alloca() instead in order to dynamically allocate on the stack. Anyway I'd prefer something simpler : let's define PATH_MAX in compat.h if it is not defined. Thanks, Willy
Re: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined
On 12:34 Mon 12 Aug , Willy Tarreau wrote: Hi Apollon, Unfortunately, this patch introduces a memory leak. Since the path variable is just a temporary one, better use alloca() instead in order to dynamically allocate on the stack. Ooops, completely forgot to free(). Never submit patches directly after vacation :-( Anyway I'd prefer something simpler : let's define PATH_MAX in compat.h if it is not defined. Yes, that's probably a cleaner solution. Thanks, Willy Thanks, Apollon
Re: HTTP Content-Check
On 12 August 2013 12:35, Wolfgang Routschka wolfgang.routsc...@drumedar.de wrote: Hi Guys, on question today about option httpchk in haproxy 1.5-dev19. Is it possible to check the content of URI in option httpchk? This is available in 1.4 and 1.5. Here're the 1.4 docs for the feature: http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#http-check expect Regards, Jonathan -- Jonathan Matthews Oxford, London, UK http://www.jpluscplusm.com/contact.html
Re: HTTP Content-Check
Hi Wolfgang, The option you're looking for is http-check expect. Baptiste On Mon, Aug 12, 2013 at 1:35 PM, Wolfgang Routschka wolfgang.routsc...@drumedar.de wrote: Hi Guys, on question today about option httpchk in haproxy 1.5-dev19. Is it possible to check the content of URI in option httpchk? for example content of healthcheck.html = okay -- option httpchk /healthcheck.html okay === TEST OK or all other contenct == TEST is not OK I hope you can understand me Greetings Wolfgang
Re: TCP reject logging of request
Le 05/08/2013 10:44, Baptiste a écrit : Hi Ghislain, To log such rejected connection please ensure you don't have the dontlognull option enabled and you're rejecting connections using the tcp-request content statement. Baptiste thanks for the hint ,i was using dontlognull so i just removed it and added the no option in the frontend I use a simple thing like this: frontend ft_https mode tcp no option dontlognull option tcplog bind 0.0.0.0:443 stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur tcp-request connection track-sc1 src tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 } default_backend bk_https backend bk_https mode tcp balance roundrobin acl abuse src_http_req_rate(ft_https) ge 200 acl flag_abuser src_inc_gpc0(ft_https) tcp-request content reject if abuse flag_abuser i cannot have any log for rejects, the same version in http mode gives me log with the PR-- flag which is good as it indicate a reject because of a deny rule but in TCP mode i am unable to get any logging of the denied connections. I use a simple 'ab' call to stress it. regards, Ghislain. smime.p7s Description: Signature cryptographique S/MIME
Call for Papers IJTEMT. Kindly impart in your University/Organization/College/Colleagues/Academia/Circle.
INTERNATIONAL JOURNAL OF TRENDS IN ECONOMICS MANAGEMENT TECHNOLOGY IJTEMT invites you to submit your research paper for publishing in Volume II, Issue IV (August 2013). CALL FOR PAPERS VOLUME II, ISSUE IV (PUBLICATION FEE: 40USD Only) (Separate Webpage and Life- Time Memberships for Prospective Authors) ISSN: 2321-5518 INDEXED In (http://www.ijtemt.org/indexing.html) :Google Scholar, DOAJ,J-Gate,SlideShare,Scribd.,.Docstoc ISSN: 2321-5518 www.ijtemt.org About IJTEMT International Journal of Trends in Economics Management and Technology (IJTEMT) in an International Academic Journal e-published bimonthly in India and open to the world. In this present interdisciplinary era, here at IJTEMT, a group of intellectual came together to find a common platform for three major components of any economy i.e., Economics, Management and Technology. Here we provide a forum to bridge the gap between the brushed-up professional in their respective fields and the new researcher which will results in better understanding and fruitful outcomes.The focus of this journal is to publish paper on economics management and technology. Submitted papers are reviewed by a full double – blind manner by the technical committee of the journal. The audience for the journal is professionals from related fields, academicians and new students research scholars.All submitted articles should report original, previously unpublished research results, experimental or theoretical, and will be peer-reviewed. Articles submitted to the journal should meet these criteria and must not be under consideration for publication elsewhere. Manuscripts should follow the style of the journal and are subject to both review and editing. Why Select IJTEMT Journal IJTEMT Provides E-Certificates to Author'sif Needed.IJTEMT is Globally Approved International Journal having Strong Editorial Board.This is Online Open Journal .Author's can Download Paper from Library of Journal at any Time from Anywhere.IJTEMT is a Association of Eminent Scientist, Researchers and Experienced Members of More than 20 Countries.IJTEMT Publishes High Quality Papers which are Peer Reviewed by International/National Reviewers. Author's Query can be solved within 18 Hours. Subject Category: ECONOMICS, MANAGEMENT TECHNOLOGY. Important Dates: Paper Submission:15thAugust 2013 Review Results (Acceptance/Rejection) Notification: Within two weeks after submitting manuscript.. Guidelines for submission and Review Process: IJTEMT welcomes author submission of papers concerning any branch of the economics, management and technology and their applications in business, industry and other subjects relevant. The review process goes through following phases which can take time from ten days to two months:a. Each manuscript will be initially evaluated by the editorial board / editor, who may make use of appropriate software to examine the originality of the contents of the manuscript.b. The manuscripts passed through screening at above noted level will be forwarded to two referees for blind peer review, each of whom will make a recommendation to publish the article in its present form/edit/reject. During this period referees shall treat the contents of papers under review as privileged information.c. The reviewers' recommendations determine whether a paper will be accepted / accepted subject to change / subject to resubmission with significant changes / rejected.d. For papers which require changes, the same reviewers will be used to ensure that the quality of the revised paper is acceptable.e. All papers are refereed, and the Editor-in-Chief reserves the right to refuse any typescript, whether on invitation or otherwise, and to make suggestions and/or modifications before publication. Submission of Paper will takes place in two phases:a. Initial Paper Submission: Prospective author (s) is/are encouraged to submit their manuscript including charts, tables, figures and appendixes in .pdf and .doc (both) format to e-mail: sub...@ijtemt.org. All submitted articles should report original, previously unpublished research results, experimental or theoretical. Articles submitted to the IJTEMT should meet these criteria and must not be under consideration for publication elsewhere.b. Camera Ready Paper Submission:On the acceptance of the paper after completion of the review process the author (s) is/are has to submit camera ready full text paper in .doc and .pdf (both) format to e-mail: submitfi...@ijtemt.org along with the corresponding signed copy of copyright transfer form and scanned copy of payment slip. Publication fees Each accepted paper will be charged, 40 USD per paper (for a maximum of 8 pages, above which 05 USD will be charged for every additional page) which is to be paid as per the instructions mentioned in the letter of acceptance of the manuscript submitted. Publication and paper handling fees for INDIAN AUTHORS is 2000 INR per paper(for a maximum of 8 pages, above
RDP Session Broker Redirect Token
Hi all, We seam to have an issue with haproxy where if we set our TS servers to use Use Token Redirection instead of Use IP Redirection (recommended) it does not work. The configuration I am using is a follows listen TS-Farm bind 192.168.75.38:3389 mode tcp balance leastconn persist rdp-cookie server backup 127.0.0.1:9081 backup non-stick option tcpka tcp-request inspect-delay 5s tcp-request content accept if RDP_COOKIE timeout client 12h timeout server 12h option redispatch option abortonclose maxconn 4 log global option tcplog server TS01 192.168.75.36 weight 1 check port 3389 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions server TS02 192.168.75.37 weight 1 check port 3389 inter 2000 rise 2 fall 3 minconn 0 maxconn 0 on-marked-down shutdown-sessions However what I have noticed in packet captures is there seams to be both a mstshash=USERNAME first in the stream and then a msts=Encoded IP after It seams that 70% of the time a user is reconnected to his disconnected session correctly but the other 30% of the time they end up on any one of the other servers. I am wondering if haproxy is triggering on the mstshash instead of the msts as that seams to be sent after the mstnshash. Any help would be greatly received. Kind Regards.
HA Proxy Install Guide
Hi , Can you please provide following info, Thanks in advance. Where can I find HA Proxy Install guide, also can I install HA Proxy without root userid. Thanks, Jagadishwar Rao Uttla, Database Architect Lockheed Martin, ISGS, Contractor to EPA SEMS 703-647-5668 (Work) 703-647-5686 (Fax) rao.ut...@lmco.commailto:rao.ut...@lmco.com