[PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined

[Apollon Oikonomopoulos]

Hi Willy,

We are seeing build failures of 1.5 w/ SSL on Debian's Hurd builder machines
due to the use of PATH_MAX (which is undefined in Hurd) when loading SSL
certificates. You can see the build log here:

https://buildd.debian.org/status/fetch.php?pkg=haproxyarch=hurd-i386ver=1.5%7Edev19-1stamp=1372199388

The attached patch should fix this issue, by modifying the code in 
question to use a dynamically allocated buffer while checking against 
PATH_MAX if appropriate.

Regards,
Apollon
From 865e8c1ed5bc8dfa61eff6c33e5b59b6a554db96 Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos apoi...@gmail.com
Date: Mon, 12 Aug 2013 12:22:26 +0300
Subject: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined

bind_parse_crt() unconditionally uses PATH_MAX, which is not guaranteed to be
defined by POSIX. In fact, GNU Hurd does not have a limit on path sizes and
thus leaves PATH_MAX undefined, causing OpenSSL-enabled builds on Hurd to fail.

We fix this by using dynamic allocation of the path buffer and checking the
actual path length whenever PATH_MAX is defined.
---
 src/ssl_sock.c |   12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ce1712d..655dc77 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2543,17 +2543,25 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
 /* parse the crt bind keyword */
 static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	char path[PATH_MAX];
+	char *path;
+	size_t path_length;
 	if (!*args[cur_arg + 1]) {
 		memprintf(err, '%s' : missing certificate location, args[cur_arg]);
 		return ERR_ALERT | ERR_FATAL;
 	}
 
 	if ((*args[cur_arg + 1] != '/' )  global.crt_base) {
-		if ((strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1)  PATH_MAX) {
+		path_length = strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1;
+#ifdef PATH_MAX
+		if (path_length  PATH_MAX) {
 			memprintf(err, '%s' : path too long, args[cur_arg]);
 			return ERR_ALERT | ERR_FATAL;
 		}
+#endif
+		if ((path = malloc(path_length)) == NULL) {
+			memprintf(err, '%s' : unable to allocate path buffer, args[cur_arg]);
+			return ERR_ALERT | ERR_FATAL;
+		}
 		sprintf(path, %s/%s,  global.crt_base, args[cur_arg + 1]);
 		if (ssl_sock_load_cert(path, conf, px, err)  0)
 			return ERR_ALERT | ERR_FATAL;
-- 
1.7.10.4

Re: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined

[Willy Tarreau]

Hi Apollon,

On Mon, Aug 12, 2013 at 01:07:57PM +0300, Apollon Oikonomopoulos wrote:
 Hi Willy,
 
 We are seeing build failures of 1.5 w/ SSL on Debian's Hurd builder machines
 due to the use of PATH_MAX (which is undefined in Hurd) when loading SSL
 certificates. You can see the build log here:
 
 https://buildd.debian.org/status/fetch.php?pkg=haproxyarch=hurd-i386ver=1.5%7Edev19-1stamp=1372199388
 
 The attached patch should fix this issue, by modifying the code in 
 question to use a dynamically allocated buffer while checking against 
 PATH_MAX if appropriate.

Unfortunately, this patch introduces a memory leak. Since the path
variable is just a temporary one, better use alloca() instead in
order to dynamically allocate on the stack.

Anyway I'd prefer something simpler : let's define PATH_MAX in compat.h
if it is not defined.

Thanks,
Willy

Re: [PATCH] BUG/MINOR: ssl_sock.c: use PATH_MAX only when defined

[Apollon Oikonomopoulos]

On 12:34 Mon 12 Aug , Willy Tarreau wrote:
 Hi Apollon,
 
 Unfortunately, this patch introduces a memory leak. Since the path
 variable is just a temporary one, better use alloca() instead in
 order to dynamically allocate on the stack.

Ooops, completely forgot to free(). Never submit patches directly after 
vacation :-(

 Anyway I'd prefer something simpler : let's define PATH_MAX in compat.h
 if it is not defined.

Yes, that's probably a cleaner solution.

 Thanks,
 Willy

Thanks,
Apollon

Re: HTTP Content-Check

[Jonathan Matthews]

On 12 August 2013 12:35, Wolfgang Routschka
wolfgang.routsc...@drumedar.de wrote:
 Hi Guys,

 on question today about option httpchk  in haproxy 1.5-dev19.

 Is it possible to check the content of URI in option httpchk?

This is available in 1.4 and 1.5. Here're the 1.4 docs for the
feature: http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#http-check
expect

Regards,
Jonathan
-- 
Jonathan Matthews
Oxford, London, UK
http://www.jpluscplusm.com/contact.html

Re: HTTP Content-Check

[Baptiste]

Hi Wolfgang,

The option you're looking for is http-check expect.

Baptiste

On Mon, Aug 12, 2013 at 1:35 PM, Wolfgang Routschka
wolfgang.routsc...@drumedar.de wrote:
 Hi Guys,

 on question today about option httpchk  in haproxy 1.5-dev19.

 Is it possible to check the content of URI in option httpchk?

 for example

 content of healthcheck.html = okay -- option httpchk /healthcheck.html
 okay === TEST OK
 or all other contenct == TEST is not OK

 I hope you can understand me

 Greetings Wolfgang

Re: TCP reject logging of request

[Ghislain]

Le 05/08/2013 10:44, Baptiste a écrit :

Hi Ghislain,

To log such rejected connection please ensure you don't have the
dontlognull option enabled and you're rejecting connections using
the tcp-request content statement.

Baptiste



thanks for the hint ,i was using dontlognull so i just removed it and 
added the no option in the frontend


I use a simple thing like this:


frontend ft_https
mode tcp
no option dontlognull
option tcplog
bind 0.0.0.0:443
stick-table type ip size 500k expire 30s store 
gpc0,http_req_rate(10s),conn_cur

tcp-request connection track-sc1 src
tcp-request connection reject if { src_get_gpc0 gt 0 } or { 
src_conn_cur ge 30 }


default_backend bk_https

backend bk_https
mode tcp
balance roundrobin
acl abuse src_http_req_rate(ft_https) ge 200
acl flag_abuser src_inc_gpc0(ft_https)
tcp-request content reject if abuse flag_abuser




 i cannot have any log for rejects, the same version in http mode gives 
me log with the PR-- flag which is good as it indicate a reject because 
of a deny rule but in TCP mode i am unable to get any logging of the 
denied connections. I use a simple 'ab' call to stress it.



regards,
Ghislain.




smime.p7s
Description: Signature cryptographique S/MIME

Call for Papers IJTEMT. Kindly impart in your University/Organization/College/Colleagues/Academia/Circle.

[Editor IJTEMT]

INTERNATIONAL JOURNAL OF TRENDS IN ECONOMICS MANAGEMENT  TECHNOLOGY IJTEMT invites you to submit your research paper for publishing in Volume II, Issue IV (August 2013). CALL FOR PAPERS VOLUME II, ISSUE IV (PUBLICATION FEE: 40USD Only)
(Separate Webpage and Life- Time Memberships for Prospective Authors)

ISSN: 2321-5518
INDEXED In (http://www.ijtemt.org/indexing.html) :Google Scholar, DOAJ,J-Gate,SlideShare,Scribd.,.Docstoc
ISSN: 2321-5518
www.ijtemt.org

About IJTEMT
International Journal of Trends in Economics Management and Technology (IJTEMT) in an International Academic Journal e-published bimonthly in India and open to the world. In this present interdisciplinary era, here at IJTEMT, a group of intellectual came together to find a common platform for three major components of any economy i.e., Economics, Management and Technology. Here we provide a forum to bridge the gap between the brushed-up professional in their respective fields and the new researcher which will results in better understanding and fruitful outcomes.The focus of this journal is to publish paper on economics management and technology. Submitted papers are reviewed by a full double – blind manner by the technical committee of the journal. The audience for the journal is professionals from related fields, academicians and new students  research scholars.All submitted articles should report original, previously unpublished
research results, experimental or theoretical, and will be peer-reviewed. Articles submitted to the journal should meet these criteria and must not be under consideration for publication elsewhere. Manuscripts should follow the style of the journal and are subject to both review and editing.
Why Select IJTEMT Journal 
IJTEMT Provides E-Certificates to Author'sif Needed.IJTEMT is Globally Approved International Journal having Strong Editorial Board.This is Online Open Journal .Author's can Download Paper from Library of Journal at any Time from Anywhere.IJTEMT is a Association of Eminent Scientist, Researchers and Experienced Members of More than 20 Countries.IJTEMT Publishes High Quality Papers which are Peer Reviewed by International/National Reviewers. Author's Query can be solved within 18 Hours.
Subject Category: ECONOMICS, MANAGEMENT  TECHNOLOGY. 
Important Dates:
Paper Submission:15thAugust 2013
Review Results (Acceptance/Rejection) Notification: Within two weeks after submitting manuscript.. Guidelines for submission and Review Process:
IJTEMT welcomes author submission of papers concerning any branch of the economics, management and technology and their applications in business, industry and other subjects relevant. The review process goes through following phases which can take time from ten days to two months:a. Each manuscript will be initially evaluated by the editorial board / editor, who may make use of appropriate software to examine the originality of the contents of the manuscript.b. The manuscripts passed through screening at above noted level will be forwarded to two referees for blind peer review, each of whom will make a recommendation to publish the article in its present form/edit/reject. During this period referees shall treat the contents of papers under review as privileged information.c. The reviewers'
recommendations determine whether a paper will be accepted / accepted subject to change / subject to resubmission with significant changes / rejected.d. For papers which require changes, the same reviewers will be used to ensure that the quality of the revised paper is acceptable.e. All papers are refereed, and the Editor-in-Chief reserves the right to refuse any typescript, whether on invitation or otherwise, and to make suggestions and/or modifications before publication.
Submission of Paper will takes place in two phases:a. Initial Paper Submission: Prospective author (s) is/are encouraged to submit their manuscript including charts, tables, figures and appendixes in .pdf and .doc (both) format to e-mail: sub...@ijtemt.org. All submitted articles should report original, previously unpublished research results, experimental or theoretical. Articles submitted to the IJTEMT should meet these criteria and must not be under consideration for publication elsewhere.b. Camera Ready Paper Submission:On the acceptance of the paper after completion of the review process the author (s) is/are has to submit camera ready full text paper in .doc and .pdf (both) format to e-mail: submitfi...@ijtemt.org along with the corresponding signed copy of copyright transfer form and scanned copy of payment slip. 
Publication fees Each accepted paper will be charged, 40 USD per paper (for a maximum of 8 pages, above which 05 USD will be charged for every additional page) which is to be paid as per the instructions mentioned in the letter of acceptance of the manuscript submitted. Publication and paper handling fees for INDIAN AUTHORS is 2000 INR per paper(for a maximum of 8 pages, above 

RDP Session Broker Redirect Token

[Mathew Levett]

Hi all,

We seam to have an issue with haproxy where if we set our TS servers to use
Use Token Redirection instead of Use IP Redirection (recommended) it
does not work.

The configuration I am using is a follows

listen TS-Farm
bind 192.168.75.38:3389
mode tcp
balance leastconn
persist rdp-cookie
server backup 127.0.0.1:9081 backup  non-stick
option tcpka
tcp-request inspect-delay 5s
tcp-request content accept if RDP_COOKIE
timeout client 12h
timeout server 12h
option redispatch
option abortonclose
maxconn 4
log global
option tcplog
server TS01 192.168.75.36  weight 1  check port 3389  inter 2000
rise 2  fall 3 minconn 0  maxconn 0  on-marked-down shutdown-sessions
server TS02 192.168.75.37  weight 1  check port 3389  inter 2000
rise 2  fall 3 minconn 0  maxconn 0  on-marked-down shutdown-sessions

However what I have noticed in packet captures is there seams to be
both a mstshash=USERNAME first in the stream and then a msts=Encoded
IP after

It seams that 70% of the time a user is reconnected to his
disconnected session correctly but the other 30% of the time they end
up on any one of
the other servers.  I am wondering if haproxy is triggering on the
mstshash instead of the msts as that seams to be sent after the
mstnshash.

Any help would be greatly received.

Kind Regards.

HA Proxy Install Guide

[Uttla, Rao]

Hi ,

Can you please provide following info, Thanks in advance.

Where can I find HA Proxy Install guide, also can I install HA Proxy without 
root userid.

Thanks,
Jagadishwar Rao Uttla, Database Architect
Lockheed  Martin, ISGS, Contractor to EPA SEMS
703-647-5668  (Work)
703-647-5686  (Fax)
rao.ut...@lmco.commailto:rao.ut...@lmco.com