tproxy bug in haproxy-1.5.10

[U.Mutlu]

Hi,
I wanted to report a nasty bug I discovered today:

Portforwarding to a different IP on the same haproxy-box causes haproxy behave 
buggy.

This error happens when one uses the TPROXY target for portforwarding,
ie. like this:

Let's say the IP of the main interface is 192.168.100.100,
and traffic from outside to port 1234 shall be forwarded
to a virtual IP 192.168.100.101 and port 5678 on the same host, ie:

auto eth0
allow-hotplug eth0
iface eth0 inet static
  address   192.168.100.100
  netmask   255.255.255.0
  broadcast 192.168.100.255
  gateway   192.168.100.254
  metric1
  up   ip addr add 192.168.100.101/32 dev eth0 label eth0:101
  down ip addr del 192.168.100.101/32 dev eth0 label eth0:101

...
iptables -t mangle -A PREROUTING -p tcp --dport 1234 -j TPROXY --tproxy-mark 
666 --on-ip 192.168.100.101 --on-port 5678



When REDIRECT instead of TPROXY is used then it works, but with that one can 
forward only to another port of the main IP (192.168.100.100) of the 
interface, ie. here eth0.


I can confirm this bug because putting a different transparent proxy program
(actually my own test program) at the same IP:Port works fine with such 
portforwardings.


My environment:
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt2-1 (2014-12-08) x86_64 
GNU/Linux, ie. Debian 8

I compiled haproxy myself w/o any modifications:

# ./haproxy -vv
HA-Proxy version 1.5.10 2014/12/31
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU = x86_64
  CC  = gcc
  CFLAGS  = -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built without OpenSSL support (USE_OPENSSL not set)
Built with PCRE version : 8.35 2014-04-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Cookie persistence - what I am I doing wrong?

[Shawn Heisey]

I'm trying to ensure that multiple connections from the same browser end
up on the same back end server, and having lots of trouble.  All my work
with haproxy up to now has been with connections that don't need
persistence - everything relevant happens in one http request.

This is probably PEBCAK or ID10T ... but I am not seeing my mistake.

Here's the frontend and backend I've got:

frontend nc-80
   description Front end that accepts requests for production.
   bind X.X.X.72:80
   acl blockit path_beg-i /v2.0
   http-request deny if blockit
   default_backend nc-80-backend

backend nc-80-backend
description Back end for main site
cookie JSESSIONID prefix
server frontier 10.100.2.25:80 weight 100 track apache80/frontier
server fremont 10.100.2.26:80 weight 100 track apache80/fremont
server fiesta 10.100.2.29:80 weight 150 track apache80/fiesta

The log lines all have --NN in them with these settings, and requests
from a single browser page load are hitting all three webservers.

I also tried 'cookie SRV insert indirect nocache' with no better
results.  With this, the log lines all have --NI.

Here's the -vv output:

HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
  TARGET  = linux26
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min
needed)
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 6.6 06-Feb-2006
PCRE library supports JIT : no (USE_PCRE_JIT not set)

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Thanks,
Shawn

Re: Cookie persistence - what I am I doing wrong?

[Cyril Bonté]

Hi Shawn,

Le 15/01/2015 01:59, Shawn Heisey a écrit :

I'm trying to ensure that multiple connections from the same browser end
up on the same back end server, and having lots of trouble.  All my work
with haproxy up to now has been with connections that don't need
persistence - everything relevant happens in one http request.

This is probably PEBCAK or ID10T ... but I am not seeing my mistake.

Here's the frontend and backend I've got:

frontend nc-80
description Front end that accepts requests for production.
bind X.X.X.72:80
acl blockit path_beg-i /v2.0
http-request deny if blockit
default_backend nc-80-backend

backend nc-80-backend
 description Back end for main site
 cookie JSESSIONID prefix
 server frontier 10.100.2.25:80 weight 100 track apache80/frontier
 server fremont 10.100.2.26:80 weight 100 track apache80/fremont
 server fiesta 10.100.2.29:80 weight 150 track apache80/fiesta


You need to specify a cookie value for each server, with the cookie 
keyword : 
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#cookie%20%28Server%20and%20default-server%20options%29


For example :
server frontier 10.100.2.25:80 weight 100 cookie frontier track 
apache80/frontier
server fremont 10.100.2.26:80 weight 100 cookie fremont track 
apache80/fremont
server fiesta 10.100.2.29:80 weight 150 cookie fiesta track 
apache80/fiesta


Use any value you want but keep them unique to have stickiness requests 
on a specific server.


For an application session JSESSIONID 12345678901234567890123456789012, 
from the client side it will result in cookies like :

JSESSIONID=frontier~12345678901234567890123456789012
JSESSIONID=fremont~12345678901234567890123456789012
JSESSIONID=fiesta~12345678901234567890123456789012



The log lines all have --NN in them with these settings, and requests
from a single browser page load are hitting all three webservers.

I also tried 'cookie SRV insert indirect nocache' with no better
results.  With this, the log lines all have --NI.


It will also work once cookie values are set.



Here's the -vv output:

HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau w...@1wt.eu

Build options :
   TARGET  = linux26
   CPU = generic
   CC  = gcc
   CFLAGS  = -O2 -g -fno-strict-aliasing
   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min
needed)
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 6.6 06-Feb-2006
PCRE library supports JIT : no (USE_PCRE_JIT not set)

Available polling systems :
   epoll : pref=300,  test result OK
poll : pref=200,  test result OK
  select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Thanks,
Shawn




--
Cyril Bonté

Re: Haproxy SSL Redirection issue

[RAKESH P B]

Hi Cyrill,

Thanks for the update.

In Application  side we are not using any SSL offloading.  I have tested
with pound (for ssl termination)  haproxy (for load balancing) combination
and issue got resolved. But if i tried with haproxy only , then getting the
issue. I think there is some configuration changes need to made with
haproxy to support application side URL redirect. Please find the status
codes details. Please help me.

   1.

   haproxy (only)

   https://www.example.com/search/quotes? : 302
   http://www.example.com/search/quotes? : 301
   https://www.example.com/search/quotes? : 200
   2.

   Pound (termination )  haproxy ( loadbalancing)
   https://www.example.com/search/quotes? : 302
   https://www.example.com/search/quotes? : 200
   3.



On Tue, Jan 13, 2015 at 5:49 PM, RAKESH P B pb.rakes...@gmail.com wrote:

 Hi Cyrill,

 Thanks for the update.  I'll check with my developer and let you know how
 the way SSL offloading support in Application side.

 On Tue, Jan 13, 2015 at 3:14 AM, Cyril Bonté cyril.bo...@free.fr wrote:

 Hi,

 Le 12/01/2015 22:27, RAKESH P B a écrit :

 Hi All,

 Can I have an update on this.


 From what you describe and your configuration, this is not haproxy
 related but you should take a look on the application or on the server
 itself. But we can't tell you more, you didn't provide any information on
 them.

 By adding a X-Forwarded-Proto header, your server/application must take
 it into account. And this is where there is no standard.
 For example :
 - some applications require X-Forwarded-Proto: https
 - some others require that the server set an environment variables, and
 depending on the component, it can have different names/values, some are
 case sensitive, some others not (HTTPS=on, HTTPS=On, ...)
 - apache redirects will use a special syntax on ServerName with a https://
 prefix, ...

 As you see, it depends on what the developers thought at the time they
 included SSL Offloading support.


 On Sun, Jan 11, 2015 at 6:56 PM, RAKESH P B pb.rakes...@gmail.com
 mailto:pb.rakes...@gmail.com wrote:

 Please find updated configuration file.

 On Sun, Jan 11, 2015 at 6:53 PM, RAKESH P B pb.rakes...@gmail.com
 mailto:pb.rakes...@gmail.com wrote:

 Hi Lukas,

 Thanks you for the quick response. Please find the attached
 Haproxy configuration.

 On Sun, Jan 11, 2015 at 5:21 PM, Lukas Tribus
 luky...@hotmail.com mailto:luky...@hotmail.com wrote:

  Hi Team,
 
  I have an issue Haproxy SSL redirection. Whenever any
 request is
  redirected from HAproxy , then two redirected request is
 send, one is
  with http and other with https while URL for both request
 is same.
  For example,
  when the URL is redirected tohttps://www.example.com/to/
 path? , then
  these two request are send
 http://www.example.com/path1/path2/path3?
 https://www.example.com/path1/path2/path3?

 Can you share the config?


 Lukas






 --
 Cyril Bonté

Round Robin not very random

[Alexey Zilber]

Hi All,

  We got hit with a bit of traffic and we saw haproxy dump most of the
traffic to 3-4 app servers, sometimes even just one and driving load on
there to 90.  We were running 1.5.9, I upgraded to 1.5.10 and the same
problem remained.  Currently traffic is low so everything is load balanced
evenly, but we expect another spike in a few hours and I expect the issue
to return.


Here's what haproxy-status looked like:




Do I need to switch to maybe add a weight and tracking?  We have 12
frontend appservers load balancing to 28.  All run haproxy and the app
server software.

Thanks!
Alex

Send specific string on TCP

[Hoggins!]

Hello folks,

I'd like to use the proxy / webirc feature of ngIRCd. For that, it is
required that the proxy sends the following command at the beginning of
the communication :

WEBIRC password username hostname ip-address

(see http://ngircd.barton.de/doc/Protocol.txt, section II.4)

How can I do this in my backend ? Shall I use something like tcp-check
send ? I'd like, in this example, to replace the ip-address variable
by something computed by HAProxy, and which reflects the actual IP
address of the client.

Thanks !



signature.asc
Description: OpenPGP digital signature

Re: Haproxy SSL Redirection issue

[Cyril Bonté]

Hi,

Le 15/01/2015 03:59, RAKESH P B a écrit :

Hi Cyrill,

Thanks for the update.

In Application  side we are not using any SSL offloading.  I have tested
with pound (for ssl termination)  haproxy (for load balancing)
combination and issue got resolved.


I guess you have RewriteLocation  0 in your pound configuration (the 
default is 1), this will explain why you see a difference.



But if i tried with haproxy only ,
then getting the issue. I think there is some configuration changes need
to made with haproxy to support application side URL redirect. Please
find the status codes details. Please help me.


This is really not the job of the reverse proxy to decide by itself to 
change the protocol in the redirects (it can add very bad side effects) 
but in your case, if you're sure that there won't be any valid http 
redirect, you can rewrite the headers sent in the response.

For example with :
  http-response replace-header Location ^http://(.*) https://\1


 1.

haproxy (only)

https://www.example.com/search/quotes? : 302


Here you'll have
Location: http://www.example.com/search/quotes?
catched by the rule given previously, rewriting the header to :
Location: https://www.example.com/search/quotes?


http://www.example.com/search/quotes? : 301


This step won't happen  anymore.


https://www.example.com/search/quotes? : 200

 2.

Pound (termination )  haproxy ( loadbalancing)
https://www.example.com/search/quotes? : 302
https://www.example.com/search/quotes? : 200

 3.


On Tue, Jan 13, 2015 at 5:49 PM, RAKESH P B pb.rakes...@gmail.com
mailto:pb.rakes...@gmail.com wrote:

Hi Cyrill,

Thanks for the update.  I'll check with my developer and let you
know how the way SSL offloading support in Application side.

On Tue, Jan 13, 2015 at 3:14 AM, Cyril Bonté cyril.bo...@free.fr
mailto:cyril.bo...@free.fr wrote:

Hi,

Le 12/01/2015 22:27, RAKESH P B a écrit :

Hi All,

Can I have an update on this.


 From what you describe and your configuration, this is not
haproxy related but you should take a look on the application or
on the server itself. But we can't tell you more, you didn't
provide any information on them.

By adding a X-Forwarded-Proto header, your server/application
must take it into account. And this is where there is no standard.
For example :
- some applications require X-Forwarded-Proto: https
- some others require that the server set an environment
variables, and depending on the component, it can have different
names/values, some are case sensitive, some others not
(HTTPS=on, HTTPS=On, ...)
- apache redirects will use a special syntax on ServerName with
a https:// prefix, ...

As you see, it depends on what the developers thought at the
time they included SSL Offloading support.


On Sun, Jan 11, 2015 at 6:56 PM, RAKESH P B
pb.rakes...@gmail.com mailto:pb.rakes...@gmail.com
mailto:pb.rakes...@gmail.com
mailto:pb.rakes...@gmail.com__ wrote:

 Please find updated configuration file.

 On Sun, Jan 11, 2015 at 6:53 PM, RAKESH P B
pb.rakes...@gmail.com mailto:pb.rakes...@gmail.com
 mailto:pb.rakes...@gmail.com
mailto:pb.rakes...@gmail.com__ wrote:

 Hi Lukas,

 Thanks you for the quick response. Please find the
attached
 Haproxy configuration.

 On Sun, Jan 11, 2015 at 5:21 PM, Lukas Tribus
 luky...@hotmail.com mailto:luky...@hotmail.com
mailto:luky...@hotmail.com mailto:luky...@hotmail.com
wrote:

  Hi Team,
 
  I have an issue Haproxy SSL redirection.
Whenever any request is
  redirected from HAproxy , then two redirected
request is send, one is
  with http and other with https while URL for
both request is same.
  For example,
  when the URL is redirected
tohttps://www.example.com/to/__path
http://www.example.com/to/path? , then
  these two request are send
 http://www.example.com/path1/__path2/path3
http://www.example.com/path1/path2/path3?
 https://www.example.com/__path1/path2/path3
https://www.example.com/path1/path2/path3?

 Can you share the config?


 Lukas






--
Cyril Bonté






--
Cyril Bonté

No TCP RST on tcp-request connection reject

[Christian Ruppert]

Hey guys,

just a thought... wouldn't it make sense to add an option to tcp-request
connection reject to disable the actual TCP RST? So, an attacker tries to
(keep) open a lot of ports:

a) HAProxy (configured with rate limiting etc.) does a tcp-request connection
reject which ends up as a TCP RST. The attacker gets the RST and immediately 
again
b) the same as a) but the socket will be closed on the server side but no RST,
nothing will be sent back to the remote side. The connections on the remote side
will be kept open until timeout.

Wouldn't it make sense to implement an option for b) so it can be used during
major attacks or so?

Re: No TCP RST on tcp-request connection reject

[Baptiste]

On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert c.rupp...@babiel.com wrote:
 Hey guys,

 just a thought... wouldn't it make sense to add an option to tcp-request
 connection reject to disable the actual TCP RST? So, an attacker tries to
 (keep) open a lot of ports:

 a) HAProxy (configured with rate limiting etc.) does a tcp-request connection
 reject which ends up as a TCP RST. The attacker gets the RST and immediately 
 again
 b) the same as a) but the socket will be closed on the server side but no RST,
 nothing will be sent back to the remote side. The connections on the remote 
 side
 will be kept open until timeout.

 Wouldn't it make sense to implement an option for b) so it can be used during
 major attacks or so?


Hi Christian,

Have you had a look at tarpit related options from HAProxy?
You can slowdown the attack thanks to it.

Baptiste

Re: No TCP RST on tcp-request connection reject

[Christian Ruppert]

Hi Baptiste,

tarpit is pretty handy but as far as I understood it will keep the connection
open, on both sides. So at some point (pretty quickly actually) we cannot handle
any more connections on that host. The host will become slow and/or
unresponsive. When we close the connection on our local side but don't notify
the remote side it will probably exhaust the attacker and we could handle more
connections and/or free and re-use such connections that has been classified too
much.

On 01/14/2015 05:28 PM, Baptiste wrote:
 On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert c.rupp...@babiel.com 
 wrote:
 Hey guys,

 just a thought... wouldn't it make sense to add an option to tcp-request
 connection reject to disable the actual TCP RST? So, an attacker tries to
 (keep) open a lot of ports:

 a) HAProxy (configured with rate limiting etc.) does a tcp-request 
 connection
 reject which ends up as a TCP RST. The attacker gets the RST and 
 immediately again
 b) the same as a) but the socket will be closed on the server side but no 
 RST,
 nothing will be sent back to the remote side. The connections on the remote 
 side
 will be kept open until timeout.

 Wouldn't it make sense to implement an option for b) so it can be used during
 major attacks or so?

 
 Hi Christian,
 
 Have you had a look at tarpit related options from HAProxy?
 You can slowdown the attack thanks to it.
 
 Baptiste
 

-- 
Mit freundlichen Grüßen,
Christian Ruppert
Systemadministrator

..

Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf

Tel: 0211-179349 0
Fax: 0211-179349 29
c.rupp...@babiel.com

http://www.babiel.com

GESCHÄFTSFÜHRER
Georg Babiel, Dr. Rainer Babiel, Harald Babiel
Amtsgericht Düsseldorf HRB 38633

DISCLAIMER
The information transmitted in this electronic mail message may contain
confidential and or privileged materials. Any review, retransmission,
dissemination or other use of or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient is
prohibited. If you receive such e-mails in error, please contact the sender and
delete the material from any computer.