Re: segfault in src/buffer.c

2015-08-18 Thread Thierry
Hi,

How can I reproduce the segfault ?

Thierry

On Mon, 17 Aug 2015 15:00:25 +0200
Marc-Antoine marc-antoine.b...@ovh.net wrote:

 Hi,
 
 Cyril, as you said, if I removed txn:close() from the lua script, I don't get a
 segfault anymore.
 
 I noticed that if I removed the default_backend line from the frontend declaration,
 the segfault does not happen even with txn:close() in the lua script:
 
 frontend fe:80
     bind 127.0.0.1:80
     acl debugme req.hdr_cnt(X-debug-me) ge 1
     http-request lua mirror if debugme
     #default_backend be
 
 Regards,
 
 On Sat, 15 Aug 2015 23:56:57 +0200,
 Cyril Bonté cyril.bo...@free.fr wrote :
 
  Hi Marc-Antoine,
  
  On 12/08/2015 19:01, Marc-Antoine wrote:
   I forgot lua file content :
  
   # cat mylua.lua
   -- a simple mirror web server
   -- it generates a response whose body contains the requests headers
   function mirror(txn)
       (...)
       txn:close()
   end
  
  This is the call which produces a segfault later, combined with the
  haproxy configuration. I give more details below.
  
   Marc-Antoine marc-antoine.b...@ovh.net wrote :
   (...)
   defaults
       mode http
   (...)
   frontend fe:80
       bind 127.0.0.1:80
       acl debugme req.hdr_cnt(X-debug-me) ge 1
       http-request lua mirror if debugme
       default_backend be
  
  It looks like currently, mode http doesn't allow a call to txn:close().
  To extend the issue, txn:close() won't work for a proxy in HTTP mode for
  both :
  http-request lua
  tcp-request content lua
  
  This is due to the stream processing which still executes some request
  analyzers even if the lua code sends a response and asks to close the
  transaction.
  
  I haven't looked at the code enough yet, but maybe we should try to find 
  a way to notify haproxy to stop the processing once txn:close() is called.
  
  This also explains some other segfaults reported in the past :
  http://comments.gmane.org/gmane.comp.web.haproxy/21136
  
 
 
 -- 
 Marc-Antoine
 



Re: Infinite timeout

2015-08-18 Thread Baptiste
On 18 August 2015 10:41, mihaly.vukov...@t-systems.com wrote:

 Hello All,

 we need to set infinite timeout for a specific listener, the docs say
 that the infinite timeout can be setup by not defining the timeout value at
 all.
 It means that I have to remove the default options, and define the
 timeouts explicitly in other listeners.

 My question is, what I have not found in the docs: what if I set the
 timeout to 0 (zero). Is that equal to infinite?
 It would mean I can set default values and set to 0 in one specific
 listener block.

 Best Regards,
 Mihály Vukovics



Hi,

You could also set 2 defaults sections. One with timeouts, one without.

Baptiste



Infinite timeout

2015-08-18 Thread Mihaly.Vukovics
Hello All,

we need to set infinite timeout for a specific listener, the docs say that the
infinite timeout can be setup by not defining the timeout value at all.
It means that I have to remove the default options, and define the timeouts
explicitly in other listeners.

My question is, what I have not found in the docs: what if I set the timeout to
0 (zero). Is that equal to infinite?
It would mean I can set default values and set to 0 in one specific listener
block.

Best Regards,
Mihály Vukovics




Haproxy help

2015-08-18 Thread vivek pal
Hi,

We have configured haproxy with balance roundrobin, added 2 web servers
(web1, web2) and mapped website.domain.com to the haproxy IP. When we hit
website.domain.com in a browser it works: requests are transferred to both
servers. We want the first 100 hits sent to web1 and the rest to web2. Is it
possible?

Regards,

Vivek Pal.


Re: ocsp

2015-08-18 Thread Marc-Antoine
Hi, I did the tests you want. See below for answers.

On Mon, 20 Jul 2015 17:42:03 +0200,
Lukas Tribus luky...@hotmail.com wrote :

  Hi Lukas,
 
  frontend cluster:443
      bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d
      default_backend cluster
      capture request header Host len 255
 
 Can you confirm there is no SSL intercepting device in front of the 
 webserver, like
 hardware firewalls/UTM and whatnot?
yes
 
 Could you try with just a single certificate (single crt config pointing to a 
 single certificate file, not a
 directory)?
yes it works fine with crt pointing to a single certificate file.
 
 Can you make the openssl tests from the server, connecting locally without 
 any intermediate
 devices?
i did and results are the same.

Regards, 
 
 
 
 Thanks,
 
 Lukas
 
 


-- 
Marc-Antoine



Re: segfault in src/buffer.c

2015-08-18 Thread Cyril Bonté

Hi Thierry,

On 18/08/2015 12:33, Thierry wrote:

Hi,

How can I reproduce the segfault ?


While I tried to simplify the test to its minimal form, I could see that 
the segfault doesn't occur in http-keep-alive mode, but does in 
httpclose or http-server-close mode.


Here is the minimal configuration to reproduce the segfault :
haproxy.cfg :
global
    lua-load bug.lua

listen test
    bind :9000
    mode http
    option httpclose
    http-request lua closebug

bug.lua :
function closebug(txn)
    txn:close()
end


--
Cyril Bonté




Re: segfault in src/buffer.c

2015-08-18 Thread Cyril Bonté

Hi again Thierry,

On 18/08/2015 22:28, Cyril Bonté wrote:

Hi Thierry,

On 18/08/2015 12:33, Thierry wrote:

Hi,

How can I reproduce the segfault ?


While I tried to simplify the test to its minimal form, I could see that
the segfault doesn't occur in http-keep-alive mode, but does in
httpclose or http-server-close mode.

Here is the minimal configuration to reproduce the segfault :
haproxy.cfg :
global
 lua-load bug.lua

listen test
 bind :9000
 mode http
 option httpclose
 http-request lua closebug

bug.lua :
function closebug(txn)
 txn:close()
end


Well, to complete the test case, using httpclose or http-server-close, 
it will segfault only if it requires to change the Connection header 
in the response.


$ echo -ne "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc localhost 9000
=> segfault

Backtrace associated :
...
#1 0x00410bc7 in buffer_insert_line2 (b=0x732c00, pos=0x732c35 "\r\nache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html><body><h1>503 Service Unavailable</h1>\nNo server is available to handle this request.\n</body></html>\n", str=0x4b23bf "Connection: close", len=len@entry=17) at src/buffer.c:126
#2 0x0044653f in http_header_add_tail2 (msg=msg@entry=0x724a50, hdr_idx=hdr_idx@entry=0x7249f0, text=<optimized out>, len=17) at src/proto_http.c:508
#3 0x004496c0 in http_change_connection_header (txn=txn@entry=0x7249f0, msg=msg@entry=0x724a50, wanted=4194304) at src/proto_http.c:1984
#4 0x0045147f in http_process_request (s=s@entry=0x724670, req=req@entry=0x724680, an_bit=an_bit@entry=512) at src/proto_http.c:4689
#5 0x0047bcf6 in process_stream (t=<optimized out>) at src/stream.c:1741
#6 0x00415665 in process_runnable_tasks () at src/task.c:238
#7 0x0040c0c0 in run_poll_loop () at src/haproxy.c:1528
#8 0x00408f66 in main (argc=<optimized out>, argv=<optimized out>) at src/haproxy.c:1887


$ echo -ne "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | nc localhost 9000
=> OK

It won't segfault exactly in the same manner as Marc-Antoine, but it 
shows that haproxy tries to process the HTTP request and response after 
txn.close() is called.


How about completely removing txn:close() and check a return value for 
lua function ? 0 : haproxy go to the next steps ;  0 : haproxy stops 
immediately the session.

This could prevent such use cases :
txn:close()
txn.res:send("test\r\n")
txn.http:res_add_header("header", "value")


--
Cyril Bonté



Re: [PATCH] DOC: match several lua configuration option names to those implemented in code

2015-08-18 Thread Willy Tarreau
On Tue, Aug 18, 2015 at 11:32:10PM +0200, Thierry FOURNIER wrote:
 Hi,
 
 Thank you for the doc fix.

Patch applied, thanks guys!

Willy





Re: Haproxy help

2015-08-18 Thread Aaron West
Hi Vivek,

You can do this I think with the first scheduler so the option balance
first :

This is what haproxy doc says:

  first       The first server with available connection slots receives the
              connection. The servers are chosen from the lowest numeric
              identifier to the highest (see server parameter "id"), which
              defaults to the server's position in the farm. Once a server
              reaches its maxconn value, the next server is used. It does
              not make sense to use this algorithm without setting maxconn.
              The purpose of this algorithm is to always use the smallest
              number of servers so that extra servers can be powered off
              during non-intensive hours. This algorithm ignores the server
              weight, and brings more benefit to long session such as RDP
              or IMAP than HTTP, though it can be useful there too. In
              order to use this algorithm efficiently, it is recommended
              that a cloud controller regularly checks server usage to turn
              them off when unused, and regularly checks backend queue to
              turn new servers on when the queue inflates. Alternatively,
              using "http-check send-state" may inform servers on the load.

Otherwise you may be able to do something based on session rate with ACL's,
I used this config once previously :

frontend TestVIP 192.168.0.236:80 transparent
    mode http
    maxconn 4
    option accept-invalid-http-request
    acl max_conn_reached srv_sess_rate(prod/ProdRIP) gt 10
    acl prod_dead nbsrv(prod) lt 1
    acl whitelist hdr_sub(Cookie) -i SERVERID
    default_backend prod
    use_backend prod if whitelist
    use_backend fallback if max_conn_reached OR prod_dead

backend prod
    mode http
    balance leastconn
    option abortonclose
    option forwardfor
    option accept-invalid-http-response
    option http-keep-alive
    cookie SERVERID insert nocache indirect
    server ProdRIP 192.168.0.245 weight 100 cookie ProdRIP check port 80 inter 4000 rise 2 fall 2 minconn 0 maxconn 0

backend fallback
    mode http
    balance leastconn
    option abortonclose
    option forwardfor
    option accept-invalid-http-response
    option http-keep-alive
    server FallbackRIP 192.168.0.246 weight 100 minconn 0 maxconn 0

Regards

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 18 August 2015 at 13:06, vivek pal mr.vivek...@gmail.com wrote:


 Hi,

 We have configured haproxy with balance roundrobin, added 2 web servers
 (web1, web2) and mapped website.domain.com to the haproxy IP. When we hit
 website.domain.com in a browser it works: requests are transferred to
 both servers. We want the first 100 hits sent to web1 and the rest to web2. Is it
 possible?

 Regards,

 Vivek Pal.
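
The selection rule from the documentation quoted in the reply above, modelled as an added example (this is not HAProxy code and not part of the message). The server names come from Vivek's question; the maxconn of 100 and the class and function names are assumptions. It shows that maxconn caps concurrent connections rather than counting hits, so sequential requests never spill over to web2.

```python
"""Toy model of "balance first" as described in the quoted HAProxy doc."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    sid: int          # numeric identifier; defaults to position in the farm
    maxconn: int      # limit on concurrent connections (0 = no limit)
    active: int = 0   # connections currently open


class FirstBalancer:
    def __init__(self, servers):
        # "first" walks the servers from the lowest identifier to the highest
        self.servers = sorted(servers, key=lambda s: s.sid)
        self.queued = 0

    def connect(self):
        """Return the server taking a new connection, or None if it is queued."""
        for s in self.servers:
            if s.maxconn == 0 or s.active < s.maxconn:
                s.active += 1
                return s
        self.queued += 1   # every server is at maxconn: request waits in the queue
        return None

    def close(self, server):
        server.active -= 1


def make_farm():
    # Assumed values: maxconn 100 on both servers
    return FirstBalancer([Server("web1", 1, 100), Server("web2", 2, 100)])


def run_sequential(n):
    """n short requests, each one finished before the next starts."""
    lb, hits = make_farm(), {"web1": 0, "web2": 0}
    for _ in range(n):
        s = lb.connect()
        hits[s.name] += 1
        lb.close(s)
    return hits


def run_concurrent(n):
    """n connections opened and all held open at the same time."""
    lb, hits = make_farm(), {"web1": 0, "web2": 0, "queued": 0}
    for _ in range(n):
        s = lb.connect()
        hits[s.name if s else "queued"] += 1
    return hits


if __name__ == "__main__":
    print("sequential:", run_sequential(250))
    print("concurrent:", run_concurrent(250))
```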






Re: segfault in src/buffer.c

2015-08-18 Thread Marc-Antoine
Hi Thierry,

using the lua file and cfg file I provided in my two first mails and the latest
source, you should get a segfault when doing :

# curl http://127.0.0.1 -H "X-debug-me: yes"

Regards,

On Tue, 18 Aug 2015 12:33:40 +0200,
Thierry t...@thierry.1s.fr wrote :

 Hi,
 
 How can I reproduce the segfault ?
 
 Thierry
 
 On Mon, 17 Aug 2015 15:00:25 +0200
 Marc-Antoine marc-antoine.b...@ovh.net wrote:
 
  Hi,
  
  Cyril, as you said, if I removed txn:close() from the lua script, I don't
  get a segfault anymore.
  
  I noticed that if I removed the default_backend line from the frontend declaration,
  the segfault does not happen even with txn:close() in the lua script:
  
  frontend fe:80
      bind 127.0.0.1:80
      acl debugme req.hdr_cnt(X-debug-me) ge 1
      http-request lua mirror if debugme
      #default_backend be
  
  Regards,
  
  On Sat, 15 Aug 2015 23:56:57 +0200,
  Cyril Bonté cyril.bo...@free.fr wrote :
  
   Hi Marc-Antoine,
   
   On 12/08/2015 19:01, Marc-Antoine wrote:
    I forgot lua file content :
   
    # cat mylua.lua
    -- a simple mirror web server
    -- it generates a response whose body contains the requests headers
    function mirror(txn)
        (...)
        txn:close()
    end
   
   This is the call which produces a segfault later, combined with the
   haproxy configuration. I give more details below.
   
    Marc-Antoine marc-antoine.b...@ovh.net wrote :
    (...)
    defaults
        mode http
    (...)
    frontend fe:80
        bind 127.0.0.1:80
        acl debugme req.hdr_cnt(X-debug-me) ge 1
        http-request lua mirror if debugme
        default_backend be
   
   It looks like currently, mode http doesn't allow a call to txn:close().
   To extend the issue, txn:close() won't work for a proxy in HTTP mode for
   both :
   http-request lua
   tcp-request content lua
   
   This is due to the stream processing which still executes some request
   analyzers even if the lua code sends a response and asks to close the
   transaction.
   
   I haven't looked at the code enough yet, but maybe we should try to find 
   a way to notify haproxy to stop the processing once txn:close() is called.
   
   This also explains some other segfaults reported in the past :
   http://comments.gmane.org/gmane.comp.web.haproxy/21136
   
  
  
  -- 
  Marc-Antoine
  
 


-- 
Marc-Antoine



Re: [PATCH] DOC: match several lua configuration option names to those implemented in code

2015-08-18 Thread Thierry FOURNIER
Hi,

Thank you for the doc fix.

Thierry


On Sun, 16 Aug 2015 16:08:01 +0200
PiBa-NL piba.nl@gmail.com wrote:

 Hi,
 I've found some inconsistencies in the documentation, patch attached.
 Could you take a look and merge it? Thanks.
 Regards,
 PiBa-NL



Re: getting transparent proxy to work.

2015-08-18 Thread Rich Vigorito
After changing the default gateway of the web servers to 10.10.130.79 this
didn't fix it. The site we were testing on, and then all the other sites as well,
were unresponsive. So what I was unclear on is if we changed the default
gateway to the vip of the test site we were using on the web server, how would
the other web sites served from the box work. We have 4 sites on that box all
w/ different VIPs for each. So we expected the other sites to fail and perhaps
the test site to succeed but this wasn't the case. In the case of the test site
traffic was getting to the web server to haproxy but not returning to either
haproxy or the workstation making the request.

I'd just like to clarify a few of my assumptions about this doc:
http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/

Linux Kernel requirements
You have to ensure your kernel has been compiled with the following options:
  – CONFIG_NETFILTER_TPROXY
  – CONFIG_NETFILTER_XT_TARGET_TPROXY

 this to be done on haproxy boxes (not the webservers), ie:
 [richv@haproxy2 ~]$  lsmod | grep -i tproxy
 xt_TPROXY  17327  0
 nf_defrag_ipv6 34651  2 xt_socket,xt_TPROXY
 nf_defrag_ipv4 12729  3 xt_socket,xt_TPROXY,nf_conntrack_ipv4

and: [richv@haproxy2 ~]$ grep -i tproxy /boot/*
/boot/config-3.10.0-229.4.2.el7.x86_64:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

** note, I'm using centos 7. In the boot file I see
CONFIG_NETFILTER_XT_TARGET_TPROXY, in lsmod output I only see xt_TPROXY. This is
correct, I should see both CONFIG_NETFILTER_TPROXY and
CONFIG_NETFILTER_XT_TARGET_TPROXY in lsmod output or boot file?


sysctl settings
The following sysctls must be enabled:
  – net.ipv4.ip_forward
  – net.ipv4.ip_nonlocal_bind

 this to be done on haproxy boxes (not the webservers), ie:
[richv@haproxy2 ~]$ sudo sysctl -p
 vm.swappiness = 0
 net.ipv4.ip_nonlocal_bind = 1
 net.ipv4.ip_forward = 1
---

iptables rules
You must setup the following iptables rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

 this to be done on haproxy boxes (not the webservers), ie:
haproxy2 sudo iptables -L -n -t mangle
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DIVERT     tcp  --  0.0.0.0/0            0.0.0.0/0            socket
 [...]
 Chain DIVERT (1 references)
 target     prot opt source               destination
 MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0


IP route rules
Then, tell the Operating System to forward packets marked by iptables to the 
loopback where HAProxy can catch them:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
 this to be done on haproxy boxes (not the webservers), ie:

haproxy2  ip rule show
 0: from all lookup local
 32762: from all fwmark 0x1 lookup 100 
 32766: from all lookup main
 32767: from all lookup default

haproxy ip route show table 100
 local default dev lo  scope host



In summary for my setup, everything in that tutorial is to be performed on the 
haproxy box, not the web servers?




From: Baptiste bed...@gmail.com
Sent: Friday, August 14, 2015 1:07 AM
To: Rich Vigorito
Cc: HAProxy
Subject: Re: getting transparent proxy to work.

temporary just for the troubleshooting period, and validate this is
the root of your issue.
The definitive solution belongs to you then!

Please clarify the rest of your email. I don't understand what IPs or
loopbacks you're speaking about.

Before going further, please apply the default gateway change and
confirm it works after this.

Baptiste



On Thu, Aug 13, 2015 at 10:28 PM, Rich Vigorito ri...@ocp.org wrote:
 A couple clarifications. What do you mean by temporary? ... this wouldn't be
 needed indefinitely? What I've articulated is only one site served through the
 2 web servers. Our web servers serve multiple sites, how to accommodate this?
 Ie couldn't have 5 different IPs in the loopback?
 
 From: Baptiste bed...@gmail.com
 Sent: Wednesday, August 12, 2015 11:41 PM
 To: Rich Vigorito
 Cc: HAProxy
 Subject: Re: getting transparent proxy to work.

 Hi Rich,

 so here is your problem.
 Please temporarily change this default gateway of the web servers to
 the active VIP: 10.10.130.79.
 What happens, and what you