Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions

2016-06-26 Thread Andrey Galkin
Hi guys,

Sorry for the late response. I've just tested current git master. It seems
the issue is gone now.

Willy, thank you for looking into the issue so closely.

Anticipating the latest 1.6.x in official Debian/Ubuntu packages soon.

Thanks,
Andrey

On Tue, Jun 21, 2016 at 7:50 PM, Willy Tarreau wrote:
> Thus I backported all of this to 1.6 planning for 1.6.6. It would be nice
> if the people affected with issues could give it a try this week (either
> from git or just wait for tomorrow morning to get the latest snapshot).



[ANNOUNCE] haproxy-1.6.6

2016-06-26 Thread Willy Tarreau
Hi,

HAProxy 1.6.6 was released on 2016/06/26. It added 33 new commits
after version 1.6.5. Users of 1.6 definitely need to update, as a
significant number of annoying bugs were fixed since 1.6.5.

Most of these commits fix bugs. A few of them have a major stability impact.
The most significant ones are :
  - BUG/MAJOR: external-checks: use asynchronous signal delivery
=> random segfaults may happen when external checks are used due to
   a race condition when accessing the run queue from a signal handler

  - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
=> the "reqdeny" directive was broken in 1.6-dev2 when the deny_status
   option was added to "http-request deny" (which was not documented by
   the way)

  - BUG/MAJOR: fix listening IP address storage for frontends
=> gcc 6 doesn't copy the padding between fields in structures,
   resulting in some addresses not being properly initialized when
   copying struct sockaddr_storage. This would result in some IPv4
   addresses to be ignored on bind lines.

  - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
=> some DNS requests got corrupted after a fix that went into 1.6.5.

  - BUG/MEDIUM: stats: show servers state may show an servers from another backend
=> some incorrect backend IDs could be dumped in "show servers state"

  - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
=> This command may be issued on the CLI. It's rarely used but it's not
   fun for the unlucky users.

  - BUG/MEDIUM: sticktables: segfault in some configuration error cases
=> may crash when track-sc0 is used on a table and sc0_inc_gpc0 on
   another one and the key doesn't exist there.

  - BUG/MEDIUM: external-checks: close all FDs right after the fork()
=> fix some FD leak to external processes causing all sort of issues
   when the external processes write to these FDs.

The other fixes are less important (ie: just produce an unexpected behaviour).
In addition, as recently announced, I've backported the small change from 1.7
ensuring that "make" always rebuilds every file whenever any ".h" file changes
or any build option changes. It has the side effect that "make install" doesn't
build anymore, it only installs (previously it would randomly build what was
not built yet, possibly with different options). It should get rid of the bug
reports caused by lack of "make clean" after a minor update and will save the
reporters from having to try again when there's a doubt.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.6.git
   Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
  - BUG/MAJOR: fix listening IP address storage for frontends
  - BUG/MINOR: fix listening IP address storage for frontends (cont)
  - DOC: Fix typo so fetch is properly parsed by Cyril's converter
  - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
  - BUG/MEDIUM: stick-tables: fix breakage in table converters
  - BUG/MEDIUM: dns: unbreak DNS resolver after header fix
  - BUILD: fix build on Solaris 11
  - CLEANUP: connection: fix double negation on memcmp()
  - BUG/MEDIUM: stats: show servers state may show an servers from another backend
  - BUG/MEDIUM: fix risk of segfault with "show tls-keys"
  - BUG/MEDIUM: sticktables: segfault in some configuration error cases
  - BUG/MEDIUM: lua: converters doesn't work
  - BUG/MINOR: http: add-header: header name copied twice
  - BUG/MEDIUM: http: add-header: buffer overwritten
  - BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()
  - BUG/MINOR: http: url32+src should use the big endian version of url32
  - BUG/MINOR: http: url32+src should check cli_conn before using it
  - DOC: http: add documentation for url32 and url32+src
  - BUG/MINOR: fix http-response set-log-level parsing error
  - MINOR: systemd: Use variable for config and pidfile paths
  - MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7)
  - BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits
  - BUG/MINOR: init: ensure that FD limit is raised to the max allowed
  - BUG/MEDIUM: external-checks: close all FDs right after the fork()
  - BUG/MAJOR: external-checks: use asynchronous signal delivery
  - BUG/MINOR: external-checks: do not unblock undesired signals
  - BUILD/MEDIUM: rebuild everything when an include file is changed
  - BUILD/MEDIUM: force a full rebuild if some build options change
  - BUG/MINOR: srv-state: fix incorrect output of state file
  - BUG/MINOR: ssl: close ssl 
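
The FD-leak fix listed above ("close all FDs right after the fork()"), shown as an added example that is not HAProxy's own code: a forked stand-in check inherits a descriptor owned by the parent, and closing everything above stderr in the child keeps its output off that descriptor. The pipe, the message, the 65536 bound and all function names are constructed for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child-side mitigation: drop every inherited descriptor above stderr. */
static void close_inherited_fds(void)
{
    struct rlimit rl;
    long max = 65536; /* assumption: demo bound, keeps the loop short if the limit is huge */

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < (rlim_t)max)
        max = (long)rl.rlim_cur;
    for (int fd = 3; fd < max; fd++)
        close(fd);
}

/* Forks a stand-in external check and returns how many bytes of its output
 * reached a descriptor owned by the parent. The pipe is constructed sample
 * input: conn[1] plays a proxied client socket, conn[0] is what the peer reads. */
int leaked_bytes_from_check(int close_fds)
{
    static const char msg[] = "check OK\n"; /* constructed check output */
    char buf[64];
    int conn[2];
    ssize_t n = -1;
    pid_t pid;

    if (pipe(conn) < 0)
        return -1;
    fcntl(conn[0], F_SETFL, O_NONBLOCK);
    pid = fork();
    if (pid == 0) {
        if (close_fds)
            close_inherited_fds();
        /* The check writes to an fd number it never opened itself. */
        n = write(conn[1], msg, strlen(msg)); /* EBADF once the fd is closed */
        _exit(n < 0);
    }
    if (pid > 0) {
        waitpid(pid, NULL, 0);               /* child has finished writing */
        n = read(conn[0], buf, sizeof(buf)); /* -1/EAGAIN if nothing leaked */
    }
    close(conn[0]);
    close(conn[1]);
    return pid < 0 ? -1 : (n < 0 ? 0 : (int)n);
}
```

Calling `leaked_bytes_from_check(0)` models the pre-fix behaviour, `leaked_bytes_from_check(1)` the behaviour with the descriptors closed in the child.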

Re: HTTP 429 Too Many Requests

2016-06-26 Thread Willy Tarreau
Hi Cyril,

On Fri, Jun 24, 2016 at 09:57:37PM +0200, Cyril Bonté wrote:
> Hi all,
> 
> On 24/06/2016 at 21:33, James Brown wrote:
> > +1 I am also using a fake backend with no servers and a 503 errorfile,
> > and it confuses everybody who looks at the config or the metrics. Being
> > able to directly emit a 429 would be fantastic.
> 
> Interestingly, it already exists since 1.6-dev2 [1] for "http-request deny"
> but the documentation is absolutely missing. And it has recently been fixed
> by Willy [2].

Yes indeed. I'm a bit upset not to have noticed the doc provided with this
patch was incomplete : it only changed the list of possible return codes.
It's not the first time we introduce new features without the respective
doc, and I really think that in the future we'll simply revert the patch
if we discover the doc is missing. A feature with no doc is only a selfish
way for someone to have their own features in mainline in order to avoid
having to maintain patches. But for features to be useful they need to be
documented. Without doc they don't exist so they can be reverted. I
encourage everyone to hunt for undocumented features. We may even discover
that a part of the roadmap is already implemented.

> Another point is that everything in the code seems to be ready to use the
> same option with tarpit... except the configuration parser.

Yep indeed. And it does not even support http-response either. That clearly
looks like a quick hack that was rushed into mainline for a very specific
use case, one more tempting reason to revert it :-(

I've added the doc now, but no support for configuring it for tarpit.

Thanks,
Willy



Re: Does haproxy use regex for balance url_param lookup?

2016-06-26 Thread Chad Lavoie
Greetings,

On 6/26/16 7:40 AM, k simon wrote:
> Hi, lists,
>    I noticed that haproxy 1.6.5 hog the cpu periodically on FreeBSD 10
> with 800K-1M syscalls. I change the balance algo to "uri" and delete all
> the regular expressions can work around it. There may be some bug with
> PCRE on FreeBSD or some bug in haproxy, but I can't confirm it.
>    And does haproxy support wildcard in acl string match ?
Depending on exactly how you need to match the string there are some
match methods that work like wildcards:
https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.1.3

That allows for exact/substring/prefix/suffix/subdir/domain matches
without using PCRE.

- Chad
>  I can rewrite 
> my acls to avoid the pcre lib totally.
>
>
> Simon
> 20160626





Does haproxy use regex for balance url_param lookup?

2016-06-26 Thread k simon
Hi, lists,
   I noticed that haproxy 1.6.5 hog the cpu periodically on FreeBSD 10
with 800K-1M syscalls. I change the balance algo to "uri" and delete all
the regular expressions can work around it. There may be some bug with
PCRE on FreeBSD or some bug in haproxy, but I can't confirm it.
   And does haproxy support wildcard in acl string match ? I can rewrite
my acls to avoid the pcre lib totally.


Simon
20160626

