Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions
Hi guys,

Sorry for the late response. I've just tested current git master. It seems the issue is gone now.
Willy, thank you for looking into the issue so closely.
Anticipating latest 1.6.x in official Debian/Ubuntu packages soon.

Thanks,
Andrey

On Tue, Jun 21, 2016 at 7:50 PM, Willy Tarreau wrote:
> Thus I backported all of this to 1.6 planning for 1.6.6. It would be nice
> if the people affected with issues could give it a try this week (either
> from git or just wait for tomorrow morning to get the latest snapshot).
[ANNOUNCE] haproxy-1.6.6
Hi,

HAProxy 1.6.6 was released on 2016/06/26. It added 33 new commits after version 1.6.5.

Users of 1.6 definitely need to update, as a significant number of annoying bugs were fixed since 1.6.5.

Most of these commits fix bugs. A few of them have a major stability impact. The most significant ones are :

- BUG/MAJOR: external-checks: use asynchronous signal delivery
  => random segfaults may happen when external checks are used due to a race condition when accessing the run queue from a signal handler

- BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
  => the "reqdeny" directive was broken in 1.6-dev2 when the deny_status option was added to "http-request deny" (which was not documented by the way)

- BUG/MAJOR: fix listening IP address storage for frontends
  => gcc 6 doesn't copy the padding between fields in structures, resulting in some addresses not being properly initialized when copying struct sockaddr_storage. This would result in some IPv4 addresses to be ignored on bind lines.

- BUG/MEDIUM: dns: unbreak DNS resolver after header fix
  => some DNS requests got corrupted after a fix that went into 1.6.5.

- BUG/MEDIUM: stats: show servers state may show an servers from another backend
  => some incorrect backend IDs could be dumped in "show servers state"

- BUG/MEDIUM: fix risk of segfault with "show tls-keys"
  => This command may be issued on the CLI. It's rarely used but it's not fun for the unlucky users.

- BUG/MEDIUM: sticktables: segfault in some configuration error cases
  => may crash when track-sc0 is used on a table and sc0_inc_gpc0 on another one and the key doesn't exist there.

- BUG/MEDIUM: external-checks: close all FDs right after the fork()
  => fix some FD leak to external processes causing all sort of issues when the external processes write to these FDs.

The other fixes are less important (ie: just produce an unexpected behaviour).

In addition, as recently announced, I've backported the small change from 1.7 ensuring that "make" always rebuilds every file whenever any ".h" file changes or any build option changes. It has the side effect that "make install" doesn't build anymore, it only installs (previously it would randomly build what was not built yet, possibly with different options). It should get rid of the bug reports caused by lack of "make clean" after a minor update and will save the reporters from having to try again when there's a doubt.

Please find the usual URLs below :

Site index : http://www.haproxy.org/
Discourse: http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.6/src/
Git repository : http://git.haproxy.org/git/haproxy-1.6.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.6.git
Changelog: http://www.haproxy.org/download/1.6/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy

---
Complete changelog :

- BUG/MAJOR: fix listening IP address storage for frontends
- BUG/MINOR: fix listening IP address storage for frontends (cont)
- DOC: Fix typo so fetch is properly parsed by Cyril's converter
- BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes
- BUG/MEDIUM: stick-tables: fix breakage in table converters
- BUG/MEDIUM: dns: unbreak DNS resolver after header fix
- BUILD: fix build on Solaris 11
- CLEANUP: connection: fix double negation on memcmp()
- BUG/MEDIUM: stats: show servers state may show an servers from another backend
- BUG/MEDIUM: fix risk of segfault with "show tls-keys"
- BUG/MEDIUM: sticktables: segfault in some configuration error cases
- BUG/MEDIUM: lua: converters doesn't work
- BUG/MINOR: http: add-header: header name copied twice
- BUG/MEDIUM: http: add-header: buffer overwritten
- BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()
- BUG/MINOR: http: url32+src should use the big endian version of url32
- BUG/MINOR: http: url32+src should check cli_conn before using it
- DOC: http: add documentation for url32 and url32+src
- BUG/MINOR: fix http-response set-log-level parsing error
- MINOR: systemd: Use variable for config and pidfile paths
- MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7)
- BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits
- BUG/MINOR: init: ensure that FD limit is raised to the max allowed
- BUG/MEDIUM: external-checks: close all FDs right after the fork()
- BUG/MAJOR: external-checks: use asynchronous signal delivery
- BUG/MINOR: external-checks: do not unblock undesired signals
- BUILD/MEDIUM: rebuild everything when an include file is changed
- BUILD/MEDIUM: force a full rebuild if some build options change
- BUG/MINOR: srv-state: fix incorrect output of state file
- BUG/MINOR: ssl: close ssl
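
The FD leak described under "BUG/MEDIUM: external-checks: close all FDs right after the fork()" can be reproduced in miniature. The program below is an added example, not HAProxy code and not part of the original messages; `close_fds_range` and `leaked_bytes` are hypothetical names, and a pipe stands in for a client connection that a forked check process inherits.

```c
/* Added example, not HAProxy source: all names here are hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor in [lowfd, maxfd]; meant to run in the child
 * between fork() and exec(), so the check program starts with stdio only.
 * Assumption: the caller tracks the highest fd it has ever opened. */
static void close_fds_range(int lowfd, int maxfd)
{
    for (int fd = lowfd; fd <= maxfd; fd++)
        close(fd);
}

/* conn[] is a pipe standing in for a client connection owned by the parent.
 * The child plays the external check and writes one byte to the inherited
 * descriptor. Returns how many bytes reached the "connection":
 * 1 = check output leaked into it, 0 = nothing leaked, -1 = setup error. */
int leaked_bytes(int close_after_fork)
{
    int conn[2];
    char buf[8];

    if (pipe(conn) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_after_fork)
            close_fds_range(3, conn[1]);
        /* With the fds closed this write fails with EBADF. */
        ssize_t w = write(conn[1], "X", 1);
        _exit(w == 1 ? 0 : 1);
    }
    close(conn[1]);                 /* parent keeps only the read side */
    ssize_t n = read(conn[0], buf, sizeof buf);
    close(conn[0]);
    waitpid(pid, NULL, 0);
    return (int)n;
}

int main(void)
{
    printf("inherited fds left open: %d byte(s) leaked\n", leaked_bytes(0));
    printf("fds closed after fork:   %d byte(s) leaked\n", leaked_bytes(1));
    return 0;
}
```
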
Re: HTTP 429 Too Many Requests
Hi Cyril,

On Fri, Jun 24, 2016 at 09:57:37PM +0200, Cyril Bonté wrote:
> Hi all,
>
> On 24/06/2016 at 21:33, James Brown wrote:
> > +1 I am also using a fake backend with no servers and a 503 errorfile,
> > and it confuses everybody who looks at the config or the metrics. Being
> > able to directly emit a 429 would be fantastic.
>
> Interestingly, it already exists since 1.6-dev2 [1] for "http-request deny"
> but the documentation is absolutely missing. And it has recently been fixed
> by Willy [2].

Yes indeed. I'm a bit upset not to have noticed the doc provided with this patch was incomplete : it only changed the list of possible return codes.

It's not the first time we introduce new features without the respective doc, and I really think that in the future we'll simply revert the patch if we discover the doc is missing. A feature with no doc is only a selfish way for someone to have their own features in mainline in order to avoid having to maintain patches. But for features to be useful they need to be documented. Without doc they don't exist so they can be reverted.

I encourage everyone to hunt for undocumented features. We may even discover that a part of the roadmap is already implemented.

> Another point is that everything in the code seems to be ready to use the
> same option with tarpit... except the configuration parser.

Yep indeed. And it does not even support http-response either. That clearly looks like a quick hack that was rushed into mainline for a very specific use case, one more tempting reason to revert it :-(

I've added the doc now, but no support for configuring it for tarpit.

Thanks,
Willy
Re: Does haproxy use regex for balance url_param lookup?
Greetings,

On 6/26/16 7:40 AM, k simon wrote:
> Hi, lists,
>    I noticed that haproxy 1.6.5 hogs the cpu periodically on FreeBSD 10
> with 800K-1M syscalls. Changing the balance algo to "uri" and deleting all
> the regular expressions can work around it. There may be some bug with
> PCRE on FreeBSD or some bug in haproxy, but I can't confirm it.
>    And does haproxy support wildcard in acl string match ?

Depending on exactly how you need to match the string there are some match methods that work like wildcards:

https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.1.3

That allows for exact/substring/prefix/suffix/subdir/domain matches without using PCRE.

- Chad

> I can rewrite
> my acls to avoid the pcre lib totally.
>
>
> Simon
> 20160626
Does haproxy use regex for balance url_param lookup?
Hi, lists,

I noticed that haproxy 1.6.5 hogs the cpu periodically on FreeBSD 10 with 800K-1M syscalls. Changing the balance algo to "uri" and deleting all the regular expressions can work around it. There may be some bug with PCRE on FreeBSD or some bug in haproxy, but I can't confirm it.

And does haproxy support wildcard in acl string match ? I can rewrite my acls to avoid the pcre lib totally.

Simon
20160626