RE: HAProxy Build Error with TARGET

[Coscend@HAProxy]

Bryan,

Thank you for your prompt guidance.

We downloaded this source code:
http://www.haproxy.org/download/1.6/src/haproxy-1.6.9.tar.gz 

After reviewing your e-mail, we found out (from
https://github.com/haproxy/haproxy) that we should use TARGET=linux2628

"- linux2628   for Linux 2.6.28, 3.x, and above (enables splice and
tproxy)"

Thank you, once again.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions
Web site: www.Coscend.com 
--
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html 


-Original Message-
From: Bryan Talbot [mailto:bryan.tal...@playnext.com] 
Sent: Tuesday, September 13, 2016 11:56 PM
To: haproxy.insig...@coscend.com
Cc: HAproxy Mailing Lists 
Subject: Re: HAProxy Build Error with TARGET


> On Sep 13, 2016, at Sep 13, 9:16 PM, Coscend@HAProxy
 wrote:
> 
> Hello HAProxy Community,
> 
> We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source.  
> We would appreciate any vector on the issue we are facing with 
> specifying TARGET in make and makefile.

What source are you using?


> 
> It is building fine with TARGET=linux2628.  
> However, we are getting a build error with TARGET=linux310 (see log 
> summary and detailed log below).  Makefile also has TARGET=linux310.  
> Our Linux version, uname -r gives 3.10.0-229.el7.x86_64


The official source at http://git.haproxy.org/git/haproxy-1.6.git does not
define TARGET for linux310 anywhere that I can find.

-Bryan

Re: HAProxy Build Error with TARGET

[Bryan Talbot]

> On Sep 13, 2016, at Sep 13, 9:16 PM, Coscend@HAProxy 
>  wrote:
> 
> Hello HAProxy Community,
> 
> We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source.  We
> would appreciate any vector on the issue we are facing with specifying
> TARGET in make and makefile.  

What source are you using?


> 
> It is building fine with TARGET=linux2628.  
> However, we are getting a build error with TARGET=linux310 (see log summary
> and detailed log below).  Makefile also has TARGET=linux310.  Our Linux
> version, uname -r gives 3.10.0-229.el7.x86_64


The official source at http://git.haproxy.org/git/haproxy-1.6.git does not 
define TARGET for linux310 anywhere that I can find.

-Bryan

HAProxy Build Error with TARGET

[Coscend@HAProxy]

Hello HAProxy Community,

We are upgrading from HAProxy 1.6.7 to 1.6.9 by building from source.  We
would appreciate any vector on the issue we are facing with specifying
TARGET in make and makefile.  

It is building fine with TARGET=linux2628.  
However, we are getting a build error with TARGET=linux310 (see log summary
and detailed log below).  Makefile also has TARGET=linux310.  Our Linux
version, uname -r gives 3.10.0-229.el7.x86_64

Thank you.

ERROR SUMMARY
-
/bin/ld: /usr/local/lua-5.3.1/lib//liblua.a(loadlib.o): undefined reference
to symbol 'dlclose@@GLIBC_2.2.5'
/bin/ld: note: 'dlclose@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so
try adding it to the linker command line
/lib64/libdl.so.2: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
make: *** [haproxy] Error 1

=
DETAILED LOG:  Build Error
=
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" \
  -DBUILD_TARGET='"linux310"' \
  -DBUILD_ARCH='"x86_64"' \
  -DBUILD_CPU='"native"' \
  -DBUILD_CC='"gcc"' \
  -DBUILD_CFLAGS='"-m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement"' \
  -DBUILD_OPTIONS='"USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1
USE_ZLIB=1 USE_POLL=default USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1"' \
   -c -o src/haproxy.o src/haproxy.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/base64.o src/base64.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/protocol.o src/protocol.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/uri_auth.o src/uri_auth.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/standard.o src/standard.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/buffer.o src/buffer.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO -DCONFIG_HAP_NS  -DCONFIG_HAPROXY_VERSION=\"1.6.9\"
-DCONFIG_HAPROXY_DATE=\"2016/08/30\" -c -o src/log.o src/log.c
gcc -Iinclude -Iebtree -Wall -m64 -march=x86-64 -O2 -march=native -g
-fno-strict-aliasing -Wdeclaration-after-statement   -DCONFIG_HAP_CRYPT
-DNEED_CRYPT_H -DUSE_GETADDRINFO -DUSE_ZLIB  -DENABLE_POLL
-DCONFIG_REGPARM=3 -DUSE_OPENSSL  -DUSE_PRIVATE_CACHE -DUSE_LUA
-I/usr/local/lua-5.3.1/include/ -DUSE_PCRE -I/usr/include -DUSE_PCRE_JIT
-DUSE_TFO 

Re: Capture entire HTTP request (all headers one shot)

[Manas Gupta]

Thanks for the pointer.

I need to log the values of these headers as well. Any suggestions on how
to do that?

On Tue, Sep 13, 2016 at 1:28 PM, Pavlos Parissis 
wrote:

> On 13/09/2016 09:58 μμ, Manas Gupta wrote:
> > Hi,
> > I am familiar with capturing individual HTTP headers in HAProxy 1.6.x
> > (http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/). This
> requires the
> > header to be explicitly stated in the cfg
> >
> > For example to capture the via header -
> > capture request header Via len 100
> >
> > And then log via - %[capture.req.hdr(0)]
> >
>
> Use the following to get all headers without their value:
>
> %[req.hdr_names(:)]
>
> Cheers,
> Pavlos
>
>

Re: Capture entire HTTP request (all headers one shot)

[Pavlos Parissis]

On 13/09/2016 09:58 μμ, Manas Gupta wrote:
> Hi,
> I am familiar with capturing individual HTTP headers in HAProxy 1.6.x
> (http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/). This requires 
> the
> header to be explicitly stated in the cfg
> 
> For example to capture the via header -
> capture request header Via len 100
> 
> And then log via - %[capture.req.hdr(0)]
> 

Use the following to get all headers without their value:

%[req.hdr_names(:)]

Cheers,
Pavlos



signature.asc
Description: OpenPGP digital signature

Capture entire HTTP request (all headers one shot)

[Manas Gupta]

Hi,
I am familiar with capturing individual HTTP headers in HAProxy 1.6.x (
http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/). This
requires the header to be explicitly stated in the cfg

For example to capture the via header -
capture request header Via len 100

And then log via - %[capture.req.hdr(0)]

For troubleshooting, occasionally, I would like to log all HTTP headers,
without specifying each and every individual header in the cfg.

Apart from using tcpdump/wireshark, can I do this using HAProxy?

Thanks

化工品国际快递无需提供任何资料

[mr zhang]

您好：首先对我们的冒昧来访深表歉意。希望我们的信息能给你带来帮助。我这边是茹顺化工科技国际快递，专注农药产品登记，化工产品登记，贸易产品 大包小包　
解决疑难杂症产品出口的国际快递，价格优惠，无需提供任何资料及DGM鉴定报告，空运鉴定报告。
承接类型：电池 化工品 液体 粉末 颗粒颜料电池等等疑难产品。电话：158.0058918.0 QQ：1163.07587.8 张经理 欢迎来电咨询

Re: [PATCH] MINOR: enable IP_BIND_ADDRESS_NO_PORT on backend connections

[Willy Tarreau]

On Tue, Sep 13, 2016 at 09:51:15AM +, Lukas Tribus wrote:
> Enable IP_BIND_ADDRESS_NO_PORT on backend connections when the source
> address is specified without port or port ranges. This is supported
> since Linux 4.2/libc 2.23.
> 
> If the kernel supports it but the libc doesn't, we can define it at
> build time:
> make [...] DEFINE=-DIP_BIND_ADDRESS_NO_PORT=24
> 
> For more informations about this feature, see Linux commit 90c337da

Merged, thank you Lukas!
willy

[PATCH] MINOR: enable IP_BIND_ADDRESS_NO_PORT on backend connections

[Lukas Tribus]

Enable IP_BIND_ADDRESS_NO_PORT on backend connections when the source
address is specified without port or port ranges. This is supported
since Linux 4.2/libc 2.23.

If the kernel supports it but the libc doesn't, we can define it at
build time:
make [...] DEFINE=-DIP_BIND_ADDRESS_NO_PORT=24

For more informations about this feature, see Linux commit 90c337da
---
Testing was limited to strace, confirming that we only set it when we specify
the source IP, and only when the port is set to 0:

## no source address set ##
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("10.0.0.3")}, 16) = -1 EINPROGRESS (Operation now in 
progress)

## source address set, port is non-zero  ##
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(6, {sa_family=AF_INET, sin_port=htons(2), 
sin_addr=inet_addr("10.0.0.55")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("10.0.0.3")}, 16) = -1 EINPROGRESS (Operation now in 
progress)

## source address set, port is zero (IP_BIND_ADDRESS_NO_PORT is 0x18) ##
setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(6, SOL_IP, 0x18 /* IP_??? */, [1], 4) = 0
setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
bind(6, {sa_family=AF_INET, sin_port=htons(0), 
sin_addr=inet_addr("10.0.0.55")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(80), 
sin_addr=inet_addr("10.0.0.3")}, 16) = -1 EINPROGRESS (Operation now in 
progress)

---
 doc/configuration.txt | 3 +++
 src/proto_tcp.c   | 4 
 2 files changed, 7 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 52e6cf4..dc43003 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10936,6 +10936,9 @@ source [:[-]] [interface ] ...
   total concurrent connections. The limit will then reach 64k connections per
   server.
 
+  Since Linux 4.2/libc 2.23 IP_BIND_ADDRESS_NO_PORT is set for connections
+  specifying the source address without port(s).
+
   Supported in default-server: No
 
 ssl
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 91d6688..424731a 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -467,6 +467,10 @@ int tcp_connect_server(struct connection *conn, int data, 
int delack)
} while (ret != 0); /* binding NOK */
}
else {
+#ifdef IP_BIND_ADDRESS_NO_PORT
+   static int bind_address_no_port = 1;
+   setsockopt(fd, SOL_IP, IP_BIND_ADDRESS_NO_PORT, (const 
void *) _address_no_port, sizeof(int));
+#endif
ret = tcp_bind_socket(fd, flags, >source_addr, 
>addr.from);
if (ret != 0)
conn->err_code = CO_ER_CANT_BIND;
-- 
1.9.1

Re: [PATCH 2/3] MINOR: show Built with PCRE version

[Willy Tarreau]

Hi Lukas,

On Mon, Sep 12, 2016 at 09:38:20PM +, Lukas Tribus wrote:
> The 4th (new) patch that I'm sending implements the possibility to 
> disable SO_REUSEPORT. The intention with that patch is to have it 
> backported to 1.6 in the long run, because I believe it is useful not 
> only for troubleshooting/debug situations, but also for some specific 
> use cases. It needs a careful review though, since it touches bitmasks 
> which I am also not particularly fond of.

It looks pretty good, I've applied it. I agree it could be backported,
thanks for doing this one.

> Sometimes in the next few days I also want to send an RFC patch enabling 
> Linux 4.2' new IP_BIND_ADDRESS_NO_PORT socket option, which I believe we 
> can enable without much error handling or configuration.

Yes I agree. In my opinion it should be done whenever we call bind()
with a port 0.

Whole series applied, thanks Lukas!
Willy