Re: Haproxy 1.7 and Ipv6-only hosts

2017-01-06 Thread Willy Tarreau
Hi Baptiste, Maxim,

On Wed, Dec 28, 2016 at 02:04:44PM +0100, Baptiste wrote:
> On Fri, Dec 23, 2016 at 5:21 PM, Willy Tarreau  wrote:
> > Regarding this issue, I think that in fact we should decide to split the
> > server port apart from the address. After all, we're manipulating the port
> > and the address separately everywhere, we even have some extra settings in
> > other places (eg the fact that the ports are relative). I have not yet
> > analysed the impact of all of this but I think that's definitely something
> > we need to consider for the mid term. It will also remove most of the
> > "switch (family)" needed to retrieve/manipulate ports.
(...)
> I tend to fully agree if you mean having a "service_port" parameter in the
> "struct server" (or some kind of)
> Each time we have to manipulate addr and/or port in the struct
> sockaddr_storage, it's a nightmare and we have to think about all the
> corner cases...

OK so I managed to do it and I think I got it working fine now. It took
some time because in order not to miss any place I renamed the struct
member so that I was sure to spot all places.

I found a small bug in the current DNS resolution implementation when the
family is set to AF_UNSPEC, it immediately marks it as invalid and tries
again, so my DNS server got flooded during my tests :-) But that's fixed
now.

Thus now str2sa_range() doesn't change the family if the address doesn't
resolve. It however continues to *also* copy the port into the address
in the case where it resolves so that we don't have to touch all other
call places (listeners, peers, source, etc). I could get this config to
resolve all addresses as expected:

  resolvers mydns
    nameserver dns1 8.8.8.8:53
    resolve_retries 3
    timeout retry 1s
    hold valid 1s

  defaults
    option httplog
    log 127.0.0.1:5514 local0
    mode http
    timeout connect 5s
    timeout client 60s
    timeout server 90s

  frontend f
    bind *:
    #bind :::

  backend b
    # default-server resolvers mydns ## doesn't work
    server s1 127.0.0.1:8000 check
    server s2 127.0.0.2:8000 check disabled
    server s3 wtap.haproxy.local:8000 init-addr none check resolvers mydns
    server s4 haproxy.ipv6.1wt.eu:80 init-addr none check resolvers mydns
    server s5 www6.1wt.eu:80
    server s6 i...@www6.1wt.eu:80
    server s7 i...@www6.1wt.eu:80 init-addr libc
    server s8 1wt.eu:80 resolve-prefer ipv6 check init-addr none resolvers mydns
    server s9 1wt.eu:80 resolve-prefer ipv4 check

By the way I found that "resolvers" doesn't work in default-server AND
doesn't emit any warning so I had to specify it on each line. We need to
fix this before issuing 1.7.2.

I'd like you guys to take a look at the attached patches (rebased on 1.7).
There's also an all-in-one patch that you can apply to latest 1.7 snapshot
Maxim if you're interested.

For me it passes all tests and seems to be OK now.

Barring any objection, I'll merge all of them into 1.7 and will make a note
for distro maintainers to properly pick them or they'll get annoying bug
reports.

Thanks,
Willy
From c5ffce6f998945c1c477387da9908d408b464622 Mon Sep 17 00:00:00 2001
From: Willy Tarreau 
Date: Fri, 6 Jan 2017 17:41:29 +0100
Subject: MEDIUM: server: split the address and the port into two different
 fields

Keeping the address and the port in the same field causes a lot of problems,
specifically on the DNS part where we're forced to cheat on the family to be
able to keep the port. This causes some issues such as some families not being
resolvable anymore.

This patch first moves the service port to a new field "svc_port" so that the
port field is never used anymore in the "addr" field (struct sockaddr_storage).
All call places were adapted (there aren't that many).
---
 include/types/server.h |  3 ++-
 src/backend.c  | 21 +
 src/checks.c   | 14 +++---
 src/server.c   |  5 +++--
 src/stats.c|  4 ++--
 5 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/include/types/server.h b/include/types/server.h
index 20c314b..4678934 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -230,7 +230,8 @@ struct server {
 
const struct netns_entry *netns;/* contains network namespace 
name or NULL. Network namespace comes from configuration */
/* warning, these structs are huge, keep them at the bottom */
-   struct sockaddr_storage addr;   /* the address to connect to */
+   struct sockaddr_storage addr;   /* the address to connect to, 
doesn't include the port */
+   unsigned int svc_port;  /* the port to connect to (for 
relevant families) */
struct xprt_ops *xprt;  /* transport-layer operations */
unsigned down_time; 
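Review bot: the new comment on `addr` ("doesn't include the port") promises more than this series delivers: the cover letter says str2sa_range() still *also* copies the port into the address when it resolves, so after config parsing `addr` may carry a port and readers of this struct must not assume it is zero. Suggest wording the comment so that `svc_port` is the only authoritative value, e.g. `/* the address to connect to; any port stored here is not authoritative, see svc_port */`, and, since the stated goal is to stop cheating on the family in the DNS code, making the DNS update path write only the address bytes and leave the port to `svc_port`. A short note on `svc_port` that it is the configured port (0..65535) would also help, because the cover letter mentions relative ports and `unsigned int` cannot hold a negative offset.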

Re: [PATCH-1.7] MINOR: http: custom status reason.

2017-01-06 Thread Willy Tarreau
On Sun, Jan 01, 2017 at 01:16:03PM -0800, Robin H. Johnson wrote:
> The older 'rsprep' directive allows modification of the status reason.
> 
> Extend 'http-response set-status' to take an optional string of the new
> status reason.
(...)

now backported, thanks for taking care of it, it saved me some time.

Willy



[PATCH] BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey

2017-01-06 Thread Emmanuel Hocdet




0001-BUG-MINOR-ssl-EVP_PKEY-must-be-freed-after-X509_get_.patch
Description: Binary data


Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-06 Thread Emmanuel Hocdet
This patch is a WIP and should not be fully functional.
Don't merge to haproxy Willy :)

> On 6 Jan 2017 at 18:18, Emmanuel Hocdet wrote:
> 
> Hi Igor,
> 
> The patch is for 1.8dev.
> 
> <0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch>
> 
> 

[PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-06 Thread Emmanuel Hocdet
Hi Igor,

The patch is for 1.8dev.



0001-BUILD-ssl-fix-to-build-again-with-boringssl.patch
Description: Binary data



> On 3 Jan 2017 at 17:19, Igor Pav wrote:
> 
> Tried compiling 1.7.1 with boringssl, but it seems not to work; errors like below:
> 
> In file included from src/ssl_sock.c:87:0:
> include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’
> static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const
> OCSP_SINGLERESP *single)
> ^
> include/proto/openssl-compat.h:107:1: error: unknown type name 
> ‘OCSP_SINGLERESP’
> include/proto/openssl-compat.h: In function ‘OCSP_SINGLERESP_get0_id’:
> include/proto/openssl-compat.h:109:15: error: request for member
> ‘certId’ in something not a structure or union
>  return single->certId;
>   ^
> src/ssl_sock.c: In function ‘ssl_sock_bind_verifycbk’:
> src/ssl_sock.c:1070:4: warning: implicit declaration of function
> ‘ssl_sock_dump_errors’ [-Wimplicit-function-declaration]
>ssl_sock_dump_errors(conn);
>^
> src/ssl_sock.c: In function ‘ssl_sock_do_create_cert’:
> src/ssl_sock.c:1241:3: warning: implicit declaration of function
> ‘X509V3_EXT_conf’ [-Wimplicit-function-declaration]
>   if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names[i],
> x509v3_ext_values[i])))
>   ^
> src/ssl_sock.c:1241:13: warning: assignment makes pointer from integer
> without a cast [enabled by default]
>   if (!(ext = X509V3_EXT_conf(NULL, &ctx, x509v3_ext_names[i],
> x509v3_ext_values[i])))
> ^
> src/ssl_sock.c:1252:2: warning: implicit declaration of function
> ‘EVP_PKEY_base_id’ [-Wimplicit-function-declaration]
>  key_type = EVP_PKEY_base_id(capkey);
>  ^
> src/ssl_sock.c:1264:3: warning: implicit declaration of function
> ‘EVP_PKEY_get_default_digest_nid’ [-Wimplicit-function-declaration]
>   if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
>   ^
> src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’:
> src/ssl_sock.c:2720:3: warning: implicit declaration of function
> ‘SSL_CTX_set_ssl_version’ [-Wimplicit-function-declaration]
>   SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
>   ^
> src/ssl_sock.c:2786:46: error: ‘ssl_tlsext_ticket_key_cb’ undeclared
> (first use in this function)
>   if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
>  ^
> src/ssl_sock.c:2786:46: note: each undeclared identifier is reported
> only once for each function it appears in
> src/ssl_sock.c:2820:13: warning: assignment discards ‘const’ qualifier
> from pointer target type [enabled by default]
>  cipher = sk_SSL_CIPHER_value(ciphers, idx);
> ^
> src/ssl_sock.c:2874:2: warning: passing argument 2 of
> ‘SSL_CTX_set_tlsext_servername_callback’ from incompatible pointer
> type [enabled by default]
>  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
>  ^
> In file included from src/ssl_sock.c:43:0:
> /build/boringssl/include/openssl/ssl.h:2357:20: note: expected ‘int
> (*)(struct SSL *, int *, void *)’ but argument is of type ‘int
> (*)(struct SSL *, int *, struct bind_conf *)’
> OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
>^
> src/ssl_sock.c: In function ‘ssl_sock_handshake’:
> src/ssl_sock.c:3531:48: error: ‘SSL’ has no member named ‘packet_length’
>  empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
>^
> src/ssl_sock.c:3609:46: error: ‘SSL’ has no member named ‘packet_length’
>empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
>  ^
> make: *** [src/ssl_sock.o] Error 1
> 
> On Mon, Aug 18, 2014 at 6:56 AM, Lukas Tribus  wrote:
>> Google's boringssl doesn't currently support OCSP, so
>> disable it if detected.
>> 
>> OCSP support may be reintroduced as per:
>> https://code.google.com/p/chromium/issues/detail?id=398677
>> 
>> In that case we can simply revert this commit.
>> 
>> Signed-off-by: Lukas Tribus 
>> ---
>> include/proto/ssl_sock.h | 2 +-
>> src/dumpstats.c  | 2 +-
>> src/ssl_sock.c   | 6 +++---
>> 3 files changed, 5 insertions(+), 5 deletions(-)
>> 
>> diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
>> index 3e111cd..6362953 100644
>> --- a/include/proto/ssl_sock.h
>> +++ b/include/proto/ssl_sock.h
>> @@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
>> int ssl_sock_get_cert_used(struct connection *conn);
>> int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk 
>> *out);
>> unsigned int ssl_sock_get_verify_result(struct connection *conn);
>> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
>> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined 
>> OPENSSL_IS_BORINGSSL)
>> int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
>> #endif
>> 
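Review bot: the `#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)` guard is changed here in the header only, while the diffstat also touches src/dumpstats.c and src/ssl_sock.c; the condition has to be character-for-character identical at the declaration, the definition and the call site of ssl_sock_update_ocsp_response, otherwise one side sees the prototype and the other does not, which ends as an implicit-declaration warning or an undefined reference at link time. Suggest defining one feature macro (a hypothetical `HAVE_SSL_OCSP`) once in openssl-compat.h and testing only that in the three files so they cannot drift. Igor's log above also shows the 1.7.1 breakage now starts in include/proto/openssl-compat.h:107 with OCSP_CERTID and OCSP_SINGLERESP, so a guard limited to these three files no longer covers the compat header.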
>> diff --git a/src/dumpstats.c b/src/dumpstats.c
>> index 5365042..3855e09 100644
>> --- a/src/dumpstats.c
>> +++ b/src/dumpstats.c
>> @@ 

Re: [PATCH] MINOR: http: custom status reason.

2017-01-06 Thread Willy Tarreau
On Mon, Jan 02, 2017 at 07:00:37PM +0100, Thierry FOURNIER wrote:
> Hi. I agree it looks good. It works fine and it doesn't change the actual
> API. Thanks for the test files!

Now applied, thanks to you both :-)

Willy



Re: SSL acl

2017-01-06 Thread Thomas Heil
Hi,

On 05.01.2017 18:51, Steven De Roover wrote:
> Dear
> 
> I have router running OpenWRT, which has haproxy 1.5.14-13 running.
> 

which release are you running? 1.5.14-13 is somewhat old.

> My main goal for using haproxy is having a reverse proxy to handle all
> my (sub)domains.

should be possible.

> 
> Now, I also wanted to start using SSL certificates. However, I cannot
> seem to configure ACL's to let decide which server to use.
> 

> The documentation states to use "ssl_fc_sni".  Is that correct?
> 
If you have more than one certificate, then it's correct.


> Is this something I should manage to get working, with this version of
> haproxy?

Would you please be so kind as to share your config and give us the output
of haproxy -vv?


> 
> With best regards
> Steven De Roover

cheers,
thomas
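For the SNI-based routing Steven is asking about, here is an added example config that is not from the thread or from any of its posters: the frontend terminates TLS and picks the backend from the client's SNI with ssl_fc_sni. The certificate directory, hostnames and backend addresses are assumptions.

```haproxy
# Added example: choose a backend from the TLS SNI after terminating TLS.
# /etc/haproxy/certs/, the example.com names and the 192.0.2.x servers
# are placeholders (assumptions), not values from the thread.
frontend https_in
    # 'crt' pointing at a directory loads every PEM in it; haproxy serves
    # the certificate whose names match the SNI the client sent.
    bind :443 ssl crt /etc/haproxy/certs/

    # ssl_fc_sni is the SNI of the *frontend* TLS connection, so it is
    # only populated when this bind line terminates TLS itself.
    acl host_www  ssl_fc_sni     -i www.example.com
    acl host_mail ssl_fc_sni     -i mail.example.com
    acl host_dev  ssl_fc_sni_end -i .dev.example.com

    use_backend be_www  if host_www
    use_backend be_mail if host_mail
    use_backend be_dev  if host_dev
    # Clients that send no SNI, or an unknown name, end up here.
    default_backend be_www

backend be_www
    server www1 192.0.2.10:8080 check

backend be_mail
    server mail1 192.0.2.20:8080 check

backend be_dev
    server dev1 192.0.2.30:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. If haproxy does not terminate TLS (a `mode tcp` pass-through), ssl_fc_sni stays empty and the routing has to use `req.ssl_sni` together with `tcp-request inspect-delay` instead.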