Re: How to verify HAProxy build on Solaris/SPARC ?

[Tom Hood]

Hi,

I tried Willy's suggestion with -pthread in the OPTIONS_CFLAGS and it
didn't make any difference.  Same errors.
I haven't tried looking at it anymore other than to try Willy's test.

Although I didn't mention it previously, I had seen that suggestion of
trying USE_PTHREAD_SHARED=1.  It also didn't help with 1.8.9, but I haven't
tried with 1.8.13.

If you think of any other tests you'd like me to try, let me know.

Thanks,
-- Tom


On Fri, Aug 31, 2018 at 5:24 AM Olivier Houchard 
wrote:

> Hi Lukas,
>
> On Fri, Aug 31, 2018 at 02:03:47PM +0200, Lukas Tribus wrote:
> > Hello,
> >
> >
> > On Fri, 31 Aug 2018 at 04:30, Willy Tarreau  wrote:
> > > I'd like to ask you to test something just in case it helps. Could
> > > you please modify your makefile to add "-pthread" to "-DUSE_THREAD"
> > > like this :
> > >
> > >  ifneq ($(USE_THREAD),)
> > >  BUILD_OPTIONS   += $(call ignore_implicit,USE_THREAD)
> > > -OPTIONS_CFLAGS  += -DUSE_THREAD
> > > +OPTIONS_CFLAGS  += -DUSE_THREAD -pthread
> > >  OPTIONS_LDFLAGS += -lpthread
> > >  endif
> >
> > Note that in a thread from July Oliver concluded that
> > USE_PTHREAD_PSHARED=1 is needed under Solaris:
> >
> > https://www.mail-archive.com/haproxy@formilux.org/msg30696.html
> >
> >
> > Not sure if we are talking about the same exact issue here though.
> >
>
> I think in this case it is fine, as its gcc is recent enough to have
> the required builtins.
>
> Regards,
>
> Olivier
>

haproxy-auth-request

[Computerisms Corporation]

Hi Gurus;

I was in the IRC channel the other day looking for a way to get 
authentication through apache's authnz-external working from haproxy; 
specifically I have a few nodejs applications and I want to put an 
authentication system using imap in front.  I already have 
authnz-external working so it would be convenient to continue using it. 
dcorbett suggested I investigate lua, which led me to finding 
https://github.com/TimWolla/haproxy-auth-request.  seems like just the 
thing I need.


After I checked that I met all the criteria and installed it and got 
every thing setup and worked out my mistakes, I was left with log 
entries like: Lua function 'auth-request': runtime error: 
haproxy.auth.lua:48: bad argument #1 to 'old_settimeout' (number 
expected, got nil) from [C] field 'request', haproxy.auth.lua:95 C 
function line 56.


Fortunately, the author was most excellent and documented the history of 
this script here: https://bl.duesterhus.eu/20180119/, specifically the 
section regarding haproxy's sockets.  Through that post and also 
comments in the github script containing links to 
https://www.mail-archive.com/haproxy@formilux.org/msg28604.html and 
https://www.mail-archive.com/haproxy@formilux.org/msg28574.html, I am 
lead to believe this should be an fixed in my apt-installed version of 
haproxy 1.8.13-1.


I have been investigating, commenting code, and hacking by trial and 
error to find a solution, but so far I am not able to get past this 
point.  Clearly my skills and understanding are not yet where they need 
to be, being relatively new to both haproxy and lua.


It occurs that this could be a lua problem (as opposed to haproxy), but 
according to what I have read and understood, it seems that this is 
related to haproxy's implementation of lua more than lua itself.  Hence 
I am asking here first.


Wondering if anyone can offer some insight, or point me at some required 
reading that might shed some light on this but isn't aimed at a 
developer level of understanding?  I have read through 
https://www.arpalert.org/haproxy-lua.html#h211 a time or two, but if 
there is a shining light bulb in there it hasn't blinded me yet.



--
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca

RE: URL rewrite

[Norman Branitsky]

I just realized that this isn't actually correct:
   in their web browser it gets proxied to a backend running at
   https://.cloud.example.com/main?query

I need this request:
https://cloud.example.com/[/]?query
to be sent to the backend server directly as
http://.cloud.example.com/?query


I assume I can use http-request set-uri to rewrite the incoming URL.
I assume I can grab the host name thus:
http-request set-var(req.header_host) req.hdr(host)
But how do I grab the path?
And separate the remainder of the path if necessary,
so I can reassemble the URL as described above?

-Original Message-
From: Norman Branitsky 
Sent: Monday, August 27, 2018 6:53 PM
To: 'Tim Düsterhus' ; haproxy 
Subject: RE: URL rewrite

Your examples are all correct.

-Original Message-
From: Tim Düsterhus 
Sent: Monday, August 27, 2018 6:22 PM
To: Norman Branitsky ; haproxy 

Subject: Re: URL rewrite

Norman,

Am 27.08.2018 um 23:45 schrieb Norman Branitsky:
> I need to rewrite my URLs according to the following pattern:
> cloud.example.com/?query
> becomes:
> .cloud.example.com/main?query
> 
> HAProxy will terminate SSL - I have a wildcard certificate for 
> *.cloud.example.com.
> As the target servers are running Docker Enterprise, I do not need DNS 
> entries for every possible instance of  as Docker EE will handle 
> this internally.
> Is there a way to do this?
> 

What exactly do you mean by rewrite? Do you want that when a user requests

https://cloud.example.com/?query

in their web browser it gets proxied to a backend running at

https://.cloud.example.com/main?query

? Is it possible that there follows a path that you need to preserve:

https://cloud.example.com///?query
to
https://.cloud.example.com/main//?query

?

Best regards
Tim Düsterhus

Re: How to verify HAProxy build on Solaris/SPARC ?

[Olivier Houchard]

Hi Lukas,

On Fri, Aug 31, 2018 at 02:03:47PM +0200, Lukas Tribus wrote:
> Hello,
> 
> 
> On Fri, 31 Aug 2018 at 04:30, Willy Tarreau  wrote:
> > I'd like to ask you to test something just in case it helps. Could
> > you please modify your makefile to add "-pthread" to "-DUSE_THREAD"
> > like this :
> >
> >  ifneq ($(USE_THREAD),)
> >  BUILD_OPTIONS   += $(call ignore_implicit,USE_THREAD)
> > -OPTIONS_CFLAGS  += -DUSE_THREAD
> > +OPTIONS_CFLAGS  += -DUSE_THREAD -pthread
> >  OPTIONS_LDFLAGS += -lpthread
> >  endif
> 
> Note that in a thread from July Oliver concluded that
> USE_PTHREAD_PSHARED=1 is needed under Solaris:
> 
> https://www.mail-archive.com/haproxy@formilux.org/msg30696.html
> 
> 
> Not sure if we are talking about the same exact issue here though.
> 

I think in this case it is fine, as its gcc is recent enough to have
the required builtins.

Regards,

Olivier

Re: [PATCH] REGTEST: stick-tables: Test expiration when used with table_*

[Willy Tarreau]

On Fri, Aug 31, 2018 at 11:14:00AM +0200, Frederic Lecaille wrote:
> Hi,
> 
> I am coming back to this reg testing sent by Daniel which was very
> interesting because very complete and because there was a little
> detail to fix.
(...)

applied, thanks Fred.

Willy

Re: [PATCH] REGTEST: stick-tables: Test expiration when used with table_*

[Frederic Lecaille]

Hi,

I am coming back to this reg testing sent by Daniel which was very
interesting because very complete and because there was a little
detail to fix.

On 06/21/2018 04:53 AM, Willy Tarreau wrote:

Hi Daniel,

On Wed, Jun 20, 2018 at 10:28:43AM -0400, Daniel Corbett wrote:

+shell -expect "used:0" {
+echo "show table http1" |socat ${tmpdir}/h1/stats.sock -


As mentioned in previous mails, but after the first version of
this reg testing file, we can now use -cli argument to send commands
to the CLI which is automatically created for each script without
having to mention it in the configuration file (with -conf argument).

So the shell command above may be replaced by this section:

haproxy h1 -cli {
send "show table http1"
expect ~ "used: 0"
} -wait

The little detail to fix is that on my PC the CLI expect command may
sometimes fail because the unique stick-table entry created during
this script may sometime still be present when we dump the stick-table.
So here we expect to have no entry at all, or an entry with a null "use"
counter (use=0).

A correct regex would be something like 'used: (0|1\n.*use=0.*)\n$'.

Find attached to this mail Daniel's reg testing file with
the fixes mentioned above.

Fred.

>From 18692c4dd350ff6ef3609a56bd0162517590f2f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Fri, 31 Aug 2018 11:05:39 +0200
Subject: [PATCH] REGTEST/MINOR: Add a reg testing file for 3e60b11.

Thank you to Daniel for having worked on this one.
---
 reg-tests/stick-table/b1.vtc | 70 
 1 file changed, 70 insertions(+)
 create mode 100644 reg-tests/stick-table/b1.vtc

diff --git a/reg-tests/stick-table/b1.vtc b/reg-tests/stick-table/b1.vtc
new file mode 100644
index ..43e25eb2
--- /dev/null
+++ b/reg-tests/stick-table/b1.vtc
@@ -0,0 +1,70 @@
+# commit 3e60b11
+# BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
+#
+# When using table_* converters ref_cnt was incremented
+# and never decremented causing entries to not expire.
+#
+# The root cause appears to be that stktable_lookup_key()
+# was called within all sample_conv_table_* functions which was
+# incrementing ref_cnt and not decrementing after completion.
+#
+# Added stktable_release() to the end of each sample_conv_table_*
+# function and reworked the end logic to ensure that ref_cnt is
+# always decremented after use.
+#
+# This should be backported to 1.8
+
+varnishtest "stick-tables: Test expirations when used with table_*"
+
+# As some macros for haproxy are used in this file, this line is mandatory.
+feature ignore_unknown_macro
+
+# Do nothing.
+server s1 {
+} -start
+
+haproxy h1 -conf {
+# Configuration file of 'h1' haproxy instance.
+defaults
+mode   http
+timeout connect 5s
+timeout server  30s
+timeout client  30s
+
+frontend http1
+bind "fd@${my_frontend_fd}"
+stick-table size 1k expire 1ms type ip store conn_rate(10s),http_req_cnt,http_err_cnt,http_req_rate(10s),http_err_rate(10s),gpc0,gpc0_rate(10s),gpt0
+http-request track-sc0 req.hdr(X-Forwarded-For)
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_http_req_cnt(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_trackers(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),in_table(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_bytes_in_rate(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_bytes_out_rate(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_conn_cnt(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_conn_cur(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_conn_rate(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_gpt0(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_gpc0(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_gpc0_rate(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if { req.hdr(X-Forwarded-For),table_http_err_cnt(http1) -m int lt 0  }
+http-request redirect location https://${s1_addr}:${s1_port}/ if {