LUA: add response headers bug

2019-04-27 Thread Wert
Hi

Conditions:
- The website sends 2 "link" headers in response
- I'm trying to add more from LUA, using "http-response lua.processResponse" (backend section) -> "core.register_action("processResponse", { "http-res" }, function(txn)"
- Haproxy 1.9.7, LUA 5.3

Case 1:
Syntax that I have used since old versions: txn.http:res_add_header('link','12231')

- New header doesn't appear and even the website's native headers are deleted


Case 2:
Syntax from current docs: txn.http:res_add_header(txn.http,'link','12232')

- New header doesn't appear, but native headers stay


Case 3:
Funny mix with both types.
txn.http:res_add_header('link','12231')
txn.http:res_add_header(txn.http,'link','12232')

- The first new header appears successfully and native headers also stay


Case 4:
Same mix backwards.
txn.http:res_add_header(txn.http,'link','12232')
txn.http:res_add_header('link','12231')

- Same as case #2


Should it be some other syntax?)

--
Wert
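As an added example (not code from the original post), here is an http-res action that adds a "link" header with the method-call form and logs how many "link" values exist before and after the call, so the behaviour of each syntax can be checked from the HAProxy log. It assumes HAProxy's Lua API (txn.http:res_get_headers, txn.http:res_add_header, txn:Info), loaded with lua-load and triggered by the http-response lua.processResponse rule from the report; the header value is a constructed placeholder.

```lua
-- Added example, not code from the original post. Assumes HAProxy's Lua API:
-- txn.http:res_get_headers(), txn.http:res_add_header() and txn:Info().
-- Loaded via "lua-load" in the global section and triggered by
-- "http-response lua.processResponse" in the backend, as in the report.

-- Count the values present for one response header (names are lowercase in
-- the table HAProxy returns; the per-header value list is indexed from 0).
local function count_res_header(http, name)
  local values = http:res_get_headers()[name]
  if values == nil then
    return 0
  end
  local n = 0
  for _ in pairs(values) do
    n = n + 1
  end
  return n
end

core.register_action("processResponse", { "http-res" }, function(txn)
  local before = count_res_header(txn.http, "link")

  -- Method-call form: the colon passes txn.http as the implicit first
  -- argument, so only the header name and value are given explicitly.
  -- The value below is a constructed placeholder.
  txn.http:res_add_header("link", "</static/app.css>; rel=preload; as=style")

  local after = count_res_header(txn.http, "link")

  -- One log line per response shows whether the header was added and
  -- whether the origin's existing "link" values survived.
  txn:Info(string.format("processResponse: link headers before=%d after=%d",
                         before, after))
end)
```

With the colon call txn.http is already the first argument, so txn.http:res_add_header(txn.http, 'link', ...) hands the object over twice; the documented HTTP.res_add_header(http, name, value) form is written with a dot as txn.http.res_add_header(txn.http, name, value).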




stable-bot: WARNING: 33 bug fixes in queue for next release

2019-04-27 Thread stable-bot
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.

Last release 1.8.19 was issued on 2019/02/11.  There are currently 33 patches 
in the queue cut down this way:
- 5 MAJOR, first one merged on 2019/03/11
- 19 MEDIUM, first one merged on 2019/03/11
- 9 MINOR, first one merged on 2019/03/11

Thus the computed ideal release date for 1.8.20 would be 2019/03/25, which was 
five weeks ago.

The current list of patches in the queue is:
- MAJOR   : listener: Make sure the listener exist before using it.
- MAJOR   : spoe: Fix initialization of thread-dependent fields
- MAJOR   : http_fetch: Get the channel depending on the keyword used
- MAJOR   : stats: Fix how huge POST data are read from the channel
- MAJOR   : checks: segfault during tcpcheck_main
- MEDIUM  : listener: use a self-locked list for the dequeue lists
- MEDIUM  : listener: make sure the listener never accepts too many conns
- MEDIUM  : list: fix the rollback on addq in the locked liss
- MEDIUM  : logs: Only attempt to free startup_logs once.
- MEDIUM  : pattern: assign pattern IDs after checking the config validity
- MEDIUM  : ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites
- MEDIUM  : list: fix LIST_POP_LOCKED's removal of the last pointer
- MEDIUM  : list: add missing store barriers when updating elements and head
- MEDIUM  : lists: Properly handle the case we're removing the first elt.
- MEDIUM  : maps: only try to parse the default value when it's present
- MEDIUM  : peers: fix a case where peer session is not cleanly reset on release.
- MEDIUM  : 51d: fix possible segfault on deinit_51degrees()
- MEDIUM  : thread/http: Add missing locks in set-map and add-acl HTTP rules
- MEDIUM  : list: fix incorrect pointer unlocking in LIST_DEL_LOCKED()
- MEDIUM  : list: fix again LIST_ADDQ_LOCKED
- MEDIUM  : list: correct fix for LIST_POP_LOCKED's removal of last element
- MEDIUM  : spoe: Return an error if nothing is encoded for fragmented messages
- MEDIUM  : spoe: Queue message only if no SPOE applet is attached to the stream
- MEDIUM  : threads/fd: do not forget to take into account epoll_fd/pipes
- MINOR   : acl: properly detect pattern type SMP_T_ADDR
- MINOR   : spoe: Don't systematically wakeup SPOE stream in the applet handler
- MINOR   : da: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST()
- MINOR   : 51d: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST()
- MINOR   : cli: correctly handle abns in 'show cli sockets'
- MINOR   : http/counters: fix missing increment of fe->srv_aborts
- MINOR   : ssl: fix warning about ssl-min/max-ver support
- MINOR   : listener: keep accept rate counters accurate under saturation
- MINOR   : threads: fix the process range of thread masks

---
The haproxy stable-bot is freely provided by HAProxy Technologies to help 
improve the quality of each HAProxy release.  If you have any issue with these 
emails or if you want to suggest some improvements, please post them on the 
list so that the solutions suiting the most users can be found.



fix LibreSSL builds

2019-04-27 Thread Илья Шипицин
Hi,

I tested the following patch on LibreSSL-2.7.5, 2.8.3, 2.9.1

thanks!
Ilya Shipitcin
From 12c3a7b0eac4bab73864869bf8fcb365c9ba06ef Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Sun, 28 Apr 2019 00:00:16 +0500
Subject: [PATCH] BUILD: add defines to support LibreSSL tested on
 LibreSSL-2.7.5, 2.8.3, 2.9.1

---
 include/proto/openssl-compat.h |  2 +-
 include/proto/ssl_sock.h   |  2 +-
 src/cli.c  |  2 +-
 src/ssl_sock.c | 44 +-
 4 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ffee2e40..47d7bbd2 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x101fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x101fL) || (LIBRESSL_VERSION_NUMBER < 0x207fL)
 /*
  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
  */
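Review bot: the new condition `(LIBRESSL_VERSION_NUMBER < 0x207fL)` is also true when LIBRESSL_VERSION_NUMBER is not defined at all, because an undefined identifier evaluates to 0 inside an `#if` expression; on a plain OpenSSL 1.1.0+ build the whole test therefore becomes true and the compatibility functions below it are defined on top of OpenSSL's own. Guard it as `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x207fL)`, and check that the threshold is written in the same encoding LibreSSL uses for LIBRESSL_VERSION_NUMBER (for example 0x2070500fL for 2.7.5) so the comparison is against a real version value.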
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index ce52fb74..586ebb90 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -85,7 +85,7 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_co
 int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
 unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
 
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 void ssl_async_fd_handler(int fd);
 void ssl_async_fd_free(int fd);
 #endif
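Review bot: this `!defined(LIBRESSL_VERSION_NUMBER)` clause is appended to the same async condition in four more places (src/cli.c and three hunks in src/ssl_sock.c), and the declarations here must stay in lockstep with those definitions or the build breaks as soon as one copy drifts; define the compound test once in include/proto/openssl-compat.h (for example `#define HAVE_SSL_ASYNC ...`) and use that single name in each `#if`.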
diff --git a/src/cli.c b/src/cli.c
index 9581369c..508d70e9 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx)
 			 (fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
 			 (fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
 #ifdef USE_OPENSSL
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 			 (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
 			 (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
 #endif
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 015943ee..e2b98a0b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -57,7 +57,7 @@
 #include 
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 #include 
 #endif
 
@@ -573,7 +573,7 @@ fail_get:
 }
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 /*
  * openssl async fd handler
  */
@@ -2295,7 +2295,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 	SSL_set_SSL_CTX(ssl, ctx);
 }
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
 
 static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
 {
@@ -4027,7 +4027,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 
 	SSL_CTX_set_options(ctx, options);
 
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 	if (global_ssl.async)
 		mode |= SSL_MODE_ASYNC;
 #endif
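Review bot: with SSL_MODE_ASYNC now never applied on LibreSSL, a configuration that sets `global_ssl.async` (the global `ssl-mode-async` keyword) is silently accepted and has no effect; the same applies to the identical change in ssl_sock_prepare_srv_ctx further down. Consider warning or rejecting the keyword at configuration parsing time when the build has no async support, so operators are not left believing the mode is active.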
@@ -4039,7 +4039,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 #ifdef OPENSSL_IS_BORINGSSL
 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	if (bind_conf->ssl_conf.early_data) {
 		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
 		SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
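Review bot: the added `!defined(LIBRESSL_VERSION_NUMBER)` disables the early-data branch (SSL_OP_NO_ANTI_REPLAY, SSL_CTX_set_max_early_data) for every LibreSSL release, present and future, whereas the openssl-compat.h hunk already distinguishes LibreSSL versions with a numeric threshold; prefer a LIBRESSL_VERSION_NUMBER comparison here too, so the path comes back once LibreSSL provides these APIs. The commit message should also state which OpenSSL 1.1.1 APIs are missing on the tested LibreSSL versions, since the subject only says "add defines".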
@@ -4815,7 +4815,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 		options |= SSL_OP_NO_TICKET;
 	SSL_CTX_set_options(ctx, options);
 
-#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC)
+#if (OPENSSL_VERSION_NUMBER >= 0x101fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
 	if (global_ssl.async)
 		mode |= SSL_MODE_ASYNC;
 #endif
@@ -5368,7 +5368,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 	if (!conn->xprt_ctx)
 		goto out_error;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if 

Re: MEDIUM: Adding upstream socks4 proxy support

2019-04-27 Thread Alec Liu
Hi Tim,

I see, let me resend it here, thank you.

Hi List,
Willy,

I have the updated patch attached to this email, please help to review it.
If you want to give it a try, you can use "ssh -D 1080 ..." to setup a
quick socks4 tunnel proxy for testing.

Thank you.

Regards,
Alexander Liu

On Sat, Apr 27, 2019 at 5:55 PM Tim Düsterhus wrote:
>
> Alec,
>
> Am 27.04.19 um 11:39 schrieb Alec Liu:
> > Got it, thank you.
> > btw: I have the patch sent to the mail loop of the issue #82 already.
>
> please keep it on the list (in this specific thread). GitHub strips the
> attachments and generally does not forward the emails unmodified. You
> can see the result here:
> https://github.com/haproxy/haproxy/issues/82#issuecomment-487271175
>
> Best regards
> Tim Düsterhus


0001-MEDIUM-connection-issue-82-Adding-upstream-socks4-pr.patch
Description: Binary data


Re: MEDIUM: Adding upstream socks4 proxy support

2019-04-27 Thread Tim Düsterhus
Alec,

Am 27.04.19 um 11:39 schrieb Alec Liu:
> Got it, thank you.
> btw: I have the patch sent to the mail loop of the issue #82 already.

please keep it on the list (in this specific thread). GitHub strips the
attachments and generally does not forward the emails unmodified. You
can see the result here:
https://github.com/haproxy/haproxy/issues/82#issuecomment-487271175

Best regards
Tim Düsterhus



Re: MEDIUM: Adding upstream socks4 proxy support

2019-04-27 Thread Alec Liu
Hi Tim,

Got it, thank you.
btw: I have the patch sent to the mail loop of the issue #82 already.

Regards,
Alexander Liu

On Sat, Apr 27, 2019 at 5:21 PM Tim Düsterhus wrote:
>
> Alec,
>
> Am 27.04.19 um 08:54 schrieb Alec Liu:
> > Thank you for the comment. I will have them fixed.
> > But I have a question, I am not sure which subsystem I should put it
> > in. Looks like I have more than one subsystem touched.
> >
>
> In my previous reply I suggested 'connection' which seems fitting. But
> in the end I'm not the person applying the patch. Don't sweat it too
> much though, Willy usually is happy to adjust small things if the patch
> is fine in general.
>
> Best regards
> Tim Düsterhus



Re: MEDIUM: Adding upstream socks4 proxy support

2019-04-27 Thread Alec Liu
Hi Tim,

Thank you for the comment. I will have them fixed.
But I have a question, I am not sure which subsystem I should put it
in. Looks like I have more than one subsystem touched.

Thank you.

Regards,
Alexander Liu

On Sat, Apr 27, 2019 at 7:57 AM Tim Düsterhus wrote:
>
> Alec,
>
> Am 26.04.19 um 22:10 schrieb Alec Liu:
> > Here is the patch for adding upstream socks4 proxy support.
> > Please help to review it, thank you.
> >
>
> I can't comment on the technical side, but a few comments on the
> 'process' side:
>
> 1. You did not update the documentation yet (doc/configuration.txt)
> 2. The subsystem is missing from your commit message. It probably should
> be: MEDIUM: connection: Add socks4 support for upstream connections
> 3. The two commits should be merged into a single one.
> 4. Please mention the issue number in the commit message: 'See issue #82'
>
> Best regards
> Tim Düsterhus