Segfault on 2.6.0 with TCP switching to HTTP/2

2022-06-15 Thread David Leadbeater
I tried upgrading to 2.6.0 (from 2.5.6) and I'm seeing a segfault when
making HTTP/2 requests. I'm using a frontend in TCP mode and then
switching it to HTTP/2.

I've made a minimal config that exhibits the segfault, below. Simply
doing curl -vk https://ip is enough to trigger it for me.

Thread 1 "haproxy" received signal SIGSEGV, Segmentation fault.
0x555d1d07 in h2s_close (h2s=0x55a60b70) at src/mux_h2.c:1497
1497 HA_ATOMIC_DEC(&h2s->h2c->px_counters->open_streams);
(gdb) bt
#0  0x555d1d07 in h2s_close (h2s=0x55a60b70) at src/mux_h2.c:1497
#1  h2s_destroy (h2s=0x55a60b70) at src/mux_h2.c:1515
#2  0x555d3463 in h2_detach (sd=) at src/mux_h2.c:4432

The exact backtrace varies but always in h2s_destroy.

(In case you're wondering what on earth I'm doing, there's a write-up
of it at https://dgl.cx/2022/04/showing-you-your-actual-http-request)

David

---
global
  ssl-default-bind-options no-sslv3 no-tlsv10
  user nobody

defaults
  timeout connect 10s
  timeout client 30s
  timeout server 2m

frontend tcp-https
  mode tcp
  bind [::]:443 v4v6 ssl crt /etc/haproxy/ssl/bodge.cloud.pem alpn h2,http/1.1
  acl ipwtf hdr(Host),lower,field(1,:),word(-1,.,2) ip.wtf
  default_backend ipwtf
  tcp-request inspect-delay 10s
  tcp-request content switch-mode http if !ipwtf
  use_backend cloud-regions.bodge.cloud if !ipwtf

backend ipwtf
  mode tcp
  server ipwtf localhost:8080

backend cloud-regions.bodge.cloud
  mode http
  server cr localhost:8080



[PATCH] DOC: add info about ssl-engine for 2.6

2022-06-15 Thread Aleksandar Lazic
Hi.

Attached is a doc patch about ssl-engine and 2.6; it is related to
https://github.com/haproxy/haproxy/issues/1752


Regards
Alex
From 85bcc5ea26d7c1f468dbbf6a10b33bc9f79da819 Mon Sep 17 00:00:00 2001
From: Aleksandar Lazic 
Date: Wed, 15 Jun 2022 23:52:30 +0200
Subject: [PATCH] DOC: add info about ssl-engine for 2.6

In the announcement of 2.6 it is mentioned that the openssl engine
is not enabled by default.

This patch adds the information to configuration.txt.

It is related to #1752

Should be backported to 2.6
---
 doc/configuration.txt | 4 
 1 file changed, 4 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 183710c35..d0e74e0fb 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2666,6 +2666,10 @@ ssl-engine  [algo ]
   openssl configuration file uses:
   https://www.openssl.org/docs/man1.0.2/apps/config.html
 
+  Since version 2.6 is the ssl-engine not enabled in the default build. In case
+  that the ssl-engine is requierd can HAProxy be rebuild with USE_ENGINE=1
+  build flag.
+
 ssl-mode-async
   Adds SSL_MODE_ASYNC mode to the SSL context. This enables asynchronous TLS
   I/O operations if asynchronous capable SSL engines are used. The current
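Review bot: the two added sentences (lines starting "+  Since version 2.6 is the ssl-engine" and "+  that the ssl-engine is requierd") use German word order and carry typos ("requierd", "rebuild"), so they read oddly next to the surrounding English in configuration.txt; suggest "Since version 2.6, the ssl-engine is not enabled in the default build. If it is required, HAProxy must be rebuilt with the USE_ENGINE=1 build flag." The placement after the config-file paragraph and before "ssl-mode-async" is fine, and the 80-column wrap of the file is respected.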
-- 
2.25.1



Re: HttpClient in Lua

2022-06-15 Thread Aleksandar Lazic
Hi Phil,

please keep the ML in the loop.

On Thu, 16 Jun 2022 00:19:57 +1000
Philip Young  wrote:

> Hi Alex
> 
> Thanks for the reply, but unfortunately that only sets the CA certs that
> issued the server certs. I need a way to specify a client certificate that
> will be used to talk to authz service. 

Ah okay, sorry, I hadn't understood that you want to send a client certificate.
I would try to use http://docs.haproxy.org/2.6/configuration.html#5.2-crt
with the client certificate in the pem and set it on the server line.

That's my conclusion from that code.
https://git.haproxy.org/?p=haproxy.git;a=blob;f=src/hlua.c;hb=HEAD#l12530

Again, it's just an assumption, as I have never had the requirement to use client
certificates with haproxy.

Regards
Alex

> Thanks anyway
> 
> Sent from my iPhone
> 
> > On 16 Jun 2022, at 12:03 am, Aleksandar Lazic  wrote:
> > 
> > HI.
> > 
> >> On Wed, 15 Jun 2022 23:33:27 +1000
> >> Philip Young  wrote:
> >> 
> >> Hi
> >> I am currently writing a LUA module to make authorisation decisions on
> >> whether a request is allowed, by calling out to another service to make the
> >> authorisation decision.
> >> In the Lua module, I am using Socket.connect_ssl() to
> >> connect to the authorisation service but I am struggling to work out how to
> >> set the path to the certificate I want to use to connect to the
> >> authorisation service.
> >> Does anybody know how to set the path to the certificate that is
> >> used when using Socket.connect_ssl()? Is it possible to do this using the
> >> httpclient?
> > 
> > I'm neither a lua nor an httpclient expert, but maybe this could help.
> > https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.ca-file
> > 
> > Also check if you maybe need to adapt this, at least for the beginning.
> > https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.verify
> > 
> >> I have tried asking the Slack chat channel and on the commercial
> >> site but no one knows. 
> >> 
> >> Cheers Phil
> > 
> > Hth
> > Alex
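As an added example of the httpclient route Alex points to (this is not code from the thread and not HAProxy's own code): an http-request Lua action that asks an authorisation service over TLS through core.httpclient(), HAProxy's built-in HTTP client, with server trust configured by the global httpclient.ssl.ca-file and httpclient.ssl.verify settings. The service URL, the header names and the "200 means allow" protocol are assumptions. As Phil notes, those two settings only govern which CAs are trusted; the example does not present a client certificate, which remains the open question in the thread.

```lua
-- Added example, not from the mailing-list thread or from HAProxy itself.
-- Matching haproxy.cfg lines (paths and names are assumptions):
--   global
--     lua-load /etc/haproxy/authz.lua
--     httpclient.ssl.ca-file /etc/haproxy/authz-ca.pem
--     httpclient.ssl.verify  required
--   frontend www
--     http-request lua.authz
--     http-request deny status 403 if { var(txn.authz) -m str deny }

local AUTHZ_URL        = "https://authz.internal.example:8443/v1/decide" -- assumed
local AUTHZ_TIMEOUT_MS = 2000

-- Ask the authz service about one request and return "allow" or "deny".
-- Fail closed: a transport error, a timeout or any non-200 answer is a deny,
-- so an unreachable policy service never turns into an open door.
local function decide(method, path, src_ip, user)
  local hc  = core.httpclient()
  local res = hc:get{
    url     = AUTHZ_URL,
    headers = {                       -- assumed header protocol
      ["x-original-method"] = { method },
      ["x-original-uri"]    = { path },
      ["x-forwarded-for"]   = { src_ip },
      ["x-user"]            = { user },
    },
    timeout = AUTHZ_TIMEOUT_MS,
  }
  if res == nil or res.status == nil then
    core.Warning("authz: no response from authorisation service, denying")
    return "deny"
  end
  if res.status == 200 then
    return "allow"
  end
  core.Info(string.format("authz: service answered %d for %s %s from %s",
                          res.status, method, path, src_ip))
  return "deny"
end

-- http-request action: store the verdict in txn.authz; the deny rule in the
-- frontend acts on it, keeping the policy decision and the response separate.
core.register_action("authz", { "http-req" }, function(txn)
  local method = txn.sf:method()
  local path   = txn.sf:path()
  local src    = txn.sf:src()
  local user   = txn.sf:req_fhdr("x-user") or ""  -- hypothetical identity header
  txn:set_var("txn.authz", decide(method, path, src, user))
end)
```

Since the action yields while the httpclient waits, it does not block other connections, but every request still costs one round trip to the authz service; a short timeout and a deny on failure keep that cost bounded and the failure mode safe.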




Re: haproxy 2.6.0 and quic

2022-06-15 Thread Amaury Denoyelle
On Fri, Jun 03, 2022 at 07:08:43AM -0600, Shawn Heisey wrote:
> [...]
> A word of warning that you would probably also get from the devs here: 
> HTTP3/QUIC support is still new and not entirely working. I have it
> configured and it only works correctly for VERY simple websites.  Any
> complex webapp I try it on will fail in some way, but if I disable HTTP3 and
> use HTTP2, it works.
> 

Hi,

I just wanted to let you and other QUIC enthusiasts know that I
found a defect in the haproxy QPACK implementation which prevented some
headers from being decrypted. The fix has been merged and it helped greatly in
my test with a nextcloud instance.

Of course, I still have some other issues and unexpected behavior, but
if you have the time, do not hesitate to test the development version and
give us your thoughts. As an alternative, we may soon emit a
2.6.1 with the first batch of QUIC issues resolved so far.

Regards,

-- 
Amaury Denoyelle



Re: HttpClient in Lua

2022-06-15 Thread Aleksandar Lazic
HI.

On Wed, 15 Jun 2022 23:33:27 +1000
Philip Young  wrote:

> Hi
> I am currently writing a LUA module to make authorisation decisions on
> whether a request is allowed, by calling out to another service to make the
> authorisation decision.
> In the Lua module, I am using Socket.connect_ssl() to
> connect to the authorisation service but I am struggling to work out how to
> set the path to the certificate I want to use to connect to the authorisation
> service.
> Does anybody know how to set the path to the certificate that is
> used when using Socket.connect_ssl()? Is it possible to do this using the
> httpclient?

I'm neither a lua nor an httpclient expert, but maybe this could help.
https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.ca-file

Also check if you maybe need to adapt this, at least for the beginning.
https://docs.haproxy.org/2.6/configuration.html#httpclient.ssl.verify

> I have tried asking the Slack chat channel and on the commercial
> site but no one knows. 
> 
> Cheers Phil

Hth
Alex



HttpClient in Lua

2022-06-15 Thread Philip Young
Hi
I am currently writing a LUA module to make authorisation decisions on whether 
a request is allowed, by calling out to another service to make the 
authorisation decision. 
In the Lua module, I am using Socket.connect_ssl() to connect to the 
authorisation service but I am struggling to work out how to set the path to 
the certificate I want to use to connect to the authorisation service. 
Does anybody know how to set the path to the certificate that is used when 
using Socket.connect_ssl()?
Is it possible to do this using the httpclient?
I have tried asking the Slack chat channel and on the commercial site but no 
one knows. 

Cheers Phil

Re: Configuration in a database

2022-06-15 Thread Yuriy Ivkin

Hi Илья,

Thank you for your response!

Got it. If there is no native way, then I will think about some config 
generator app on the same host as the haproxy. Thank you!


On 15.06.2022 13:24, Илья Шипицин wrote:
there are a few external tools for config provisioning, what comes to 
mind ...


(*) consul templates consul-template/haproxy.md at main · 
hashicorp/consul-template (github.com) 

(*) dataplane api haproxytech/dataplaneapi: HAProxy Data Plane API 
(github.com) 


natively, haproxy uses text config files (which are usually 
provisioned by some automation)


Wed, 15 Jun 2022 at 14:54, Yuriy Ivkin :

Greetings!

 Are there any solutions that allow keeping the configuration in a database
instead of a text file? Fast googling did not give any results.

-- 
Best regards,

Yuriy Ivkin


--
Best regards,
Yuriy Ivkin
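Added here as an example of the "config generator app" Yuriy mentions; it is not code from the thread or from HAProxy, and the row layout (backend, server, address, port), the sample rows and the rendered output shape are assumptions. It is written in Lua, the scripting language HAProxy itself embeds, and shows the check such a generator needs: every database value is validated before it becomes a config token, so a row cannot smuggle a directive into the rendered file.

```lua
-- Added example, not from the thread or from HAProxy.
-- `rows` is constructed sample data standing in for a SELECT result; a real
-- generator would fill it from the database. The two last rows are the kind
-- of input that must be rejected rather than rendered: one carries a newline
-- followed by a directive, the other an impossible port.
local rows = {
  { backend = "web", server = "web1", address = "10.0.0.11",     port = 8080 },
  { backend = "web", server = "web2", address = "10.0.0.12",     port = 8080 },
  { backend = "api", server = "api1", address = "api1.internal", port = 9000 },
  { backend = "web", server = "evil\n  http-request deny", address = "10.0.0.13", port = 8080 },
  { backend = "api", server = "api2", address = "10.0.0.14",     port = 70000 },
}

-- Identifiers: letters, digits, '_', '-', '.'; no whitespace, no newlines,
-- so a value can never end the current line or start a new directive.
local function valid_name(s)
  return type(s) == "string" and #s <= 64 and s:match("^[%w_%-%.]+$") ~= nil
end

-- Address: dotted IPv4 with each octet <= 255, or a DNS name that does not
-- start with '-' (so it cannot be mistaken for a keyword option).
local function valid_address(s)
  if type(s) ~= "string" or #s == 0 or #s > 253 then return false end
  if s:match("^%d+%.%d+%.%d+%.%d+$") then
    for octet in s:gmatch("%d+") do
      if tonumber(octet) > 255 then return false end
    end
    return true
  end
  return s:match("^%w[%w%-%.]*$") ~= nil
end

local function valid_port(p)
  return type(p) == "number" and p == math.floor(p) and p >= 1 and p <= 65535
end

-- Group validated rows by backend and render haproxy config text.
-- Returns the text and the list of rejected row indexes.
local function render(rows)
  local backends, order, rejected = {}, {}, {}
  for i, r in ipairs(rows) do
    if valid_name(r.backend) and valid_name(r.server)
       and valid_address(r.address) and valid_port(r.port) then
      if not backends[r.backend] then
        backends[r.backend] = {}
        order[#order + 1] = r.backend
      end
      local b = backends[r.backend]
      b[#b + 1] = string.format("  server %s %s:%d check", r.server, r.address, r.port)
    else
      rejected[#rejected + 1] = i
    end
  end
  table.sort(order)                      -- stable output for diffing
  local out = {}
  for _, name in ipairs(order) do
    out[#out + 1] = "backend " .. name
    out[#out + 1] = "  mode http"
    for _, line in ipairs(backends[name]) do out[#out + 1] = line end
    out[#out + 1] = ""
  end
  return table.concat(out, "\n"), rejected
end

local cfg, rejected = render(rows)
io.write(cfg)
for _, i in ipairs(rejected) do
  io.stderr:write(string.format("rejected row %d: invalid backend/server/address/port\n", i))
end
```

Write the output to a file and run `haproxy -c -f <file>` on it before reloading; rejecting bad rows and failing the check step are what keep a typo or a hostile value in the database from ever reaching the running proxy.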


Re: Configuration in a database

2022-06-15 Thread Илья Шипицин
there are a few external tools for config provisioning, what comes to mind ...

(*) consul templates consul-template/haproxy.md at main ·
hashicorp/consul-template (github.com)

(*) dataplane api haproxytech/dataplaneapi: HAProxy Data Plane API
(github.com) 

natively, haproxy uses text config files (which are usually provisioned by
some automation)

Wed, 15 Jun 2022 at 14:54, Yuriy Ivkin :

> Greetings!
>
>  Are there any solutions that allow keeping the configuration in a database instead of
> a text file? Fast googling did not give any results.
>
> --
> Best regards,
> Yuriy Ivkin
>
>


Configuration in a database

2022-06-15 Thread Yuriy Ivkin

Greetings!

 Are there any solutions that allow keeping the configuration in a database instead 
of a text file? Fast googling did not give any results.


--
Best regards,
Yuriy Ivkin