Re: [PATCH 2/3] MINOR: Add `ha_generate_uuid_v7`

[Willy Tarreau]

On Thu, Apr 25, 2024 at 08:15:30PM +0200, Tim Düsterhus wrote:
> Hi
> 
> On 4/24/24 08:39, Willy Tarreau wrote:
> > Just thinking about all the shifts above, I think you could have
> > gone through less efforts by acting on 64-bit randoms (less shifts).
> > But the difference is probably not that much anyway.
> 
> I've used the existing implementation for UUIDv4 as the basis, that's why
> the code looks like it does.

Ah OK makes sense ;-)

Willy

Re: [PATCH 2/3] MINOR: Add `ha_generate_uuid_v7`

[Tim Düsterhus]

Hi

On 4/24/24 08:39, Willy Tarreau wrote:

Just thinking about all the shifts above, I think you could have
gone through less efforts by acting on 64-bit randoms (less shifts).
But the difference is probably not that much anyway.


I've used the existing implementation for UUIDv4 as the basis, that's 
why the code looks like it does.


Best regards
Tim Düsterhus

Article submission for haproxy.org

[Raddie Kalytenko]

Hi there,
I hope you are doing well!

My name is Raddie. I am contacting you on behalf of lawrina.org.
This is our legaltech space with professionally designed legal templates,
guides, and AI-driven software for contract drafting.

I was searching for new websites to collaborate with and came across yours.
Need to say that you did good work! The website is great :)
I am interested in submitting a post for haproxy.org.

We will create content that will be unique, special for your platform, and
useful for your audience.
In return, I need a backlink to our site in this article.
I am confident that our article will provide your audience with valuable
legal knowledge and increase your website traffic.

The article can have a custom topic, about tech laws, for example.
Please let me know if you are interested.
I will be happy to provide you with more details: topics, prices, terms,
and other conditions.

Thank you for considering this opportunity!
Best regards,

*Raddie Kalytenko*

Affordable Web Design/Development

[Danny Baileys]

Hi,

Are you looking for a professional website Designing or Redesigning service?

We deliver amazing featured websites at genuine prices in the time frame.

Tell us about your requirements. We would be happy to share quotes and
pricelist.

Thanks & Regards,

Danny
[image: beacon]

Re: [PATCH] MINOR: config: rhttp: Downgrade error on attach-srv name parsing

[Amaury Denoyelle]

Hi William !

Sorry for the delay. We have rediscussed this issue this morning and
here is my answer on your patch.

It is definitely legitimate to want to be able to use reverse HTTP
without SSL on the server line. However, the way that haproxy currently
uses idle connection is that at least the SNI parameter alone must be
set to match the name parameter of the corresponding attach-srv rule. If
this is not the case, the connection will never be reused.

But in fact, when rereading haproxy code this morning, we found that it
is valid to have SNI parameter set even if SSL is not active, and this
will produce the desired effect. We are definitely okay with merging an
adjusted version of your patch for the moment, see my remarks below.
However, using SNI on a server line without SSL is something tricky.
Thus we plan to add a new keyword to replace it when SSL is not used to
have the same effect. When this will be done, you should update your
configuration to use it.

On Fri, Apr 12, 2024 at 02:29:30PM +0100, William Manley wrote:
> An attach-srv config line usually looks like this:
> tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)
> The name is a key that is used when looking up connections in the
> connection pool.  Without this patch you'd get an error if you passed
> anything other than "ssl_c_s_dn(CN)" as the name expression.  Now you can
> pass arbitrary expressions and it will just warn you if you aren't
> producing a configuration that is RFC compliant.
> I'm doing this as I want to use `fc_pp_unique_id` as the name.

I'm not 100% okay with your description here. The current code condition
does not check that "ssl_c_s_dn(CN)" is used as expression, but rather
that if name is defined for an attach-srv rule, the targetted server
must have both SSL and SNI activated. I think this paragraph should be
reworded.

> ---
>  src/tcp_act.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> diff --git a/src/tcp_act.c b/src/tcp_act.c
> index a88fab4af..4d2a56c67 100644
> --- a/src/tcp_act.c
> +++ b/src/tcp_act.c
> @@ -522,8 +522,7 @@ static int tcp_check_attach_srv(struct act_rule *rule, 
> struct proxy *px, char **
>  
>   if ((rule->arg.attach_srv.name && (!srv->use_ssl || !srv->sni_expr)) ||
>   (!rule->arg.attach_srv.name && srv->use_ssl && srv->sni_expr)) {
> - memprintf(err, "attach-srv rule: connection will never be used; 
> either specify name argument in conjunction with defined SSL SNI on targeted 
> server or none of these");
> - return 0;
> + ha_warning("attach-srv rule: connection may never be used; 
> usually name argument is defined SSL SNI on targeted server or none of 
> these");
>   }
>  
>   rule->arg.attach_srv.srv = srv;
> -- 
> 2.34.1
> 

I think an alternative patch may be more desirable here. We could update
the condition with the following statement without removing the fatal
error :

>   if ((rule->arg.attach_srv.name && !srv->sni_expr) ||
>   (!rule->arg.attach_srv.name && srv->sni_expr)) {

This reflects the current mandatory usage of reverse-http : if name is
used on attach-srv, sni keyword must be specified on the server line.

Let me know your thoughts. If you're okay, can you adjust your patch
please ? If not, do not hesitate to tell me if there is something you
disagreeing with.

Thanks,

-- 
Amaury Denoyelle