Re: [PATCH] DOC: clarify matching strings on binary fetches

2019-12-04 Thread Willy Tarreau 
On Wed, Dec 04, 2019 at 03:38:51PM +, Mathias Weiersmüller (cyberheads 
GmbH) wrote:
> Willy,
> Will I (pardon the pun) send backported patches for the documentation for
> versions 1.5 - 2.1? Or is that handled by you?

Normally we do it ourselves because this way we get the upper commit IDs
when these are merged. From time to time when patches are very different
however, or touch areas that only the reporter understands, we prefer to
get the backports as well. In your case it should not be an issue to
apply your patch to older versions' documentation so that'll flow down
to these versions as we make the backports.

Thanks!
Willy

Re: [PATCH] DOC: clarify matching strings on binary fetches

2019-12-04 Thread cyberheads GmbH 
Willy,
Will I (pardon the pun) send backported patches for the documentation for 
versions 1.5 - 2.1? Or is that handled by you?

Regards

Mathias

From: Willy Tarreau 
Sent: Tuesday, December 3, 2019 07:35
To: Mathias Weiersmüller (cyberheads GmbH) 
Cc: haproxy@formilux.org ; tfourn...@arpalert.org 
; Aleksandar Lazic 
Subject: Re: [PATCH] DOC: clarify matching strings on binary fetches

Hi Mathias,

On Mon, Dec 02, 2019 at 09:01:56AM +, Mathias Weiersmüller (cyberheads 
GmbH) wrote:
> Documentation patch provided - I would backport it all the way down to 1.5 as
> it might save from headaches.

Good point indeed, now merged, thank you!

Willy

Re: [PATCH] DOC: clarify matching strings on binary fetches

2019-12-02 Thread Willy Tarreau 
Hi Mathias,

On Mon, Dec 02, 2019 at 09:01:56AM +, Mathias Weiersmüller (cyberheads 
GmbH) wrote:
> Documentation patch provided - I would backport it all the way down to 1.5 as
> it might save from headaches.

Good point indeed, now merged, thank you!

Willy

[PATCH] DOC: clarify matching strings on binary fetches

2019-12-02 Thread cyberheads GmbH 
Documentation patch provided - I would backport it all the way down to 1.5 as 
it might save from headaches.

Best regards

Mathias

>
> It would be nice when you send us a patch to fix the doc.
> 
> Regards
> Aleks
> 
> Nov 30, 2019 11:35:24 AM Mathias Weiersmüller (cyberheads GmbH) 
> :
>
> > (CCing Thierry Fournier as maintainer of the pattern matching part)
> > 
> > 
> > > We use HAProxy in TCP Mode for non-HTTP protocols.
> > > 
> > > The request of one particular protocol looks like this:
> > > 
> > - length of message (binary value, 4 bytes long)
> > >  
> > > - binary part (40-200 bytes)
> > > - XML part
> > > 
> > > Goal: We want to use a particular backend when the XML part of the 
> > > request contains the string "".
> > > 
> > > We used this ACL:
> > > acl tag_found req.payload(0,0) -m sub 
> > > 
> > > The problem:
> > > The substring matching stops on a Null byte (\0) in a binary fetch. 
> > > We always have this case (the request normally starts with Null 
> > > bytes). Therefore, the match never succeeds. As there might be null 
> > > bytes in the binary part too, we cannot just start the payload fetch 
> > > after byte 4.
> > > 
> > > ==
> > > frontend fe_test
> > > bind *:3000
> > > 
> > > tcp-request inspect-delay 5s
> > > 
> > > acl content_present req_len gt 0
> > > acl tag_found req.payload(0,0) -m sub 
> > > 
> > > tcp-request content accept if content_present tcp-request content 
> > > reject
> > > 
> > > # depending on if the payload contains the string "", we use 
> > > different backends # right now, the two backends are exactly the same.
> > > use_backend be_tag if tag_found
> > > default_backend be_default
> > > 
> > > backend be_tag
> > > server srv_1:4000
> > > 
> > > backend be_default
> > > server srv_1:4000
> > > 
> > > Test cases:
> > > (tested on versions 2.0.10, 1.5.18)
> > > echo -e '' | nc 127.0.0.1 3000 # will use backend be_tag echo 
> > > -e '\0' | nc 127.0.0.1 3000 # will use backend be_default, but 
> > > should use be_tag ==
> > > 
> > > Workaround:
> > > =>convert payload into hexified string, parse against hex:
> > > acl tag_found req.payload(0,0),hex -m sub 3C7461673E # this is  
> > > in hexadecimal
> > > 
> > > Dear list members, these are the questions I am twisting my mind with. Do 
> > > you have a good take one these?
> > > 
> > > - Is there another (better) way to do a substring match on a payload 
> > > which contains Null bytes?
> > > - Would another, new match method make sense here (something like 
> > > sub_bin ? )
> > > - Do we run into a problem with the hex conversion because the size 
> > > of the sample has double the size than the original (maybe bigger 
> > > than bufsize?)
> > > 
> > > 
> > 
> > If this behavior is intended, then the configuration manual (7.1.3 Matching 
> > strings) should be updated to reflect this:
> > 
> > Do not use string matches for binary fetches which might contain null 
> > bytes (0x00), as the comparison stops at the occurrence of the first 
> > null byte. Instead, convert the binary fetch to a hex string with the hex 
> > converter first.
> > 
> > Example:
> > acl tag_found req.payload(0,0),hex -m sub 3C7461673E # this is  
> > in hexadecimal
 



0001-DOC-clarify-matching-strings-on-binary-fetches.patch
Description: 0001-DOC-clarify-matching-strings-on-binary-fetches.patch