subject:"ACL block ignored in 2.0.25"

Re: ACL block ignored in 2.0.25

2021-11-22 Thread Bart van der Schans

On Mon, Nov 22, 2021 at 12:59 AM Olivier Houchard  wrote:

> Hi Bart,
>
> On Thu, Nov 18, 2021 at 08:06:55PM +0100, Bart van der Schans wrote:
> > Here is the patch:
> >
> > Fix "block" ACL by reverting accidental removal of code in
> > 8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9
> > ---
> > diff --git a/src/cfgparse.c b/src/cfgparse.c
> > index 857321e1..78f0ed76 100644
> > --- a/src/cfgparse.c
> > +++ b/src/cfgparse.c
> > @@ -2823,6 +2823,16 @@ int check_config_validity()
> > }
> > }
> >
> > +   /* move any "block" rules at the beginning of the http-request
> > rules */
> > +   if (!LIST_ISEMPTY(>block_rules)) {
> > +   /* insert block_rules into http_req_rules at the
> beginning
> > */
> > +   curproxy->block_rules.p->n=
> curproxy->http_req_rules.n;
> > +   curproxy->http_req_rules.n->p = curproxy->block_rules.p;
> > +   curproxy->block_rules.n->p=
> >http_req_rules;
> > +   curproxy->http_req_rules.n= curproxy->block_rules.n;
> > +   LIST_INIT(>block_rules);
> > +   }
> > +
> > /* check validity for 'tcp-request' layer 4/5/6/7 rules
> */
> > cfgerr += check_action_rules(>tcp_req.l4_rules,
> > curproxy, _code);
> > cfgerr += check_action_rules(>tcp_req.l5_rules,
> > curproxy, _code);
>
> Your patch has been committed as feeccc6e40e4d61b1e9fa84aca961aceabe39371
>
> Thanks a lot !
>
>
Thank you for the fast turnaround!

Bart

Olivier
>
>

Re: ACL block ignored in 2.0.25

2021-11-21 Thread Olivier Houchard

Hi Bart,

On Thu, Nov 18, 2021 at 08:06:55PM +0100, Bart van der Schans wrote:
> Here is the patch:
> 
> Fix "block" ACL by reverting accidental removal of code in
> 8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9
> ---
> diff --git a/src/cfgparse.c b/src/cfgparse.c
> index 857321e1..78f0ed76 100644
> --- a/src/cfgparse.c
> +++ b/src/cfgparse.c
> @@ -2823,6 +2823,16 @@ int check_config_validity()
> }
> }
> 
> +   /* move any "block" rules at the beginning of the http-request
> rules */
> +   if (!LIST_ISEMPTY(>block_rules)) {
> +   /* insert block_rules into http_req_rules at the beginning
> */
> +   curproxy->block_rules.p->n= curproxy->http_req_rules.n;
> +   curproxy->http_req_rules.n->p = curproxy->block_rules.p;
> +   curproxy->block_rules.n->p= >http_req_rules;
> +   curproxy->http_req_rules.n= curproxy->block_rules.n;
> +   LIST_INIT(>block_rules);
> +   }
> +
> /* check validity for 'tcp-request' layer 4/5/6/7 rules */
> cfgerr += check_action_rules(>tcp_req.l4_rules,
> curproxy, _code);
> cfgerr += check_action_rules(>tcp_req.l5_rules,
> curproxy, _code);

Your patch has been committed as feeccc6e40e4d61b1e9fa84aca961aceabe39371

Thanks a lot !

Olivier

Re: ACL block ignored in 2.0.25

2021-11-18 Thread Bart van der Schans

Here is the patch:

Fix "block" ACL by reverting accidental removal of code in
8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9
---
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 857321e1..78f0ed76 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2823,6 +2823,16 @@ int check_config_validity()
}
}

+   /* move any "block" rules at the beginning of the http-request
rules */
+   if (!LIST_ISEMPTY(>block_rules)) {
+   /* insert block_rules into http_req_rules at the beginning
*/
+   curproxy->block_rules.p->n= curproxy->http_req_rules.n;
+   curproxy->http_req_rules.n->p = curproxy->block_rules.p;
+   curproxy->block_rules.n->p= >http_req_rules;
+   curproxy->http_req_rules.n= curproxy->block_rules.n;
+   LIST_INIT(>block_rules);
+   }
+
/* check validity for 'tcp-request' layer 4/5/6/7 rules */
cfgerr += check_action_rules(>tcp_req.l4_rules,
curproxy, _code);
cfgerr += check_action_rules(>tcp_req.l5_rules,
curproxy, _code);
--

On Thu, Nov 18, 2021 at 6:11 PM Olivier Houchard  wrote:

> On Thu, Nov 18, 2021 at 05:59:24PM +0100, Bart van der Schans wrote:
> > A bit more digging:
> >
> > It looks like this commit broke it:
> >
> http://git.haproxy.org/?p=haproxy-2.0.git;a=commitdiff;h=8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9
> >
> > Re-adding the following block on line 2826 in cfgparse.c in 2.0.25
> "solves"
> > the issue but I have no idea if that is the right thing to do:
> >
> > -   /* move any "block" rules at the beginning of the
> > http-request rules */
> > -   if (!LIST_ISEMPTY(>block_rules)) {
> > -   /* insert block_rules into http_req_rules at
> > the beginning */
> > -   curproxy->block_rules.p->n=
> > curproxy->http_req_rules.n;
> > -   curproxy->http_req_rules.n->p =
> curproxy->block_rules.p;
> > -   curproxy->block_rules.n->p=
> > >http_req_rules;
> > -   curproxy->http_req_rules.n=
> curproxy->block_rules.n;
> > -   LIST_INIT(>block_rules);
> > -   }
> >
> > Thanks
> > Bart
> >
> I think you are totally correct, and this is the right thing to do. That
> block is unrelated to the other changes in that commit, and probably
> should not have been removed.
>
> Regards,
>
> Olivier
>
>

Re: ACL block ignored in 2.0.25

2021-11-18 Thread Olivier Houchard

On Thu, Nov 18, 2021 at 05:59:24PM +0100, Bart van der Schans wrote:
> A bit more digging:
> 
> It looks like this commit broke it:
> http://git.haproxy.org/?p=haproxy-2.0.git;a=commitdiff;h=8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9
> 
> Re-adding the following block on line 2826 in cfgparse.c in 2.0.25 "solves"
> the issue but I have no idea if that is the right thing to do:
> 
> -   /* move any "block" rules at the beginning of the
> http-request rules */
> -   if (!LIST_ISEMPTY(>block_rules)) {
> -   /* insert block_rules into http_req_rules at
> the beginning */
> -   curproxy->block_rules.p->n=
> curproxy->http_req_rules.n;
> -   curproxy->http_req_rules.n->p = 
> curproxy->block_rules.p;
> -   curproxy->block_rules.n->p=
> >http_req_rules;
> -   curproxy->http_req_rules.n= 
> curproxy->block_rules.n;
> -   LIST_INIT(>block_rules);
> -   }
> 
> Thanks
> Bart
> 
I think you are totally correct, and this is the right thing to do. That
block is unrelated to the other changes in that commit, and probably
should not have been removed.

Regards,

Olivier

Re: ACL block ignored in 2.0.25

2021-11-18 Thread Bart van der Schans

A bit more digging:

It looks like this commit broke it:
http://git.haproxy.org/?p=haproxy-2.0.git;a=commitdiff;h=8ab2a364a8c8adf0965e74a41a2ff3cebd43e7a9

Re-adding the following block on line 2826 in cfgparse.c in 2.0.25 "solves"
the issue but I have no idea if that is the right thing to do:

-   /* move any "block" rules at the beginning of the
http-request rules */
-   if (!LIST_ISEMPTY(>block_rules)) {
-   /* insert block_rules into http_req_rules at
the beginning */
-   curproxy->block_rules.p->n=
curproxy->http_req_rules.n;
-   curproxy->http_req_rules.n->p = curproxy->block_rules.p;
-   curproxy->block_rules.n->p=
>http_req_rules;
-   curproxy->http_req_rules.n= curproxy->block_rules.n;
-   LIST_INIT(>block_rules);
-   }

Thanks
Bart

On Thu, Nov 18, 2021 at 5:47 PM Bart van der Schans 
wrote:

> Hi good folks!
>
> We ran into an issue with 2.0.25 that it ignores the "block" (deprecated
> but still valid) statement. The following works in 2.0.24 but not in 2.0.25:
>
> frontend http-in
>   bind   :80
>   mode   http
>   logglobal
>   // snip, all the usual stuff
>
>   # block any unwanted source IP addresses or networks
>   acl forbidden_src src  127.0.0.1
>   block if forbidden_src
>
> With 2.0.24 as expected:
> $ curl http://localhost/adsf
> 403 Forbidden
> Request forbidden by administrative rules.
> 
>
> With 2.0.25 (503 because no real backend in my test setup):
> $ curl http://localhost/adsf
> 503 Service Unavailable
> No server is available to handle this request.
> 
>
> Wondering if I'm missing something or if this is a security issue. For now
> we are have quickly "patched" our prod servers by replacing "block" with
> "http-request deny" which does show the correct behavior.
>
> Any comments or suggestions?
>
> Thanks
> Bart
>
>

ACL block ignored in 2.0.25

2021-11-18 Thread Bart van der Schans

Hi good folks!

We ran into an issue with 2.0.25 that it ignores the "block" (deprecated
but still valid) statement. The following works in 2.0.24 but not in 2.0.25:

frontend http-in
  bind   :80
  mode   http
  logglobal
  // snip, all the usual stuff

  # block any unwanted source IP addresses or networks
  acl forbidden_src src  127.0.0.1
  block if forbidden_src

With 2.0.24 as expected:
$ curl http://localhost/adsf
403 Forbidden
Request forbidden by administrative rules.


With 2.0.25 (503 because no real backend in my test setup):
$ curl http://localhost/adsf
503 Service Unavailable
No server is available to handle this request.


Wondering if I'm missing something or if this is a security issue. For now
we are have quickly "patched" our prod servers by replacing "block" with
"http-request deny" which does show the correct behavior.

Any comments or suggestions?

Thanks
Bart

Re: ACL block ignored in 2.0.25

Re: ACL block ignored in 2.0.25

Re: ACL block ignored in 2.0.25

Re: ACL block ignored in 2.0.25

Re: ACL block ignored in 2.0.25

ACL block ignored in 2.0.25

6 matches

Site Navigation

Mail list logo

Footer information