Re: Haproxy 1.6.9 failed to compile regex

2016-10-28 Thread Lukas Tribus

Hello,


On 28.10.2016 at 01:03, Willy Tarreau wrote:
>> For the record: this has been fixed; and I also implemented the correct
>> "Built with PCRE" information. Haproxy 1.6.10 will contain those fixes.
>>
>> ~/haproxy-1.6$ git log --oneline v1.6.9.. | grep PCRE
>> dcdd2ae MINOR: show Built with PCRE version
>> 3a011f1 BUG/MINOR: displayed PCRE version is running release
>> ~/haproxy-1.6$
>
> OK, this means I'll release 1.6.10 ASAP. I just want to take a look at
> a CLOSE_WAIT peer connection report I got which might explain certain
> cases of zombies after reload.


Definitely, but there is certainly no urgency because of those PCRE 
issues here.



Lukas




Re: Haproxy 1.6.9 failed to compile regex

2016-10-27 Thread Willy Tarreau
On Thu, Oct 27, 2016 at 05:43:38PM +0200, Lukas Tribus wrote:
> Hello,
> 
> 
> On 08.09.2016 at 17:48, Lukas Tribus wrote:
> > 
> > > Means that haproxy -vv reported "Built with PCRE version" version
> > > wrong previously. That confused me.
> > 
> > This returns the output of pcre_version() and yes, the text should be
> > renamed to "Running with PCRE version", because the runtime library
> > returns the version in this case.
> 
> For the record: this has been fixed; and I also implemented the correct
> "Built with PCRE" information. Haproxy 1.6.10 will contain those fixes.
> 
> ~/haproxy-1.6$ git log --oneline v1.6.9.. | grep PCRE
> dcdd2ae MINOR: show Built with PCRE version
> 3a011f1 BUG/MINOR: displayed PCRE version is running release
> ~/haproxy-1.6$

OK, this means I'll release 1.6.10 ASAP. I just want to take a look at
a CLOSE_WAIT peer connection report I got which might explain certain
cases of zombies after reload.

Cheers,
Willy



Re: Haproxy 1.6.9 failed to compile regex

2016-10-27 Thread Lukas Tribus

Hello,


On 08.09.2016 at 17:48, Lukas Tribus wrote:
>> Means that haproxy -vv reported "Built with PCRE version" version
>> wrong previously. That confused me.
>
> This returns the output of pcre_version() and yes, the text should be
> renamed to "Running with PCRE version", because the runtime library
> returns the version in this case.

For the record: this has been fixed; and I also implemented the correct 
"Built with PCRE" information. Haproxy 1.6.10 will contain those fixes.


~/haproxy-1.6$ git log --oneline v1.6.9.. | grep PCRE
dcdd2ae MINOR: show Built with PCRE version
3a011f1 BUG/MINOR: displayed PCRE version is running release
~/haproxy-1.6$



Cheers,

Lukas




Re: Haproxy 1.6.9 failed to compile regex

2016-09-08 Thread Lukas Tribus

Hello Veiko,


On 08.09.2016 at 13:11, Veiko Kukk wrote:
> Yes, turned out, build box had newer pcre installed (7 vs 8 major
> version). Compiling pcre statically solved that error/problem.

Good to hear. If you link against a shared library, you will have to
make sure they match in major versions (same OS), otherwise you will
have major problems with it (OpenSSL major release differences also lead
to haproxy crashes). If you link statically to a library, you have to
remember to upgrade the library and recompile haproxy, if the library
has a vulnerability.

> Means that haproxy -vv reported "Built with PCRE version" version
> wrong previously. That confused me.

This returns the output of pcre_version() and yes, the text should be
renamed to "Running with PCRE version", because the runtime library
returns the version in this case.

> BTW: openssl version is also reported wrong by haproxy -vv.

OpenSSL information, on the other hand, should be correct. "Built with"
returns the build time OPENSSL_VERSION_TEXT and "Running on" makes the
library return the version ("SSLeay_version(SSLEAY_VERSION)"). There is
really no interpretation going on at haproxy level.

Not sure why you would see different "Running on" information on the
same box, pointing to the same libssl and libcrypto library in the ldd
output. That doesn't make sense to me.




Lukas
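
The "Built with" / "Running on" comparison discussed in the message above, as an added example that is not part of the original thread or of HAProxy: a shell function that pairs the two lines for each library in `haproxy -vv` output and flags any difference. The function names and the output format are assumptions of this example; a library that prints only one of the two lines (PCRE in the 1.6.9 output) has no pair and is skipped.

```shell
# Added example. check_lib_versions reads `haproxy -vv` output on stdin and pairs
# "Built with <lib> version" with "Running on <lib> version"; returns 1 on mismatch.
check_lib_versions() {
    awk '
        function lib_of(line) {          # "OpenSSL" from "... OpenSSL version : ..."
            sub(/^(Built with|Running on) /, "", line)
            sub(/ version : .*$/, "", line)
            return line
        }
        function ver_of(line) {          # text after the first ": ", trimmed
            sub(/^[^:]*: /, "", line)
            sub(/[ \t\r]+$/, "", line)
            return line
        }
        /^Built with .* version : / { built[lib_of($0)]   = ver_of($0) }
        /^Running on .* version : / { running[lib_of($0)] = ver_of($0) }
        END {
            rc = 0
            for (lib in running) {
                if (!(lib in built)) continue      # no pair to compare
                if (built[lib] == running[lib]) {
                    printf "OK       %s: %s\n", lib, running[lib]
                } else {
                    printf "MISMATCH %s: built=[%s] running=[%s]\n", lib, built[lib], running[lib]
                    rc = 1
                }
            }
            exit rc
        }
    '
}
# Sample input: lines copied from the 1.6.9 and 1.6.8 outputs posted in this thread.
sample_169() {
    cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
Built with PCRE version : 7.8 2008-09-05
EOF
}
sample_168() {
    cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Built with PCRE version : 7.8 2008-09-05
EOF
}
# On a real host: haproxy -vv | check_lib_versions
sample_169 | check_lib_versions || echo "mismatch: compare 'ldd haproxy' paths next"
```

A mismatch means the binary resolves a different shared library at run time than the one whose headers it was compiled against, which is the condition the thread traces with ldd.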




Re: Haproxy 1.6.9 failed to compile regex

2016-09-07 Thread Vincent Bernat
 ❦ 7 September 2016 16:42 CEST, Veiko Kukk:

>> I tried to upgrade from 1.6.8 to 1.6.9, but found strange errors printed
>> by haproxy 1.6.9. Any ideas, why?
>
> Another strange issue is that 1.6.9 shows:
> Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
>
> System does have openssl 1.0.1e-48.el6_8.1 installed and nothing
> else. So how is it possible that it's using different version than
> system has?

It could be statically compiled. Check with ldd.
-- 
Too much is just enough.
-- Mark Twain, on whiskey



Re: Haproxy 1.6.9 failed to compile regex

2016-09-07 Thread Lukas Tribus


On 07.09.2016 at 16:42, Veiko Kukk wrote:
> On 07/09/16 14:37, Veiko Kukk wrote:
>> I tried to upgrade from 1.6.8 to 1.6.9, but found strange errors printed
>> by haproxy 1.6.9. Any ideas, why?
>
> Another strange issue is that 1.6.9 shows:
> Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
>
> System does have openssl 1.0.1e-48.el6_8.1 installed and nothing else.
> So how is it possible that it's using different version than system has?

Do you compile on the same box where the executable runs?

Looks like you have a mess with your system libraries.

Compare "ldd haproxy" (working and non-working executable). You will
probably see that it points to a different path (both pcre and openssl).




Lukas



Re: Haproxy 1.6.9 failed to compile regex

2016-09-07 Thread Veiko Kukk


On 07/09/16 14:37, Veiko Kukk wrote:
> I tried to upgrade from 1.6.8 to 1.6.9, but found strange errors printed
> by haproxy 1.6.9. Any ideas, why?


Another strange issue is that 1.6.9 shows:
Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010

System does have openssl 1.0.1e-48.el6_8.1 installed and nothing else. 
So how is it possible that it's using different version than system has?


On the other hand - 1.6.8 reports proper openssl version:
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013

Veiko





Haproxy 1.6.9 failed to compile regex

2016-09-07 Thread Veiko Kukk

Hi,

I tried to upgrade from 1.6.8 to 1.6.9, but found strange errors printed 
by haproxy 1.6.9. Any ideas, why?


[ALERT] 250/112901 (12026) : parsing [/etc/haproxy/haproxy.cfg:57] : 
'reqirep' : regular expression '^([^ :]*) /(.*)' : failed to compile 
regex '^([^ :]*) /(.*)' (error=unknown or incorrect option bit(s) set)


[ALERT] 250/112901 (12026) : parsing [/etc/haproxy/haproxy.cfg:205] : 
'reqidel' : regular expression '^If-Match:.*' : failed to compile regex 
'^If-Match:.*' (error=unknown or incorrect option bit(s) set)


[ALERT] 250/112901 (12026) : parsing [/etc/haproxy/haproxy.cfg:279] : 
'rspidel' : regular expression '^Content-Location' : failed to compile 
regex '^Content-Location' (error=unknown or incorrect option bit(s) set)



Downgrading to 1.6.8 solves this error.

# haproxy -vv
HA-Proxy version 1.6.9 2016/08/30
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement

  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

# haproxy -vv
HA-Proxy version 1.6.8 2016/08/14
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement

  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Veiko