RE: [PR/FEATURE] support for virtual hosts / Host header per server

2019-07-31 Thread Morotti, Romain D
Hello,

Didn't get any reply here. Is anybody reviewing this mailing list?

One user reviewed the pull request and noticed missing braces around an if 
section. https://github.com/haproxy/haproxy/pull/167
Patch committed: 
https://github.com/haproxy/haproxy/compare/master...morotti:master

Regards.

From: Morotti, Romain D
Sent: 17 July 2019 12:08
To: 'haproxy@formilux.org' 
Subject: [PR/FEATURE] support for virtual hosts / Host header per server

Hello,

We've been using haproxy for load balancing internal services for a while.
We've been trying to use it recently for load balancing to kubernetes and 
similar hosting platforms and it is currently not possible.

The Host header has to be set appropriately in HTTP requests, in HTTP 
healthchecks AND in TLS SNI for requests to be accepted/routed properly.
But HAProxy doesn't have the capability to set the Host per server.

This is a long standing issue. It's simply never been supported.
For some limited use cases with a single host, this can be hacked around with a 
careful combination of "http-request add-header", "httpchk", "http-send-name" 
and "sni" settings.
https://serverfault.com/questions/770737/making-haproxy-pass-a-host-name-in-httpcheck
https://serverfault.com/questions/594669/haproxy-health-checking-multiple-servers-with-different-host-names


The attached patch adds full support for this, using a vhost setting per server.
It will be set in HTTP requests forwarded to the server, in HTTP healthchecks 
(if using http healthchecks) and in TLS SNI (if using TLS).

Configuration looks like this:

+server srv-host 10.10.0.1:8080 vhost myapp.naeast-1a.example.com check
+server srv-host 10.20.0.1:8080 vhost myapp.nawest-2b.example.com check
+server srv-host 10.30.0.1:8080 vhost myapp.emea-1b.example.com check backup
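
Review bot: all three example lines reuse the server name `srv-host`; give each line its own name (for example srv-naeast, srv-nawest, srv-emea) so logs and stats can tell the servers apart. None of the lines carries the `ssl` keyword, so the example does not show the TLS SNI case the message describes; the documentation should also state how `vhost` interacts with an explicit `sni` setting on the same server line and whether certificate name checking (`verifyhost`) follows it.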


Regards.





haproxy -v doesn't show commit used when building from 2.0 repository?

2019-07-31 Thread PiBa-NL

Hi List,

I have built haproxy 2.0.3-0ff395c from sources; however, after running a 
'haproxy -v' it shows up as: 'HA-Proxy version 2.0.3 2019/07/23 - 
https://haproxy.org/'. This isn't really correct imho as it's a version 
based on code committed on date 7/30. And I kinda expected the commit-id 
to be part of the version shown?


Did I do something wrong? I thought the commit should automatically 
become part of the version. Though it's very well possible I've broken the 
local FreeBSD makefile I'm using. When building from master repository 
it seems to work fine though. If it's caused by the contents of the 
repository, can it be changed? I find it really useful to see which 
commit a certain compiled haproxy binary was based upon. Thanks in 
advance :).


Regards,
PiBa-NL (Pieter)




[PATCH] BUG/MAJOR: http/sample: use a static buffer for raw -> htx conversion

2019-07-31 Thread Richard Russo
I've attached a patch to fix a bug in http sampling on raw connections. This 
fixes crashes experienced with a frontend configuration similar to:

frontend haproxy_v4_http_0
  mode tcp
  bind ipv4@:80
  default_backend chat
  tcp-request inspect-delay 60s
  tcp-request content reject unless { req_len gt 0 }
  acl example_com req.hdr(host) -m str example.com
  acl example_org req.hdr(host) -m str example.org
  acl example_net req.hdr(host) -m str example.net
  acl chat path -m str /chat
  acl post method -m str POST
  use_backend chat if chat post # explicitly send chunked transfer encoded chat to chatd
  use_backend cdn if example_com
  use_backend cdn if example_org
  use_backend cdn if example_net

If the host header in inbound requests is not example.com, the check for 
example.org will use the wrong trash buffer, and sometimes results in crashes. 
I wasn't able to get a clear crash reproduction, but the call to 
htx_get_next_blk() in src/http_htx.c:http_find_header would be called with blk 
way out of range, and the loop will walk memory until it happens to find an 
exit condition, or it reads unmapped memory and segfaults. Most often, it seems 
the wrong trash buffer still has the old htx buffer, so it usually doesn't 
crash.

I found the blk pointer was out of range in my core dumps, and added logging in 
htx_get_next when pos > htx->tail; from there it was pretty easy to figure out 
what happened.

I solved this by using a thread local static buffer for the raw buffer to htx 
conversion, but there's probably other ways to fix it.

This should be backported to 2.0, and possibly 1.9 if htx processing is used 
for mode tcp with http header processing in 1.9, which I'm not sure about.

-- 
  Richard Russo
  to...@enslaves.us

0001-BUG-MAJOR-http-sample-use-a-static-buffer-for-raw-ht.patch
Description: Binary data


Re: haproxy -v doesn't show commit used when building from 2.0 repository?

2019-07-31 Thread Willy Tarreau
Hi Pieter,

On Wed, Jul 31, 2019 at 10:56:54PM +0200, PiBa-NL wrote:
> Hi List,
> 
> I have built haproxy 2.0.3-0ff395c from sources; however, after running a
> 'haproxy -v' it shows up as: 'HA-Proxy version 2.0.3 2019/07/23 -
> https://haproxy.org/'. This isn't really correct imho as it's a version based
> on code committed on date 7/30. And I kinda expected the commit-id to be
> part of the version shown?

I know what's happening, I always forget to do it with each new major
release. We're using Git attributes to automatically patch files
"SUBVERS" and "VERDATE" when creating the archive :

$ cat info/attributes 
SUBVERS export-subst
VERDATE export-subst

And this is something I forget to re-create with each new repository,
I've fixed it now. It will be OK with new snapshots starting tomorrow.

Thanks!
Willy



Re: [PATCH] BUG/MAJOR: http/sample: use a static buffer for raw -> htx conversion

2019-07-31 Thread Willy Tarreau
Hi Richard,

On Wed, Jul 31, 2019 at 02:03:26PM -0700, Richard Russo wrote:
> I've attached a patch to fix a bug in http sampling on raw connections. This
> fixes crashes experienced with a frontend configuration similar to:
> 
> frontend haproxy_v4_http_0
>   mode tcp
>   bind ipv4@:80
>   default_backend chat
>   tcp-request inspect-delay 60s
>   tcp-request content reject unless { req_len gt 0 }
>   acl example_com req.hdr(host) -m str example.com
>   acl example_org req.hdr(host) -m str example.org
>   acl example_net req.hdr(host) -m str example.net
>   acl chat path -m str /chat
>   acl post method -m str POST
>   use_backend chat if chat post # explicitly send chunked transfer encoded chat to chatd
>   use_backend cdn if example_com
>   use_backend cdn if example_org
>   use_backend cdn if example_net
> 
> If the host header in inbound requests is not example.com, the check for
> example.org will use the wrong trash buffer, and sometimes results in
> crashes. I wasn't able to get a clear crash reproduction, but the call to
> htx_get_next_blk() in src/http_htx.c:http_find_header would be called with
> blk way out of range, and the loop will walk memory until it happens to find
> an exit condition, or it reads unmapped memory and segfaults. Most often, it
> seems the wrong trash buffer still has the old htx buffer, so it usually
> doesn't crash.
> 
> I found the blk pointer was out of range in my core dumps, and added logging
> in htx_get_next when pos > htx->tail; from there it was pretty easy to figure
> out what happened.
> 
> I solved this by using a thread local static buffer for the raw buffer to htx
> conversion, but there's probably other ways to fix it.

I think your patch is right. I'll let Christopher check it and merge it,
but indeed there's a problem here since buffers allocated using
get_trash_chunk() are just for local use and should never be passed
across functions since they will be reassigned.

Good catch, thank you!
Willy
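
The buffer lifetime problem discussed in this thread, as an added C example that is not HAProxy code and not part of the original messages: it models the trash chunks as a two-slot rotating pool (an assumption) and shows a scratch pointer returned to a caller being overwritten by later calls, next to a dedicated thread-local buffer that is not. All function names (`get_trash_model`, `evaluate_rule`, `convert_shared`, `convert_dedicated`, `survives`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define TRASH_SLOTS 2
#define TRASH_SIZE  64

/* Simplified model (assumption): shared scratch buffers handed out in rotation. */
static char trash[TRASH_SLOTS][TRASH_SIZE];
static unsigned trash_next;

static char *get_trash_model(void) { return trash[trash_next++ % TRASH_SLOTS]; }

/* Stand-in for any helper that needs scratch space while a rule is evaluated. */
static void evaluate_rule(const char *pattern)
{
    char *tmp = get_trash_model();
    snprintf(tmp, TRASH_SIZE, "scratch:%s", pattern);
}

/* Before: the converted request lives in a shared slot and escapes the function. */
static const char *convert_shared(const char *raw)
{
    char *out = get_trash_model();
    snprintf(out, TRASH_SIZE, "htx:%s", raw);
    return out;
}

/* After: the converted request lives in a buffer nothing else hands out. */
static const char *convert_dedicated(const char *raw)
{
    static _Thread_local char own[TRASH_SIZE];
    snprintf(own, TRASH_SIZE, "htx:%s", raw);
    return own;
}

/* Returns 1 if the converted request is still intact after two more rules ran. */
static int survives(const char *(*convert)(const char *))
{
    const char *req = convert("Host: example.org"); /* constructed sample input */
    evaluate_rule("example.com");
    evaluate_rule("example.org"); /* the rotation wraps onto the shared slot here */
    return strcmp(req, "htx:Host: example.org") == 0;
}

int main(void)
{
    printf("shared: %d dedicated: %d\n", survives(convert_shared), survives(convert_dedicated));
    return 0;
}
```

In the model the stale pointer still points at valid memory, so the failure is silent data corruption; in the report above the stale contents were then interpreted as block offsets, which is what turned it into an out-of-range walk.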



Re: [PR/FEATURE] support for virtual hosts / Host header per server

2019-07-31 Thread Willy Tarreau
Hello Romain,

On Wed, Jul 31, 2019 at 04:02:04PM +, Morotti, Romain D wrote:
> Hello,
> 
> Didn't get any reply here. Is anybody reviewing this mailing list?

Sorry about this but I simply think that most developers are busy
chasing complex bugs and since it's the holiday period it's more
difficult to find time to review patches.

Regards,
Willy