Re: TLS-PSK support for haproxy?

2017-01-08 Thread Nenad Merdanovic
Hello,

On 1/5/2017 4:47 PM, Emeric Brun wrote:
> On 01/05/2017 04:22 AM, Nenad Merdanovic wrote:
>> I have a working patch for this, but it's very ugly currently (minimal
>> error checking, no warnings/messages, no docs, very basic tests done
>> only, etc.)
>>
>> I expect to have a version for review by EOW (depending on the workload,
>> maybe a bit sooner).
>>
>> Regards,
>> Nenad
> 
> Great news Nenad!

I haven't really had as much time as I wanted for this, but I am
attaching a patch that I think is good enough for review as I don't
expect design decisions to change.

There are some minor things I want to improve (rename things like
'psk_key'), add some ifdefs for OPENSSL_NO_PSK and write the
documentation of course. Depending on the client/server side:
- On the bind line, there is a psk-file keyword that loads a series of
PSKs and any can be used
- On the server line, there is a psk keyword, that takes the same format
as the file (:) and is used for the backend connection.

I'll send a full Git patch if this looks OK within the next few days.

Regards,
Nenad
diff --git a/include/types/listener.h b/include/types/listener.h
index 03f4a72b..4dc5a05b 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -134,6 +134,7 @@ struct bind_conf {
int strict_sni;/* refuse negotiation if sni doesn't match a 
certificate */
struct eb_root sni_ctx;/* sni_ctx tree of all known certs 
full-names sorted by name */
struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards 
sorted by name */
+   struct eb_root psk;/* PSK tree, keyed by identity */
struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
 
char *ca_sign_file;/* CAFile used to generate and sign server 
certificates */
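Review bot: the new `struct eb_root psk` member is never shown being initialised to `EB_ROOT` where a `bind_conf` is allocated, yet `ebmb_first()` is called on it unconditionally later in this series, so an uninitialised root would be walked; please add the initialisation alongside the other tree roots, and keep this field under the `OPENSSL_NO_PSK` guard you plan to add so builds without PSK support do not carry a dead member.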
diff --git a/include/types/server.h b/include/types/server.h
index 5092eb7d..f0cf8bd4 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -261,6 +261,8 @@ struct server {
char *ca_file;  /* CAfile to use on verify */
char *crl_file; /* CRLfile to use on verify */
char *client_crt;   /* client certificate to send */
+   char *psk_identity; /* PSK identity */
+   char *psk_key;  /* PSK key */
struct sample_expr *sni;/* sample expression for SNI */
} ssl_ctx;
 #endif
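Review bot: `char *psk_key` stores the pre-shared key as a NUL-terminated string, so a key containing a 0x00 byte cannot be represented and the callback has to recover the length with `strlen()`; store it as `unsigned char *psk_key` with a separate `size_t psk_key_len` (decoded from hex when the `psk` server keyword is parsed) so arbitrary binary keys work, and add both fields to the server-line documentation when you write it.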
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index e71ba793..6a24a2ec 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -25,6 +25,12 @@
 #include 
 #include 
 
+struct psk_pair {
+   char *key;
+   char *identity;
+   struct ebmb_node node;
+};
+
 struct sni_ctx {
SSL_CTX *ctx; /* context associated to the certificate */
int order;/* load order for the certificate */
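Review bot: `struct psk_pair` has the same string-typed `key` problem (no length, no binary keys), and its `identity` pointer duplicates the identity already stored in `node.key`, which is what `ebst_lookup()` compares against; consider `unsigned char *key; size_t key_len;` with a comment per member, and drop `identity` unless something outside this patch reads it. `node` must remain the last member because `struct ebmb_node` ends in a flexible `key[]` array, so a comment saying so would guard against a future reorder.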
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index acf1c39c..717ad323 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -531,6 +531,29 @@ end:
return ret;
 }
 
+static int ssl_srv_psk_cb(SSL *ssl, char *identity, unsigned char *psk, 
unsigned int max_psk_len)
+{
+   struct connection *conn;
+   struct ebmb_node *node;
+   struct psk_pair *pp;
+
+   conn = SSL_get_app_data(ssl);
+
+   node = ebst_lookup(_listener(conn->target)->bind_conf->psk, 
identity);
+
+   if (!node)
+   return 0;
+
+   pp = ebmb_entry(node, struct psk_pair, node);
+
+   if(strlen(pp->key) > max_psk_len)
+   return 0;
+
+   memcpy(psk, pp->key, strlen(pp->key));
+
+   return(strlen(pp->key));
+}
+
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], 
unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
 {
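Review bot: the callback prototype does not match what `SSL_CTX_set_psk_server_callback()` expects, namely `unsigned int cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len)`: the return type should be `unsigned int` and `identity` should be `const char *`, otherwise the registration later in this series relies on an incompatible-pointer conversion. Also evaluate `strlen(pp->key)` once into a local instead of three times, and check that `SSL_get_app_data()` returned a connection with a listener target before dereferencing `conn->target`. Returning 0 when the identity is unknown or the key does not fit is the right choice, since it aborts the handshake rather than leaking a partial key.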
@@ -2827,6 +2850,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, 
SSL_CTX *ctx)
}
 #endif
 
+   if(ebmb_first(_conf->psk))
+   SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);
+
if (global_ssl.life_time)
SSL_CTX_set_timeout(ctx, global_ssl.life_time);
 
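Review bot: `ebmb_first()` on `bind_conf->psk` is only safe if the tree was set to `EB_ROOT` when the `bind_conf` was created, which this patch does not show; also, installing the callback is not sufficient on its own because PSK suites are only negotiated when the bind line's cipher list allows them, so a config-time warning when `psk-file` is set but no PSK cipher is selectable would save users from a silent handshake failure. This block should sit under `#ifndef OPENSSL_NO_PSK` as well.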
@@ -2988,6 +3014,30 @@ static int ssl_sock_srv_hostcheck(const char *pattern, 
const char *hostname)
return 1;
 }
 
+static int ssl_sock_client_psk_cb(SSL *ssl, const char *hint, char *identity, 
unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
+{
+   struct connection *conn;
+   struct server *srv;
+   int ret;
+
+   (void) hint;
+
+   conn = SSL_get_app_data(ssl);
+   srv = objt_server(conn->target);
+
+   if(strlen(srv->ssl_ctx.psk_identity) + 1 > max_identity_len)
+   return 0;
+
+   strncpy(identity, srv->ssl_ctx.psk_identity, max_identity_len);
+
+   if(strlen(srv->ssl_ctx.psk_key) > max_psk_len)
+   return 0;
+
+   memcpy(psk, srv->ssl_ctx.psk_key, 
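Review bot: as on the server side, the return type should be `unsigned int` to match `SSL_CTX_set_psk_client_callback()`; `objt_server(conn->target)` can return NULL and `srv->ssl_ctx.psk_identity` / `psk_key` are only set when the server line carries `psk`, so check both before the `strlen()` calls; `ret` is declared but unused in the visible lines; and the `strncpy(identity, ..., max_identity_len)` after the `+ 1` length check is correct but would read more clearly as a `memcpy` of `strlen() + 1` bytes. The hunk is cut off after the `memcpy(psk, ...` line in this mail, so the rest could not be reviewed.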

HTTP redirects while still allowing keep-alive

2017-01-08 Thread Ciprian Dorin Craciun
Quick question: how can I configure HAProxy to redirect (via
`http-request redirect ...`) without HAProxy sending the `Connection:
close` header, thus still allowing keep-alive on this connection?

My use-case is the following: I have a stubborn server that insists
on pointing to the "wrong" resource URLs, thus on a page load I get
a storm of redirects, each with a different connection (due to the
`Connection: close` reply header).

I tried to skim the documentation and search the internet (and the
mailing list archives), but no such topic popped up, thus I have the
feeling this is quite impossible as of now...

Thanks,
Ciprian.



Re: haproxy with support http/2 - Remote IP

2017-01-08 Thread Aleksandar Lazic

Hi Pavel

On 08-01-2017 14:00, Pavel Urbánek wrote:

> Hello,
>
> Do you have an Apache configuration for supporting http/2 with haproxy?

[snipp]

> But I don't know how to set up Apache to accept mod proxy.


Maybe this can help.

https://github.com/roadrunner2/mod-proxy-protocol

Best regards
Aleks


Best regards

PAVEL URBÁNEK,

-

This message has been checked for viruses by Avast Antivirus.
www.avast.com

[PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

2017-01-08 Thread Emmanuel Hocdet


0001-BUG-MINOR-ssl-assert-on-SSL_set_shutdown-with-Boring.patch




haproxy with support http/2 - Remote IP

2017-01-08 Thread Pavel Urbánek
Hello,

Do you have an Apache configuration for supporting http/2 with haproxy?

If I use:

backend nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 172.17.0.3:443 check
server web02 172.17.0.4:443 check

in Apache the IP is from the proxy server, not the client IP.

I know that this is the solution:

backend https-servers
mode tcp
balance roundrobin
server srv1 10.0.0.11:443 send-proxy
server srv2 10.0.0.12:443 send-proxy

But I don't know how to set up Apache to accept mod proxy.

Best regards

Pavel Urbánek,


Re: [PATCH 0/2] MEDIUM: stats: Add JSON output option to show (info|stat)

2017-01-08 Thread Simon Horman
Hi Willy,

On Sun, Jan 08, 2017 at 07:37:24AM +0100, Willy Tarreau wrote:
> Hi Simon,
> 
> On Wed, Jan 04, 2017 at 09:37:24AM +0100, Simon Horman wrote:
> > Hi,
> > 
> > this short series is an RFC implementation of adding JSON format
> > output to show (info|stat). It also adds a new show schema json
> > stats command to allow retrieval of the schema which describes
> > the JSON output of show (info|stat).
> (...)
> 
> Thanks for this. I'm seeing in stats_emit_json_field_tags() that
> you have to emit the names of the various types, scopes, etc...
> I think this is the reason why you mention in patch 1 that it needs
> to be updated if the structure evolves. Probably that we should put
> these fields in an array declared just next to the enums. This way
> the declaration will be a bit more centralized.
> 
> > Some areas for possible discussion:
> > * Use of STAT_STARTED in first patch
> > * Possible automatic generation of (part) of schema in 2nd patch
> > * Improved documentation
> 
> For now I don't see anything there which needs further discussion, and
> nobody commented on your patches either, possibly indicating you're on
> the right track. If you want I can merge this series, it will be easier
> for you to update it later using incremental patches.
> 
> > Some discussion of the size of JSON output is included as an appendix
> > to the changelog of the first patch.
> 
> I'd prefer to integrate this with your commit message because it's quite 
> useful as-is.
> 
> Just let me know if you want the series to get merged or if you prefer
> to respin it.

I'd prefer if you merged the series as-is
and I then provided incremental updates.

-- 
Simon Horman  si...@horms.nl
Horms Solutions BV  www.horms.nl
Parnassusweg 819, 1082 LZ Amsterdam, Netherlands
Tel: +31 (0)20 800 6155Skype: horms7