Re: dsr and haproxy

2022-11-06 Thread Willy Tarreau 
On Fri, Nov 04, 2022 at 05:33:40PM +0100, Lukas Tribus wrote:
> On Fri, 4 Nov 2022 at 16:50, Szabo, Istvan (Agoda)
>  wrote:
> >
> > Yeah, that's why I'm curious anybody ever made it work somehow?
> 
> Perhaps I should have been clearer.
> 
> It's not supported because it's not possible.
> 
> Haproxy the OSS uses the socket API, haproxy cannot forward IP packets
> arbitrarily, which is required for DRS.

And in fact it goes beyond the API. The first and foremost reason is
that if you want to intercept TCP and work on contents, you have to
accept an incoming connection first. For this you need do respond to
a SYN with a SYN-ACK that holds a locally-chosen sequence number.
Then assuming the connection is validated and you're going to pass
it to a server, while you could imagine replicating the SYN sequence
number from the client, the server will chose its own sequence number
for the SYN-ACK, which will not match the one you chosed previously,
and as such if you send the server's response directly to the client,
this last one will never understand this traffic because it's shifted
by the difference between the two sequence numbers.

Some large hosting platforms had worked around this in the late 90s
and early 2000s by prepending a header to TCP segments sent to the
server, containing all the front connection's parameters (a bit like
the proxy protocol), and the servers' TCP stack was heavily modified
to use the parameters presented in this header to create the connection,
including ports, sequence numbers, options etc that the server had to
use. For obvious reasons such servers ought never be exposed to the
net or it would have been trivial to DoS them or even to hijack their
connections! I remember that others had proposed TCP extensions to
tell a peer to skip a range of sequence numbers to make this possible
(i.e. "I'm sending you a 1.3 GB hole then the data comes") as a way to
splice a server connection to an already accepted one. But similarly
this totally disappeared because it was hackish and totally insecure.

> This is a hard no, not a "we do not support this configuration because
> nobody ever tried it and we can't guarantee it will work".

Definitely ;-)

Cheers,
Willy

Re: [PATCH]: BUILD: insecure-setuid-wanted support on FreeBSD

2022-11-06 Thread Willy Tarreau 
Hi David,

On Fri, Nov 04, 2022 at 07:34:46PM +, David CARLIER wrote:
> Hi,
> 
> here a little patch to port the insecure-setuid-wanted directive on FreeBSD.

Thanks. I'm having a few comments below.

> From be693024d7e49173f7ff37566232238fc5ea1887 Mon Sep 17 00:00:00 2001
> From: David CARLIER 
> Date: Fri, 4 Nov 2022 19:24:03 +
> Subject: [PATCH] BUILD: insecure-setuid-wanted support on FreeBSD.
> 
> using the procctl api to ignore the suid/sgid bits to be ignored.
> ---
>  src/haproxy.c | 11 +--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/src/haproxy.c b/src/haproxy.c
> index 806497062..94b9bde4e 100644
> --- a/src/haproxy.c
> +++ b/src/haproxy.c
> @@ -3003,7 +3003,7 @@ static void *run_thread_poll_loop(void *data)
>   pthread_mutex_unlock(_mutex);
>  #endif
>  
> -#if defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)
> +#if (defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)) || 
> (defined(PROC_NO_NEW_PRIVS_CTL) && defined(USE_PROCCTL))

At this point this should move to compat.h, to do something like this
for example:

  #if (defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)) || \  /* linux */
  (defined(PROC_NO_NEW_PRIVS_CTL) && defined(USE_PROCCTL))   /* freebsd 
*/
  #define HAVE_NO_NEW_PRIVS
  #endif

Then here you'd just use:

  #ifdef HAVE_NO_NEW_PRIVS

>   /* Let's refrain from using setuid executables. This way the impact of
>* an eventual vulnerability in a library remains limited. It may
>* impact external checks but who cares about them anyway ? In the
> @@ -3014,7 +3014,14 @@ static void *run_thread_poll_loop(void *data)
>*/
>   if (!(global.tune.options & GTUNE_INSECURE_SETUID) && !master) {
>   static int warn_fail;
> - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 && 
> !_HA_ATOMIC_FETCH_ADD(_fail, 1)) {
> +#if defined(USE_PRCTL)
> + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1
> +#else
> + int refrain_setuid = PROC_NO_NEW_PRIVS_ENABLE;
> + /* we can save one syscall once freebsd 14 becomes the minimum 
> version, removing getpid */
> + if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, 
> _setuid) == -1
> +#endif
> + && !_HA_ATOMIC_FETCH_ADD(_fail, 1)) {

And the part above is not nice, it breaks an "if" expression making it
much harder to follow, which is particularly problematic in code aimed
at improving security. I wouldn't be surprised if it would even break
auto-indent or parens matching on some editors.

Better put that in a separate function such as ha_no_new_privs() which
calls the suitable syscall and arguments depending on which approach is
desired. It could be left in this file I guess, even though for the long
term I think we'll finally create an "src/sys.c" file to support system
specific abstraction but we'd rather do that later.

Thanks,
Willy

Re: [PATCH] CI: switch to LibreSSL-3.6.1, enable QUIC

2022-11-06 Thread Willy Tarreau 
On Sat, Nov 05, 2022 at 10:12:00AM +0500,  ??? wrote:
> gentle ping

Sorry Ilya, quite busy at the moment, now applied.

Thanks!
Willy

Re: [PATCH] fix spelling "choosen" --> "chosen"

2022-11-06 Thread Willy Tarreau 
On Wed, Nov 02, 2022 at 10:43:49AM +0100, William Lallemand wrote:
> > > - if (!tp->choosen)
> > > + if (!tp->chosen)
> > >   return;
> > >  
> > > - chunk_appendf(b, "\n\tversion_information:(choosen=0x%08x", 
> > > tp->choosen);
> > > + chunk_appendf(b, "\n\tversion_information:(chosen=0x%08x", tp->coosen);
>  
> 
> I don't think it will even compile this way. 

I confirm it doesn't. I was about to fix it myself but I'd firt like
to get a confirmation that it's OK to change this.

Willy