Re: HAProxy and SNI

2012-03-30 Thread Baptiste 
Forget about it, I found it in the git:

this is a brilliant news :)

req_ssl_sni string
  Returns true when data in the request buffer looks like a complete SSL (v3
  or superior) client hello message with a Server Name Indication TLS extension
  (SNI) matching string. SNI normally contains the name of the host the
  client tries to connect to (for recent browsers). SNI is useful for allowing
  or denying access to certain hosts when SSL/TLS is used by the client. This
  test was designed to be used with TCP request content inspection. If content
  switching is needed, it is recommended to first wait for a complete client
  hello (type 1), like in the example below.

  Examples :
 # Wait for a client hello for at most 5 seconds
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 use_backend bk_allow if { req_ssl_sni -f allowed_sites }
 default_backend bk_sorry_page



On Thu, Mar 29, 2012 at 7:48 PM, Baptiste bed...@gmail.com wrote:
 Hey Willy,

 I read sooner in January you mentioned that HAProxy is now able to
 handle SNI, but I can't find anywhere in the documentation how I can
 do it.
 (and ebr spoke about it in the office as well).
 Can you point me to the right section in the documentation please?

 Cheers

Re: Copying a Header before Modifying it

2012-03-30 Thread William Lewis 





Baptiste wrote:

  On Thu, Mar 29, 2012 at 11:42 PM, William Lewis m...@wlewis.co.uk wrote:
  
  
Hi Cyril,


Cyril Bont wrote:

Hi William,

Le 29/03/2012 14:30, William Lewis a crit :

Hi,

So I use Haproxy to rewrite some URL requests infront of my java
webservers, but I also want my java webservers to be able to issue
redirects relative to the url that hit haproxy.

Specifically I want the developers that have access to application
platform but not the haproxy to be able to enforce a resource is only
accessible over https without me having to write a rule in the haproxy
config. In this case they just need to be able to get the original
request and send back a 403 redirect with https:// on the front, of
course they don't see the original url so this is a problem.

I tried solving it with this rule

reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\
]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3

run before any of the rewrite rules

e.g.
reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2

This results in a request to the webserver which looks like

GET /tomcatcontext/ HTTP/1.1
X-Original-Request: /
Host: example.com
Connection: keep-alive
...

This all works great until you then try and do some acl matching in the
haproxy, because an acl like

acl example-com hdr_end(host) -i example.com

will no longer match.


It should (tested quicky here), can you provide us the version of haproxy
you're using ? I remember there was a bug in old 1.4 versions concerning
headers manipulation.


I was using 1.4.19 but have just updated to 1.4.20 and still having the same
problem, complete example config below

global
 daemon
 quiet
 maxconn 1024
 pidfile /home/haproxyblue/haproxy.pid
 uid 20003
 gid 20003
 chroot /home/haproxyblue
 log 127.0.0.1 local0
 log 127.0.0.1 local1 notice

defaults
 log global
 option httplog
 balance roundrobin
 mode http
 retries 3
 option redispatch
 timeout connect 30
 timeout client 30
 timeout server 30

frontend http-in
 bind *:80


 reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\
]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3

 acl test hdr_end(host) -i example.com

 reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2 if test

 use_backend echo if test

backend echo
 mode http

 option http-server-close
 option forwardfor
 server echo1 127.0.0.1:





  
  
Hi,

You hould enable http-server-close on the frontend side as well.
Or better, put it in the defaults.

cheers
  


I've added http-server-close to the defaults and the acl still doesn't
match when I write the X-Original-Request header.

Re: Copying a Header before Modifying it

2012-03-30 Thread Cyril Bonté 

Hi all,

Le 30/03/2012 12:27, William Lewis a écrit :

Baptiste wrote:

 (...)

You hould enable http-server-close on the frontend side as well.
Or better, put it in the defaults.

cheers



I've added http-server-close to the defaults and the acl still doesn't
match when I write the X-Original-Request header.


Actually, there's a comment in the code which talks about this issue :
/* FIXME: if the user adds a newline in the replacement, the
 * index will not be recalculated for now, and the new line
 * will not be counted as a new header.
 */

As a side effect, headers indexes do not point to the right position.
This means that acls do not match anymore, which is what you observe.

It appears several times in the code, the one that concerns this issue 
in the function apply_filter_to_req_line() in src/proto_http.c


--
Cyril Bonté

Re: haproxy 1.5dev7 server check failed with IPv6

2012-03-30 Thread Brane F. Gračnar 
On 03/29/2012 10:20 PM, Sander Klein wrote:

 Are you sure it's not an config error on the webserver side? I've been 
 running dev7 for quite some time and do a lot of IPv6 checks. Never had 
 any problems with it.

Same here.

Best regards, Brane

Re: Copying a Header before Modifying it

2012-03-30 Thread Cyril Bonté 

Hi again,

Le 30/03/2012 13:24, Cyril Bonté a écrit :

Hi all,

Le 30/03/2012 12:27, William Lewis a écrit :

Baptiste wrote:

  (...)

You hould enable http-server-close on the frontend side as well.
Or better, put it in the defaults.

cheers



I've added http-server-close to the defaults and the acl still doesn't
match when I write the X-Original-Request header.


Actually, there's a comment in the code which talks about this issue :
/* FIXME: if the user adds a newline in the replacement, the
* index will not be recalculated for now, and the new line
* will not be counted as a new header.
*/

As a side effect, headers indexes do not point to the right position.
This means that acls do not match anymore, which is what you observe.

It appears several times in the code, the one that concerns this issue
in the function apply_filter_to_req_line() in src/proto_http.c


Please find in attachment a quick and *dirty* fix to realign the headers 
indexes for your case (based on haproxy 1.4.20).

Maybe this can help you.

--
Cyril Bonté
--- ./haproxy-1.4.20/src/proto_http.c	2012-03-10 21:06:21.0 +0100
+++ ./haproxy-1.4.20-newline/src/proto_http.c	2012-03-30 15:14:31.127457646 +0200
@@ -5849,12 +5849,20 @@
 
 			http_msg_move_end(txn-req, delta);
 			cur_end += delta;
-			cur_end = (char *)http_parse_reqline(txn-req, req-data,
-			 HTTP_MSG_RQMETH,
-			 cur_ptr, cur_end + 1,
-			 NULL, NULL);
-			if (unlikely(!cur_end))
-return -1;
+			/* Quick and dirty hack to realign headers indexes if the user adds a newline
+			 * in the replacement.
+			 */
+			{
+char *cur_end2 = (char *)http_parse_reqline(txn-req, req-data,
+	 HTTP_MSG_RQMETH,
+	 cur_ptr, cur_end + 1,
+	 NULL, NULL);
+if (unlikely(!cur_end2))
+	return -1;
+if (cur_end - cur_end2  0) {
+	txn-req.sl.rq.l += cur_end - cur_end2;
+}
+			}
 
 			/* we have a full request and we know that we have either a CR
 			 * or an LF at ptr.

Surge 2012 CFP is Open!

2012-03-30 Thread Katherine Jeschke 
Surge 2012, the scalability conference, September 27-28, Baltimore, MD
has opened its CFP. Please visit http://omniti.com/surge/2012/cfp for
details.

-- 
Katherine Jeschke
Director of Marketing and Creative Services
OmniTI Computer Consulting, Inc.
7070 Samuel Morse Drive, Ste.150
Columbia, MD 21046
O: 443-325-1357, 222
F: 410/872-4911
C: 443/643-6140
omniti.com
Surge2012: http://omniti.com/surge/2012
PG Corridor Days - DC: http://pgday.bwpug.org/

The information contained in this electronic message and any attached
documents is privileged, confidential, and protected from disclosure.
If you are not the intended recipient, note that any review,
disclosure, copying, distribution, or use of the contents of this
electronic message or any attached documents is prohibited. If you
have received this communication in error, please destroy it and
notify us immediately by telephone (1-443-325-1360) or by electronic
mail (i...@omniti.com). Thank you.

Can we perform rsp_add for specified hosts?

2012-03-30 Thread fred hu 
Hi, All

I need insert Set-Cookie response header for specified request(host)

I start with creating following two lines of configuration

acl rsptest hdr_beg(host) -i www.google.com
rspadd Set-Cookie:\ GOOGLEID=123456 if rsptest

But all i got is following warning:

acl 'rsptest' involves some volatile request-only criteria which will be
ignored.

So, do we support rsp_add for specified hosts and how?

-- 
*Fred Hu*
*Best Regards*

Re: Can we perform rsp_add for specified hosts?

2012-03-30 Thread Baptiste 
Hi,

You're trying to insert a RESPONSE header if a REQUEST header exists.
It may not work, either never match or always match.
I mean that your acl has an undetermined state when called.
You should match something from the response to be sure it works.

regards


On Sat, Mar 31, 2012 at 5:51 AM, fred hu frederick...@gmail.com wrote:
 Hi, All

 I need insert Set-Cookie response header for specified request(host)

 I start with creating following two lines of configuration

 acl rsptest hdr_beg(host) -i www.google.com
 rspadd Set-Cookie:\ GOOGLEID=123456 if rsptest

 But all i got is following warning:

 acl 'rsptest' involves some volatile request-only criteria which will be
 ignored.

 So, do we support rsp_add for specified hosts and how?

 --
 Fred Hu
 Best Regards