Re: Balance Roundrobin vs Balance Source

2013-04-27 Thread James Bensley
On 18 April 2013 21:13,  hapr...@serverphorums.com wrote:
   balance roundrobin
   cookie SERVERID insert indirect nocache
   server server01 xxx.xxx.xxx.:8081 check cookie s1
   server server02 xxx.xxx..xxx:8081 check cookie s2

Presumably you want this to be balance source though anyway. If you
have a client which doesn't accept cookies, they will be balanced in a
round robin style for every request they make, so balance source
gives a kind of stickiness for clients that don't allow/support
cookies?

Cheers,
James.



Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-27 Thread PiBa-NL

Hi Willy,

It seems the changes were easier than I expected, assuming I've done it 
'correctly'...

I generated 2 patch files:
-FreeBSD IP_BINDANY git diff.patch generated with a git diff (against 
a hopefully relatively recent source tree) (I couldn't get it to fetch 
http://git.1wt.eu/git/haproxy.git ..)
-FreeBSD IP_BINDANY diff -urN.patch generated with diff -urN (against 
the 'port source')


I hope one of them can be used by you.
Please take a look and comment if something is amiss.

Greetings
PiBa-NL

Op 26-4-2013 23:40, PiBa-NL schreef:

Hi Willy,

I'll give it a try and send the patch as an attachment, though I'm not 
100% comfortable with the code. I think I can do it.

Will take me a few days though..

Thanks so far.

Op 26-4-2013 23:12, Willy Tarreau schreef:

On Fri, Apr 26, 2013 at 11:03:00PM +0200, PiBa-NL wrote:

Hi Willy / Lukas,

It seems to me OpenBSD doesn't support the IP_BINDANY flag..:
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/netinet/in.h


It seems it has, but differently:

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-07/msg00399.html


While FreeBSD does:
http://svnweb.freebsd.org/base/head/sys/netinet/in.h?view=markup

But then again neither of them supports SOL_IP, so I would expect
compilation to simply 'fail' when trying to compile with the
USE_LINUX_TPROXY option.

Which is exactly the reason I don't want to remap these things which
are linux-specific, and instead use the proper call depending on the
available flags. Eg something like this :

 int one = 1;  /* option value passed to setsockopt() */

#if defined(SOL_IP) && defined(IP_TRANSPARENT)
 /* linux */
 ret = setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));
#elif defined(IPPROTO_IP) && defined(IP_BINDANY)
 /* freebsd (IPPROTO_IP is the level name the headers define) */
 ret = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one));
#elif defined(SOL_SOCKET) && defined(SO_BINDANY)
 /* openbsd */
 ret = setsockopt(fd, SOL_SOCKET, SO_BINDANY, &one, sizeof(one));
#else
 /* unsupported platform */
 ret = -1;
#endif


The combination I think is unlikely to cause problems for other
currently working builds/systems..

If you want I can probably come up with a combination that makes it 
work for FreeBSD with a special USE_FREEBSD_TPROXY make option.

No, really I think something like above is much better for the long
term. It's more work to adapt existing code first but will pay in the
long term, even in the short term if it allows us to support OpenBSD
at the same time.


Or go for the 'full automatic inclusion' depending on available flags,
which I think is even 'nicer', but probably needs more testing to
confirm proper working..
I would be willing to make these changes. Is this the way to go?

As you like, if you feel comfortable with changing the way the current
code works (the linux-specific one), feel free to try, otherwise I can
do it over the week-end, and then a second patch derived from yours will
bring in support for FreeBSD then OpenBSD if someone here is able to
test it.


Thanks for reviewing my proposed changes so far.

You're welcome :-)

Willy





diff -urN workoriginal/haproxy-1.5-dev18/include/common/compat.h 
work/haproxy-1.5-dev18/include/common/compat.h
--- workoriginal/haproxy-1.5-dev18/include/common/compat.h  2013-04-26 
19:36:15.0 +
+++ work/haproxy-1.5-dev18/include/common/compat.h  2013-04-27 
14:56:27.0 +
@@ -93,6 +93,15 @@
 #endif /* !IPV6_TRANSPARENT */
 #endif /* CONFIG_HAP_LINUX_TPROXY */

+#if (defined(SOL_IP)defined(IP_TRANSPARENT)) \
+ || (defined(SOL_IPV6)  defined(IPV6_TRANSPARENT)) \
+ || (defined(SOL_IP)defined(IP_FREEBIND)) \
+ || (defined(IPPROTO_IP)defined(IP_BINDANY)) \
+ || (defined(IPPROTO_IPV6)  defined(IPV6_BINDANY)) \
+ || (defined(SOL_SOCKET)defined(SO_BINDANY))
+  #define HAP_TRANSPARENT
+#endif
+
 /* We'll try to enable SO_REUSEPORT on Linux 2.4 and 2.6 if not defined.
  * There are two families of values depending on the architecture. Those
  * are at least valid on Linux 2.4 and 2.6, reason why we'll rely on the
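Review bot: the `&&` operators are missing from every `defined()` pair in the new block (`(defined(SOL_IP)defined(IP_TRANSPARENT))` and the five lines that follow it); if that is not just the mail archive dropping them, the preprocessor will reject the `#if`. Beyond that, `HAP_TRANSPARENT` is set from whatever the system headers happen to provide, with no build-option gate like the `CONFIG_HAP_LINUX_TPROXY` guard just above it, and it includes `IP_FREEBIND`, which only allows binding a non-local address and is not a transparent-proxy option by itself; please document that the automatic detection is intended, and note that a header defining only one of the IPv4/IPv6 flags still sets the macro, so code placed under it must not assume the other flag exists.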
diff -urN workoriginal/haproxy-1.5-dev18/include/types/connection.h 
work/haproxy-1.5-dev18/include/types/connection.h
--- workoriginal/haproxy-1.5-dev18/include/types/connection.h   2013-04-26 
19:36:15.0 +
+++ work/haproxy-1.5-dev18/include/types/connection.h   2013-04-27 
14:56:30.0 +
@@ -219,7 +219,7 @@
char *iface_name;/* bind interface name or NULL */
struct port_range *sport_range;  /* optional per-server TCP source 
ports */
struct sockaddr_storage source_addr; /* the address to which we want to 
bind for connect() */
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_LINUX_TPROXY)
+#if defined(CONFIG_HAP_CTTPROXY) || defined(HAP_TRANSPARENT)
struct sockaddr_storage tproxy_addr; /* non-local address we want to 
bind to for connect() */
char *bind_hdr_name; /* bind to 
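Review bot: `tproxy_addr` and `bind_hdr_name` now exist under `defined(CONFIG_HAP_CTTPROXY) || defined(HAP_TRANSPARENT)` instead of `CONFIG_HAP_LINUX_TPROXY`, so every other `#if` that refers to these members must switch to the same condition in the same patch; otherwise a build where `CONFIG_HAP_LINUX_TPROXY` is set but the new macro is not (or the reverse) will fail to compile. The hunk as shown is cut off after `char *bind_hdr_name; /* bind to`, so the rest of the struct cannot be checked for consistency here.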

Re: CRL verification problem

2013-04-27 Thread Godbach

 Hi, all
 
 I have tested CRL verification for master of the haproxy git repository
 under such conditions:
 * two CAs (CA1 & CA2) used to do verification
 * CRL file specified, but containing only the CRL issued by CA1
 
 When I send a request with a certificate issued by CA2, the verification
 fails with the reason 'Unknown CA'; certificates issued by CA1
 are verified successfully. Then I append the CRL issued by CA2 to the CRL
 file, so there are two CRLs in the CRL file now. Client certificates issued by
 CA1 or CA2 can then be verified OK.
 
 It means that if more than one CA is used and CRL verification is enabled,
 the CRL issued by each CA should be put into the single CRL file; otherwise
 client certificates issued by a CA which does not supply a CRL may fail
 to be verified.
 
 Since haproxy calls the SSL library to do CRL verification with the
 following code:
  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 I guess that it may be the behaviour of the SSL library, but I found nothing
 related to this problem.
 
 Any help will be much appreciated.
 
 Best Regards,
 Godbach
 

The main configuration for the frontend is as below:

frontend fe
bind ip:443 ssl crt 1.cer verify required ca-file ca-root-both.cer
crl-file ca-root-crl-both.cer

There are two CAs in file ca-root-both.cer in PEM format, and two CRLs
in ca-root-crl-both.cer in PEM format.

If only one CRL, issued by one of the two CAs, is in the crl-file, the cert issued
by the other CA will fail to verify.

Anyone who had this problem?

Best Regards,
Godbach



Haproxy crash while initializing compression

2013-04-27 Thread Godbach
Hi, all

Haproxy of latest snapshot will crash while initializing compression
under such configuration:

global
...
tune.zlib.memlevel 6
tune.zlib.windowsize 8
frontend
...
compression algo gzip deflate
...

The coredump information is as below:

Core was generated by `./haproxy -f h.cfg -d'.
Program terminated with signal 11, Segmentation fault.
#0  0x00360e4066d3 in deflateReset () from /lib64/libz.so.1
Missing separate debuginfos, use: debuginfo-install
glibc-2.12-1.47.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64 libcom_err-1.41.12-12.el6.x86_64
libselinux-2.0.94-5.3.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64
openssl-1.0.0-25.el6_3.1.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00360e4066d3 in deflateReset () from /lib64/libz.so.1
#1  0x00360e406aa4 in deflateInit_ () from /lib64/libz.so.1
#2  0x00460d63 in deflate_init (comp_ctx=0x7fffe3b7b728,
level=9) at src/compression.c:524
#3  0x0041c8d8 in cfg_parse_listen (file=0x7fffe3b7d35d h.cfg,
linenum=27, args=0x7fffe3b7bfd0, kwm=value optimized out)
at src/cfgparse.c:5560
#4  0x0041f418 in readcfgfile (file=0x7fffe3b7d35d h.cfg) at
src/cfgparse.c:5987
#5  0x00405736 in init (argc=value optimized out, argv=value
optimized out) at src/haproxy.c:646
#6  0x00406c49 in main (argc=value optimized out,
argv=0x7fffe3b7c4b8) at src/haproxy.c:1287
(gdb) quit


Line 27 of the configuration file is the compression algo config:
   compression algo gzip deflate

There will be no crash if I use the following configuration:
   compression algo deflate gzip
The only difference is the order of gzip and deflate.

There will be no crash either if I set tune.zlib.windowsize to its default
value 15 while keeping the algo order 'gzip deflate'.

Zlib version is zlib-1.2.3.

Best Regards,
Godbach