Re: [PATCH] MINOR: Add srv_queue converter

2019-08-26 Thread Willy Tarreau
Hi Nenad,

On Tue, Aug 27, 2019 at 01:58:13AM +0200, Nenad Merdanovic wrote:
> The converter can be useful to look up a server queue from a dynamic value.

Thanks, applied. This made me think that it could be useful to have a few
other ones like srv_is_up and srv_conn. Also, your use case consisting in
looking up a server name from a cookie made me think that we could refactor
the cookie lookup code so that it's usable from a sample fetch. This way
we could have something like srv_from_cookie([]) doing all the
work and returning a backend/server name that can be looked up directly
from a frontend so that it's still possible to decide to route the request
to a different backend depending on what is found there. Just an idea.

Cheers,
Willy



[PATCH] MINOR: Add srv_queue converter

2019-08-26 Thread Nenad Merdanovic
The converter can be useful to look up a server queue from a dynamic value.

Signed-off-by: Nenad Merdanovic 
---
 doc/configuration.txt |  7 +++
 src/backend.c | 35 ++-
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4e18f0f6..20c39c77 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13622,6 +13622,13 @@ sha2([])
   Please note that this converter is only available when haproxy has been
   compiled with USE_OPENSSL.
 
+srv_queue
+  Takes an input value of type string, either a server name or 
/
+  format and returns the number of queued sessions on that server. Can be used
+  in places where we want to look up queued sessions from a dynamic name, like 
a
+  cookie value (e.g. req.cook(SRVID),srv_queue) and then make a decision to 
break
+  persistence or direct a request elsewhere.
+
 strcmp()
   Compares the contents of  with the input value of type string. Returns
   the result as a signed integer compatible with strcmp(3): 0 if both strings
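Review bot: the srv_queue entry does not say what the converter yields when the name does not resolve, yet the example it gives, req.cook(SRVID),srv_queue, feeds it a client-supplied value. Per the src/backend.c hunk, it returns 0 (no sample) for an unknown backend, for an unknown server, and for a bare server name evaluated in a proxy that lacks PR_CAP_BE. The text should state this, along with the fact that a bare server name is resolved against the current proxy, so that rules built on the converter have defined behaviour for arbitrary cookie contents.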
diff --git a/src/backend.c b/src/backend.c
index 917b612b..1b01536c 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -2286,6 +2286,38 @@ static int sample_conv_nbsrv(const struct arg *args, 
struct sample *smp, void *p
return 1;
 }
 
+static int
+sample_conv_srv_queue(const struct arg *args, struct sample *smp, void 
*private)
+{
+   struct proxy *px;
+   struct server *srv;
+   char *bksep;
+
+   if (!smp_make_safe(smp))
+   return 0;
+
+   bksep = strchr(smp->data.u.str.area, '/');
+
+   if (bksep) {
+   *bksep = '\0';
+   px = proxy_find_by_name(smp->data.u.str.area, PR_CAP_BE, 0);
+   if (!px)
+   return 0;
+   smp->data.u.str.area = bksep + 1;
+   } else {
+   if (!(smp->px->cap & PR_CAP_BE))
+   return 0;
+   px = smp->px;
+   }
+
+   srv = server_find_by_name(px, smp->data.u.str.area);
+   if (!srv)
+   return 0;
+
+   smp->data.type = SMP_T_SINT;
+   smp->data.u.sint = srv->nbpend;
+   return 1;
+}
 
 /* Note: must not be declared  as its list will be overwritten.
  * Please take care of keeping this list alphabetically sorted.
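Review bot: sample_conv_srv_queue() edits the input sample in place and leaves it half-modified on its failure paths. `*bksep = '\0'` is written before proxy_find_by_name() can fail, and `smp->data.u.str.area = bksep + 1` moves the buffer pointer without adjusting the string length, after which the `!srv` path returns 0. Holding the server name in a local pointer and leaving smp->data.u.str untouched until the final SMP_T_SINT assignment would avoid handing back a string sample whose pointer and length no longer agree. The function also lacks a comment describing the two accepted input forms and its return convention.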
@@ -2313,7 +2345,8 @@ INITCALL1(STG_REGISTER, sample_register_fetches, 
_kws);
 
 /* Note: must not be declared  as its list will be overwritten */
 static struct sample_conv_kw_list sample_conv_kws = {ILH, {
-   { "nbsrv", sample_conv_nbsrv, 0, NULL, SMP_T_STR, SMP_T_SINT },
+   { "nbsrv", sample_conv_nbsrv, 0, NULL, SMP_T_STR, SMP_T_SINT },
+   { "srv_queue", sample_conv_srv_queue, 0, NULL, SMP_T_STR, SMP_T_SINT },
{ /* END */ },
 }};
 
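Review bot: the nbsrv entry is removed and re-added with no visible change other than whitespace, which adds blame noise to a line this patch does not otherwise alter. Either leave it untouched or mention the realignment in the commit message. The new srv_queue entry itself (0 arguments, NULL checker, SMP_T_STR in, SMP_T_SINT out) is consistent with the documented usage.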
-- 
2.19.1
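
The use described in the documentation hunk (look up the queue of the server named in a cookie, then break persistence) could be configured as follows. This is an added example, not part of the patch or of the HAProxy documentation; the proxy and server names, addresses, the SRVID cookie layout and the threshold of 10 are all assumptions.

```haproxy
# Constructed example: fe_main, be_app, s1, s2, the addresses and the
# threshold are assumptions, not taken from the patch.
frontend fe_main
    mode http
    bind :8080
    default_backend be_app

backend be_app
    mode http
    balance roundrobin

    # Cookie values are set equal to the server names, because srv_queue
    # looks the server up by name, not by cookie value.
    cookie SRVID insert indirect nocache

    # The cookie is client-supplied. A name that does not resolve to a
    # server of this backend yields no sample, so the ACL is false and
    # normal cookie handling applies.
    acl persisted_srv_busy req.cook(SRVID),srv_queue gt 10

    # Drop persistence for this request when the pinned server is queuing.
    ignore-persist if persisted_srv_busy

    # maxconn is what makes requests queue on a server in the first place.
    server s1 192.0.2.11:80 cookie s1 maxconn 50
    server s2 192.0.2.12:80 cookie s2 maxconn 50
```

Because the input also accepts the backend/server form, a cookie can name a server in another backend; keep the ACL's effect limited to a routing hint, as here, rather than exposing the returned value.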




Re: [RFC] setting the backend SNI from the client's authority TLV, when the target address was forwarded

2019-08-26 Thread Geoff Simmons
On 8/26/19 18:03, Emmanuel Hocdet wrote:
> 
> Great to see TLS onloader continue.

Working on it ...

> About the TLS onloader configuration. If I understand the principle of
> servers set to 0.0.0.0 and stick table:
> The server configuration will look like:
>    server s0 0.0.0.0:0 ssl sni fc_pp_authority
>    […]

Yes, I'm currently testing a new patch, and the config looks very much
like that.

Real-world use cases may want to implement the fallback logic that we
were talking about earlier in the thread, since fc_pp_authority may or
may not have been present in the PROXY header. "Set SNI to
fc_pp_authority if it was sent, otherwise set it to ssl_fc_sni".


Best,
Geoff
-- 
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de





Re: [RFC] setting the backend SNI from the client's authority TLV, when the target address was forwarded

2019-08-26 Thread Emmanuel Hocdet



Hi Geoff, Willy

Great to see TLS onloader continue.

> On 22 August 2019 at 16:33, Geoff Simmons wrote:
> 
> On 8/22/19 14:40, Willy Tarreau wrote:
>> 
>>> I would suggest naming it something like fc_authority or
>>> fc_pp_authority, to be specific about where it came from.
> 
> Since you used fc_pp_authority in an example further down, I'll take
> that as the choice (unless somebody yells). Seems better to me, since
> just "authority" could refer to a number of things.
> 

fc_pp_authority seems ok.
(fc_)authority could refer to ssl_fc_sni for an SSL connection or the Host header for
an HTTP connection.


About the TLS onloader configuration. If I understand the principle of servers
set to 0.0.0.0 and stick table:
The server configuration will look like:
   server s0 0.0.0.0:0 ssl sni fc_pp_authority
   […]
For the stick part, to correctly reuse the TLS connection, destination IP + authority
should be used.

Regards
Manu