Re: arm64 builds?

[Willy Tarreau]

Hi Ilya,

On Tue, Nov 05, 2019 at 07:20:43PM +0500,  ??? wrote:
> only arm64 are available.
> we can try arm using cross build, for example.

Then don't bother with this, it's likely then that they will not
have all the environment available. Maybe even their hardware does
not support arm32 at all. It was just a suggestion to try to optimize
the solution but even arm64 is already nice to have.

> is it common way to use cross build for building haproxy ?

Yes it is. Actually I don't think I've built it natively for a very
long time now, as even on my laptop I'm used to stick to the cross-
compilers which are distributed on the distcc build farm running on
the lab load generators :-)

In practice just pass "CC=/path/to/gcc" and let it do its job. It will
automatically use LD=$(CC) if you don't override it. You may have to
pass PCRE_INC/PCRE_LIB, SSL_INC/SSL_LIB, LUA_INC/LUA_LIB but that's
about all.

Just for reference here's the command line I'm using when building
(and a variant with -O0 which builds in 3.5 seconds). It may look
large because I force all debugging options but it's in a script so
I don't have to type it :-)

   PATH=/f/tc/x86_64-gcc47_glibc218-linux-gnu/bin:$PATH make -j 120 
TMPDIR=/dev/shm DISTCC_FALLBACK=0 DISTCC_SKIP_LOCAL_RETRY=0 
DISTCC_BACKOFF_PERIOD=0 DISTCC_PAUSE_TIME_MSEC=50 
DISTCC_HOSTS="--localslots_cpp=120 10.0.0.235/120,lzo" 
CC=/g/public/linux/master/x86_64-gcc47_glibc218-linux-gnu-gcc 
TARGET=linux-glibc DEP= USE_PCRE=1 PCREDIR= DEFINE="-DDEBUG_DONT_SHARE_POOLS 
-DDEBUG_MEMORY_POOLS -DDEBUG_UAF -DDEBUG_EXPR -DDEBUG_STRICT -DDEBUG_DEV" 
USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=1 LUA_LIB_NAME=lua EXTRA= USE_SLZ=1 
SLZ_INC=/g/public/slz/src SLZ_LIB=/g/public/slz USE_ZLIB= USE_DEVICEATLAS=1 
DEVICEATLAS_SRC=contrib/deviceatlas USE_51DEGREES=1 
51DEGREES_SRC=contrib/51d/src/trie USE_WURFL=1 WURFL_INC=contrib/wurfl 
WURFL_LIB=contrib/wurfl CPU_CFLAGS="-O2" "$@"

When testing with various local openssl branches I do have another variant
of this which uses the local, native pre-processor and linkers, and remote
compilers. It's a bit ugly since they're not on the same version but in
practice it works fine.

Cheers,
Willy

Re: stats http counter issue

[Willy Tarreau]

Hi Jean,

On Tue, Nov 05, 2019 at 04:33:00PM +0100, Jean Wasilewski wrote:
> Hi,
> 
> While using the stats socket with the official HAProxy exporter, I
> noticed that some metrics seem erronous. While querying for a specific
> frontend, the admin socket reported two differents metrics for the same
> frontend.
> 
> I made this small onliner two retrieve values (with here an example on
> 2XX calls on our frontend `console-online`):
> 
> ```
> $ while true; do echo "show stat" | socat - /run/haproxy/admin.sock |grep \
> -E '\#|FRONT' |grep -E '\#|console' |cut -d, -f41 |xargs -L2 echo; sleep \
> 1; done
> hrsp_2xx 2141807
> hrsp_2xx 136536
> hrsp_2xx 2141819
> hrsp_2xx 2141828
> hrsp_2xx 136536
> hrsp_2xx 2141841
> hrsp_2xx 2141846
> hrsp_2xx 136537
> hrsp_2xx 2141854
> hrsp_2xx 2141856
> hrsp_2xx 2141863
> hrsp_2xx 136537
> ```
> 
> Is this a bug or a misconfiguration?

It sounds like you're working in multi-process mode (nbproc > 1). If
so, this is the expected behavior since stats are per process. This
was one of the drivers for the porting to threads. If for any reason
you really want to stick to nbproc, then I'd recommend you to use one
stats socket per process (use the "process" directive on each line)
and to query both of them individually. But frankly this is painful as
it may return conflicting server states during some transitions because
the checks are per-process as well.

You can replace "nbproc 2" with "nbthread 2" in your config, watch for
warnings in case you'd already have a few explicit "process" entries,
or even remove nbproc and nbthread to let haproxy start one thread per
available core.

Hoping this helps,
Willy

Re: Product Info

[Willy Tarreau]

On Wed, Nov 06, 2019 at 05:32:26AM +1000, Rob Thomas wrote:
> "Prior to" means "before". So 2.0.6 is when it was fixed.

Yep, and by the way, you should use any newer 2.0.X release which will
contain many more important fixes than this one that is unlikely to
hit anyone outside of a lab purposely built to trigger it (since
"http-reuse always" is clearly documented as "must not use with known
non-compliant servers").

If unsure, it's always good to check for known fixes here:

 http://www.haproxy.org/bugs/bugs-2.0.html

Willy

Re: [PATCH] bugfix to make do-resolve to use DNS cache

[Jarno Huuskonen]

Hi,

On Tue, Nov 05, Baptiste wrote:
> David Birdsong reported a bug last week about http do-resolve action not
> using the DNS cache.
> The patch in attachment fixes this issue.
> There is no github issue associated to this bug.
> Backport status is up to 2.0.

Quick question: are the printf's there on purpose or leftover debug
outputs ?

-Jarno

@@ -73,6 +73,7 @@ int check_trk_action(struct act_rule *rule, struct proxy *px, 
char **err)
 int act_resolution_cb(struct dns_requester *requester, struct dns_nameserver 
*nameserver)
 {
struct stream *stream;
+printf("%s %d\n", __FUNCTION__, __LINE__);
 
if (requester->resolution == NULL)
return 0;
@@ -89,6 +90,7 @@ int act_resolution_cb(struct dns_requester *requester, struct 
dns_nameserver *na
 int act_resolution_error_cb(struct dns_requester *requester, int error_code)
 {
struct stream *stream;
+printf("%s %d\n", __FUNCTION__, __LINE__);
 
if (requester->resolution == NULL)
return 0;

-- 
Jarno Huuskonen

Re: [PATCH] bugfix to make do-resolve to use DNS cache

[Willy Tarreau]

Hi Baptiste,

thanks for the fix, but before taking it, are you really sure it's
the version you wanted to send ? There are a couple of debugging
printf() left so I could remove them by hand but maybe you intended
to send a different patch, thus I'd rather let you double-check.

thanks,
Willy

On Tue, Nov 05, 2019 at 10:04:30AM +0100, Baptiste wrote:
> diff --git a/src/action.c b/src/action.c
> index 7684202..36eedc8 100644
> --- a/src/action.c
> +++ b/src/action.c
> @@ -73,6 +73,7 @@ int check_trk_action(struct act_rule *rule, struct proxy 
> *px, char **err)
>  int act_resolution_cb(struct dns_requester *requester, struct dns_nameserver 
> *nameserver)
>  {
>   struct stream *stream;
> +printf("%s %d\n", __FUNCTION__, __LINE__);
>  
>   if (requester->resolution == NULL)
>   return 0;
> @@ -89,6 +90,7 @@ int act_resolution_cb(struct dns_requester *requester, 
> struct dns_nameserver *na
>  int act_resolution_error_cb(struct dns_requester *requester, int error_code)
>  {
>   struct stream *stream;
> +printf("%s %d\n", __FUNCTION__, __LINE__);
>  
>   if (requester->resolution == NULL)
>   return 0;
> diff --git a/src/dns.c b/src/dns.c
> index 15d40a1..d5bf449 100644
> --- a/src/dns.c
> +++ b/src/dns.c
> @@ -363,8 +363,9 @@ void dns_trigger_resolution(struct dns_requester *req)
>* valid */
>   exp = tick_add(res->last_resolution, resolvers->hold.valid);
>   if (resolvers->t && (res->status != RSLV_STATUS_VALID ||
> - !tick_isset(res->last_resolution) || tick_is_expired(exp, now_ms)))
> + !tick_isset(res->last_resolution) || tick_is_expired(exp, now_ms))) 
> {
>   task_wakeup(resolvers->t, TASK_WOKEN_OTHER);
> + }
>  }
>  
>  
> @@ -2150,8 +2151,13 @@ enum act_return dns_action_do_resolve(struct act_rule 
> *rule, struct proxy *px,
>   struct dns_resolution *resolution;
>   struct sample *smp;
>   char *fqdn;
> + struct dns_requester *req;
> + struct dns_resolvers  *resolvers;
> + struct dns_resolution *res;
> + int exp;
>  
>   /* we have a response to our DNS resolution */
> + use_cache:
>   if (s->dns_ctx.dns_requester && s->dns_ctx.dns_requester->resolution != 
> NULL) {
>   resolution = s->dns_ctx.dns_requester->resolution;
>   if (resolution->step == RSLV_STEP_RUNNING) {
> @@ -2211,6 +2217,22 @@ enum act_return dns_action_do_resolve(struct act_rule 
> *rule, struct proxy *px,
>  
>   s->dns_ctx.parent = rule;
>   dns_link_resolution(s, OBJ_TYPE_STREAM, 0);
> +
> + /* Check if there is a fresh enough response in the cache of our 
> associated resolution */
> + req = s->dns_ctx.dns_requester;
> + if (!req || !req->resolution) {
> + dns_trigger_resolution(s->dns_ctx.dns_requester);
> + return ACT_RET_YIELD;
> + }
> + res   = req->resolution;
> + resolvers = res->resolvers;
> +
> + exp = tick_add(res->last_resolution, resolvers->hold.valid);
> + if (resolvers->t && res->status == RSLV_STATUS_VALID && 
> tick_isset(res->last_resolution)
> +&& !tick_is_expired(exp, now_ms)) {
> + goto use_cache;
> + }
> +
>   dns_trigger_resolution(s->dns_ctx.dns_requester);
>   return ACT_RET_YIELD;
>  }
> -- 
> 2.7.4
> 

Re: Peers, logs and debugging.

[Willy Tarreau]

On Tue, Nov 05, 2019 at 11:30:01AM +0100, Frederic Lecaille wrote:
> I have missed the case where the listener of the "peers" section is declared
> after "log" lines. In such case ->peers_fe is NULL when entering the "log"
> line parser.
> 
> So, this last patch is better.

Thanks Fred, now merged :-)
Willy

Re: [PATCH] doc: fix date and http_date keywords syntax

[Willy Tarreau]

merged, thanks Cyril.
Willy

[PATCH] doc: fix date and http_date keywords syntax

[Cyril Bonté]

---
 doc/configuration.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d8fe6b650..0bb7313cd 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13245,7 +13245,7 @@ hex2i
   Converts a hex string containing two hex digits per input byte to an
   integer. If the input value cannot be converted, then zero is returned.
 
-http_date([])
+http_date([])
   Converts an integer supposed to contain a date since epoch to a string
   representing this date in a format suitable for use in HTTP header fields. If
   an offset value is specified, then it is added to the date before the
@@ -14066,7 +14066,7 @@ cpu_ns_tot : integer
   high cpu_calls count, for example when processing many HTTP chunks, and for
   this reason it is often preferred to log cpu_ns_avg instead.
 
-date([, ]) : integer
+date([],[]) : integer
   Returns the current date as the epoch (number of seconds since 01/01/1970).
 
   If an offset value is specified, then it is added to the current date before
-- 
2.24.0

Re: Product Info

[Rob Thomas]

"Prior to" means "before". So 2.0.6 is when it was fixed.


On Tue, 5 Nov 2019 at 18:53, 
wrote:

> Hi Team,
>
>
>
> My name is Anurag and I am with Wells Fargo division of Application
> Products Centre of Excellence (APCoE).
>
> My duties include researching and Identifying product vendor patches and
> releases for products for a subset of 3rd party vendor products.
>
> This is part of regular exercise(quarterly) to identify latest patches of
> the 3rd party vendor products.
>
>
>
> I need your assistance to regarding your product HAProxy, as per the NVD
> data and CVE-2019-18277- it says A flaw was found in HAProxy before
> 2.0.6. So request you to please confirm which is the latest release
> available which is fixing this vulnerability.
>
>
>
>
>
> Regards,
>
> Anurag
>
>

Re: [PATCH] bugfix to make do-resolve to use DNS cache

[David Birdsong]

Thanks!

On Tue, Nov 5, 2019, 1:04 AM Baptiste  wrote:

> Hi there,
>
> David Birdsong reported a bug last week about http do-resolve action not
> using the DNS cache.
> The patch in attachment fixes this issue.
> There is no github issue associated to this bug.
> Backport status is up to 2.0.
>
> Baptiste
>

stats http counter issue

[Jean Wasilewski]

Hi,

While using the stats socket with the official HAProxy exporter, I
noticed that some metrics seem erronous. While querying for a specific
frontend, the admin socket reported two differents metrics for the same
frontend.

I made this small onliner two retrieve values (with here an example on
2XX calls on our frontend `console-online`):

```
$ while true; do echo "show stat" | socat - /run/haproxy/admin.sock |grep \
-E '\#|FRONT' |grep -E '\#|console' |cut -d, -f41 |xargs -L2 echo; sleep \
1; done
hrsp_2xx 2141807
hrsp_2xx 136536
hrsp_2xx 2141819
hrsp_2xx 2141828
hrsp_2xx 136536
hrsp_2xx 2141841
hrsp_2xx 2141846
hrsp_2xx 136537
hrsp_2xx 2141854
hrsp_2xx 2141856
hrsp_2xx 2141863
hrsp_2xx 136537
```

Is this a bug or a misconfiguration?

I am running the latest stable version of HAProxy (2.0.8-1ppa1~xenial).

Thank you in advance,

Jean Wasilewski


signature.asc
Description: PGP signature

Re: arm64 builds?

[Илья Шипицин]

пн, 4 нояб. 2019 г. в 17:49, Willy Tarreau :

> Hi Ilya,
>
> On Mon, Nov 04, 2019 at 12:18:49AM +0500,  ??? wrote:
> > hello,
> >
> > should we switch some builds to arm64?
> >
> > https://blog.travis-ci.com/2019-10-07-multi-cpu-architecture-support
>
> Ah that's interesting! I frequently build for arm/arm64 but I agree
> it would be nice to have this done more frequently. The two main points
> I'm seeing are :
>   - unsigned chars, which occasionally trigger a warning somewhere
>   - non-x86 build, which can occasionally trigger a build error if
> we accidently rely on an arch-specific function
>
> In fact I would even suggest that we build for arm instead of arm64 so
> that we switch to 32 bits at the same time and have an opportunity to
> detect long vs int vs uint64t vs pointer vs size_t issues (typically
> places where printf uses "%lu" without a cast for uint64_t).
>


only arm64 are available.
we can try arm using cross build, for example. is it common way to use
cross build for building haproxy ?


>
> Thanks,
> Willy
>

Re: Peers, logs and debugging.

[Yves Lafon]

> On 5 Nov 2019, at 11:30, Frederic Lecaille  wrote:
> 
> On 11/5/19 11:06 AM, Frederic Lecaille wrote:
>> On 11/4/19 1:52 PM, Willy Tarreau wrote:
>>> Hi Yves,
>>> 
>>> On Mon, Nov 04, 2019 at 10:47:23AM +0100, Yves Lafon wrote:
 Hi,
 Trying to debug why some replications are stuck between peers, I was
 wondering if it was possible to have low-level logging of connections or at
 least TCP states in the peers section to figure out what is happening.
 There are some information using 'show peers', but it will lack some
 information (like if there was multiple reconnect attempts in a row).
>>> 
>>> Now that our peers sections are full-featured proxies, I think it should
>>> not be hard to implement the "log" directive there at least to enable
>>> logging of incoming connections. It's probably as simple as just setting
>>> the log_wait field to non-zero. And I agree that peers remain one of the
>>> least verbose area of the code, yet are responsible for some long head
>>> scratching :-/
>>> 
>>> Willy
>>> 
>> Hi,
>> Here is a patch to support "log" directive in "peers" section.
>> I hope this will help.
>> Fred.
> 
> I have missed the case where the listener of the "peers" section is declared 
> after "log" lines. In such case ->peers_fe is NULL when entering the "log" 
> line parser.
> 
> So, this last patch is better.
> 
> Fred.
> <0001-MINOR-peers-Add-log-directive-to-peers-section.patch>

Thanks, I’ll try this.

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

~~Yves

Re: Peers, logs and debugging.

[Frederic Lecaille]

On 11/5/19 11:06 AM, Frederic Lecaille wrote:

On 11/4/19 1:52 PM, Willy Tarreau wrote:

Hi Yves,

On Mon, Nov 04, 2019 at 10:47:23AM +0100, Yves Lafon wrote:

Hi,
Trying to debug why some replications are stuck between peers, I was
wondering if it was possible to have low-level logging of connections 
or at

least TCP states in the peers section to figure out what is happening.
There are some information using 'show peers', but it will lack some
information (like if there was multiple reconnect attempts in a row).


Now that our peers sections are full-featured proxies, I think it should
not be hard to implement the "log" directive there at least to enable
logging of incoming connections. It's probably as simple as just setting
the log_wait field to non-zero. And I agree that peers remain one of the
least verbose area of the code, yet are responsible for some long head
scratching :-/

Willy



Hi,

Here is a patch to support "log" directive in "peers" section.
I hope this will help.

Fred.


I have missed the case where the listener of the "peers" section is 
declared after "log" lines. In such case ->peers_fe is NULL when 
entering the "log" line parser.


So, this last patch is better.

Fred.
>From 408094ce430f762c7c8a56c0e11d011e9a372705 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 5 Nov 2019 09:57:45 +0100
Subject: [PATCH] MINOR: peers: Add "log" directive to "peers" section.

This patch is easy to review: let's call parse_logsrv() function to parse
"log" directive as this is already for other sections for proxies.
This enable us to log incoming TCP connections for the listeners for "peers"
sections.

Update the documentation for "peers" section.
---
 doc/configuration.txt |  6 ++
 src/cfgparse.c| 11 +++
 2 files changed, 17 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d8fe6b650..233255c07 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2138,6 +2138,12 @@ default-server [param*]
 enable
   This re-enables a disabled peers section which was previously disabled.
 
+log  [len ] [format ] [sample :]
+ [ []]
+  "peers" sections support the same "log" keyword as for the proxies to
+  log information about the "peers" listener. See "log" option for proxies for
+  more details.
+
 peer  : [param*]
   Defines a peer inside a peers section.
   If  is set to the local peer name (by default hostname, or forced
diff --git a/src/cfgparse.c b/src/cfgparse.c
index eaad6c2cd..2e200e885 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -714,6 +714,17 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
 		}
 		err_code |= parse_server(file, linenum, args, curpeers->peers_fe, NULL, 0);
 	}
+	else if (strcmp(args[0], "log") == 0) {
+		if (init_peers_frontend(file, linenum, NULL, curpeers) != 0) {
+			err_code |= ERR_ALERT | ERR_ABORT;
+			goto out;
+		}
+		if (!parse_logsrv(args, >peers_fe->logsrvs, (kwm == KWM_NO), )) {
+			ha_alert("parsing [%s:%d] : %s : %s\n", file, linenum, args[0], errmsg);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+	}
 	else if (strcmp(args[0], "peers") == 0) { /* new peers section */
 		/* Initialize these static variables when entering a new "peers" section*/
 		bind_line = peer_line = 0;
-- 
2.20.1

Re: Peers, logs and debugging.

[Frederic Lecaille]

On 11/4/19 1:52 PM, Willy Tarreau wrote:

Hi Yves,

On Mon, Nov 04, 2019 at 10:47:23AM +0100, Yves Lafon wrote:

Hi,
Trying to debug why some replications are stuck between peers, I was
wondering if it was possible to have low-level logging of connections or at
least TCP states in the peers section to figure out what is happening.
There are some information using 'show peers', but it will lack some
information (like if there was multiple reconnect attempts in a row).


Now that our peers sections are full-featured proxies, I think it should
not be hard to implement the "log" directive there at least to enable
logging of incoming connections. It's probably as simple as just setting
the log_wait field to non-zero. And I agree that peers remain one of the
least verbose area of the code, yet are responsible for some long head
scratching :-/

Willy



Hi,

Here is a patch to support "log" directive in "peers" section.
I hope this will help.

Fred.
>From b0c0c7c4981e83f5a748233ddbaba4d0025a4f71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= 
Date: Tue, 5 Nov 2019 09:57:45 +0100
Subject: [PATCH] MINOR: peers: Add "log" directive to "peers" section.

This patch is easy to review: let's call parse_logsrv() function to parse
"log" directive as this is already for other sections for proxies.
This enable us to log incoming TCP connections for the listeners for "peers"
sections.

Update the documentation for "peers" section.
---
 doc/configuration.txt | 6 ++
 src/cfgparse.c| 7 +++
 2 files changed, 13 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d8fe6b650..233255c07 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2138,6 +2138,12 @@ default-server [param*]
 enable
   This re-enables a disabled peers section which was previously disabled.
 
+log  [len ] [format ] [sample :]
+ [ []]
+  "peers" sections support the same "log" keyword as for the proxies to
+  log information about the "peers" listener. See "log" option for proxies for
+  more details.
+
 peer  : [param*]
   Defines a peer inside a peers section.
   If  is set to the local peer name (by default hostname, or forced
diff --git a/src/cfgparse.c b/src/cfgparse.c
index eaad6c2cd..5e6bf2c7e 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -714,6 +714,13 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
 		}
 		err_code |= parse_server(file, linenum, args, curpeers->peers_fe, NULL, 0);
 	}
+	else if (strcmp(args[0], "log") == 0) {
+		if (!parse_logsrv(args, >peers_fe->logsrvs, (kwm == KWM_NO), )) {
+			ha_alert("parsing [%s:%d] : %s : %s\n", file, linenum, args[0], errmsg);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+	}
 	else if (strcmp(args[0], "peers") == 0) { /* new peers section */
 		/* Initialize these static variables when entering a new "peers" section*/
 		bind_line = peer_line = 0;
-- 
2.20.1

[PATCH] bugfix to make do-resolve to use DNS cache

[Baptiste]

Hi there,

David Birdsong reported a bug last week about http do-resolve action not
using the DNS cache.
The patch in attachment fixes this issue.
There is no github issue associated to this bug.
Backport status is up to 2.0.

Baptiste
From 74e1328ef08de6740c30b5b5989d1413bb904742 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann 
Date: Wed, 30 Oct 2019 16:06:53 +0100
Subject: [PATCH] BUG/MINOR: action: do-resolve now use cached response

As reported by David Birdsong on the ML, the HTTP action do-resolve does
not use the DNS cache.
Actually, the action is "registred" to the resolution for said name to
be resolved and wait until an other requester triggers the it. Once the
resolution is finished, then the action is updated with the result.
To trigger this, you must have a server with runtime DNS resolution
enabled and run a do-resolve action with the same fqdn AND they use the
same resolvers section.

This patch fixes this behavior by ensuring the resolution associated to
the action has a valid answer which is not considered as expired. If
those conditions are valid, then we can use it (it's the "cache").

Backport status: 2.0
---
 src/action.c |  2 ++
 src/dns.c| 24 +++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/action.c b/src/action.c
index 7684202..36eedc8 100644
--- a/src/action.c
+++ b/src/action.c
@@ -73,6 +73,7 @@ int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
 int act_resolution_cb(struct dns_requester *requester, struct dns_nameserver *nameserver)
 {
 	struct stream *stream;
+printf("%s %d\n", __FUNCTION__, __LINE__);
 
 	if (requester->resolution == NULL)
 		return 0;
@@ -89,6 +90,7 @@ int act_resolution_cb(struct dns_requester *requester, struct dns_nameserver *na
 int act_resolution_error_cb(struct dns_requester *requester, int error_code)
 {
 	struct stream *stream;
+printf("%s %d\n", __FUNCTION__, __LINE__);
 
 	if (requester->resolution == NULL)
 		return 0;
diff --git a/src/dns.c b/src/dns.c
index 15d40a1..d5bf449 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -363,8 +363,9 @@ void dns_trigger_resolution(struct dns_requester *req)
 	 * valid */
 	exp = tick_add(res->last_resolution, resolvers->hold.valid);
 	if (resolvers->t && (res->status != RSLV_STATUS_VALID ||
-	!tick_isset(res->last_resolution) || tick_is_expired(exp, now_ms)))
+	!tick_isset(res->last_resolution) || tick_is_expired(exp, now_ms))) {
 		task_wakeup(resolvers->t, TASK_WOKEN_OTHER);
+	}
 }
 
 
@@ -2150,8 +2151,13 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
 	struct dns_resolution *resolution;
 	struct sample *smp;
 	char *fqdn;
+	struct dns_requester *req;
+	struct dns_resolvers  *resolvers;
+	struct dns_resolution *res;
+	int exp;
 
 	/* we have a response to our DNS resolution */
+ use_cache:
 	if (s->dns_ctx.dns_requester && s->dns_ctx.dns_requester->resolution != NULL) {
 		resolution = s->dns_ctx.dns_requester->resolution;
 		if (resolution->step == RSLV_STEP_RUNNING) {
@@ -2211,6 +2217,22 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
 
 	s->dns_ctx.parent = rule;
 	dns_link_resolution(s, OBJ_TYPE_STREAM, 0);
+
+	/* Check if there is a fresh enough response in the cache of our associated resolution */
+	req = s->dns_ctx.dns_requester;
+	if (!req || !req->resolution) {
+		dns_trigger_resolution(s->dns_ctx.dns_requester);
+		return ACT_RET_YIELD;
+	}
+	res   = req->resolution;
+	resolvers = res->resolvers;
+
+	exp = tick_add(res->last_resolution, resolvers->hold.valid);
+	if (resolvers->t && res->status == RSLV_STATUS_VALID && tick_isset(res->last_resolution)
+		   && !tick_is_expired(exp, now_ms)) {
+		goto use_cache;
+	}
+
 	dns_trigger_resolution(s->dns_ctx.dns_requester);
 	return ACT_RET_YIELD;
 }
-- 
2.7.4

Product Info

[APCoEProductNotifications]

Hi Team,



My name is Anurag and I am with Wells Fargo division of Application Products 
Centre of Excellence (APCoE).

My duties include researching and Identifying product vendor patches and 
releases for products for a subset of 3rd party vendor products.

This is part of regular exercise(quarterly) to identify latest patches of the 
3rd party vendor products.



I need your assistance to regarding your product HAProxy, as per the NVD data 
and CVE-2019-18277- it says A flaw was found in HAProxy before 2.0.6. So 
request you to please confirm which is the latest release available which is 
fixing this vulnerability.



[cid:image001.png@01D593E4.5AF415B0]


Regards,
Anurag