Re: customize format of haproxy X-ForwardedFor ssl_c_s_dn during SSL termination

2020-01-08 Thread Willy Tarreau
Hi Elliot & Chris,

On Sun, Jan 05, 2020 at 09:09:18PM +, Elliot Otchet wrote:
>  Hi,
> An updated patch is attached for the implementation that adds documentation
> to the doc/configuration.txt and fixes an issue identified during testing.
> I couldn't locate tests for the preexisting ssl_c_s_dn and related
> parameters.  I'd be happy to add tests for the new ones if someone could
> point me in the right direction of the existing ones.

Sorry for the late response, it seems your previous messages were sent
in the unlucky period where everyone's busy doing everything but looking 
at the mailing list :-)

I understand the problem you're facing and I agree that it's easier to have
fresh new code to handle this. However instead of having a separate set of
sample fetches for this, it would be much better to add an optional argument
to the existing one which would change the output format. This would even
allow to factor some existing code I guess. Look for example at the UUID
sample fetch which is a good illustration of this:

  uuid([<version>]) : string
    Returns a UUID following the RFC4122 standard. If the version is not
    specified, a UUID version 4 (fully random) is returned.

I'm seeing that ssl_c_i_dn() and ssl_c_s_dn() already take up to two
optional args. But that doesn't prevent one from adding a third one with
the output format specification. If you just want to get it emitted with
no specific field filtering you could just use "ssl_c_i_dn(,,rfc2253)" for
example (or any other arg value you choose).

Just my two cents,
Willy



Re: Lua: forcing garbage collector after socket i/o

2020-01-08 Thread Willy Tarreau
Hi,

On Thu, Jan 02, 2020 at 04:36:58PM -0800, Sadasiva Gujjarlapudi wrote:
> Hi,
> We have observed (significant) request handling rate dropped if the TCP
> sockets were used in `http-request` action.
> Request handling rate recovered with slight increase in memory usage after
> commenting the line in `hlua_socket_connect()`/hlua.c
> `hlua->flags |= HLUA_MUST_GC`
> Doc: https://www.arpalert.org/haproxy-lua.html#h209
> 
> I want to add a param to `Socket:connect()` or add new method
> `Socket:connect2()`.
> to disable forced GC.
> Any feedback is appreciated.

Interesting! CCing Thierry who's the one who knows this best. Thierry,
please also have a look at Sada's follow up e-mail with his numbers and
config. It looks like the GC is particularly aggressive here, and I don't
know if this is really needed. Or maybe we could have a counter and only
force it once every 100 times or so ?

thanks,
Willy



Re: [PATCH] MINOR: cli: use global unix settings for stats/master sockets

2020-01-08 Thread Willy Tarreau
Hi William,

On Thu, Jan 09, 2020 at 12:26:06AM +0100, William Dauchy wrote:
> allows to use unix-bind settings in config file for both stats and master
> sockets; this will save some double painful config when you can rely on
> the global unix-bind.
> Local settings will still overload the default global.

I had a look at how this currently works and am embarrassed by both the
patch and the way things currently work. Indeed, the patch only makes
use of the mode, uid and gid from the unix-bind statement and silently
ignores the path. It would be tempting to decide that since it's a unix
socket we should enforce all of unix-bind settings to the stats socket,
but then the problem caused by unix-bind is that the path component is
a mandatory prefix that is prepended before all socket paths. So if we
enforce the path we'll break all configs already using unix-bind.

I tend to think that at some point we could decide to purposely break
some of this stuff so that the stats socket is not special at all, but
I fear that some configs could not be expressed anymore due to this,
and typically users will place the stats socket into a location outside
of the chroot so that it cannot be accessed by accident by the process.
That's even more true for the master socket where the path is specified
on the command line, regardless of any global setting.

So maybe in the end your approach is the most reasonable one. However
in this case we should explicitly state in the doc what settings from
the unix-bind directive are reused by the stats/master socket, because
to be transparent, I wasn't aware of the other ones beyond "prefix" and
that's the first thing I tried and was surprised not to see it work as
I imagined it would.

What do you think ?

thanks,
Willy



Re: [PATCH] CLEANUP: server: remove unused err section in server_finalize_init

2020-01-08 Thread Илья Шипицин
btw, if you add "Fixes: #438", the issue will be closed automatically

https://help.github.com/en/github/managing-your-work-on-github/closing-issues-using-keywords

Thu, 9 Jan 2020 at 01:33, William Dauchy:

> Since commit 980855bd953c ("BUG/MEDIUM: server: initialize the orphaned
> conns lists and tasks at the end"), we no longer use err section.
>
> This should fix github issue #438
>
> Signed-off-by: William Dauchy 
> ---
>  src/server.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/src/server.c b/src/server.c
> index 6212a420..14ff716a 100644
> --- a/src/server.c
> +++ b/src/server.c
> @@ -2053,8 +2053,6 @@ static int server_finalize_init(const char *file,
> int linenum, char **args, int
> srv_lb_commit_status(srv);
>
> return 0;
> -err:
> -   return ERR_ALERT | ERR_FATAL;
>  }
>
>  /*
> --
> 2.24.1
>
>
>


Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Willy Tarreau
On Wed, Jan 08, 2020 at 01:26:00PM +0100, Julien Pivotto wrote:
> While we are at it, could we add 404 as well?
> 
> 404 is frequently used to deny to hide the fact that the access is
> denied, see
> https://developer.github.com/v3/troubleshooting/#why-am-i-getting-a-404-error-on-a-repository-that-exists
> 
> I know there are workarounds for this like serving an error file but
> getting it out of the box would be nice.

Agreed, I remember someone proposing it a year or two ago already and it
does make sense. Feel free to propose a patch, Florian's can serve as an
example.

Willy



Re: [PATCH] adapt regtest for travis-ci

2020-01-08 Thread Willy Tarreau
On Wed, Jan 08, 2020 at 11:00:42PM +0500, Илья Шипицин wrote:
> for some reason "echo -e" does not work at least in travis-ci.
> as discussed in #423 it is good to use "printf" instead.

Indeed, this is a bashism that I've been used to seeing fail on lots
of systems for at least a decade. And even though today I tend to be
lazy and to use it for my own stuff, real world doesn't wait long to
remind me I'm wrong. Great to see I'm not the only one :-)

Applied, thanks Ilya!
Willy



Re: [PATCH] CLEANUP: server: remove unused err section in server_finalize_init

2020-01-08 Thread Willy Tarreau
On Wed, Jan 08, 2020 at 09:29:53PM +0100, William Dauchy wrote:
> Since commit 980855bd953c ("BUG/MEDIUM: server: initialize the orphaned
> conns lists and tasks at the end"), we no longer use err section.
> 
> This should fix github issue #438

Merged, thanks William!
Willy



Re: [PATCH] MINOR: lua: Add lua-prepend-path configuration option

2020-01-08 Thread Willy Tarreau
Hi Tim,

On Wed, Jan 08, 2020 at 10:54:47PM +0100, Tim Duesterhus wrote:
> global
>   lua-prepend-path /etc/haproxy/lua-modules/?/init.lua
>   lua-prepend-path /etc/haproxy/lua-modules/?.lua
>   lua-load /etc/haproxy/lua-modules/auth-request.lua

(...)
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index d0bb97415..47a4db344 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -1080,6 +1081,11 @@ lua-load 
>This global directive loads and executes a Lua file. This directive can be
>used multiple times.
>  
> +lua-prepend-path 
> +  Prepends the given string followed by a semicolon to Lua's search path.
> +
> +  see: https://www.lua.org/pil/8.1.html
> +

I'm personally not opposed to this at all, however after reading the link
above and given that Lua's concept of "path" is all but obvious as described
in the link above, we definitely need a bit more text in the doc to quickly
explain that the path is rather a pattern and that the question mark is
replaced by the file in "require", and probably put a short example. Having
the link for more details is fine but not as a redirect to figure how to
use the config keyword.

Thanks!
Willy



[PATCH] MINOR: cli: use global unix settings for stats/master sockets

2020-01-08 Thread William Dauchy
allows to use unix-bind settings in config file for both stats and master
sockets; this will save some double painful config when you can rely on
the global unix-bind.
Local settings will still overload the default global.

Signed-off-by: William Dauchy 
---
 doc/configuration.txt | 1 +
 doc/management.txt| 1 +
 src/cli.c | 8 
 3 files changed, 10 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d0bb9741..c3aedb9e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1293,6 +1293,7 @@ stats socket [|] [param*]
   All parameters supported by "bind" lines are supported, for instance to
   restrict access to some users or their access rights. Please consult
   section 5.1 for more information.
+  "unix-bind" settings have also an effect on this socket settings.
 
 stats timeout 
   The default timeout on the stats socket is set to 10 seconds. It is possible
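Review bot: the sentence added under "stats socket" does not say which "unix-bind" settings are inherited. The src/cli.c hunks of this patch copy only ux.uid, ux.gid and ux.mode from global.unix_bind, so the text should name uid, gid and mode, state that the path prefix is not applied, and say that parameters given on the "stats socket" line itself take precedence, as the commit message promises. Suggested wording: The "mode", "uid" and "gid" defaults set by "unix-bind" also apply to this socket unless overridden on this line.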
diff --git a/doc/management.txt b/doc/management.txt
index 973b6f3a..2c48db1f 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -283,6 +283,7 @@ list of options is :
 For security reasons, it is recommended to bind the master CLI to a local
 UNIX socket. The bind options are the same as the keyword "bind" in
 the configuration file with words separated by commas instead of spaces.
+"unix-bind" settings have also an effect on this socket settings.
 
 Note that this socket can't be used to retrieve the listening sockets from
 an old process during a seamless reload.
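Review bot: the line added after the master CLI paragraph does not say which "unix-bind" settings apply, and it sits directly under "For security reasons, it is recommended to bind the master CLI to a local UNIX socket", where a reader needs to know exactly which owner and mode the socket ends up with. Spell out that the uid, gid and mode from the global "unix-bind" line become the defaults for the master socket, that bind options given on the command line still win, and fix the grammar ("also affect the settings of this socket").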
diff --git a/src/cli.c b/src/cli.c
index ba48d147..07a74067 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -256,6 +256,10 @@ static int stats_parse_global(char **args, int 
section_type, struct proxy *curpx
bind_conf = bind_conf_alloc(global.stats_fe, file, line, 
args[2], xprt_get(XPRT_RAW));
bind_conf->level &= ~ACCESS_LVL_MASK;
bind_conf->level |= ACCESS_LVL_OPER; /* default access level */
+   /* use default settings for unix sockets */
+   bind_conf->ux.uid  = global.unix_bind.ux.uid;
+   bind_conf->ux.gid  = global.unix_bind.ux.gid;
+   bind_conf->ux.mode = global.unix_bind.ux.mode;
 
if (!str2listener(args[2], global.stats_fe, bind_conf, file, 
line, err)) {
memprintf(err, "parsing [%s:%d] : '%s %s' : %s\n",
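Review bot: in stats_parse_global() the three ux fields are copied from global.unix_bind unconditionally and before str2listener() has looked at args[2], so the defaults are set whatever kind of address the stats socket uses, and the values read are whatever global.unix_bind holds when this line is parsed. Does this depend on "unix-bind" appearing before "stats socket" in the global section? If so, that needs a check or a doc note. Because this listener is created at ACCESS_LVL_OPER, a permissive global mode chosen for frontend sockets now also applies to the CLI socket unless the stats line sets its own mode; that side effect deserves a sentence in the commit message.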
@@ -2547,6 +2551,10 @@ int mworker_cli_proxy_new_listener(char *line)
 
bind_conf->level &= ~ACCESS_LVL_MASK;
bind_conf->level |= ACCESS_LVL_ADMIN;
+   /* use default settings for unix sockets */
+   bind_conf->ux.uid  = global.unix_bind.ux.uid;
+   bind_conf->ux.gid  = global.unix_bind.ux.gid;
+   bind_conf->ux.mode = global.unix_bind.ux.mode;
 
if (!str2listener(args[0], mworker_proxy, bind_conf, "master-socket", 
0, )) {
ha_alert("Cannot create the listener of the master CLI\n");
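Review bot: the same three assignments are duplicated in mworker_cli_proxy_new_listener(), right after the level is set to ACCESS_LVL_ADMIN; move them into one small helper taking the bind_conf so both CLI listeners stay in sync. Since this socket grants admin level, inheriting ux.mode from a global default is the part most worth calling out in doc/management.txt, and the patch should confirm that bind options given with the master socket on the command line still override these values.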
-- 
2.24.1




[PATCH] MINOR: lua: Add lua-prepend-path configuration option

2020-01-08 Thread Tim Duesterhus
List,

while working on updating my haproxy-auth-request [1] to make use of
haproxy-lua-http [2] instead of the crappy lua-socket [3] I realized
that it would be difficult for the administrator to use the script
afterwards.

The reason is that `require` in Lua attempts to search the modules
either in the current working directory (which is different from
the filename of the script executing the `require` and which most
likely is not anywhere near HAProxy's configuration folder) or within
Lua's library path which is compiled into Lua (in my case this is
something like `/usr/share/lua/5.3/`).

Add a `lua-prepend-path` configuration option that prepends the given
string to Lua's path, allowing scripts loaded with `lua-load` to find
libraries within that path.

Example configuration:

global
  lua-prepend-path /etc/haproxy/lua-modules/?/init.lua
  lua-prepend-path /etc/haproxy/lua-modules/?.lua
  lua-load /etc/haproxy/lua-modules/auth-request.lua

would result in something like this:

[ALERT] 007/225248 (6638) : parsing [./haproxy.cfg:5] : Lua runtime error: 
auth-request.lua:23: module 'haproxy-lua-http' not found:
no field package.preload['haproxy-lua-http']
no file '/etc/haproxy/lua-modules/haproxy-lua-http.lua'
no file '/etc/haproxy/lua-modules/haproxy-lua-http/init.lua'
no file '/usr/local/share/lua/5.3/haproxy-lua-http.lua'
no file '/usr/local/share/lua/5.3/haproxy-lua-http/init.lua'
no file '/usr/local/lib/lua/5.3/haproxy-lua-http.lua'
no file '/usr/local/lib/lua/5.3/haproxy-lua-http/init.lua'
no file '/usr/share/lua/5.3/haproxy-lua-http.lua'
no file '/usr/share/lua/5.3/haproxy-lua-http/init.lua'
no file './haproxy-lua-http.lua'
no file './haproxy-lua-http/init.lua'
no file '/usr/local/lib/lua/5.3/haproxy-lua-http.so'
no file '/usr/lib/x86_64-linux-gnu/lua/5.3/haproxy-lua-http.so'
no file '/usr/lib/lua/5.3/haproxy-lua-http.so'
no file '/usr/local/lib/lua/5.3/loadall.so'
no file './haproxy-lua-http.so'

I'd appreciate if we could backport this to 2.1. It should be fairly
self-contained.

Best regards
Tim Düsterhus

[1] https://github.com/TimWolla/haproxy-auth-request
[2] https://github.com/haproxytech/haproxy-lua-http
[3] https://github.com/TimWolla/haproxy-auth-request/issues/4

Apply with `git am --scissors` to automatically cut the commit message.

-- >8 --
Subject: [PATCH] MINOR: lua: Add lua-prepend-path configuration option

lua-prepend-path allows the administrator to specify a custom Lua library
path to load custom Lua modules that are useful within the context of HAProxy
without polluting the global Lua library folder.
---
 doc/configuration.txt |  6 ++
 src/hlua.c| 16 
 2 files changed, 22 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d0bb97415..47a4db344 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -603,6 +603,7 @@ The following keywords are supported in the "global" 
section :
- log-tag
- log-send-hostname
- lua-load
+   - lua-prepend-path
- mworker-max-reloads
- nbproc
- nbthread
@@ -1080,6 +1081,11 @@ lua-load 
   This global directive loads and executes a Lua file. This directive can be
   used multiple times.
 
+lua-prepend-path 
+  Prepends the given string followed by a semicolon to Lua's search path.
+
+  see: https://www.lua.org/pil/8.1.html
+
 master-worker [no-exit-on-failure]
   Master-worker mode. It is equivalent to the command line "-W" argument.
   This mode will launch a "master" which will monitor the "workers". Using
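Review bot: the lua-prepend-path entry does not mention ordering: each directive is placed in front of what is already there, so with several directives the last one is searched first. The sample error output in the cover letter shows it, with '/etc/haproxy/lua-modules/haproxy-lua-http.lua' (second directive) tried before '/etc/haproxy/lua-modules/haproxy-lua-http/init.lua' (first directive). Add one sentence on that, one on the "?" placeholder being replaced by the name passed to require, and a short example, rather than relying on the external link alone.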
diff --git a/src/hlua.c b/src/hlua.c
index 37f786687..4f39755b3 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -7458,8 +7458,24 @@ static int hlua_load(char **args, int section_type, 
struct proxy *curpx,
return 0;
 }
 
+static int hlua_prepend_path(char **args, int section_type, struct proxy 
*curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+   lua_getglobal(gL.T, "package"); /* push package*/
+   lua_pushstring(gL.T, args[1]);  /* push given path */
+   lua_pushstring(gL.T, ";");  /* push semicolon  */
+   lua_getfield(gL.T, -3, "path"); /* push old path   */
+   lua_concat(gL.T, 3);/* concatenate to new path */
+   lua_setfield(gL.T, -2, "path"); /* store new path  */
+   lua_pop(gL.T, 1);   /* pop package */
+
+   return 0;
+}
+
 /* configuration keywords declaration */
 static struct cfg_kw_list cfg_kws = {{ },{
+   { CFG_GLOBAL, "lua-prepend-path", hlua_prepend_path },
{ CFG_GLOBAL, "lua-load", hlua_load },
{ CFG_GLOBAL, "tune.lua.session-timeout", hlua_session_timeout },
{ CFG_GLOBAL, "tune.lua.task-timeout",hlua_task_timeout },
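Review bot: hlua_prepend_path() pushes args[1] onto the Lua stack without checking that an argument was supplied or that nothing follows it, and it never touches err, so a malformed "lua-prepend-path" line is accepted silently. Validate the argument count first and report through memprintf(err, ...) with a non-zero return, in the style of the "parsing [%s:%d]" messages other keyword parsers emit. file and line are already passed in and can go straight into that message.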
-- 
2.24.1
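
The search order that `require` follows once `lua-prepend-path` has been applied, modelled in Python as an added example (not code from the patch or from HAProxy). The default path is reconstructed from the error output quoted in the message above; `build_path`, `candidates` and `audit` are hypothetical helper names, and the set of existing files is constructed.

```python
"""Model of Lua's package.path lookup after HAProxy's lua-prepend-path (added example)."""

# Templates reconstructed from the "no file" lines of the error output in the
# message above; the value compiled into another Lua build may differ.
DEFAULT_LUA_PATH = ";".join([
    "/usr/local/share/lua/5.3/?.lua",
    "/usr/local/share/lua/5.3/?/init.lua",
    "/usr/local/lib/lua/5.3/?.lua",
    "/usr/local/lib/lua/5.3/?/init.lua",
    "/usr/share/lua/5.3/?.lua",
    "/usr/share/lua/5.3/?/init.lua",
    "./?.lua",
    "./?/init.lua",
])

# The two directives from the example configuration, in file order.
DIRECTIVES = [
    "/etc/haproxy/lua-modules/?/init.lua",
    "/etc/haproxy/lua-modules/?.lua",
]


def build_path(directives, default=DEFAULT_LUA_PATH):
    """Apply each directive the way the patch does: template + ';' + old path."""
    path = default
    for template in directives:
        path = template + ";" + path
    return path


def candidates(module, path):
    """Files that require(module) tries, in order, for a given package.path.

    Lua substitutes every '?' in a template with the module name, after
    turning dots in the name into directory separators; empty templates
    are skipped.
    """
    name = module.replace(".", "/")
    return [t.replace("?", name) for t in path.split(";") if t]


def audit(module, path, existing):
    """Report which file wins, which later copies it shadows, and which
    candidates depend on the working directory of the HAProxy process."""
    tried = candidates(module, path)
    hits = [f for f in tried if f in existing]
    return {
        "winner": hits[0] if hits else None,
        "shadowed": hits[1:],
        "cwd_relative": [f for f in tried if not f.startswith("/")],
    }


# Constructed file system state for the demonstration.
EXISTING = {
    "/etc/haproxy/lua-modules/haproxy-lua-http/init.lua",
    "/usr/share/lua/5.3/haproxy-lua-http.lua",
}

if __name__ == "__main__":
    path = build_path(DIRECTIVES)
    for f in candidates("haproxy-lua-http", path):
        print("try", f)
    print(audit("haproxy-lua-http", path, EXISTING))
```

Running the same audit against the real file list of a host shows whether a module placed in an earlier directory takes precedence over the packaged copy, and which lookups still fall back to the process working directory.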




[PATCH] CLEANUP: server: remove unused err section in server_finalize_init

2020-01-08 Thread William Dauchy
Since commit 980855bd953c ("BUG/MEDIUM: server: initialize the orphaned
conns lists and tasks at the end"), we no longer use err section.

This should fix github issue #438

Signed-off-by: William Dauchy 
---
 src/server.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/server.c b/src/server.c
index 6212a420..14ff716a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -2053,8 +2053,6 @@ static int server_finalize_init(const char *file, int 
linenum, char **args, int
srv_lb_commit_status(srv);
 
return 0;
-err:
-   return ERR_ALERT | ERR_FATAL;
 }
 
 /*
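Review bot: removing the err: label at the end of server_finalize_init() is only correct if no "goto err" remains anywhere in the function, and the hunk context shows just the tail (srv_lb_commit_status(srv); return 0;). A leftover jump would fail the build, so this is easy to verify, but the commit message could say explicitly that the last user of the label went away in 980855bd953c, so the reason is clear without opening issue #438.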
-- 
2.24.1




[PATCH] adapt regtest for travis-ci

2020-01-08 Thread Илья Шипицин
Hello,

for some reason "echo -e" does not work at least in travis-ci.
as discussed in #423 it is good to use "printf" instead.

Cheers,
Ilya Shipitcin
From e0ae24b754b6f660b0d942df25ed1e0bfe189967 Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin 
Date: Wed, 8 Jan 2020 22:56:30 +0500
Subject: [PATCH] REGTEST: set_ssl_cert.vtc: replace "echo" with "printf"

"echo -e" for some reason does not work on travis-ci, so let us switch
to "printf"

Fixes: #423
---
 reg-tests/ssl/set_ssl_cert.vtc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc
index 3d6ff0c98..11b2d154b 100644
--- a/reg-tests/ssl/set_ssl_cert.vtc
+++ b/reg-tests/ssl/set_ssl_cert.vtc
@@ -42,7 +42,7 @@ shell {
 }
 
 shell {
-   echo -e "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n" | socat "${tmpdir}/h1/stats" -
+   printf "set ssl cert ${testdir}/common.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
echo "commit ssl cert ${testdir}/common.pem" | socat "${tmpdir}/h1/stats" -
 }
 
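Review bot: on the new printf line the whole command, including ${testdir} and the output of $(cat ${testdir}/ecdsa.pem), is passed as the format string, so any "%" or backslash in the path or in the file content would be interpreted by printf. Pass the data as arguments instead, for example printf 'set ssl cert %s <<\n%s\n\n' "${testdir}/common.pem" "$(cat "${testdir}/ecdsa.pem")". The replacement also ends in "\n\n" where the echo line had a single "\n"; that accounts for the newline echo appended by itself and is worth one line in the commit message.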
-- 
2.24.1



Re: [PATCH] cirrus-ci: choose proper openssl package name

2020-01-08 Thread Christopher Faulet

On 07/01/2020 at 19:44, Илья Шипицин wrote:

hello,


freebsd-11.3 names package "openssl"
freebsd-12.1 names package "openssl111"

I added switch for that



Applied, thanks !

--
Christopher Faulet



Re: [PATCH] CLEANUP: mux-h2: remove unused goto "out_free_h2s"

2020-01-08 Thread Christopher Faulet

On 08/01/2020 at 15:16, William Dauchy wrote:

Since commit fa8aa867b915 ("MEDIUM: connections: Change struct
wait_list to wait_event.") we no longer use this section.

this should fix github issue #437

Signed-off-by: William Dauchy 
---
  src/mux_h2.c | 3 ---
  1 file changed, 3 deletions(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index be9dae92..6ec8d6c0 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -1347,9 +1347,6 @@ static struct h2s *h2s_new(struct h2c *h2c, int id)
  
  	TRACE_LEAVE(H2_EV_H2S_NEW, h2c->conn, h2s);

return h2s;
-
- out_free_h2s:
-   pool_free(pool_head_h2s, h2s);
   out:
TRACE_DEVEL("leaving in error", H2_EV_H2S_ERR|H2_EV_H2S_END, h2c->conn);
return NULL;



Applied, thanks !

--
Christopher Faulet



Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Christopher Faulet

On 08/01/2020 at 13:54, Florian Tham wrote:

Hello Tim,

On 1/8/20 at 1:21 PM, Tim Düsterhus wrote:

Please reference GitHub issue #80 in the commit message.
"See issue #80." would be sufficient.


+   "410 Gone\n",


Please add a description of the error message after the headline for
consistency with the other messages.


I fixed both issues and added a second patch implementing 404.

Best regards,

Florian



Applied, thanks !

--
Christopher Faulet



[PATCH] CLEANUP: mux-h2: remove unused goto "out_free_h2s"

2020-01-08 Thread William Dauchy
Since commit fa8aa867b915 ("MEDIUM: connections: Change struct
wait_list to wait_event.") we no longer use this section.

this should fix github issue #437

Signed-off-by: William Dauchy 
---
 src/mux_h2.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index be9dae92..6ec8d6c0 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -1347,9 +1347,6 @@ static struct h2s *h2s_new(struct h2c *h2c, int id)
 
TRACE_LEAVE(H2_EV_H2S_NEW, h2c->conn, h2s);
return h2s;
-
- out_free_h2s:
-   pool_free(pool_head_h2s, h2s);
  out:
TRACE_DEVEL("leaving in error", H2_EV_H2S_ERR|H2_EV_H2S_END, h2c->conn);
return NULL;
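Review bot: with out_free_h2s removed, the only error exit left in the visible tail of h2s_new() is out:, which traces and returns NULL without releasing anything. Please state in the commit message that no failure can occur once h2s has been taken from pool_head_h2s, so that dropping the pool_free() path cannot turn a later "goto out" into a leak. The blank line before the label is removed as well, which leaves "return h2s;" directly followed by "out:"; keeping one blank line there would preserve the existing layout.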
-- 
2.24.1




Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Florian Tham
Hello Tim,

On 1/8/20 at 1:21 PM, Tim Düsterhus wrote:
> Please reference GitHub issue #80 in the commit message.
> "See issue #80." would be sufficient.
> 
>> +"410 Gone\n",
> 
> Please add a description of the error message after the headline for
> consistency with the other messages.

I fixed both issues and added a second patch implementing 404.

Best regards,

Florian
From 38961d35696bd24b66815e4e09f78a8af3d0d021 Mon Sep 17 00:00:00 2001
From: Florian Tham 
Date: Wed, 8 Jan 2020 10:19:05 +0100
Subject: [PATCH 1/2] MINOR: http: Add 410 to http-request deny

This patch adds http status code 410 Gone to http-request deny. See
issue #80.
---
 doc/configuration.txt |  8 +---
 include/common/http.h |  1 +
 src/http.c| 11 +++
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9bc7d7150..69daaa8b7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -374,6 +374,8 @@ HAProxy may emit the following status codes by itself :
 accessing the stats page)
403  when a request is forbidden by a "http-request deny" rule
408  when the request timeout strikes before the request is complete
+   410  when the requested resource is no longer available and will not
+be available again
500  when haproxy encounters an unrecoverable internal error, such as a
 memory allocation failure, which should never happen
502  when the server returns an empty, invalid or incomplete response, or
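Review bot: the new 410 entry describes what the status code means, while the neighbouring entries say when HAProxy itself emits the code (403 "when a request is forbidden by a "http-request deny" rule", 408 "when the request timeout strikes before the request is complete"). Since the commit message ties 410 to "http-request deny", word it the same way, for example: when a request is rejected by a "http-request deny" rule with deny_status 410.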
@@ -3605,7 +3607,7 @@ errorfile  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
 designates a file containing the full HTTP response. It is
@@ -3654,7 +3656,7 @@ errorloc302  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
  it is the exact contents of the "Location" header. It may contain
@@ -3686,7 +3688,7 @@ errorloc303  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
  it is the exact contents of the "Location" header. It may contain
diff --git a/include/common/http.h b/include/common/http.h
index 857c66e1d..2d9bad7ee 100644
--- a/include/common/http.h
+++ b/include/common/http.h
@@ -85,6 +85,7 @@ enum {
 	HTTP_ERR_403,
 	HTTP_ERR_405,
 	HTTP_ERR_408,
+	HTTP_ERR_410,
 	HTTP_ERR_421,
 	HTTP_ERR_425,
 	HTTP_ERR_429,
diff --git a/src/http.c b/src/http.c
index c9168669d..4f57a43bc 100644
--- a/src/http.c
+++ b/src/http.c
@@ -218,6 +218,7 @@ const int http_err_codes[HTTP_ERR_SIZE] = {
 	[HTTP_ERR_403] = 403,
 	[HTTP_ERR_405] = 405,
 	[HTTP_ERR_408] = 408,
+	[HTTP_ERR_410] = 410,
 	[HTTP_ERR_421] = 421,
 	[HTTP_ERR_425] = 425,
 	[HTTP_ERR_429] = 429,
@@ -273,6 +274,15 @@ const char *http_err_msgs[HTTP_ERR_SIZE] = {
 	"\r\n"
 	"408 Request Time-out\nYour browser didn't send a complete request in time.\n\n",
 
+	[HTTP_ERR_410] =
+	"HTTP/1.1 410 Gone\r\n"
+	"Content-length: 114\r\n"
+	"Cache-Control: no-cache\r\n"
+	"Connection: close\r\n"
+	"Content-Type: text/html\r\n"
+	"\r\n"
+	"410 Gone\nThe resource is no longer available and will not be available again.\n\n",
+
 	[HTTP_ERR_421] =
 	"HTTP/1.1 421 Misdirected Request\r\n"
 	"Content-length: 104\r\n"
@@ -379,6 +389,7 @@ int http_get_status_idx(unsigned int status)
 	case 403: return HTTP_ERR_403;
 	case 405: return HTTP_ERR_405;
 	case 408: return HTTP_ERR_408;
+	case 410: return HTTP_ERR_410;
 	case 421: return HTTP_ERR_421;
 	case 425: return HTTP_ERR_425;
 	case 429: return HTTP_ERR_429;
-- 
2.24.1

From 86a8e1f4be02a713dbfd8e5704fc4c4eb2b3cd22 Mon Sep 17 00:00:00 2001
From: Florian Tham 
Date: Wed, 8 Jan 2020 13:35:30 +0100
Subject: [PATCH 2/2] MINOR: http: Add 404 to http-request deny

This patch adds http status code 404 Not Found to http-request deny. See
issue #80.
---
 doc/configuration.txt | 13 +++--
 include/common/http.h |  1 +
 src/http.c| 11 +++
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 69daaa8b7..d0bb97415 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -373,6 +373,7 @@ HAProxy may emit the following status codes by itself :
401 

Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Aleksandar Lazic


+1 for 404 Addition

Jan 8, 2020 1:26:36 PM Julien Pivotto :

> While we are at it, could we add 404 as well?
> 
> 404 is frequently used to deny to hide the fact that the access is
> denied, see
> https://developer.github.com/v3/troubleshooting/#why-am-i-getting-a-404-error-on-a-repository-that-exists
> 
> I know there are workarounds for this like serving an error file but
> getting it out of the box would be nice.
> 
> On 08 Jan 10:43, Florian Tham wrote:
> 
> > Hello,
> > 
> > I need to return HTTP 410 Gone to certain incoming requests. The
> > attached patch adds deny_status 410 to http-request-deny. It partly
> > fixes https://github.com/haproxy/haproxy/issues/80.
> > 
> > Best regards,
> > 
> > Florian
> > 
> 
> 
> > [37mFrom 2336fe0d37a0edeb61ce39a6fe1c5477e6fe6e3d Mon Sep 17 00:00:00 
> > 2001
> > [37mFrom: Florian Tham 
> > [37mDate: Wed, 8 Jan 2020 10:19:05 +0100
> > [37mSubject: [PATCH] MINOR: http: Add 410 to http-request deny
> > 
> > [37mThis patch adds http status code 410 Gone to http-request deny.
> > [37m---
> > [37m doc/configuration.txt | 8 +---
> > [37m include/common/http.h | 1 +
> > [37m src/http.c | 11 +++
> > [37m 3 files changed, 17 insertions(+), 3 deletions(-)
> > 
> > [37mdiff --git a/doc/configuration.txt b/doc/configuration.txt
> > [37mindex 9bc7d7150..69daaa8b7 100644
> > [37m--- a/doc/configuration.txt
> > [37m+++ b/doc/configuration.txt
> > [37m@@ -374,6 +374,8 @@ HAProxy may emit the following status codes by 
> > itself :
> > [37m accessing the stats page)
> > [37m 403 when a request is forbidden by a "http-request deny" rule
> > [37m 408 when the request timeout strikes before the request is complete
> > [32m+ 410 when the requested resource is no longer available and will 
> > not
> > [32m+ be available again
> > [37m 500 when haproxy encounters an unrecoverable internal error, such as 
> > a
> > [37m memory allocation failure, which should never happen
> > [37m 502 when the server returns an empty, invalid or incomplete response, 
> > or
> > [37m@@ -3605,7 +3607,7 @@ errorfile  
> > [37m yes | yes | yes | yes
> > [37m Arguments :
> > [37m  is the HTTP status code. Currently, HAProxy is capable of
> > [31m- generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
> > [32m+ generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
> > [37m 503, and 504.
> > [37m 
> > [37m  designates a file containing the full HTTP response. It is
> > [37m@@ -3654,7 +3656,7 @@ errorloc302  
> > [37m yes | yes | yes | yes
> > [37m Arguments :
> > [37m  is the HTTP status code. Currently, HAProxy is capable of
> > [31m- generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
> > [32m+ generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
> > [37m 503, and 504.
> > [37m 
> > [37m  it is the exact contents of the "Location" header. It may 
> > contain
> > [37m@@ -3686,7 +3688,7 @@ errorloc303  
> > [37m yes | yes | yes | yes
> > [37m Arguments :
> > [37m  is the HTTP status code. Currently, HAProxy is capable of
> > [31m- generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
> > [32m+ generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
> > [37m 503, and 504.
> > [37m 
> > [37m  it is the exact contents of the "Location" header. It may 
> > contain
> > [37mdiff --git a/include/common/http.h b/include/common/http.h
> > [37mindex 857c66e1d..2d9bad7ee 100644
> > [37m--- a/include/common/http.h
> > [37m+++ b/include/common/http.h
> > [37m@@ -85,6 +85,7 @@ enum {
> > [37m HTTP_ERR_403,
> > [37m HTTP_ERR_405,
> > [37m HTTP_ERR_408,
> > [32m+ HTTP_ERR_410,
> > [37m HTTP_ERR_421,
> > [37m HTTP_ERR_425,
> > [37m HTTP_ERR_429,
> > [37mdiff --git a/src/http.c b/src/http.c
> > [37mindex c9168669d..8aa6bf98b 100644
> > [37m--- a/src/http.c
> > [37m+++ b/src/http.c
> > [37m@@ -218,6 +218,7 @@ const int http_err_codes[HTTP_ERR_SIZE] = {
> > [37m [HTTP_ERR_403] = 403,
> > [37m [HTTP_ERR_405] = 405,
> > [37m [HTTP_ERR_408] = 408,
> > [32m+ [HTTP_ERR_410] = 410,
> > [37m [HTTP_ERR_421] = 421,
> > [37m [HTTP_ERR_425] = 425,
> > [37m [HTTP_ERR_429] = 429,
> > [37m@@ -273,6 +274,15 @@ const char *http_err_msgs[HTTP_ERR_SIZE] = {
> > [37m "\r\n"
> > [37m "408 Request Time-out\nYour browser didn't send a 
> > complete request in time.\n\n",
> > [37m 
> > [32m+ [HTTP_ERR_410] =
> > [32m+ "HTTP/1.1 410 Gone\r\n"
> > [32m+ "Content-length: 44\r\n"
> > [32m+ "Cache-Control: no-cache\r\n"
> > [32m+ "Connection: close\r\n"
> > [32m+ "Content-Type: text/html\r\n"
> > [32m+ "\r\n"
> > [32m+ "410 Gone\n",
> > [32m+
> > [37m [HTTP_ERR_421] =
> > [37m "HTTP/1.1 421 Misdirected Request\r\n"
> > [37m 

Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Julien Pivotto
While we are at it, could we add 404 as well?

404 is frequently used to deny to hide the fact that the access is
denied, see
https://developer.github.com/v3/troubleshooting/#why-am-i-getting-a-404-error-on-a-repository-that-exists

I know there are workarounds for this like serving an error file but
getting it out of the box would be nice.

On 08 Jan 10:43, Florian Tham wrote:
> Hello,
> 
> I need to return HTTP 410 Gone to certain incoming requests. The
> attached patch adds deny_status 410 to http-request-deny. It partly
> fixes https://github.com/haproxy/haproxy/issues/80.
> 
> Best regards,
> 
> Florian

> From 2336fe0d37a0edeb61ce39a6fe1c5477e6fe6e3d Mon Sep 17 00:00:00 
> 2001
> From: Florian Tham 
> Date: Wed, 8 Jan 2020 10:19:05 +0100
> Subject: [PATCH] MINOR: http: Add 410 to http-request deny
> 
> This patch adds http status code 410 Gone to http-request deny.
> ---
>  doc/configuration.txt |  8 +---
>  include/common/http.h |  1 +
>  src/http.c| 11 +++
>  3 files changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/configuration.txt b/doc/configuration.txt
> index 9bc7d7150..69daaa8b7 100644
> --- a/doc/configuration.txt
> +++ b/doc/configuration.txt
> @@ -374,6 +374,8 @@ HAProxy may emit the following status codes by 
> itself :
>  accessing the stats page)
> 403  when a request is forbidden by a "http-request deny" rule
> 408  when the request timeout strikes before the request is 
> complete
> +   410  when the requested resource is no longer available and will 
> not
> +be available again
> 500  when haproxy encounters an unrecoverable internal error, such 
> as a
>  memory allocation failure, which should never happen
> 502  when the server returns an empty, invalid or incomplete 
> response, or
> @@ -3605,7 +3607,7 @@ errorfile  
>   yes   |yes   |   yes  |   yes
>    Arguments :
>  is the HTTP status code. Currently, HAProxy is capable 
> of
> -  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 
> 502,
> +  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 
> 500, 502,
>    503, and 504.
>  
>  designates a file containing the full HTTP response. It 
> is
> @@ -3654,7 +3656,7 @@ errorloc302  
>   yes   |yes   |   yes  |   yes
>    Arguments :
>  is the HTTP status code. Currently, HAProxy is capable 
> of
> -  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 
> 502,
> +  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 
> 500, 502,
>    503, and 504.
>  
>   it is the exact contents of the "Location" header. It may 
> contain
> @@ -3686,7 +3688,7 @@ errorloc303  
>   yes   |yes   |   yes  |   yes
>    Arguments :
>  is the HTTP status code. Currently, HAProxy is capable 
> of
> -  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 
> 502,
> +  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 
> 500, 502,
>    503, and 504.
>  
>   it is the exact contents of the "Location" header. It may 
> contain
> diff --git a/include/common/http.h b/include/common/http.h
> index 857c66e1d..2d9bad7ee 100644
> --- a/include/common/http.h
> +++ b/include/common/http.h
> @@ -85,6 +85,7 @@ enum {
>  HTTP_ERR_403,
>  HTTP_ERR_405,
>  HTTP_ERR_408,
> +HTTP_ERR_410,
>  HTTP_ERR_421,
>  HTTP_ERR_425,
>  HTTP_ERR_429,
> diff --git a/src/http.c b/src/http.c
> index c9168669d..8aa6bf98b 100644
> --- a/src/http.c
> +++ b/src/http.c
> @@ -218,6 +218,7 @@ const int http_err_codes[HTTP_ERR_SIZE] = {
>  [HTTP_ERR_403] = 403,
>  [HTTP_ERR_405] = 405,
>  [HTTP_ERR_408] = 408,
> +[HTTP_ERR_410] = 410,
>  [HTTP_ERR_421] = 421,
>  [HTTP_ERR_425] = 425,
>  [HTTP_ERR_429] = 429,
> @@ -273,6 +274,15 @@ const char *http_err_msgs[HTTP_ERR_SIZE] = {
>  "\r\n"
>  "408 Request Time-out\nYour browser didn't 
> send a complete request in time.\n\n",
>  
> +[HTTP_ERR_410] =
> +"HTTP/1.1 410 Gone\r\n"
> 

Re: [PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Tim Düsterhus
Florian,

On 08.01.20 at 10:43, Florian Tham wrote:
> This patch adds http status code 410 Gone to http-request deny.

Please reference GitHub issue #80 in the commit message.
"See issue #80." would be sufficient.

> + "410 Gone\n",

Please add a description of the error message after the headline for
consistency with the other messages.

Best regards
Tim Düsterhus
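
Adding a description to the message body changes its length, so the hard-coded Content-length has to be recounted with it. The check below is an added example, not part of this thread or of HAProxy's code; check_content_length(), has_prefix_ci() and both sample messages are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples in the style of http_err_msgs[]; not the patch's text. */
static const char msg_ok[] =
	"HTTP/1.1 410 Gone\r\n" "Content-length: 18\r\n" "\r\n"
	"<h1>410 Gone</h1>\n";
static const char msg_stale[] = /* description added, length not recounted */
	"HTTP/1.1 410 Gone\r\n" "Content-length: 18\r\n" "\r\n"
	"<h1>410 Gone</h1>\nThe resource is no longer available.\n";

/* Case-insensitive "does s start with p" (header names ignore case). */
static int has_prefix_ci(const char *s, const char *p)
{
	while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p))
		s++, p++;
	return *p == '\0';
}

/* Hypothetical helper: 1 if Content-length equals the body byte count,
 * 0 if it does not, -1 if the message is malformed. */
int check_content_length(const char *msg)
{
	const char *body = strstr(msg, "\r\n\r\n");
	const char *line = msg;
	long declared = -1;

	if (!body)
		return -1;                /* no blank line after the headers */
	body += 4;
	while (line < body - 2) {         /* one CRLF-terminated line per pass */
		const char *eol = strstr(line, "\r\n");
		if (has_prefix_ci(line, "content-length:")) {
			char *end;
			long v = strtol(line + 15, &end, 10);
			if (end == line + 15 || end != eol || v < 0)
				return -1;        /* empty, trailing junk or negative */
			if (declared >= 0 && declared != v)
				return -1;        /* conflicting duplicate headers */
			declared = v;
		}
		line = eol + 2;
	}
	return declared < 0 ? -1 : (size_t)declared == strlen(body);
}

int main(void) { printf("ok=%d stale=%d\n", check_content_length(msg_ok), check_content_length(msg_stale)); return 0; }
```

Run over every entry of a message table at build or test time, a result other than 1 flags a response whose declared and actual body sizes disagree.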



Re: learning SSL stuff

2020-01-08 Thread William Lallemand
On Wed, Jan 01, 2020 at 08:18:49PM +0500, Илья Шипицин wrote:
> Hello,
> 
> while working on #429,
> I noticed strange things that I do not understand
> for example
> 
> if (ecdhe == NULL) {
>         (void)SSL_CTX_set_ecdh_auto(ctx, 1);
>         return cfgerr;
> }
> 
> why do we need to call SSL_CTX_set_ecdh_auto right before returning error ?
> 

The purpose here is just to leave the function, not to return an error.
No errors are set after calling SSL_CTX_set_ecdh_auto(). You are supposed to
return any warning or error when leaving the function, and they are stored in
the cfgerr variable.

-- 
William Lallemand



[PATCH] MINOR: http: Add 410 to http-request deny

2020-01-08 Thread Florian Tham
Hello,

I need to return HTTP 410 Gone to certain incoming requests. The
attached patch adds deny_status 410 to http-request-deny. It partly
fixes https://github.com/haproxy/haproxy/issues/80.

Best regards,

Florian
From 2336fe0d37a0edeb61ce39a6fe1c5477e6fe6e3d Mon Sep 17 00:00:00 2001
From: Florian Tham 
Date: Wed, 8 Jan 2020 10:19:05 +0100
Subject: [PATCH] MINOR: http: Add 410 to http-request deny

This patch adds http status code 410 Gone to http-request deny.
---
 doc/configuration.txt |  8 +---
 include/common/http.h |  1 +
 src/http.c| 11 +++
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9bc7d7150..69daaa8b7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -374,6 +374,8 @@ HAProxy may emit the following status codes by itself :
 accessing the stats page)
403  when a request is forbidden by a "http-request deny" rule
408  when the request timeout strikes before the request is complete
+   410  when the requested resource is no longer available and will not
+be available again
500  when haproxy encounters an unrecoverable internal error, such as a
 memory allocation failure, which should never happen
502  when the server returns an empty, invalid or incomplete response, or
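Review bot: the new 410 entry in the "status codes by itself" list describes what 410 means in HTTP instead of when HAProxy emits it, unlike its neighbours (403 is listed as 'when a request is forbidden by a "http-request deny" rule'). Going by the commit subject and the cover mail, HAProxy returns 410 only when a deny rule asks for it, so wording along the lines of 'when a "http-request deny" rule is configured with "deny_status 410"' would match the rest of the list.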
@@ -3605,7 +3607,7 @@ errorfile  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
 designates a file containing the full HTTP response. It is
@@ -3654,7 +3656,7 @@ errorloc302  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
  it is the exact contents of the "Location" header. It may contain
@@ -3686,7 +3688,7 @@ errorloc303  
  yes   |yes   |   yes  |   yes
   Arguments :
 is the HTTP status code. Currently, HAProxy is capable of
-  generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
+  generating codes 200, 400, 403, 405, 408, 410, 425, 429, 500, 502,
   503, and 504.
 
  it is the exact contents of the "Location" header. It may contain
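Review bot: the code list edited here is repeated verbatim in the errorfile, errorloc302 and errorloc303 hunks, and in all three it still omits 421 although the enum hunk further down shows HTTP_ERR_421 sitting between 410 and 425. If 421 can be customised the same way, add it while these lines are being touched; if it is excluded on purpose, a short remark in the text would settle the question.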
diff --git a/include/common/http.h b/include/common/http.h
index 857c66e1d..2d9bad7ee 100644
--- a/include/common/http.h
+++ b/include/common/http.h
@@ -85,6 +85,7 @@ enum {
 	HTTP_ERR_403,
 	HTTP_ERR_405,
 	HTTP_ERR_408,
+	HTTP_ERR_410,
 	HTTP_ERR_421,
 	HTTP_ERR_425,
 	HTTP_ERR_429,
diff --git a/src/http.c b/src/http.c
index c9168669d..8aa6bf98b 100644
--- a/src/http.c
+++ b/src/http.c
@@ -218,6 +218,7 @@ const int http_err_codes[HTTP_ERR_SIZE] = {
 	[HTTP_ERR_403] = 403,
 	[HTTP_ERR_405] = 405,
 	[HTTP_ERR_408] = 408,
+	[HTTP_ERR_410] = 410,
 	[HTTP_ERR_421] = 421,
 	[HTTP_ERR_425] = 425,
 	[HTTP_ERR_429] = 429,
@@ -273,6 +274,15 @@ const char *http_err_msgs[HTTP_ERR_SIZE] = {
 	"\r\n"
 	"408 Request Time-out\nYour browser didn't send a complete request in time.\n\n",
 
+	[HTTP_ERR_410] =
+	"HTTP/1.1 410 Gone\r\n"
+	"Content-length: 44\r\n"
+	"Cache-Control: no-cache\r\n"
+	"Connection: close\r\n"
+	"Content-Type: text/html\r\n"
+	"\r\n"
+	"410 Gone\n",
+
 	[HTTP_ERR_421] =
 	"HTTP/1.1 421 Misdirected Request\r\n"
 	"Content-length: 104\r\n"
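Review bot: "Content-length: 44" in the new HTTP_ERR_410 entry is a hand-counted constant that has to equal the number of body bytes after the blank "\r\n" line. The 408 entry just above follows its headline with an explanatory sentence and this entry does not; when a description is added for consistency, recount the length in the same commit so the declared and actual body sizes do not drift apart.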
@@ -379,6 +389,7 @@ int http_get_status_idx(unsigned int status)
 	case 403: return HTTP_ERR_403;
 	case 405: return HTTP_ERR_405;
 	case 408: return HTTP_ERR_408;
+	case 410: return HTTP_ERR_410;
 	case 421: return HTTP_ERR_421;
 	case 425: return HTTP_ERR_425;
 	case 429: return HTTP_ERR_429;
-- 
2.24.1