Re: [PATCH] Minor improvements to doc "http-request set-src"

2020-04-20 Thread Tim Düsterhus
Olivier,

Am 20.04.20 um 20:03 schrieb Olivier D:
> I'm using gmail so I had to attach patches and was not able to send them
> directly. If format is wrong, tell me :)
> 

Format looks good to me. Your commit message however does not (fully)
follow the instructions within the CONTRIBUTING file
(https://github.com/haproxy/haproxy/blob/dfad6a41ad9f012671b703788dd679cf24eb8c5a/CONTRIBUTING#L562-L567):

>As a rule of thumb, your patch MUST NEVER be made only of a subject line,
>it *must* contain a description. Even one or two lines, or indicating
>whether a backport is desired or not. It turns out that single-line commits
>are so rare in the Git world that they require special manual (hence
>painful) handling when they are backported, and at least for this reason
>it's important to keep this in mind.

Regarding the patch itself:

> diff --git doc/configuration.txt doc/configuration.txt
> index 5d01835d7..ddfabcd92 100644
> --- doc/configuration.txt
> +++ doc/configuration.txt
> @@ -6735,7 +6735,8 @@ option forwardfor [ except  ] [ header  
> ] [ if-none ]
>header for a known source address or network by adding the "except" keyword
>followed by the network address. In this case, any source IP matching the
>network will not cause an addition of this header. Most common uses are 
> with
> -  private networks or 127.0.0.1.
> +  private networks or 127.0.0.1. Another way to do it is to tell HAProxy to
> +  trust a custom header with "http-request set-src".

This change looks incorrect to me. "option forwardfor" is for sending,
not "receiving" IP addresses.

>Alternatively, the keyword "if-none" states that the header will only be
>added if it is not present. This should only be used in perfectly trusted
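Review bot: the cross-reference lands on the wrong feature. "Another way to do it" refers to not adding X-Forwarded-For for the networks listed with "except", and "http-request set-src" has no bearing on whether the header is added; it changes which address HAProxy believes the request came from. Pointers to related keywords go on the "See also :" line at the end of the section in this document, so "http-request set-src" belongs there, not in the "except" paragraph.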
> @@ -6760,6 +6761,14 @@ option forwardfor [ except  ] [ header  
> ] [ if-none ]
>  mode http
>  option forwardfor header X-Client
>  
> +  Example :
> +# Trust a specific header and use it as origin IP. 
> +# If not found, source IP will be used.
> +frontend www
> +mode http
> +http-request set-src CF-Connecting-IP

I believe this should read `http-request set-src
%[req.hdr(CF-Connecting-IP)]`. However:

1. I don't like having company specific headers in there. Especially
since Cloudflare supports the standard XFF.
2. I don't consider that a useful addition.

> +option forwardfor
> +
>See also : "option httpclose", "option http-server-close",
>   "option http-keep-alive"
>  
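Review bot: the comment "If not found, source IP will be used" holds only because set-src leaves the address untouched when the expression yields nothing usable (header absent, or a value that does not parse as an address); the comment should say the rule is silently skipped in that case rather than implying a fallback. The rule is also unconditional, so a client that reaches this frontend directly rather than through the CDN can send CF-Connecting-IP and pick its own src for every later ACL, log line and stick-table key; the example needs a condition on the real peer, for instance `http-request set-src req.hdr(CF-Connecting-IP) if { src -f /etc/haproxy/cdn_ranges.lst }` (file name assumed), or at least the "perfectly trusted environment" warning that the if-none paragraph already carries.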

Patch 2:

> diff --git doc/configuration.txt doc/configuration.txt
> index ddfabcd92..49324fa53 100644
> --- doc/configuration.txt
> +++ doc/configuration.txt
> @@ -5114,7 +5114,8 @@ http-request set-src  [ { if | unless } 
>  ]
>This is used to set the source IP address to the value of specified
>expression. Useful when a proxy in front of HAProxy rewrites source IP, but
>provides the correct IP in a HTTP header; or you want to mask source IP for
> -  privacy.
> +  privacy. All subsequent calls to src field will return this value
> +  (see example).

This change looks good to me.

>Arguments :
>Is a standard HAProxy expression formed by a sample-fetch 
> followed
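Review bot: "All subsequent calls to src field" should read "all later uses of the "src" sample fetch"; the document does not use "field" for fetches, and "calls to" does not fit a configuration keyword.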
> @@ -5124,6 +5125,11 @@ http-request set-src  [ { if | unless } 
>  ]
>  http-request set-src hdr(x-forwarded-for)
>  http-request set-src src,ipmask(24)
>  
> +  Example:

Only a single "Example:" heading is used throughout the documentation.
As the first line can be shared with the previous example you could
write something like: # After the masking this will track connections
based on the IP address with the last octet zeroed out.

> +# This will track connection based on header IP
> +http-request set-src hdr(x-forwarded-for)
> +http-request track-sc0 src
> +
>When possible, set-src preserves the original source port as long as the
>address family allows it, otherwise the source port is set to 0.
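Review bot: the tracked key is chosen by the client unless a trusted proxy in front of HAProxy rewrites x-forwarded-for on every request, so whatever the stick table stores (request rates, connection counts, abuse flags) can be spread over arbitrary addresses, or pinned on a victim's address, by anyone who can reach HAProxy directly; the set-src line needs a condition on the real peer (`if { src -f ... }`) and the comment should say the example assumes such a proxy. Also, "hdr(x-forwarded-for)" with no occurrence returns the last comma-separated value, the one appended by the nearest proxy, which is the right choice but worth stating; `req.hdr_ip(x-forwarded-for,-1)` says it explicitly and yields an address rather than a string.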

Best regards
Tim Düsterhus
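The trust boundary behind Tim's objections, as an added HAProxy configuration fragment that is not part of the patch or of the HAProxy documentation: the submitted shape of the rule next to a guarded one. The list files under /etc/haproxy, the backend and server names, the admin path and the rate-limit figures are assumptions; the keywords used (req.hdr_ip, src -f, track-sc0, stick-table, deny_status) are standard HAProxy 2.x syntax.

```haproxy
# --- Shape of the submitted example: trust the header on every connection ---
frontend www_unguarded
    bind :80
    mode http
    http-request set-src req.hdr_ip(X-Forwarded-For,-1)
    # Evaluated after set-src: a client that connects directly, not through the
    # front proxy, passes this check by sending "X-Forwarded-For: 10.0.0.5".
    http-request deny if { path_beg /admin } !{ src -f /etc/haproxy/admin_sources.lst }
    option forwardfor
    default_backend app

# --- Guarded: rewrite src only for connections from the proxy tier -----------
frontend www
    bind :80
    mode http
    # Rules that must judge the real TCP peer go before set-src.
    http-request deny if { src -f /etc/haproxy/blocked_peers.lst }
    # Only trust the header when the peer is a known front proxy. "-1" takes the
    # last address in X-Forwarded-For, the one that proxy appended; anything the
    # client put in the header itself sits further left and is ignored. If the
    # header is absent or not an address, set-src changes nothing.
    http-request set-src req.hdr_ip(X-Forwarded-For,-1) if { src -f /etc/haproxy/front_proxies.lst }
    # From here on "src" is the client address: ACLs, counters and logs key on it.
    http-request deny if { path_beg /admin } !{ src -f /etc/haproxy/admin_sources.lst }
    http-request track-sc0 src table per_client
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    # forwardfor reads the connection's source address after the http-request
    # rules have run, so the servers receive the rewritten address.
    option forwardfor
    default_backend app

backend per_client
    stick-table type ip size 100k expire 10m store http_req_rate(10s)

backend app
    server app1 127.0.0.1:8080
```

The ordering is the point: anything that must see the TCP peer (peer block lists, the set-src condition itself) comes first, everything that should see the client (path ACLs, stick-table counters, the X-Forwarded-For value sent upstream) comes after the set-src line. A direct client of the guarded frontend keeps its own address whatever headers it sends, because the condition on src fails before the header is ever read.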



[PATCH] Minor improvements to doc "http-request set-src"

2020-04-20 Thread Olivier D
Hello,

Find attached two small patches to improve documentation on "option
forwardfor" and "http-request set-src".

I'm using gmail so I had to attach patches and was not able to send them
directly. If format is wrong, tell me :)

Olivier
From efbc320861c9c5a43219983cfc1073070b3e6622 Mon Sep 17 00:00:00 2001
From: Olivier Doucet 
Date: Mon, 20 Apr 2020 19:39:27 +0200
Subject: [DOC] This patch adds example on how to use "http-request
 set-src" with "option forwardfor".

---
 doc/configuration.txt | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git doc/configuration.txt doc/configuration.txt
index 5d01835d7..ddfabcd92 100644
--- doc/configuration.txt
+++ doc/configuration.txt
@@ -6735,7 +6735,8 @@ option forwardfor [ except  ] [ header  ] 
[ if-none ]
   header for a known source address or network by adding the "except" keyword
   followed by the network address. In this case, any source IP matching the
   network will not cause an addition of this header. Most common uses are with
-  private networks or 127.0.0.1.
+  private networks or 127.0.0.1. Another way to do it is to tell HAProxy to
+  trust a custom header with "http-request set-src".
 
   Alternatively, the keyword "if-none" states that the header will only be
   added if it is not present. This should only be used in perfectly trusted
@@ -6760,6 +6761,14 @@ option forwardfor [ except  ] [ header  ] 
[ if-none ]
 mode http
 option forwardfor header X-Client
 
+  Example :
+# Trust a specific header and use it as origin IP. 
+# If not found, source IP will be used.
+frontend www
+mode http
+http-request set-src CF-Connecting-IP
+option forwardfor
+
   See also : "option httpclose", "option http-server-close",
  "option http-keep-alive"
 
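Review bot: `http-request set-src CF-Connecting-IP` does not parse. The argument is a sample expression, and a bare header name is not one, so HAProxy rejects the rule at startup with an unknown fetch method; it should be `http-request set-src req.hdr(CF-Connecting-IP)` (or `req.hdr_ip(CF-Connecting-IP)` to obtain an address directly). With that fixed, "option forwardfor" placed after it forwards the rewritten address in X-Forwarded-For, because forwardfor reads the connection's source address once the http-request rules have run; the comment should say so, as that is the reason the two keywords are shown together.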
-- 
2.18.0.windows.1

From 34efa737cf09753301787dde7dc77df2041b3288 Mon Sep 17 00:00:00 2001
From: Olivier Doucet 
Date: Mon, 20 Apr 2020 19:59:43 +0200
Subject: [DOC] add useful information on "http-request set-src"

---
 doc/configuration.txt | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git doc/configuration.txt doc/configuration.txt
index ddfabcd92..49324fa53 100644
--- doc/configuration.txt
+++ doc/configuration.txt
@@ -5114,7 +5114,8 @@ http-request set-src  [ { if | unless }  
]
   This is used to set the source IP address to the value of specified
   expression. Useful when a proxy in front of HAProxy rewrites source IP, but
   provides the correct IP in a HTTP header; or you want to mask source IP for
-  privacy.
+  privacy. All subsequent calls to src field will return this value
+  (see example).
 
   Arguments :
   Is a standard HAProxy expression formed by a sample-fetch followed
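Review bot: the new sentence should spell out the consequence of "all subsequent" rather than only point at the example: every rule evaluated after this one, in this section or a later one (ACLs on src, track-sc*, log fields, the "except" check of "option forwardfor"), sees the rewritten address, so an access-control rule that must look at the real TCP peer has to be placed before the set-src line.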
@@ -5124,6 +5125,11 @@ http-request set-src  [ { if | unless } 
 ]
 http-request set-src hdr(x-forwarded-for)
 http-request set-src src,ipmask(24)
 
+  Example:
+# This will track connection based on header IP
+http-request set-src hdr(x-forwarded-for)
+http-request track-sc0 src
+
   When possible, set-src preserves the original source port as long as the
   address family allows it, otherwise the source port is set to 0.
 
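Review bot: the comment "This will track connection based on header IP" should read something like "Counters are now keyed on the address taken from the header", and the two lines belong under the "Example:" heading the section already has rather than under a second one. Without a condition on the real peer, the tracked key is whatever the client puts in x-forwarded-for, so the comment should also state that this is only meaningful behind a proxy that rewrites the header.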
-- 
2.18.0.windows.1



Re: [PATCH] CI: special purpose build, testing compatibility against "no-deprecated" openssl

2020-04-20 Thread Lukas Tribus
Hello Ilya,


On Mon, 20 Apr 2020 at 16:12, Илья Шипицин  wrote:
>> I added a weekly build for detecting incompatibilities against "no-deprecated"
>> openssl.
>>
>> (well, I first thought to add those options to travis, but it became
>> over-engineered from my point of view)
>>
>> Lukas, if you have suggestions how to add to travis, I can try.

I agree that it would be nice to have testing around the no-deprecated
openssl option, it's just that I don't know anything about
travis/github actions *at all*.

I did see the make options in this patch and I don't see anything wrong with it.

So from my point of view, you can proceed how you see fit.


Thanks,
Lukas



Re: [PATCH] CI: special purpose build, testing compatibility against "no-deprecated" openssl

2020-04-20 Thread Илья Шипицин
Lukas, Willy ?

Thu, 16 Apr 2020 at 23:16, Илья Шипицин :

> Hello,
>
> I added a weekly build for detecting incompatibilities against
> "no-deprecated" openssl.
>
> (well, I first thought to add those options to travis, but it became
> over-engineered from my point of view)
>
> Lukas, if you have suggestions how to add to travis, I can try.
>
> Cheers,
> Ilya Shipitsin
>


Re: Problem with crl certificate

2020-04-20 Thread Domenico Briganti
Ciao Marco, thanks for your help.
We've found the problem: we also need the CRL from the ROOT CA on top of
the file passed to the crl-file parameter, which already contains the
intermediate CRL.
But now we have another challenge, and we're going to lose this time,
as already discussed in [1] and [2].
We proxy MQTT connections, and we can't afford a restart of haproxy
every day to force haproxy to take the updated CRL...
Any help?
Regards, Domenico
[1] https://discourse.haproxy.org/t/crl-reload-and-long-life-tcp-connections/2645/2
[2] https://discourse.haproxy.org/t/ssl-termination-fails-when-crl-is-published/2336

On Sat, 18/04/2020 at 10.40 +0200, Marco Corte wrote:
> Hi!
> On 17/04/20 18:43, Davide Guarneri wrote:
> > crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem
> > verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem
> 
> I would verify how the certificates and the keys are placed in the
> files.
> /etc/haproxy/ssl/cert.pem must contain "both the required
> certificates and any associated private keys. [...] If your CA
> requires an intermediate certificate, this can also be concatenated
> into this file." (from HAProxy documentation)
> The client certificate is checked against the signature of the CAs
> defined in /etc/haproxy/ssl/ca-chain.cert.pem
> Moreover it is checked if the client certificate is listed in the
> certificate revocation list in /etc/haproxy/ssl/intermediate.crl.pem
> Hope this helps. Ciao!
> .marcoc
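Added example, not code from the thread or from HAProxy: a shell script that rebuilds a root, intermediate and client certificate with the openssl CLI and verifies the client the way HAProxy does for "crl-file". HAProxy sets OpenSSL's CRL_CHECK_ALL flag on the store it loads the crl-file into, so every certificate in the chain, the intermediate included, must have a CRL from its issuer in that file; `openssl verify -crl_check_all` applies the same rule, which is why the file needs the root CA's CRL as well. The last step revokes the client and shows that the old file keeps accepting it, the reload problem the message above describes. The file names, subjects and one-day CRL lifetime are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or from HAProxy): rebuild a root ->
# intermediate -> client PKI with the openssl CLI and verify the client
# certificate the way HAProxy does for "crl-file". HAProxy sets OpenSSL's
# CRL_CHECK_ALL flag, so every certificate in the chain, not only the client,
# must have a CRL from its issuer in the file; "openssl verify -crl_check_all"
# applies the same rule. File names, subjects and the 1-day CRL life are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYTYPE="ec -pkeyopt ec_paramgen_curve:prime256v1"   # fast to generate

# One self-contained OpenSSL config per CA: "req" needs a DN section, "ca" needs
# a database (index.txt) and a CRL lifetime. Nothing from /etc/ssl is used.
write_config() {   # $1 = CA working dir
    mkdir -p "$1"
    : > "$1/index.txt"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $1/index.txt
default_md       = sha256
default_crl_days = 1
EOF
}

new_csr() {   # $1 = name, $2 = CN
    openssl req -config "$WORK/root/openssl.cnf" -newkey $KEYTYPE -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# CRL signed by CA $1 ("root" or "inter"), written to $WORK/$1.crl.pem.
issue_crl() {
    openssl ca -config "$WORK/$1/openssl.cnf" -gencrl -keyfile "$WORK/$1.key" \
        -cert "$WORK/$1.pem" -out "$WORK/$1.crl.pem" 2>/dev/null
}

build_pki() {
    if [ -f "$WORK/client.pem" ]; then return 0; fi
    write_config "$WORK/root"; write_config "$WORK/inter"
    cfg="$WORK/root/openssl.cnf"
    # Root CA: self-signed, CA:TRUE and cRLSign from [ca_ext].
    openssl req -config "$cfg" -x509 -newkey $KEYTYPE -nodes -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root CA" 2>/dev/null
    # Intermediate CA signed by the root, client leaf signed by the intermediate.
    new_csr inter "Demo Intermediate CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$cfg" -extensions ca_ext \
        -out "$WORK/inter.pem" 2>/dev/null
    new_csr client "mqtt-client-1"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -out "$WORK/client.pem" 2>/dev/null
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca-chain.cert.pem"   # HAProxy "ca-file"
    issue_crl root
    issue_crl inter
}

# Record the client certificate as revoked in the intermediate CA's database.
revoke_client() {
    openssl ca -config "$WORK/inter/openssl.cnf" -keyfile "$WORK/inter.key" \
        -cert "$WORK/inter.pem" -revoke "$WORK/client.pem" 2>/dev/null
}

# Verify client.pem against the chain plus the given CRL file with CRL_CHECK_ALL.
# Prints OK or FAIL on stdout (the OpenSSL error line goes to stderr on FAIL).
verify_client() {   # $1 = CRL file
    out=$(openssl verify -crl_check_all -CAfile "$WORK/ca-chain.cert.pem" \
              -CRLfile "$1" "$WORK/client.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) echo "$out" | grep '^error [0-9]* at' >&2 || true; echo FAIL ;;
    esac
}

demo() {
    build_pki
    # Where the thread started: crl-file holds only the intermediate's CRL, so
    # the intermediate itself has no CRL to be checked against -> FAIL.
    echo "intermediate CRL only:            $(verify_client "$WORK/inter.crl.pem")"
    # The fix found in the thread: root CA's CRL on top of the intermediate's.
    cat "$WORK/root.crl.pem" "$WORK/inter.crl.pem" > "$WORK/crl-file.pem"
    echo "root + intermediate CRLs:         $(verify_client "$WORK/crl-file.pem")"
    # Revoke the client and issue a fresh intermediate CRL. The old crl-file still
    # accepts the client, which is why a published CRL needs HAProxy to reload it.
    revoke_client
    issue_crl inter
    cat "$WORK/root.crl.pem" "$WORK/inter.crl.pem" > "$WORK/crl-file-new.pem"
    echo "stale crl-file after revocation:  $(verify_client "$WORK/crl-file.pem")"
    echo "fresh crl-file after revocation:  $(verify_client "$WORK/crl-file-new.pem")"
}

demo
```

Run it as-is with any OpenSSL 1.1.1 or 3.x; the first line fails with "unable to get certificate CRL" at depth 1, the second passes, and the last two show the same client accepted by the stale file and rejected by the refreshed one. The chain file and the concatenated CRL file are exactly what "ca-file" and "crl-file" would be given on the bind line.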


Server weight in server-template and consul dns

2020-04-20 Thread Igor Cicimov
Hi,

I have the following template in a server backend:

server-template tomcats 10 _tomcat._tcp.service.consul resolvers consul resolve-prefer ipv4 check

This is the SRV records resolution:

# dig +short @127.0.0.1 -p 8600 _tomcat._tcp.service.consul SRV
1 10 8080 ip-10-20-3-21.node.dc1.consul.
1 10 8080 ip-10-20-4-244.node.dc1.consul.

The server weight reported by haproxy is 1, where I expected to see 10.
Just to clarify, is this expected, or is there a mixup between priority and
weight?

Thanks,
Igor