[ANNOUNCE] haproxy-2.0.18

2020-09-29 Thread Willy Tarreau
Hi,

HAProxy 2.0.18 was released on 2020/09/30. It added 43 new commits
after version 2.0.17.

Just like with 2.1.9, this one also collects 2 months of fixes. It does
have essentially the same fixes except for the Lua changes that allowed
all sample fetch functions and converters to be used, since that's quite
not suitable for 2.0 right now. The other fixed issues are still valid
however: fixes for the reference python SPOA server, HTTP 1xx interim
responses that were unexpectedly delayed, command-line parsing issue
causing "haproxy -s" with no more argument to go 100% CPU, an unknown H2
frame type that was accidentally rejected while it ought not to have been,
listeners not bound to all processes not correctly handling a pause and
resume cycle, the workaround for the libgcc_s crashes when using chroot,
Lua fixes to how arguments are passed to sample fetch functions and
converters (namely maps), a few OCSP issues I don't remember about, and
a rare risk of crash or most likely wrong info being used if a request-only
sample fetch is used in a response.

And unsurprisingly like with 2.1.9, there's no rush to upgrade to 2.0.18,
however I'd appreciate it if new bug reports for 2.0 are provided based
on 2.0.18 so that we're sure we're not facing a known fixed bug (since
some of them are dirty and can cause erratic behaviors which complicate
troubleshooting).

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Wiki : https://github.com/haproxy/wiki/wiki
   Sources  : http://www.haproxy.org/download/2.0/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
   Changelog: http://www.haproxy.org/download/2.0/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (1):
  BUG/MINOR: config: Fix memory leak on config parse listen

Christopher Faulet (9):
  BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
  BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
  BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
  BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
  BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
  BUG/MEDIUM: doc: Fix replace-path action description
  BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
  BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
  BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch

Eric Salama (1):
  BUG/MINOR: Fix memory leaks cfg_parse_peers

Gilchrist Dadaglo (5):
  BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
  BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
  BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
  BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
  BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address

Tim Duesterhus (3):
  DOC: cache: Use '' instead of '' in error message
  MINOR: Commit .gitattributes
  CLEANUP: Update .gitignore

Victor Kislov (1):
  BUG/MINOR: auth: report valid crypto(3) support depending on build options

William Dauchy (2):
  DOC: spoa-server: fix false friends `actually`
  DOC: agent-check: fix typo in "fail" word expected reply

William Lallemand (5):
  BUG/MINOR: snapshots: leak of snapshots on deinit()
  BUG/MINOR: startup: haproxy -s cause 100% cpu
  BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
  BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
  BUG/MINOR: ssl: verifyhost is case sensitive

Willy Tarreau (16):
  SCRIPTS: git-show-backports: make -m most only show the left branch
  SCRIPTS: git-show-backports: emit the shell command to backport a commit
  BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
  BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
  BUG/MINOR: reload: do not fail when no socket is sent
  BUG/MINOR: threads: work around a libgcc_s issue with chrooting
  BUILD: thread: limit the libgcc_s workaround to glibc only
  BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
  BUILD: threads: better workaround for late loading of libgcc_s
  BUG/MINOR: server: report correct error message for invalid port on "socks4"
  BUG/MEDIUM: h2: report frame bits only for handled types
  BUG/MEDIUM: listeners: do not pause foreign listeners
  REGTESTS: add a few load balancing tests
 

[ANNOUNCE] haproxy-2.1.9

2020-09-29 Thread Willy Tarreau
Hi,

HAProxy 2.1.9 was released on 2020/09/30. It added 59 new commits
after version 2.1.8.

This version collects 2 months of fixes, the same as those that were spread
over 2.2.3 and 2.2.4, so I won't paraphrase myself, but will just give a
quick summary.

We have fixes for the reference python SPOA server, HTTP 1xx interim
responses that were unexpectedly delayed, command-line parsing issue
causing "haproxy -s" with no more argument to go 100% CPU, an unknown
H2 frame type that was accidentally rejected while it ought not to have been,
listeners not bound to all processes not correctly handling a pause and
resume cycle, the workaround for the libgcc_s crashes when using chroot,
Lua fixes to how arguments are passed to sample fetch functions and
converters (namely maps), allowing some converters to have become
accessible again from Lua, a few OCSP issues I don't remember about,
and a rare risk of crash or most likely wrong info being used if a
request-only sample fetch is used in a response.

With all this, I'd say that it would be nice to upgrade. No emergency,
but I'd rather not get any reports from 2.1 versions older than 2.1.9
considering the number of known erratic behaviors we can get there.
Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Wiki : https://github.com/haproxy/wiki/wiki
   Sources  : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog: http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (1):
  BUG/MINOR: config: Fix memory leak on config parse listen

Christopher Faulet (19):
  BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
  BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
  MINOR: arg: Add an argument type to keep a reference on opaque data
  BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter
  BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created
  BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters
  BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
  BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
  MINOR: hlua: Don't needlessly copy lua strings in trash during args validation
  BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array
  MEDIUM: lua: Don't filter exported fetches and converters
  MINOR: http-htx: Add an option to eval query-string when the path is replaced
  BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action
  BUG/MEDIUM: doc: Fix replace-path action description
  Revert "BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action"
  BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
  MINOR: arg: Use chunk_destroy() to release string arguments
  BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
  BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch

Eric Salama (1):
  BUG/MINOR: Fix memory leaks cfg_parse_peers

Gilchrist Dadaglo (5):
  BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
  BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
  BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
  BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
  BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address

Tim Duesterhus (3):
  DOC: cache: Use '' instead of '' in error message
  MINOR: Commit .gitattributes
  CLEANUP: Update .gitignore

Victor Kislov (1):
  BUG/MINOR: auth: report valid crypto(3) support depending on build options

William Dauchy (2):
  DOC: spoa-server: fix false friends `actually`
  DOC: agent-check: fix typo in "fail" word expected reply

William Lallemand (7):
  BUG/MINOR: ssl: fix memory leak at OCSP loading
  BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()
  BUG/MINOR: snapshots: leak of snapshots on deinit()
  BUG/MINOR: startup: haproxy -s cause 100% cpu
  BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
  BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
  BUG/MINOR: ssl: verifyhost is case sensitive

Willy Tarreau (20):
  SCRIPTS: git-show-backports: make -m most only show the left branch
  SCRIPTS: git-show-backports: emit the shell command to 

Re: [PATCH] BUILD: makefile: Fix building with closefrom() support enabled

2020-09-29 Thread Brad Smith

Looks like this should be backported to 2.0, 2.1 and 2.2.

On 9/30/2020 1:04 AM, Brad Smith wrote:

I noticed the USE_CLOSEFROM define was not being passed along like the rest
during the build.

Looking around I see this was broken with the following two commits and related
series..

BUILD: Makefile: also report disabled options in the BUILD_OPTIONS variable
http://git.haproxy.org/?p=haproxy.git;a=commit;h=05fd82da76d1bbc8d65d63ab246bda7cbcf8481a

BUILD: pass all "USE_*" variables as -DUSE_* to the compiler
http://git.haproxy.org/?p=haproxy.git;a=commit;h=824cd00d3bda8f7f6d4c30baf77ba6c19ab47811



diff --git a/Makefile b/Makefile
index 197126db5..d84b032c2 100644
--- a/Makefile
+++ b/Makefile
@@ -37,6 +37,7 @@
  #   USE_LUA  : enable Lua support.
  #   USE_FUTEX: enable use of futex on kernel 2.6. Automatic.
  #   USE_ACCEPT4  : enable use of accept4() on linux. Automatic.
+#   USE_CLOSEFROM: enable use of closefrom() on *bsd, solaris. 
Automatic.
  #   USE_PRCTL: enable use of prctl(). Automatic.
  #   USE_ZLIB : enable zlib library support.
  #   USE_SLZ  : enable slz library instead of zlib (pick at most 
one).
@@ -291,7 +292,7 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER   
  \
 USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY   
\
 USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H  
\
 USE_GETADDRINFO USE_OPENSSL USE_LUA USE_FUTEX USE_ACCEPT4  
\
-   USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS   \
+   USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
 USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD  
\
 USE_OBSOLETE_LINKER USE_PRCTL USE_THREAD_DUMP USE_EVPORTS
  





[PATCH] BUILD: makefile: Fix building with closefrom() support enabled

2020-09-29 Thread Brad Smith
I noticed the USE_CLOSEFROM define was not being passed along like the rest
during the build.

Looking around I see this was broken with the following two commits and related
series..

BUILD: Makefile: also report disabled options in the BUILD_OPTIONS variable
http://git.haproxy.org/?p=haproxy.git;a=commit;h=05fd82da76d1bbc8d65d63ab246bda7cbcf8481a

BUILD: pass all "USE_*" variables as -DUSE_* to the compiler
http://git.haproxy.org/?p=haproxy.git;a=commit;h=824cd00d3bda8f7f6d4c30baf77ba6c19ab47811



diff --git a/Makefile b/Makefile
index 197126db5..d84b032c2 100644
--- a/Makefile
+++ b/Makefile
@@ -37,6 +37,7 @@
 #   USE_LUA  : enable Lua support.
 #   USE_FUTEX: enable use of futex on kernel 2.6. Automatic.
 #   USE_ACCEPT4  : enable use of accept4() on linux. Automatic.
+#   USE_CLOSEFROM: enable use of closefrom() on *bsd, solaris. 
Automatic.
 #   USE_PRCTL: enable use of prctl(). Automatic.
 #   USE_ZLIB : enable zlib library support.
 #   USE_SLZ  : enable slz library instead of zlib (pick at most 
one).
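Review bot: the new USE_CLOSEFROM documentation line is wrapped over two lines in this posting, with "Automatic." landing on a line of its own without the leading "#"; make sure the committed Makefile keeps the whole comment on one "#" line, since a bare "Automatic." inside the options block is not a valid make statement.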
@@ -291,7 +292,7 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER   
  \
USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY   \
USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H  \
USE_GETADDRINFO USE_OPENSSL USE_LUA USE_FUTEX USE_ACCEPT4  \
-   USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS   \
+   USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD  \
USE_OBSOLETE_LINKER USE_PRCTL USE_THREAD_DUMP USE_EVPORTS
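Review bot: adding USE_CLOSEFROM to use_opts is what restores the -DUSE_CLOSEFROM define, since the referenced "pass all USE_* variables as -DUSE_*" commit derives the compiler flags from this list; the commit message should spell out the user-visible effect (closefrom() support silently compiled out on the *bsd and solaris targets even when USE_CLOSEFROM is set) and the first affected release, so the backport request for 2.0, 2.1 and 2.2 raised in the reply can be acted on.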
 



[ANNOUNCE] haproxy-2.2.4

2020-09-29 Thread Willy Tarreau
Hi,

HAProxy 2.2.4 was released on 2020/09/30. It added 25 new commits
after version 2.2.3.

For once there's nothing really important, it's just a pipe flush, so most
users might be encouraged to have a look at it and consider an update when
they have nothing better to do on a rainy day.

The main fixes are a rework of my ugly workaround for libgcc_s crashes
that broke 2.2.3 on armv7, an issue by which updating maps on the CLI
could sometimes leave dangling entries accessible from the pattern cache,
a problem with the way multi-process listeners are paused and resumed in
failed attempts at a soft-reload (a socket not bound on all process may
never be able to recover), and a risk of crash when using SSL crypto
engines.

There are a few other pretty minor ones such as parser leaks, crtlist
parsing issues, and an undesired case sensitivity in verifyhost.

The "path-only" option to "balance uri" was backported from 2.3 as too many
users were experiencing trouble with inconsistent hashing of HTTP/1.1 and
HTTP/2 URIs.

That's roughly all. No rush, if you're not facing any bug, it's unlikely
to make your life better. But it may save you from keeping a patch or two
in your local tree, which is always appreciated.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Wiki : https://github.com/haproxy/wiki/wiki
   Sources  : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog: http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (1):
  BUG/MINOR: config: Fix memory leak on config parse listen

Christopher Faulet (2):
  BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
  BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch

Eric Salama (1):
  BUG/MINOR: Fix memory leaks cfg_parse_peers

Ilya Shipitsin (1):
  REGTESTS: use "command" instead of "which" for better POSIX compatibility

Miroslav Zagorac (1):
  BUILD: trace: include tools.h

Olivier Houchard (1):
  BUG/MEDIUM: ssl: Don't call ssl_sock_io_cb() directly.

Tim Duesterhus (1):
  BUG/MINOR: Fix type passed of sizeof() for calloc()

William Dauchy (1):
  DOC: agent-check: fix typo in "fail" word expected reply

William Lallemand (3):
  BUG/MINOR: ssl: verifyhost is case sensitive
  BUG/MINOR: ssl/crt-list: crt-list could end without a \n
  BUG/MINOR: ssl/crt-list: exit on warning out of crtlist_parse_line()

Willy Tarreau (13):
  BUILD: threads: better workaround for late loading of libgcc_s
  BUG/MINOR: server: report correct error message for invalid port on "socks4"
  BUG/MINOR: h2/trace: do not display "stream error" after a frame ACK
  BUG/MEDIUM: h2: report frame bits only for handled types
  MINOR: h2/trace: also display the remaining frame length in traces
  MINOR: backend: make the "whole" option of balance uri take only one bit
  MINOR: backend: add a new "path-only" option to "balance uri"
  REGTESTS: add a few load balancing tests
  BUG/MEDIUM: listeners: do not pause foreign listeners
  REGTEST: fix host part in balance-uri-path-only.vtc
  REGTEST: make agent-check.vtc require 1.8
  REGTEST: make abns_socket.vtc require 1.8
  REGTEST: make map_regm_with_backref require 1.7

---
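An added illustration of the "path-only" point made in the 2.2.4 announcement above; this is example code written for this page, not HAProxy's own hashing or load-balancing code. It assumes what the option's name says: with path-only the balancing key starts at the first '/' of the path, so an HTTP/2 request (absolute-form URI, scheme and authority included) and an HTTP/1.1 request (origin-form URI) for the same resource hash to the same server. The hash (FNV-1a), the modulo server pick and the "whole" parameter handling are constructed for the demo.

```c
/* Example code for this page, not HAProxy's: shows why hashing the whole URI
 * splits one resource across servers once HTTP/2 clients send absolute-form
 * URIs, and why hashing from the path only does not. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the path part of <uri>: for an absolute-form URI the first '/' after
 * "scheme://authority", otherwise the string itself. An absolute URI with no
 * path at all yields an empty string. */
const char *uri_path_start(const char *uri)
{
	const char *p = strstr(uri, "://");

	if (p == NULL || p == uri)       /* origin form, or no scheme at all */
		return uri;
	p = strchr(p + 3, '/');          /* skip "://" and the authority */
	return p ? p : "";
}

/* constructed hash for the demo (FNV-1a 64-bit), not HAProxy's */
static uint64_t fnv1a(const char *s, size_t len)
{
	uint64_t h = 1469598103934665603ULL;
	size_t i;

	for (i = 0; i < len; i++) {
		h ^= (unsigned char)s[i];
		h *= 1099511628211ULL;
	}
	return h;
}

/* Balancing key for <uri>. <path_only> drops scheme and authority; <whole>
 * keeps the query string, which is otherwise cut at the first '?'
 * (assumed behaviour of the "whole" option named in the changelog above). */
uint64_t uri_hash(const char *uri, int path_only, int whole)
{
	const char *key = path_only ? uri_path_start(uri) : uri;
	const char *q = whole ? NULL : strchr(key, '?');
	size_t len = q ? (size_t)(q - key) : strlen(key);

	return fnv1a(key, len);
}

/* Picks one of <nsrv> servers (plain modulo, not HAProxy's consistent hash). */
int pick_server(const char *uri, int path_only, int whole, int nsrv)
{
	return (int)(uri_hash(uri, path_only, whole) % (uint64_t)nsrv);
}

int main(void)
{
	const char *h1 = "/img/logo.png";                        /* HTTP/1.1 origin form */
	const char *h2 = "https://www.example.com/img/logo.png"; /* HTTP/2 absolute form */

	printf("whole URI : h1 -> srv%d, h2 -> srv%d\n",
	       pick_server(h1, 0, 0, 4), pick_server(h2, 0, 0, 4));
	printf("path-only : h1 -> srv%d, h2 -> srv%d\n",
	       pick_server(h1, 1, 0, 4), pick_server(h2, 1, 0, 4));
	return 0;
}
```

The first printf line may or may not land on the same server by chance; the second always does, which is the property the option restores for mixed HTTP/1.1 and HTTP/2 traffic.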



Easy but useful feature missing, anyone interested ?

2020-09-29 Thread Willy Tarreau
Hi all,

while revisiting pending issues, I've come across this one, about
the impossibility for an environment variable to produce multiple
words in the configuration:

https://github.com/haproxy/haproxy/issues/165

It can be trivially addressed by adding support for ${VAR[*]} to the
config language. This addition is relatively simple to do, roughly
speaking, simply add the code in parse_line() in the "if" block dealing
with "$", detect the presence of '[', terminate the variable name here,
raise a flag, then once the variable is resolved, increase arg for each
space found.

We've missed it for 2.2 already, it would be nice if someone interested
in this feature could have a look at it before we release 2.3. I'm OK
with merging it slightly late given that the side effects are quickly
tested.

In the same vein, I've long been saying that we're missing an ifdef
mechanism, but if we had $(if,cond,true,false) like makefiles, we could
already do a lot, particularly in the regtests. There's quite more work
here (define expressions for the condition, internal variable names for
version and builtin options, recursive resolving of variable names), but
it's likely that the same person(s) might be interested.

If someone's interested in having a look at that, please let me know.
There's no shame in trying and not succeeding, don't worry :-)

Thanks,
Willy
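The expansion sketched in the message above, as an added example that is not part of the original post and not HAProxy's parse_line(): a minimal tokenizer for one configuration line in which "${VAR}" always produces exactly one word and "${VAR[*]}" produces one word per space-separated item of the value (detect '[' after the name, resolve the variable, then open a new argument at each space). Variable values come from a constructed table with hypothetical names rather than getenv(), so the demo is deterministic; the buffer sizes and helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define OUT_SIZE 256

/* constructed sample "environment" (hypothetical variable names, not getenv()) */
static const char *lookup_var(const char *name, size_t len)
{
	static const struct { const char *name, *value; } env[] = {
		{ "MY_OPTS", "check inter 1s fall 3" },
		{ "PORT",    "8080" },
	};
	size_t i;

	for (i = 0; i < sizeof(env) / sizeof(env[0]); i++)
		if (strlen(env[i].name) == len && memcmp(env[i].name, name, len) == 0)
			return env[i].value;
	return "";                      /* unknown variables expand to nothing */
}

/* Splits <line> into words copied into <out> (outlen bytes) and pointed to by
 * args[]: "${VAR}" always yields one word, "${VAR[*]}" one word per space-
 * separated item of the value. Returns the word count, or -1 on an unterminated
 * "${", a subscript other than [*], too many words, or an overflow of <out>. */
int parse_line(const char *line, char *out, size_t outlen, char **args, int max_args)
{
	int arg = 0, in_word = 0;
	size_t o = 0;
	const char *p = line;

	while (*p) {
		if (*p == ' ' || *p == '\t') {          /* word separator */
			if (in_word) { out[o++] = 0; in_word = 0; }
			p++;
			continue;
		}
		if (!in_word) {                         /* open a new word */
			if (arg >= max_args)
				return -1;
			args[arg++] = out + o;
			in_word = 1;
		}
		if (*p == '$' && p[1] == '{') {
			const char *name = p + 2, *end = name, *val;
			int split = 0;

			while (*end && *end != '}' && *end != '[')
				end++;
			if (*end == '[') {                  /* "${VAR[*]}": may give several words */
				if (strncmp(end, "[*]}", 4) != 0)
					return -1;
				split = 1;
			}
			else if (*end != '}')
				return -1;                      /* unterminated "${" */
			val = lookup_var(name, (size_t)(end - name));
			p = end + (split ? 4 : 1);          /* skip "}" or "[*]}" */
			/* a [*] token opening a word must not leave an empty word behind */
			if (split && args[arg - 1] == out + o) { arg--; in_word = 0; }
			for (; *val; val++) {
				if (split && *val == ' ') {     /* each space starts a new arg */
					if (in_word) { out[o++] = 0; in_word = 0; }
					continue;
				}
				if (!in_word) {
					if (arg >= max_args)
						return -1;
					args[arg++] = out + o;
					in_word = 1;
				}
				if (o + 1 >= outlen)
					return -1;
				out[o++] = *val;
			}
			continue;
		}
		if (o + 1 >= outlen)
			return -1;
		out[o++] = *p++;
	}
	if (in_word)
		out[o++] = 0;
	return arg;
}

/* helpers for the checks: word count, and "word <idx> equals <expect>" */
int count_words(const char *line)
{
	char out[OUT_SIZE], *args[MAX_ARGS];
	return parse_line(line, out, sizeof(out), args, MAX_ARGS);
}

int word_is(const char *line, int idx, const char *expect)
{
	char out[OUT_SIZE], *args[MAX_ARGS];
	int n = parse_line(line, out, sizeof(out), args, MAX_ARGS);
	return n > idx && strcmp(args[idx], expect) == 0;
}

int main(void)
{
	char out[OUT_SIZE], *args[MAX_ARGS];
	int i, n = parse_line("server s1 127.0.0.1:${PORT} ${MY_OPTS[*]}", out, sizeof(out), args, MAX_ARGS);

	for (i = 0; i < n; i++)
		printf("args[%d] = \"%s\"\n", i, args[i]);
	return n < 0;
}
```

The one subtlety worth carrying into a real implementation is the empty expansion: "${UNSET[*]}" must contribute no word at all, whereas "${UNSET}" still contributes one (empty) word, otherwise a line's argument positions shift depending on the environment.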



Re: stable-bot: Bugfixes waiting for a release 2.2 (11), 2.1 (36), 2.0 (26), 1.8 (12)

2020-09-29 Thread Willy Tarreau
On Wed, Sep 30, 2020 at 12:00:08AM +, stable-...@haproxy.com wrote:
> Thus the computed ideal release date for 2.2.4 would be 2020-10-11, which is 
> in two weeks or less.
> Thus the computed ideal release date for 2.1.9 would be 2020-09-04, which was 
> three weeks ago.
> Thus the computed ideal release date for 2.0.18 would be 2020-10-04, which is 
> in one week or less.

If not disturbed today, I'll try to emit a bunch of versions to flush the
pipe from known bugs.

Willy



Re: [PATCH] BUILD: makefile: Update feature flags for FreeBSD

2020-09-29 Thread Brad Smith

On 9/29/2020 5:12 AM, Willy Tarreau wrote:

On Tue, Sep 15, 2020 at 03:10:04AM -0400, Brad Smith wrote:

This updates the feature flags for FreeBSD.

FreeBSD 10 adds support for accept4().

Enable getaddrinfo().

From the FreeBSD port / package.

Applied, thanks Brad! And sorry for missing it the first time, it simply
went out of my scrolling area :-)

Willy


Thanks.



stable-bot: Bugfixes waiting for a release 2.2 (11), 2.1 (36), 2.0 (26), 1.8 (12)

2020-09-29 Thread stable-bot
Hi,

This is a friendly bot that watches fixes pending for the next haproxy-stable 
release!  One such e-mail is sent periodically once patches are waiting in the 
last maintenance branch, and an ideal release date is computed based on the 
severity of these fixes and their merge date.  Responses to this mail must be 
sent to the mailing list.


Last release 2.2.3 was issued on 2020-09-08.  There are currently 11 patches in 
the queue cut down this way:
- 3 MEDIUM, first one merged on 2020-09-11
- 8 MINOR, first one merged on 2020-09-22

Thus the computed ideal release date for 2.2.4 would be 2020-10-11, which is in 
two weeks or less.

Last release 2.1.8 was issued on 2020-07-31.  There are currently 36 patches in 
the queue cut down this way:
- 1 MAJOR, first one merged on 2020-09-07
- 12 MEDIUM, first one merged on 2020-08-05
- 23 MINOR, first one merged on 2020-08-11

Thus the computed ideal release date for 2.1.9 would be 2020-09-04, which was 
three weeks ago.

Last release 2.0.17 was issued on 2020-07-31.  There are currently 26 patches 
in the queue cut down this way:
- 1 MAJOR, first one merged on 2020-09-07
- 11 MEDIUM, first one merged on 2020-08-05
- 14 MINOR, first one merged on 2020-08-11

Thus the computed ideal release date for 2.0.18 would be 2020-10-04, which is 
in one week or less.

Last release 1.8.26 was issued on 2020-08-03.  There are currently 12 patches 
in the queue cut down this way:
- 5 MEDIUM, first one merged on 2020-08-05
- 7 MINOR, first one merged on 2020-08-03

Thus the computed ideal release date for 1.8.27 would be 2020-10-26, which is 
in four weeks or less.

The current list of patches in the queue is:
 - 2.0, 2.1           - MAJOR  : contrib/spoa-server: Fix unhandled python call leading to memory leak
 - 2.0, 2.1           - MEDIUM : mux-h1: Refresh H1 connection timeout after a synchronous send
 - 2.0, 2.1           - MEDIUM : htx: smp_prefetch_htx() must always validate the direction
 - 2.0, 2.1           - MEDIUM : ssl: does not look for all SNIs before chosing a certificate
 - 2.1, 2.2           - MEDIUM : h2: report frame bits only for handled types
 - 2.0, 2.1           - MEDIUM : http-ana: Don't wait to send 1xx responses received from servers
 - 2.1                - MEDIUM : ssl: memory leak of ocsp data at SSL_CTX_free()
 - 2.0, 2.1           - MEDIUM : contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
 - 2.0, 2.1           - MEDIUM : mux-h1: always apply the timeout on half-closed connections
 - 2.2                - MEDIUM : ssl: Don't call ssl_sock_io_cb() directly.
 - 1.8                - MEDIUM : pattern: fix memory leak in regex pattern functions
 - 1.8, 2.0, 2.1, 2.2 - MEDIUM : pattern: Renew the pattern expression revision when it is pruned
 - 1.8, 2.0           - MEDIUM : mux-h2: Don't fail if nothing is parsed for a legacy chunk response
 - 1.8, 2.0, 2.1      - MEDIUM : ssl: check OCSP calloc in ssl_sock_load_ocsp()
 - 1.8, 2.0, 2.1      - MEDIUM : map/lua: Return an error if a map is loaded during runtime
 - 2.0, 2.1           - MEDIUM : doc: Fix replace-path action description
 - 1.8, 2.0, 2.1      - MINOR  : reload: do not fail when no socket is sent
 - 2.0, 2.1           - MINOR  : contrib/spoa-server: Updating references to free in case of failure
 - 2.1                - MINOR  : arg: Fix leaks during arguments validation for fetches/converters
 - 2.0, 2.1, 2.2      - MINOR  : http-fetch: Don't set the sample type during the htx prefetch
 - 2.2                - MINOR  : config: Fix memory leak on config parse listen
 - 2.1, 2.2           - MINOR  : h2/trace: do not display "stream error" after a frame ACK
 - 2.0, 2.1, 2.2      - MINOR  : ssl: verifyhost is case sensitive
 - 2.0, 2.1           - MINOR  : snapshots: leak of snapshots on deinit()
 - 2.2                - MINOR  : Fix type passed of sizeof() for calloc()
 - 2.0, 2.1           - MINOR  : contrib/spoa-server: Ensure ip address references are freed
 - 1.8, 2.0, 2.1      - MINOR  : startup: haproxy -s cause 100% cpu
 - 1.8, 2.0, 2.1      - MINOR  : stats: use strncmp() instead of memcmp() on health states
 - 1.8, 2.0, 2.1      - MINOR  : lua: Check argument type to convert it to IPv4/IPv6 arg validation
 - 2.1                - MINOR  : http-rules: Replace path and query-string in "replace-path" action"
 - 2.0, 2.1, 2.2      - MINOR  : server: report correct error message for invalid port on "socks4"
 - 2.1                - MINOR  : ssl: fix memory leak at OCSP loading
 - 2.1                - MINOR  : lua: Duplicate lua strings in sample fetches/converters arg array
 - 1.8, 2.0, 2.1      - MINOR  : threads: work around a libgcc_s 

Bid Writing Workshops Via Zoom

2020-09-29 Thread NFP Workshops


NFP WORKSHOPS
18 Blake Street, York YO1 8QG   01133 280988
Affordable Training Courses for Charities, Schools & Public Sector 
Organisations 




This email has been sent to haproxy@formilux.org
CLICK TO UNSUBSCRIBE FROM LIST
Alternatively send a blank e-mail to unsubscr...@nfpmail2001.co.uk quoting 
haproxy@formilux.org in the subject line.
Unsubscribe requests will take effect within seven days. 




Bid Writing: The Basics
Online via ZOOM 

COST £95.00

TOPICS COVERED

Do you know the most common reasons for rejection? Are you gathering the right 
evidence? Are you making the right arguments? Are you using the right 
terminology? Are your numbers right? Are you learning from rejections? Are you 
assembling the right documents? Do you know how to create a clear and concise 
standard funding bid?

Are you communicating with people or just excluding them? Do you know your own 
organisation well enough? Are you thinking through your projects carefully 
enough? Do you know enough about your competitors? Are you answering the 
questions funders will ask themselves about your application? Are you 
submitting applications correctly?

PARTICIPANTS  

Staff members, volunteers, trustees or board members of charities, schools, not 
for profits or public sector organisations who intend to submit grant funding 
applications to charitable grant making trusts and foundations. People who 
provide advice to these organisations are also welcome.

BOOKING DETAILS   

Participants receive full notes and sample bids by e-mail after the workshop. 
The workshop consists of talk, questions and answers. There are no power points 
or audio visuals used. All places must be booked through the online booking 
system using a debit card, credit card or paypal. We do not issue invoices or 
accept bank or cheque payments. If you do not have a payment card from your 
organisation please use a personal one and claim reimbursement using the 
booking confirmation e-mail as proof of purchase.

BOOKING TERMS

Workshop bookings are non-cancellable and non-refundable. If you are unable to 
participate on the booked date you may allow someone else to log on in your 
place. There is no need to contact us to let us know that there will be a 
different participant. Bookings are non-transferable between dates unless an 
event is postponed. If an event is postponed then bookings will be valid on any 
future scheduled date for that workshop.
   
QUESTIONS

If you have a question please e-mail in...@nfpmail2001.co.uk You will usually 
receive a response within 24 hours. Due to our training commitments we are 
unable to accept questions by phone. 
Bid Writing: Advanced
Online via ZOOM 

COST £95.00

TOPICS COVERED

Are you applying to the right trusts? Are you applying to enough trusts? Are 
you asking for the right amount of money? Are you applying in the right ways? 
Are your projects the most fundable projects? 

Are you carrying out trust fundraising in a professional way? Are you 
delegating enough work? Are you highly productive or just very busy? Are you 
looking for trusts in all the right places? 

How do you compare with your competitors for funding? Is the rest of your 
fundraising hampering your bids to trusts? Do you understand what trusts are 
ideally looking for?

Dates & Booking Links
BID WRITING: THE BASICS
Mon 12 Oct 2020, 10.00 to 12.30 (Booking Link)
Mon 26 Oct 2020, 10.00 to 12.30 (Booking Link)
Mon 09 Nov 2020, 10.00 to 12.30 (Booking Link)
Mon 23 Nov 2020
10.00 to 

[PATCH v2 2/2] MINOR: ssl: Add error if a crt-list might be truncated

2020-09-29 Thread Tim Duesterhus
Similar to warning during the parsing of the regular configuration file
that was added in 2fd5bdb439da29f15381aeb57c51327ba57674fc this patch adds
a warning to the parsing of a crt-list if the file does not end in a
newline (and thus might have been truncated).

The logic essentially just was copied over. It might be good to refactor
this in the future, allowing easy re-use within all line-based config
parsers.

see https://github.com/haproxy/haproxy/issues/860#issuecomment-693422936
see 0354b658f061d00d5ab4b728d7deeff2c8f1503a

This should be backported as a warning to 2.2.
---
 src/ssl_crtlist.c | 28 ++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f1c15e051..c0987bc17 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -452,6 +452,7 @@ int crtlist_parse_file(char *file, struct bind_conf 
*bind_conf, struct proxy *cu
struct stat buf;
int linenum = 0;
int cfgerr = 0;
+   int missing_lf = -1;
 
if ((f = fopen(file, "r")) == NULL) {
memprintf(err, "cannot open file '%s' : %s", file, 
strerror(errno));
@@ -471,6 +472,14 @@ int crtlist_parse_file(char *file, struct bind_conf 
*bind_conf, struct proxy *cu
char *crt_path;
struct ckch_store *ckchs;
 
+   if (missing_lf != -1) {
+   memprintf(err, "parsing [%s:%d]: Stray NUL character at 
position %d.\n",
+ file, linenum, (missing_lf + 1));
+   cfgerr |= ERR_ALERT | ERR_FATAL;
+   missing_lf = -1;
+   break;
+   }
+
linenum++;
end = line + strlen(line);
if (end-line == sizeof(thisline)-1 && *(end-1) != '\n') {
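Review bot: the new "Stray NUL character" message ends with "\n" while the other messages built with memprintf() in this file (for instance "parsing [%s:%d]: too many '['" in patch 1/2) carry no trailing newline; drop it so the caller formats err consistently. The reporting logic itself is right: the check runs before linenum++, so the number shown is that of the line that lacked its LF, and missing_lf is reset before the break, so the post-loop "Missing LF" message cannot fire a second time for the same line.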
@@ -486,14 +495,22 @@ int crtlist_parse_file(char *file, struct bind_conf 
*bind_conf, struct proxy *cu
if (*line == '#' || *line == '\n' || *line == '\r')
continue;
 
+   if (end > line && *(end-1) == '\n') {
+   /* kill trailing LF */
+   *(end - 1) = 0;
+   }
+   else {
+   /* mark this line as truncated */
+   missing_lf = end - line;
+   }
+
entry = crtlist_entry_new();
if (entry == NULL) {
memprintf(err, "Not enough memory!");
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
-   if (*(end - 1) == '\n')
-   *(end - 1) = '\0'; /* line parser mustn't receive any 
\n */
+
cfgerr |= crtlist_parse_line(thisline, _path, entry, file, 
linenum, err);
if (cfgerr & ERR_CODE)
goto error;
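Review bot: because the `#`/empty-line `continue` sits above the new LF check, a comment line that is the last line of the file and has no trailing LF is never flagged; if the goal is to detect truncation regardless of content, move the "kill trailing LF / mark as truncated" block above that `continue` (and test for an empty line after stripping). Moving the strip ahead of crtlist_entry_new() is a good change, and the added `end > line` guard fixes a read before the buffer that the removed `*(end - 1) == '\n'` test performed when strlen(line) is 0, i.e. when the line starts with a NUL byte.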
@@ -587,6 +604,13 @@ int crtlist_parse_file(char *file, struct bind_conf 
*bind_conf, struct proxy *cu
 
entry = NULL;
}
+
+   if (missing_lf != -1) {
+   memprintf(err, "parsing [%s:%d]: Missing LF on last line, file 
might have been truncated at position %d.\n",
+ file, linenum, (missing_lf + 1));
+   cfgerr |= ERR_ALERT | ERR_FATAL;
+   }
+
if (cfgerr & ERR_CODE)
goto error;
 
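Review bot: the code raises ERR_ALERT | ERR_FATAL, i.e. a fatal error, while the commit message describes the change as adding "a warning" and asks for it to be backported "as a warning to 2.2"; align the two (the subject says "Add error"), and if the backport is really meant to only warn it needs the warning-level flag instead of ERR_FATAL in the backported version. The placement after the `entry = NULL;` loop epilogue means the truncated last entry has already been parsed and queued before the file is rejected; that is fine since `goto error` follows, but a comment saying so would help the next reader.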
-- 
2.28.0
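The two checks this patch introduces, reworked as a stand-alone added example for this page (not HAProxy's crtlist_parse_file() and not Tim's code): a line reader that reports a last line with no terminating LF (the file may have been cut short mid-write) and a NUL byte inside a line (fgets() copies the NUL as ordinary data but strlen() stops at it, so the line looks as if it ended early). The input is a constructed in-memory buffer and mem_fgets() reproduces fgets() semantics over it, so the demo needs no files. One deliberate difference from the patch: the LF check runs before comment and empty lines are skipped, so a truncated trailing comment is reported as well. LINESIZE, the status codes and the struct names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define LINESIZE 64

enum line_status { LINE_OK = 0, LINE_TOO_LONG, LINE_STRAY_NUL, LINE_MISSING_LF };

struct check_result { int status, linenum, pos, entries; };

struct membuf { const char *data; size_t len, off; };

/* fgets() look-alike over a memory buffer: copies at most size-1 bytes, stops
 * after a '\n', NUL-terminates, and returns NULL once the data is exhausted.
 * Like fgets(), it copies an embedded NUL byte as ordinary data. */
static char *mem_fgets(char *buf, int size, struct membuf *m)
{
	int n = 0;

	if (m->off >= m->len || size < 2)
		return NULL;
	while (n < size - 1 && m->off < m->len) {
		buf[n++] = m->data[m->off++];
		if (buf[n - 1] == '\n')
			break;
	}
	buf[n] = 0;
	return buf;
}

/* Reads every line of <data>/<len>, counting the ones that carry an entry.
 * .status is LINE_OK or the first problem found, .linenum the line where it
 * was detected and .pos the 1-based byte position within that line. */
struct check_result check_buffer(const char *data, size_t len)
{
	struct membuf m = { data, len, 0 };
	struct check_result r = { LINE_OK, 0, 0, 0 };
	char line[LINESIZE];
	int missing_lf = -1;     /* length of the previous line if it lacked an LF */

	while (mem_fgets(line, sizeof(line), &m) != NULL) {
		char *end = line + strlen(line);

		if (missing_lf != -1) {
			/* the previous line had no LF yet more data followed: only a
			 * NUL byte cutting strlen() short can produce that */
			r.status = LINE_STRAY_NUL;
			r.pos = missing_lf + 1;
			return r;
		}
		r.linenum++;
		if (end - line == LINESIZE - 1 && *(end - 1) != '\n') {
			r.status = LINE_TOO_LONG;
			r.pos = LINESIZE - 1;
			return r;
		}
		if (end > line && *(end - 1) == '\n')
			*(end - 1) = 0;                  /* kill the trailing LF */
		else
			missing_lf = (int)(end - line);  /* remember: this line had none */
		if (*line == '#' || *line == 0 || *line == '\r')
			continue;                        /* comment or empty line */
		r.entries++;
	}
	if (missing_lf != -1) {
		r.status = LINE_MISSING_LF;
		r.pos = missing_lf + 1;
	}
	return r;
}

int main(void)
{
	/* constructed inputs; the third one carries an embedded NUL byte */
	static const char ok[] = "/etc/ssl/a.pem\n# comment\n/etc/ssl/b.pem [alpn h2]\n";
	static const char cut[] = "/etc/ssl/a.pem\n/etc/ssl/b.pem";
	static const char nul[] = "/etc/ssl/a.pem\0garbage\n/etc/ssl/b.pem\n";
	struct check_result r;

	r = check_buffer(ok, sizeof(ok) - 1);
	printf("ok : status %d, %d entries\n", r.status, r.entries);
	r = check_buffer(cut, sizeof(cut) - 1);
	printf("cut: status %d at line %d pos %d\n", r.status, r.linenum, r.pos);
	r = check_buffer(nul, sizeof(nul) - 1);
	printf("nul: status %d at line %d pos %d\n", r.status, r.linenum, r.pos);
	return 0;
}
```

Note that a NUL in the very last line cannot be told apart from a truncated file: the reader only learns that strlen() stopped early when a further line follows, so that case is reported as LINE_MISSING_LF, exactly as the patch's post-loop check would.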




[PATCH v2 1/2] CLEANUP: ssl: Use structured format for error line report during crt-list parsing

2020-09-29 Thread Tim Duesterhus
This reuses the known `parsing [%s:%d]:` from regular config file error
reporting.
---
 src/ssl_crtlist.c | 30 +++---
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index fd141fc50..f1c15e051 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -327,8 +327,8 @@ int crtlist_parse_line(char *line, char **crt_path, struct 
crtlist_entry *entry,
/* Check if we reached the limit and the last char is not \n.
 * Watch out for the last line without the terminating '\n'!
 */
-   memprintf(err, "line %d too long in file '%s', limit is %d 
characters",
- linenum, file, CRT_LINESIZE-1);
+   memprintf(err, "parsing [%s:%d]: line too longlimit is %d 
characters",
+ file, linenum, CRT_LINESIZE-1);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
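Review bot: the new format string in this hunk reads `"parsing [%s:%d]: line too longlimit is %d characters"`; the separator between "too long" and "limit" was lost when the message was restructured (the old message had ", " there), so it should be `"parsing [%s:%d]: line too long, limit is %d characters"`.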
@@ -340,12 +340,12 @@ int crtlist_parse_line(char *line, char **crt_path, 
struct crtlist_entry *entry,
*line = 0;
} else if (*line == '[') {
if (ssl_b) {
-   memprintf(err, "too many '[' on line %d in file 
'%s'.", linenum, file);
+   memprintf(err, "parsing [%s:%d]: too many '['", 
file, linenum);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
if (!arg) {
-   memprintf(err, "file must start with a cert on 
line %d in file '%s'", linenum, file);
+   memprintf(err, "parsing [%s:%d]: file must 
start with a cert", file, linenum);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
@@ -354,12 +354,12 @@ int crtlist_parse_line(char *line, char **crt_path, 
struct crtlist_entry *entry,
*line = 0;
} else if (*line == ']') {
if (ssl_e) {
-   memprintf(err, "too many ']' on line %d in file 
'%s'.", linenum, file);
+   memprintf(err, "parsing [%s:%d]: too many ']'", 
file, linenum);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
if (!ssl_b) {
-   memprintf(err, "missing '[' in line %d in file 
'%s'.", linenum, file);
+   memprintf(err, "parsing [%s:%d]: missing '['", 
file, linenum);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
@@ -368,7 +368,7 @@ int crtlist_parse_line(char *line, char **crt_path, struct 
crtlist_entry *entry,
*line = 0;
} else if (newarg) {
if (arg == MAX_CRT_ARGS) {
-   memprintf(err, "too many args on line %d in 
file '%s'.", linenum, file);
+   memprintf(err, "parsing [%s:%d]: too many args 
", file, linenum);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
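Review bot: the new message `"parsing [%s:%d]: too many args "` ends with a trailing space before the closing quote, which the other rewritten messages in this series do not have; it should be `"parsing [%s:%d]: too many args"`.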
@@ -403,8 +403,8 @@ int crtlist_parse_line(char *line, char **crt_path, struct 
crtlist_entry *entry,
newarg = 1;
cfgerr |= ssl_bind_kws[i].parse(args, cur_arg, 
NULL, ssl_conf, err);
if (cur_arg + 1 + ssl_bind_kws[i].skip > ssl_e) 
{
-   memprintf(err, "ssl args out of '[]' 
for %s on line %d in file '%s'",
- args[cur_arg], linenum, file);
+   memprintf(err, "parsing [%s:%d]: ssl 
args out of '[]' for %s",
+ file, linenum, args[cur_arg]);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
@@ -413,8 +413,8 @@ int crtlist_parse_line(char *line, char **crt_path, struct 
crtlist_entry *entry,
}
}
if (!cfgerr && !newarg) {
-   memprintf(err, "unknown ssl keyword %s on line %d in 
file '%s'.",
- args[cur_arg], linenum, file);
+   memprintf(err, "parsing [%s:%d]: unknown ssl keyword 
%s",
+ file, linenum, args[cur_arg]);
cfgerr |= ERR_ALERT | ERR_FATAL;
goto error;
}
@@ -477,8 +477,8 @@ int crtlist_parse_file(char *file, struct bind_conf 
*bind_conf, struct 

Re: show errors from stats socket

2020-09-29 Thread Willy Tarreau
Hi Elias,

On Mon, Sep 28, 2020 at 12:51:18PM +0200, Elias Abacioglu wrote:
> Hi
> 
> I'm trying to get details about some errors in one of my backends.
> Looking at the stats, there are a bunch of errors per server.
> However, when I try to get details about the errors via the stats socket.
> 
> # echo "show errors -1" | socat stdio /var/lib/haproxy/stats.sock
> Total events captured on [28/Sep/2020:12:44:29.832] : 0
> 
> I get nothing.
> Anyone with a clue on what I might be doing wrong?

That's already a good thing! Errors captured there are unparsable messages
(requests or responses) indicating either attacks from a client, or a
severe bug on a server. What type of errors are you noticing? It's
possible to have plenty of other types of errors, including closed
connections, resets, timeouts, etc., which will not appear there.

Willy
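
The distinction Willy draws above, between the unparsable requests and responses captured by "show errors" and the ordinary connection errors that never reach that buffer, is exactly what a monitoring check should key on: a non-zero capture count is worth an alert because it points at either a client sending malformed traffic or a misbehaving server. The following is an added example, not code from the thread or from HAProxy: a small Python client for the stats socket that sends "show errors", parses the "Total events captured" summary line quoted in the post, and returns an alert state. The socket path is the one from the post; the per-event dump format is not assumed, so everything after the summary line is passed through verbatim, and the two sample replies are constructed.

```python
"""Poll the HAProxy stats socket for captured protocol errors (added example)."""
import re
import socket

# Assumption: socket path taken from the post; adjust to the "stats socket" line
# of your global section.
STATS_SOCKET = "/var/lib/haproxy/stats.sock"

# Summary line printed first by "show errors", exactly as quoted in the post:
#   Total events captured on [28/Sep/2020:12:44:29.832] : 0
TOTAL_RE = re.compile(
    r"^Total events captured on \[(?P<stamp>[^\]]+)\] : (?P<count>\d+)\s*$"
)


def run_cli(command, path=STATS_SOCKET, timeout=5.0):
    """Send one command to the stats socket and return the full reply.

    Outside interactive mode the CLI answers one command and closes the
    connection, so reading until EOF collects the whole reply.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(command.encode("ascii") + b"\n")
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_show_errors(output):
    """Return (capture_time, count, details) from a 'show errors' reply.

    Only the summary line's layout is relied on; the lines after it are
    returned untouched so they can be attached to an alert without assuming
    the exact per-event format.
    """
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = TOTAL_RE.match(line)
        if m:
            details = "\n".join(lines[i + 1:]).strip()
            return m.group("stamp"), int(m.group("count")), details
    raise ValueError("no 'Total events captured' line in show errors output")


def check_captured_errors(output, threshold=0):
    """Monitoring check: (ok, message) for a 'show errors' reply.

    Any count above the threshold is an alert, since captured events are
    malformed requests or responses rather than ordinary connection errors.
    """
    stamp, count, details = parse_show_errors(output)
    if count <= threshold:
        return True, "OK: %d captured protocol errors as of %s" % (count, stamp)
    msg = "ALERT: %d unparsable message(s) captured as of %s" % (count, stamp)
    if details:
        msg += "\n" + details
    return False, msg


# Constructed sample replies for offline use; the first mirrors the post.
SAMPLE_EMPTY = "Total events captured on [28/Sep/2020:12:44:29.832] : 0\n"
SAMPLE_HIT = (
    "Total events captured on [28/Sep/2020:12:44:29.832] : 1\n"
    "\n"
    "(constructed event dump placeholder)\n"
)

if __name__ == "__main__":
    try:
        reply = run_cli("show errors")
    except OSError as exc:
        # No live HAProxy here: fall back to the constructed sample.
        print("stats socket unavailable (%s); using constructed sample" % exc)
        reply = SAMPLE_HIT
    ok, message = check_captured_errors(reply)
    print(message)
```

Run it from a cron job or an agent check; a non-zero count is the signal to pull the full dump (the raw text after the summary line) into the ticket, since the captured buffer is the only place HAProxy keeps the offending bytes.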



Re: [PATCH 2/2] DOC: crt: advise to move away from cert bundle

2020-09-29 Thread William Lallemand
On Tue, Sep 29, 2020 at 11:26:21AM +0200, Willy Tarreau wrote:
> On Mon, Sep 28, 2020 at 02:31:18PM +0200, William Lallemand wrote:
> > > diff --git a/doc/management.txt b/doc/management.txt
> > > index adbad95d3..42e8ddbca 100644
> > > --- a/doc/management.txt
> > > +++ b/doc/management.txt
> > > @@ -1725,6 +1725,10 @@ new ssl cert 
> > >Create a new empty SSL certificate store to be filled with a 
> > > certificate and
> > >added to a directory or a crt-list. This command should be used in
> > >combination with "set ssl cert" and "add ssl crt-list".
> > > +  Note that bundle certificates are not supported; it is recommended to 
> > > use
> > > +  `ssl-load-extra-file none` in global config to avoid loading 
> > > certificates as
> > > +  bundle and then mixing with single certificates in the runtime API. 
> > > This will
> > > +  avoid confusion, especailly when it comes to the `commit` command.
> > >  
> > >  prompt
> > >Toggle the prompt at the beginning of the line and enter or leave 
> > > interactive
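Review bot: "especailly" in the last added line should be "especially". The added note also says bundles are "not supported" and that mixing them with single certificates causes "confusion", but not what actually goes wrong when `commit` meets a bundle entry; one concrete sentence on the observed behaviour would make the `ssl-load-extra-file none` advice actionable for readers deciding whether it applies to them.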
> > 
> > 
> > 
> > I don't think that's the good approach for 2.3, I replied on the github
> > issue: https://github.com/haproxy/haproxy/issues/872
> 
> I already picked that doc patch the day before, should we revert it then,
> or just part of it maybe ?
> 

I saw that, don't revert it, I'm going to make some changes on top of
it.

Thanks,

-- 
William Lallemand



Re: [PATCH 2/2] DOC: crt: advise to move away from cert bundle

2020-09-29 Thread Willy Tarreau
On Mon, Sep 28, 2020 at 02:31:18PM +0200, William Lallemand wrote:
> > diff --git a/doc/management.txt b/doc/management.txt
> > index adbad95d3..42e8ddbca 100644
> > --- a/doc/management.txt
> > +++ b/doc/management.txt
> > @@ -1725,6 +1725,10 @@ new ssl cert 
> >Create a new empty SSL certificate store to be filled with a certificate 
> > and
> >added to a directory or a crt-list. This command should be used in
> >combination with "set ssl cert" and "add ssl crt-list".
> > +  Note that bundle certificates are not supported; it is recommended to use
> > +  `ssl-load-extra-file none` in global config to avoid loading 
> > certificates as
> > +  bundle and then mixing with single certificates in the runtime API. This 
> > will
> > +  avoid confusion, especailly when it comes to the `commit` command.
> >  
> >  prompt
> >Toggle the prompt at the beginning of the line and enter or leave 
> > interactive
> 
> 
> 
> I don't think that's the good approach for 2.3, I replied on the github
> issue: https://github.com/haproxy/haproxy/issues/872

I already picked that doc patch the day before, should we revert it then,
or just part of it maybe ?

Willy



Re: [PATCH 2/2] MINOR: ssl: Add error if a crt-list might be truncated

2020-09-29 Thread Willy Tarreau
Hi Tim,

On Mon, Sep 28, 2020 at 07:02:15PM +0200, Tim Duesterhus wrote:
> see https://github.com/haproxy/haproxy/issues/860#issuecomment-693422936
> see 0354b658f061d00d5ab4b728d7deeff2c8f1503a
> 
> This should be backported as a warning to 2.2.

As a rule of thumb, it would be good to keep in mind to always provide a
bit of context in commit messages so that people working on backports can
judge the relevance of a patch when reading the "git log" output without
having to start a browser, switch context, or even depend on github's
accessibility.

Links are perfect for reference and to provide the full details but should
not constitute the essence of the description, which should still be there,
even if it can be synthetic. Plus imagine if two years ahead github decides
to start purging old issues, we'd lose all history!

Thanks!
Willy



Re: [PATCH] BUILD: makefile: Update feature flags for FreeBSD

2020-09-29 Thread Willy Tarreau
On Tue, Sep 15, 2020 at 03:10:04AM -0400, Brad Smith wrote:
> This updates the feature flags for FreeBSD.
> 
> FreeBSD 10 adds support for accept4().
> 
> Enable getaddrinfo().
> 
> From the FreeBSD port / package.

Applied, thanks Brad! And sorry for missing it the first time, it simply
went out of my scrolling area :-)

Willy