[PATCH 2/6] CLEANUP: tools: typo in `strl2irc` mention
`str2irc` does not exist Signed-off-by: William Dauchy --- src/tools.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools.c b/src/tools.c index 8fef15b4d..2d40d8910 100644 --- a/src/tools.c +++ b/src/tools.c @@ -2178,7 +2178,7 @@ int strl2irc(const char *s, int len, int *ret) * applications designed for hostile environments. It returns zero when the * number has successfully been converted, non-zero otherwise. When an error * is returned, the value is left untouched. It is about 3 times slower - * than str2irc(). + * than strl2irc(). */ int strl2llrc(const char *s, int len, long long *ret) -- 2.30.0
[PATCH 5/6] MEDIUM: server: support {check,agent}_addr, agent_port in server state
logical followup from cli commands addition, so that the state server file stays compatible with the changes made at runtime; use previously added helper to load server attributes. Signed-off-by: William Dauchy --- doc/management.txt| 5 ++- include/haproxy/server-t.h| 9 ++-- .../checks/1be_40srv_odd_health_checks.vtc| 2 +- .../checks/40be_2srv_odd_health_checks.vtc| 2 +- reg-tests/checks/4be_1srv_health_checks.vtc | 6 +-- src/proxy.c | 41 +++ src/server.c | 30 -- 7 files changed, 57 insertions(+), 38 deletions(-) diff --git a/doc/management.txt b/doc/management.txt index 423c614b2..60e25c7e1 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -2455,7 +2455,10 @@ show servers state [] srv_port:Server port. srvrecord: DNS SRV record associated to this SRV. srv_use_ssl: use ssl for server connections. - srv_check_port: Server check port. + srv_check_port: Server health check port. + srv_check_addr: Server health check address. + srv_agent_addr: Server health agent address. + srv_agent_port: Server health agent port. show sess Dump all known sessions. Avoid doing this on slow connections as this can diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h index 32697a9c4..102eb4483 100644 --- a/include/haproxy/server-t.h +++ b/include/haproxy/server-t.h @@ -126,10 +126,13 @@ enum srv_initaddr { "srv_port " \ "srvrecord " \ "srv_use_ssl "\ -"srv_check_port" +"srv_check_port " \ +"srv_check_addr " \ +"srv_agent_addr " \ +"srv_agent_port" -#define SRV_STATE_FILE_MAX_FIELDS 22 -#define SRV_STATE_FILE_NB_FIELDS_VERSION_1 21 +#define SRV_STATE_FILE_MAX_FIELDS 25 +#define SRV_STATE_FILE_NB_FIELDS_VERSION_1 22 #define SRV_STATE_LINE_MAXLEN 512 /* server flags -- 32 bits */ diff --git a/reg-tests/checks/1be_40srv_odd_health_checks.vtc b/reg-tests/checks/1be_40srv_odd_health_checks.vtc index f01205295..c279972aa 100644 --- a/reg-tests/checks/1be_40srv_odd_health_checks.vtc +++ b/reg-tests/checks/1be_40srv_odd_health_checks.vtc 
@@ -112,6 +112,6 @@ syslog S -wait haproxy h1 -cli { send "show servers state" -expect ~ "# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord srv_use_ssl srv_check_port\n2 be1 1 srv0 ${s0_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s0_port} - 0 0\n2 be1 2 srv1 ${s1_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s1_port} - 0 0\n2 be1 3 srv2 ${s2_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s2_port} - 0 0\n2 be1 4 srv3 ${s3_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s3_port} - 0 0\n2 be1 5 srv4 ${s4_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s4_port} - 0 0\n2 be1 6 srv5 ${s5_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s5_port} - 0 0\n2 be1 7 srv6 ${s6_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s6_port} - 0 0\n2 be1 8 srv7 ${s7_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s7_port} - 0 0\n2 be1 9 srv8 ${s8_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s8_port} - 0 0\n2 be1 10 srv9 ${s9_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s9_port} - 0 0\n2 be1 11 srv10 ${s10_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s10_port} - 0 0\n2 be1 12 srv11 ${s11_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s11_port} - 0 0\n2 be1 13 srv12 ${s12_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s12_port} - 0 0\n2 be1 14 srv13 ${s13_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s13_port} - 0 0\n2 be1 15 srv14 ${s14_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s14_port} - 0 0\n2 be1 16 srv15 ${s15_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s15_port} - 0 0\n2 be1 17 srv16 ${s16_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s16_port} - 0 0\n2 be1 18 srv17 ${s17_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s17_port} - 0 0\n2 be1 19 srv18 ${s18_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 
0 0 0 - ${s18_port} - 0 0\n2 be1 20 srv19 ${s19_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s19_port} - 0 0\n2 be1 21 srv20 ${s20_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s20_port} - 0 0\n2 be1 22 srv21 ${s21_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s21_port} - 0 0\n2 be1 23 srv22 ${s22_addr} 2 0 1 1 [[:digit:]]+ 1 0 1 0 0 0 0 - ${s22_port} - 0 0\n2 be1 24 srv23 ${s23_addr} 2 0 1 1 [[:digit:]]+ 6 ([[:digit:]]+ ){3}0 0 0 - ${s23_port} - 0 0\n2 be1 25 srv24 ${s24_addr} 2 0 1 1 [[:digit:]]+ 1
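Review bot: in the include/haproxy/server-t.h hunk, SRV_STATE_FILE_MAX_FIELDS moves from 22 to 25 for the three added columns but SRV_STATE_FILE_NB_FIELDS_VERSION_1 only from 21 to 22, so the hunk does not say which of srv_check_addr, srv_agent_addr and srv_agent_port a version-1 line must carry and which may be absent. Please spell that out in the commit message and confirm, ideally with a reg-test that loads a file written before this change (the 22-column header still visible in the vtc hunk), that a state file produced by an older binary is still accepted rather than rejected as incomplete, since "stays compatible" in the description promises exactly that.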
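Review bot: in the doc/management.txt hunk, "Server health agent address" and "Server health agent port" read oddly for the agent check; "Server agent check address" and "Server agent check port" would match the agent-addr and agent-port CLI keywords these columns mirror.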
[PATCH 4/6] MEDIUM: cli: add agent-port command
this patch allows to set agent port at runtime. In order to align with both `addr` and `check-addr` commands, also add the possibility to optionally set port on `agent-addr` command. This led to a small refactor in order to use the same function for both `agent-addr` and `agent-port` commands. Signed-off-by: William Dauchy --- doc/management.txt | 6 +++- src/server.c | 77 -- 2 files changed, 73 insertions(+), 10 deletions(-) diff --git a/doc/management.txt b/doc/management.txt index bff770e4e..423c614b2 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -1828,10 +1828,14 @@ set server / agent [ up | down ] switch a server's state regardless of some slow agent checks for example. Note that the change is propagated to tracking servers if any. -set server / agent-addr +set server / agent-addr [port ] Change addr for servers agent checks. Allows to migrate agent-checks to another address at runtime. You can specify both IP and hostname, it will be resolved. + Optionally, change the port agent. + +set server / agent-port + Change the port used for agent checks. set server / agent-send Change agent string sent to agent check target. Allows to update string while diff --git a/src/server.c b/src/server.c index 533755f1e..a983d5d68 100644 --- a/src/server.c +++ b/src/server.c @@ -56,6 +56,8 @@ static int srv_state_get_version(FILE *f); static void srv_cleanup_connections(struct server *srv); static const char *update_server_check_addr_port(struct server *s, const char *addr, const char *port); +static const char *update_server_agent_addr_port(struct server *s, const char *addr, +const char *port); /* List head of all known server keywords */ static struct srv_kw_list srv_keywords = { 
@@ -3573,6 +3575,47 @@ int update_server_addr(struct server *s, void *ip, int ip_sin_family, const char return 0; } +/* update agent health check address and port + * addr can be ip4/ip6 or a hostname + * must be called with the server lock held. + */ +static const char *update_server_agent_addr_port(struct server *s, const char *addr, +const char *port) +{ + struct sockaddr_storage sk; + struct buffer *msg; + int new_port; + + msg = get_trash_chunk(); + + if (!(s->agent.state & CHK_ST_ENABLED)) { + chunk_appendf(msg, "agent checks are not enabled on this server.\n"); + goto out; + } + + if (addr) { + memset(&sk, 0, sizeof(struct sockaddr_storage)); + if (str2ip(addr, &sk) == NULL) { + chunk_appendf(msg, "invalid addr '%s'\n", addr); + goto out; + } + set_srv_agent_addr(s, &sk); + } + if (port) { + if (strl2irc(port, strlen(port), &new_port) != 0) { + chunk_appendf(msg, "provided port is not an integer\n"); + goto out; + } + if (new_port < 0 || new_port > 65535) { + chunk_appendf(msg, "provided port is invalid\n"); + goto out; + } + set_srv_agent_port(s, new_port); + } +out: + return msg->area; +} + /* update server health check address and port * addr must be ip4 or ip6, it won't be resolved * must be called with the server lock held. 
@@ -4428,15 +4471,31 @@ static int cli_parse_set_server(char **args, char *payload, struct appctx *appct cli_err(appctx, "'set server agent' expects 'up' or 'down'.\n"); } else if (strcmp(args[3], "agent-addr") == 0) { - struct sockaddr_storage sk; - - memset(&sk, 0, sizeof(sk)); - if (!(sv->agent.state & CHK_ST_ENABLED)) - cli_err(appctx, "agent checks are not enabled on this server.\n"); - else if (str2ip(args[4], &sk)) - set_srv_agent_addr(sv, &sk); - else - cli_err(appctx, "incorrect addr address given for agent.\n"); + char *addr = NULL; + char *port = NULL; + if (strlen(args[4]) == 0) { + cli_err(appctx, "set server / agent-addr requires" + " an address and optionally a port.\n"); + goto out_unlock; + } + addr = args[4]; + if (strcmp(args[5], "port") == 0) + port = args[6]; + warning = update_server_agent_addr_port(sv, addr, port); + if (warning) + cli_msg(appctx, LOG_WARNING, warning); + } + else if (strcmp(args[3], "agent-port") == 0) { + char *port = N
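Review bot: in the doc/management.txt hunk, "Optionally, change the port agent." is garbled; suggest "Optionally, change the port used for agent checks." so that it reads like the new agent-port entry right below it.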
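Review bot: update_server_agent_addr_port() applies the address with set_srv_agent_addr() before the port has been parsed and range-checked, so "agent-addr 192.0.2.10 port 70000" changes the agent address and then answers "provided port is invalid", leaving the server half-updated behind an error that implies nothing changed. Parse and validate the port into new_port first and only then call set_srv_agent_addr() and set_srv_agent_port(); update_server_check_addr_port() in patch 3/6 of this series has the same ordering.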
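Review bot: the helper returns msg->area unconditionally ("out: return msg->area;") and get_trash_chunk() hands back an empty but non-NULL buffer, so the "if (warning) cli_msg(appctx, LOG_WARNING, warning);" test in the agent-addr branch never takes the false path and an empty warning is emitted on success. Return NULL when msg->data is 0, or test *warning in the caller. In the same branch, "if (strcmp(args[5], "port") == 0) port = args[6];" silently ignores any other fifth word, so a mistyped keyword leaves the port unchanged without telling the operator; an explicit error for an unexpected trailing argument would be safer.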
[PATCH 0/6] cli commands coherency
Hello,

This is a followup from last week's cleaning regarding check and agent check. This patch series brings some more coherency on the CLI side. I also put some minor cleaning.

William Dauchy (6):
  CLEANUP: check: fix some typo in comments
  CLEANUP: tools: typo in `strl2irc` mention
  MEDIUM: cli: add check-addr command
  MEDIUM: cli: add agent-port command
  MEDIUM: server: support {check,agent}_addr, agent_port in server state
  CLEANUP: server: add missing space in server-state error output

 doc/management.txt                          | 15 +-
 include/haproxy/server-t.h                  |  9 +-
 .../checks/1be_40srv_odd_health_checks.vtc  |  2 +-
 .../checks/40be_2srv_odd_health_checks.vtc  |  2 +-
 reg-tests/checks/4be_1srv_health_checks.vtc |  6 +-
 src/check.c                                 | 18 +-
 src/proxy.c                                 | 41 ++--
 src/server.c                                | 192 ++
 src/tools.c                                 |  2 +-
 9 files changed, 213 insertions(+), 74 deletions(-)

--
2.30.0
[PATCH 1/6] CLEANUP: check: fix some typo in comments
a few obvious English typos in comments, some of which were introduced by myself quite recently Signed-off-by: William Dauchy --- src/check.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/check.c b/src/check.c index edb2ac29f..5de867d7f 100644 --- a/src/check.c +++ b/src/check.c @@ -1004,7 +1004,7 @@ int check_buf_available(void *target) } /* - * Allocate a buffer. If if fails, it adds the check in buffer wait queue. + * Allocate a buffer. If it fails, it adds the check in buffer wait queue. */ struct buffer *check_get_buf(struct check *check, struct buffer *bptr) { @@ -1211,10 +1211,10 @@ static int start_checks() srand((unsigned)time(NULL)); - /* -* 2- start them as far as possible from each others. For this, we will -* start them after their interval set to the min interval divided by -* the number of servers, weighted by the server's position in the list. + /* 2- start them as far as possible from each other. For this, we will +* start them after their interval is set to the min interval divided +* by the number of servers, weighted by the server's position in the +* list. */ for (px = proxies_list; px; px = px->next) { if ((px->options2 & PR_O2_CHK_ANY) == PR_O2_EXT_CHK) { @@ -1261,7 +1261,7 @@ static int srv_check_healthcheck_port(struct check *chk) srv = chk->server; - /* by default, we use the health check port ocnfigured */ + /* by default, we use the health check port configured */ if (chk->port > 0) return chk->port; @@ -1734,14 +1734,14 @@ int set_srv_agent_send(struct server *srv, const char *send) return 0; } -/* set agent addr and apprropriate flag */ +/* set agent addr and appropriate flag */ inline void set_srv_agent_addr(struct server *srv, struct sockaddr_storage *sk) { srv->agent.addr = *sk; srv->flags |= SRV_F_AGENTADDR; } -/* set agent port and apprropriate flag */ +/* set agent port and appropriate flag */ inline void set_srv_agent_port(struct server *srv, int port) { srv->agent.port = port; 
@@ -2092,7 +2092,7 @@ static struct srv_kw_list srv_kws = { "CHK", { }, { { "check-via-socks4",srv_parse_check_via_socks4,0, 1 }, /* Enable socks4 proxy for health checks */ { "no-agent-check", srv_parse_no_agent_check, 0, 1 }, /* Do not enable any auxiliary agent check */ { "no-check",srv_parse_no_check,0, 1 }, /* Disable health checks */ - { "no-check-send-proxy", srv_parse_no_check_send_proxy, 0, 1 }, /* Disable PROXY protol for health checks */ + { "no-check-send-proxy", srv_parse_no_check_send_proxy, 0, 1 }, /* Disable PROXY protocol for health checks */ { "rise",srv_parse_check_rise, 1, 1 }, /* Set rise value for health checks */ { "fall",srv_parse_check_fall, 1, 1 }, /* Set fall value for health checks */ { "inter", srv_parse_check_inter, 1, 1 }, /* Set inter value for health checks */ -- 2.30.0
[PATCH 6/6] CLEANUP: server: add missing space in server-state error output
a space was missing in the output to make it more readable. Signed-off-by: William Dauchy --- src/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/server.c b/src/server.c index 42191eda5..33375e638 100644 --- a/src/server.c +++ b/src/server.c @@ -3017,7 +3017,7 @@ static void srv_update_state(struct server *srv, int version, char **params) out: if (msg->data) { chunk_appendf(msg, "\n"); - ha_warning("server-state application failed for server '%s/%s'%s", + ha_warning("server-state application failed for server '%s/%s' %s", srv->proxy->id, srv->id, msg->area); } } -- 2.30.0
[PATCH 3/6] MEDIUM: cli: add check-addr command
this patch allows to set server health check address at runtime. In order to align with `addr` command, also allow to set port optionally. This led to a small refactor in order to use the same function for both `check-addr` and `check-port` commands. This command becomes more and more useful for people having a consul like architecture: - the backend server is located on a container with its own IP - the health checks are done by the consul instance located on the host with the host IP Signed-off-by: William Dauchy --- doc/management.txt | 4 +++ src/server.c | 83 +- 2 files changed, 72 insertions(+), 15 deletions(-) diff --git a/doc/management.txt b/doc/management.txt index b74aba769..bff770e4e 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -1842,6 +1842,10 @@ set server / health [ up | stopping | down ] switch a server's state regardless of some slow health checks for example. Note that the change is propagated to tracking servers if any. +set server / check-addr [port ] + Change the IP address used for server health checks. + Optionally, change the port used for server health checks. + set server / check-port Change the port used for health checking to diff --git a/src/server.c b/src/server.c index da2325e9a..533755f1e 100644 --- a/src/server.c +++ b/src/server.c @@ -54,6 +54,8 @@ static int srv_set_fqdn(struct server *srv, const char *fqdn, int dns_locked); static void srv_state_parse_line(char *buf, const int version, char **params, char **srv_params); static int srv_state_get_version(FILE *f); static void srv_cleanup_connections(struct server *srv); +static const char *update_server_check_addr_port(struct server *s, const char *addr, +const char *port); /* List head of all known server keywords */ static struct srv_kw_list srv_keywords = { 
@@ -3571,6 +3573,47 @@ int update_server_addr(struct server *s, void *ip, int ip_sin_family, const char return 0; } +/* update server health check address and port + * addr must be ip4 or ip6, it won't be resolved + * must be called with the server lock held. + */ +static const char *update_server_check_addr_port(struct server *s, const char *addr, +const char *port) +{ + struct sockaddr_storage sk; + struct buffer *msg; + int new_port; + + msg = get_trash_chunk(); + + if (addr) { + memset(&sk, 0, sizeof(struct sockaddr_storage)); + if (str2ip2(addr, &sk, 0) == NULL) { + chunk_appendf(msg, "invalid addr '%s'\n", addr); + goto out; + } + s->check.addr = sk; + } + if (port) { + if (strl2irc(port, strlen(port), &new_port) != 0) { + chunk_appendf(msg, "provided port is not an integer\n"); + goto out; + } + if (new_port < 0 || new_port > 65535) { + chunk_appendf(msg, "provided port is invalid\n"); + goto out; + } + /* prevent the update of port to 0 if MAPPORTS are in use */ + if ((s->flags & SRV_F_MAPPORTS) && new_port == 0) { + chunk_appendf(msg, "can't unset 'port' since MAPPORTS is in use\n"); + goto out; + } + s->check.port = new_port; + } +out: + return msg->area; +} + /* * This function update a server's addr and port only for AF_INET and AF_INET6 families. * 
@@ -4403,23 +4446,32 @@ static int cli_parse_set_server(char **args, char *payload, struct appctx *appct cli_err(appctx, "cannot allocate memory for new string.\n"); } } - else if (strcmp(args[3], "check-port") == 0) { - int i = 0; - if (strl2irc(args[4], strlen(args[4]), &i) != 0) { - cli_err(appctx, "'set server check-port' expects an integer as argument.\n"); - goto out_unlock; - } - if ((i < 0) || (i > 65535)) { - cli_err(appctx, "provided port is not valid.\n"); + else if (strcmp(args[3], "check-addr") == 0) { + char *addr = NULL; + char *port = NULL; + if (strlen(args[4]) == 0) { + cli_err(appctx, "set server / check-addr requires" + " an address and optionally a port.\n"); goto out_unlock; } - /* prevent the update of port to 0 if MAPPORTS are in use */ - if ((sv->flags & SRV_F_MAPPORTS) && (i == 0)) { - cli_err(appctx, "can't unset 'port' since MAPPORTS is in use.\n"); + addr = args[4]; + if
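Review bot: the doc/management.txt hunk says "Change the IP address used for server health checks" while the helper's comment says "addr must be ip4 or ip6, it won't be resolved" and the code calls str2ip2(addr, &sk, 0); because the agent-addr entry (which does resolve) reads almost identically, the check-addr entry should state that only an IPv4 or IPv6 literal is accepted and that hostnames are rejected.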
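Review bot: in update_server_check_addr_port() the "invalid addr '%s'" message does not tell the operator why a hostname is refused when the only problem is that resolution is deliberately off (str2ip2 with resolve set to 0); "invalid addr '%s': an IPv4 or IPv6 address is expected" would make the limitation visible at the CLI instead of only in the source comment.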
[PATCH] typo fixes
Hello, another cleanup. Ilya From c9fd28093d04050a9fddef84a7fd99686831aaf4 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Sat, 6 Feb 2021 22:29:08 +0500 Subject: [PATCH] CLEANUP: assorted typo fixes in the code and comments This is 17th iteration of typo fixes --- contrib/prometheus-exporter/service-prometheus.c | 4 ++-- doc/configuration.txt| 4 ++-- include/haproxy/h2.h | 2 +- include/haproxy/htx.h| 2 +- src/h2.c | 4 ++-- src/http_ana.c | 4 ++-- src/mux_h1.c | 6 +++--- src/mux_h2.c | 8 src/ssl_ckch.c | 2 +- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/contrib/prometheus-exporter/service-prometheus.c b/contrib/prometheus-exporter/service-prometheus.c index 126962f5e..9ef0381f3 100644 --- a/contrib/prometheus-exporter/service-prometheus.c +++ b/contrib/prometheus-exporter/service-prometheus.c @@ -236,7 +236,7 @@ const struct promex_metric promex_st_metrics[ST_F_TOTAL_FIELDS] = { [ST_F_COMP_BYP] = { .n = IST("http_comp_bytes_bypassed_total"), .type = PROMEX_MT_COUNTER, .flags = (PROMEX_FL_FRONT_METRIC | PROMEX_FL_BACK_METRIC ) }, [ST_F_COMP_RSP] = { .n = IST("http_comp_responses_total"),.type = PROMEX_MT_COUNTER, .flags = (PROMEX_FL_FRONT_METRIC | PROMEX_FL_BACK_METRIC ) }, [ST_F_LASTSESS] = { .n = IST("last_session_seconds"), .type = PROMEX_MT_GAUGE,.flags = ( PROMEX_FL_BACK_METRIC | PROMEX_FL_SRV_METRIC) }, - //[ST_F_LAST_CHK] ignroed + //[ST_F_LAST_CHK] ignored //[ST_F_LAST_AGT] ignored [ST_F_QTIME] = { .n = IST("queue_time_average_seconds"), .type = PROMEX_MT_GAUGE,.flags = ( PROMEX_FL_BACK_METRIC | PROMEX_FL_SRV_METRIC) }, [ST_F_CTIME] = { .n = IST("connect_time_average_seconds"), .type = PROMEX_MT_GAUGE,.flags = ( PROMEX_FL_BACK_METRIC | PROMEX_FL_SRV_METRIC) }, 
@@ -282,7 +282,7 @@ const struct promex_metric promex_st_metrics[ST_F_TOTAL_FIELDS] = { [ST_F_UWEIGHT]= { .n = IST("uweight"), .type = PROMEX_MT_GAUGE,.flags = ( PROMEX_FL_BACK_METRIC | PROMEX_FL_SRV_METRIC) }, }; -/* Description of overriden stats fields */ +/* Description of overridden stats fields */ const struct ist promex_st_metric_desc[ST_F_TOTAL_FIELDS] = { [ST_F_PXNAME] = IST("The proxy name."), [ST_F_SVNAME] = IST("The service name (FRONTEND for frontend, BACKEND for backend, any name for server/listener)."), diff --git a/doc/configuration.txt b/doc/configuration.txt index f8b1e9336..c2814590e 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -18814,7 +18814,7 @@ shdr([[,]]) : string (deprecated) This fetch works like the req.hdr() fetch with the difference that it acts on the headers within an HTTP response. - Like req.hdr() the res.hdr() fetch considers the comma to be a delimeter. If + Like req.hdr() the res.hdr() fetch considers the comma to be a delimiter. If this is not desired res.fhdr() should be used. It may be used in tcp-check based expect rules. @@ -18835,7 +18835,7 @@ shdr_cnt([]) : integer (deprecated) acts on the headers within an HTTP response. Like req.hdr_cnt() the res.hdr_cnt() fetch considers the comma to be a - delimeter. If this is not desired res.fhdr_cnt() should be used. + delimiter. If this is not desired res.fhdr_cnt() should be used. It may be used in tcp-check based expect rules. diff --git a/include/haproxy/h2.h b/include/haproxy/h2.h index 1b49b850e..8d2aa9511 100644 --- a/include/haproxy/h2.h +++ b/include/haproxy/h2.h 
@@ -182,7 +182,7 @@ enum h2_err { #define H2_MSGF_RSP_1XX0x0010// a 1xx ( != 101) HEADERS frame was received #define H2_MSGF_BODYLESS_RSP 0x0020// response message is known to have no body // (response to HEAD request or 204/304 response) -#define H2_MSGF_EXT_CONNECT0x0040// Extented CONNECT method from rfc 8441 +#define H2_MSGF_EXT_CONNECT0x0040// Extended CONNECT method from rfc 8441 #define H2_MAX_STREAM_ID ((1U << 31) - 1) #define H2_MAX_FRAME_LEN ((1U << 24) - 1) diff --git a/include/haproxy/htx.h b/include/haproxy/htx.h index 3ff581bac..a6c62f906 100644 --- a/include/haproxy/htx.h +++ b/include/haproxy/htx.h @@ -308,7 +308,7 @@ static inline struct htx_blk *htx_get_next_blk(const struct htx *htx, } /* Returns 1 if is the block is the only one inside the HTX message , - * excluding all unsued blocks. Otherwise, it returns 0. If 1 is returned, this + * excluding all unused blocks. Otherwise, it returns 0. If 1 is returned,
[ANNOUNCE] haproxy-2.2.9
Hi,

HAProxy 2.2.9 was released on 2021/02/06. It added 51 new commits after version 2.2.8.

It's basically the same as what was integrated into 2.3.5, plus a few older fixes that were left under observation in 2.3 for 3 versions. This explains why this change log will look familiar to those having read the 2.3 one.

There's no critical bug in this one but fixes for a few problematic cases that either have been there for a while or resulted from recent incomplete fixes:

- an issue in filters (compression, spoe, etc) could block response headers in empty responses with no content-length ;
- there was a risk of temporary CLOSE_WAIT on aborted H2 connections since the recent fixes for truncated responses. Note that these ones would vanish on timeout anyway, hence it was more annoying than dramatic ;
- the CLI's "abort ssl cert" would purge the old instead of new SSL info;
- errors on connections would not prevent SSL handshake from being performed, leading to wasted CPU cycles that could sometimes maintain the load artificially high during contention ;
- Lua's core.get_info() got broken in previous version due to the missing definition of INF_BUILD_INFO in stats ;
- there was a small risk of crash in tcpchecks when using multiple connections ;
- the previous fix for DNS SRV records was incorrect and had to be reverted in 2.3.4 as it was sometimes causing a bad pointer dereference and crashing. The code was rechecked and the correct fix merged again ;
- an alignment issue in the XXHash code affecting ARMv6/v7 running in 32-bit mode on 64-bit kernels was addressed ; it could cause bus errors and crashes in 32-bit chroots or containers when using the pattern LRU cache ;
- a few other really minor issues were addressed
- "server" definitions in "frontend" sections were mistakenly not rejected during parsing, but would generally result in random crashes later due to uninitialised fields. They are now properly rejected.
- two older fixes for rare crashes that had been left baking in 2.3 for 3 months now were finally backported

In addition, the maximum HTTP/1 chunk size was extended from 2 GB to 4 PB since there was no more compelling reason to limit ourselves to 32 bits storage anymore.

Last, some of the "show fd" output improvements were backported as they significantly help when reporting bugs.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Adis Nezirovic (1):
      BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition

Amaury Denoyelle (1):
      BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name

Baptiste Assmann (1):
      BUG/MINOR: dns: SRV records ignores duplicated AR records (v2)

Bertrand Jacquin (3):
      MINOR: build: discard echoing in help target
      BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
      BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX

Christopher Faulet (8):
      BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
      MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities
      MINOR: server: Forbid server definitions in frontend sections
      BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
      MINOR: h1: Raise the chunk size limit up to (2^52 - 1)
      BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
      MINOR: config: Deprecate and ignore tune.chksize global option
      BUG/MEDIUM: tcpcheck: Don't destroy connection in the wake callback context

David CARLIER (1):
      BUG/MINOR: threads: Fixes the number of possible cpus report for Mac.

Frédéric Lécaille (4):
      MINOR: peers: Add traces for peer control messages.
      BUG/MINOR: peers: Possible appctx pointer dereference.
      BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command.
      MINOR: contrib: Make the wireshark peers dissector compile for more distribs.

Jan Wagner (1):
      DOC: fix "smp_size" vs "sample_size" in "log" directive arguments

Olivier Houchard (1):
      BUG/MEDIUM: lists: Lock the element while we check if it is in a list.

Tim Duesterhus (1):
      DOC: Improve documentation of the various hdr() fetches

William Lallemand (3):
      BUG/MINOR: ssl: init tmp chunk correctly in ssl_sock_load_sctl_from_file()
      BUG/MEDIUM: ssl/cli: abort ssl cert is fr
Re: [PATCH] improve ssl guarding
you are right. I've fixed it. сб, 23 янв. 2021 г. в 21:41, William Lallemand : > On Sat, Jan 23, 2021 at 04:50:08PM +0500, Илья Шипицин wrote: > > Hello, > > > > yet another guard improving patch (forgot to fix last time) > > > > Ilya > > Hello, > > > From 5ce5623fac558d85c0ef0ec26dcffca754a87fae Mon Sep 17 00:00:00 2001 > > From: Ilya Shipitsin > > Date: Sat, 23 Jan 2021 16:38:33 +0500 > > Subject: [PATCH 1/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with > > special macro > > > > --- > > src/ssl_sock.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > > index 2bda3d765..803af393f 100644 > > --- a/src/ssl_sock.c > > +++ b/src/ssl_sock.c > > @@ -6720,7 +6720,7 @@ static struct action_kw_list http_req_actions = > {ILH, { > > > > INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions); > > > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined > OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) > > +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT > > > > I believe you wanted to write "SSL_CTX" and not "SL_CTX" here? > > > static void ssl_sock_sctl_free_func(void *parent, void *ptr, > CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) > > { > > @@ -6818,7 +6818,7 @@ static void __ssl_sock_init(void) > > #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L) > > ssl_locking_init(); > > #endif > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined > OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) > > +#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT > > sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, > ssl_sock_sctl_free_func); > > #endif > > > > > -- > William Lallemand > From 5cbc6e7f428756c8cf67d9789f0b8df6b8715a20 Mon Sep 17 00:00:00 2001 
From: Ilya Shipitsin Date: Sat, 6 Feb 2021 18:55:27 +0500 Subject: [PATCH 1/2] BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT was introduced in ec609098718b9c1cd803ca57442b2b98c9ba4a16 however it was defined as HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT (missing "S") let us fix typo --- include/haproxy/openssl-compat.h | 2 +- src/ssl_sock.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index b4af429cf..3fe58be40 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -50,7 +50,7 @@ #endif #if ((OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) -#define HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT +#define HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT #endif #if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) && !defined(LIBRESSL_VERSION_NUMBER)) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index ccce57874..f2c8a667c 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1497,7 +1497,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc #endif -#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT +#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT #define CT_EXTENSION_TYPE 18 @@ -3217,7 +3217,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an } #endif -#ifdef HAVE_SL_CTX_ADD_SERVER_CUSTOM_EXT +#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT if (sctl_ex_index >= 0 && ckch->sctl) { if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) { memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n", -- 2.29.2 From 8db969c4b7f40865a895f37772d697d6f08e9727 Mon Sep 17 00:00:00 2001 
From: Ilya Shipitsin Date: Sat, 6 Feb 2021 18:59:22 +0500 Subject: [PATCH 2/2] BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro special guard macro HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT was defined earlier exactly for guarding SSL_CTX_add_server_custom_ext, let us use it wherever appropriate --- src/ssl_sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f2c8a667c..310578503 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6922,7 +6922,7 @@ static struct action_kw_list http_req_actions = {ILH, { INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions); -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) { @@ -7020,7 +7020,7 @@ static void __ssl_sock_init(void) #if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L) ssl_locking_init(); #endif -#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) +#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func); #endif --
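Review bot: replacing "#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)" with "#ifdef HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT" is not a pure rewrite: as the openssl-compat.h hunk of patch 1/2 shows, the macro is derived from OPENSSL_VERSION_NUMBER rather than HA_OPENSSL_VERSION_NUMBER and additionally requires !defined(LIBRESSL_VERSION_NUMBER), so ssl_sock_sctl_free_func() and the sctl_ex_index registration in __ssl_sock_init() are now compiled out on LibreSSL. That is consistent with the sctl code already guarded by the same macro in patch 1/2 (the CT_EXTENSION_TYPE block and the ssl_sock_load_sctl() call), but the commit message should say that LibreSSL builds lose these two blocks on purpose rather than presenting the change as cosmetic.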
[PATCH] BUILD/MEDIUM defer-accept flag support for FreeBSD proposal
Hi, hope this little patch will find its use. Thanks. Regards. From 02dc058b4f0f41ad1deeb581653e1c3cfb2b2432 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 6 Feb 2021 12:11:11 + Subject: [PATCH] BUILD/MEDIUM: proto_tcp defer-accept flag support for FreeBSD. FreeBSD has a kernel feature (accf) and a sockopt flag similar to Linux's TCP_DEFER_ACCEPT to filter incoming data upon ACK. The main difference is the filter needs to be placed when the socket actually listens. --- src/cfgparse-tcp.c | 4 ++-- src/proto_tcp.c| 12 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c index 4dc39d547..e7868e6bf 100644 --- a/src/cfgparse-tcp.c +++ b/src/cfgparse-tcp.c @@ -61,7 +61,7 @@ static int bind_parse_transparent(char **args, int cur_arg, struct proxy *px, st } #endif -#ifdef TCP_DEFER_ACCEPT +#if defined(TCP_DEFER_ACCEPT) || defined(SO_ACCEPTFILTER) /* parse the "defer-accept" bind keyword */ static int bind_parse_defer_accept(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { @@ -243,7 +243,7 @@ static int srv_parse_tcp_ut(char **args, int *cur_arg, struct proxy *px, struct * not enabled. */ static struct bind_kw_list bind_kws = { "TCP", { }, { -#ifdef TCP_DEFER_ACCEPT +#if defined(TCP_DEFER_ACCEPT) || defined(SO_ACCEPTFILTER) { "defer-accept", bind_parse_defer_accept, 0 }, /* wait for some data for 1 second max before doing accept */ #endif #ifdef SO_BINDTODEVICE diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 485603d57..85cd56360 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c 
@@ -711,6 +711,18 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen) goto tcp_close_return; } +#if defined(SO_ACCEPTFILTER) + /* the socket needs to listen first */ + if (listener->options & LI_O_DEF_ACCEPT) { + struct accept_filter_arg accept; + memset(&accept, 0, sizeof(accept)); + strcpy(accept.af_name, "dataready"); + if (setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &accept, sizeof(accept)) == -1) { + msg = "cannot enable ACCEPT_FILTER"; + err |= ERR_WARN; + } + } +#endif #if defined(TCP_QUICKACK) if (listener->options & LI_O_NOQUICKACK) setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &zero, sizeof(zero)); -- 2.30.0
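Review bot: in both src/cfgparse-tcp.c hunks the guard is widened to `#if defined(TCP_DEFER_ACCEPT) || defined(SO_ACCEPTFILTER)`, but the keyword entry keeps the comment `/* wait for some data for 1 second max before doing accept */`, which describes the Linux TCP_DEFER_ACCEPT timeout; the commit message itself says the FreeBSD mechanism differs (the filter is installed once the socket listens), so that comment and the `defer-accept` entry in doc/configuration.txt should state which behaviour applies on each platform rather than implying the 1-second semantics everywhere.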
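Review bot: in the new `SO_ACCEPTFILTER` block of src/proto_tcp.c, `strcpy(accept.af_name, "dataready")` writes into the fixed-size `af_name` array of `struct accept_filter_arg`; the literal fits, but a bounded copy (`strlcpy`/`snprintf` with `sizeof(accept.af_name)`) is the safer idiom and costs nothing. When `setsockopt()` fails, `msg = "cannot enable ACCEPT_FILTER"` carries no reason, so the operator cannot tell a missing kernel accept-filter module from any other failure; appending `strerror(errno)` to the warning would make it actionable. Finally, the comment `/* the socket needs to listen first */` and the commit message both depend on this block sitting after the `listen()` call in `tcp_bind_listener`, but the hunk context only shows the preceding `goto tcp_close_return;`, so please state in the commit message that the insertion point is after `listen()`.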
[ANNOUNCE] haproxy-2.3.5
Hi,

HAProxy 2.3.5 was released on 2021/02/06. It added 54 new commits after version 2.3.4.

There's no critical bug in this one but fixes for a few problematic cases that either have been there for a while or resulted from recent incomplete fixes:

- an issue in filters (compression, spoe, etc) could block response headers in empty responses with no content-length ;
- there was a risk of temporary CLOSE_WAIT on aborted H2 connections since the recent fixes for truncated responses. Note that these ones would vanish on timeout anyway, hence it was more annoying than dramatic ;
- a rare risk of segfault in idle connections code related to accidental reuse of a TCP connection involving a pending handshake was fixed ;
- the CLI's "abort ssl cert" would purge the old instead of new SSL info ;
- errors on connections would not prevent SSL handshake from being performed, leading to wasted CPU cycles that could sometimes maintain the load artificially high during contention ;
- Lua's core.get_info() got broken in previous version due to the missing definition of INF_BUILD_INFO in stats ;
- there was a small risk of crash in tcpchecks when using multiple connections ;
- the previous fix for DNS SRV records was incorrect and had to be reverted in 2.3.4 as it was sometimes causing a bad pointer dereference and crashing. The code was rechecked and the correct fix merged again ;
- an alignment issue in the XXHash code affecting ARMv6/v7 running in 32-bit mode on 64-bit kernels was addressed ; it could cause bus errors and crashes in 32-bit chroots or containers when using the pattern LRU cache ;
- a few other really minor issues were addressed ;
- "server" definitions in "frontend" sections were mistakenly not rejected during parsing, but would generally result in random crashes later due to uninitialised fields. They are now properly rejected.
In addition, the maximum HTTP/1 chunk size was extended from 2 GB to 4 PB since there was no more compelling reason to limit ourselves to 32 bits storage anymore. Last, some of the "show fd" output improvements were backported as they significantly help when reporting bugs.

2.2.9 is imminent as well with essentially the same fixes, I just don't know yet if my backport of the tcpcheck fix is correct and don't want to take any risks :-)

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :

Adis Nezirovic (1):
      BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition

Amaury Denoyelle (6):
      BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
      BUG/MEDIUM: session: only retrieve ready idle conn from session
      REORG: backend: simplify conn_backend_get
      BUG/MEDIUM: backend: never reuse a connection for tcp mode
      BUG/MINOR: backend: check available list allocation for reuse
      BUG/MINOR: mux_h2: fix incorrect stat titles

Baptiste Assmann (1):
      BUG/MINOR: dns: SRV records ignores duplicated AR records (v2)

Bertrand Jacquin (3):
      MINOR: build: discard echoing in help target
      BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
      BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX

Christopher Faulet (8):
      BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
      MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities
      MINOR: server: Forbid server definitions in frontend sections
      BUG/MEDIUM: tcpcheck: Don't destroy connection in the wake callback context
      BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
      MINOR: h1: Raise the chunk size limit up to (2^52 - 1)
      BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
      MINOR: config: Deprecate and ignore tune.chksize global option

David CARLIER (1):
      BUG/MINOR: threads: Fixes the number of possible cpus report for Mac.

Frédéric Lécaille (4):
      MINOR: peers: Add traces for peer control messages.
      BUG/MINOR: peers: Possible appctx pointer dereference.
      BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command.
      MINOR: contrib: Make the wireshark peers dissector compile for more distribs.

Remi Tricot-Le Breton (1):
      BUG/MINOR: sock: Unclosed fd in case of connection allocation failure

Tim Duesterhus (1):
      DOC: Improve docu