Question About ev_epoll.c:_do_fork()
Hello

I am reading ev_epoll.c:_do_fork() of HAProxy-1.8.30. In its comment, the following sentence appears.

    If it fails, it disables the poller by setting its pref to 0.

But I can't find such code in _do_fork(); I also read _do_fork() of HAProxy-2.4.0 and its comment doesn't have the above sentence. Also, there is no difference between the code of _do_fork() of 1.8.30 and that of 2.4.0 except the REGPRM1 declaration. So I thought the above sentence would be unnecessary in HAProxy-1.8.30. Is my thought correct?

Kazu
Re: HashiCorp
Yes, go ahead

On Wed, Jul 14, 2021, 6:55 PM Donna Nash wrote:
> Good Day,
>
> I would like to know you are interested HashiCorp Users across a range of
> industries and geographic regions.
>
> If yes we can move forward.
>
> Who we are
>
> We are a global database providing company.
>
> Hope we get positive reply from your team.
>
> Thank
>
> Donna Nash
>
> Access tech data
HaProxy Sends 502 Bad Gateway with 'SH' in the Log
Hi Team,

I have a problem with respect to the HaProxy timeouts. I have an application which runs behind the HaProxy (Version 1.8). The application which I have can be considered a black box in which the internals are unknown. In this application there is a RESTFul endpoint which takes considerable time to complete (less than 5 min) and returns an empty response (204).

When I execute the above endpoint (which goes through the HAProxy) it returns a 502 Bad Gateway response and I can see the following log message in the HAProxy logs.

RESTFul Endpoint: GET /abc/service/com.team.repository.internal.diagnostic

Log output->
Jul 14 05:55:01 localhost haproxy[116403]: 9.XX.XXX.219:38442 [14/Jul/2021:05:54:00.789] oift~ abc-default/defaultserver 0/0/143/-1/60217 502 204 - - SH-- 36/36/0/0/0 0/0 "GET /abc/service/com.team.repository.internal.diagnostic?id=com.team.repository.service.database.databaseStatisticsDiagnostic HTTP/1.1"

However, when I remove HAProxy from the topology and invoke the same RESTFul endpoint, I can get the response (empty) correctly.

Note: I can see the 'SH' response code in the above log. According to https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.5, I can see that HAProxy was waiting for proper headers from my application server.

Is there any way we can overcome this issue?

My HAProxy configurations are as follows,

    global
        log 127.0.0.1:514 local0 info
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 6000
        user haproxy
        group haproxy
        daemon
        stats socket /var/lib/haproxy/stats
        tune.ssl.default-dh-param 2048
        tune.maxrewrite 4096

    defaults
        mode http
        log global
        option httplog
        option dontlognull
        option http-server-close
        option redispatch
        retries 3
        timeout http-request 10m
        timeout queue 10m
        timeout connect 1m
        timeout client 10m
        timeout server 10m
        timeout tunnel 10m
        timeout http-keep-alive 10m
        maxconn 6000

    frontend openshift
        bind *:80
        bind *:443 ssl crt /etc/ssl/private/hap.pem
        mode http
        redirect scheme https if !{ ssl_fc }
        maxconn 2000
        default_backend abc-default

    backend abc-default
        fullconn 1000
        balance roundrobin
        server defaultserver abc-haproxy.apps.sstream-dev-new.os.com ssl verify none

Thank you in advance!

Buddhi D. S.
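Added example (not part of the original post and not HAProxy's own code): a small Python parser for the log line quoted in the message above, decoding the timers and the termination state so that a server-side abort ('S') can be told apart from an HAProxy timeout ('s'). The regular expression and the function name diagnose are assumptions written for this line's layout; the flag meanings are paraphrased from section 8.5 of the 1.8 configuration manual.

```python
import re

# Log line copied from the post above (HAProxy 1.8, "option httplog").
LOG_LINE = (
    'Jul 14 05:55:01 localhost haproxy[116403]: 9.XX.XXX.219:38442 '
    '[14/Jul/2021:05:54:00.789] oift~ abc-default/defaultserver '
    '0/0/143/-1/60217 502 204 - - SH-- 36/36/0/0/0 0/0 '
    '"GET /abc/service/com.team.repository.internal.diagnostic'
    '?id=com.team.repository.service.database.databaseStatisticsDiagnostic HTTP/1.1"'
)

# Field order of the 1.8 HTTP log: TR/Tw/Tc/Tr/Ta status bytes cookies flags.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d]+(?:/[-+\d]+){4}) (?P<status>-?\d+) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) '
)

# First and second termination-state characters, paraphrased from section 8.5.
CAUSE = {'C': 'aborted by client', 'S': 'aborted or refused by server',
         'P': 'aborted by proxy', 'c': 'client-side timeout expired',
         's': 'server-side timeout expired', '-': 'normal completion'}
PHASE = {'R': 'waiting for request', 'Q': 'waiting in queue',
         'C': 'waiting for server connection', 'H': 'waiting for response headers',
         'D': 'data transfer', 'L': 'last data to client', 'T': 'tarpit',
         '-': 'normal completion'}

def diagnose(line, timeout_server_ms):
    """Decode the timers and termination state of one httplog line."""
    m = HTTPLOG.search(line)
    if m is None:
        raise ValueError('not an HAProxy httplog line')
    _tq, _tw, _tc, tr, ta = (int(t.lstrip('+')) for t in m['timers'].split('/'))
    cause, phase = m['term'][0], m['term'][1]
    return {
        'status': int(m['status']),
        'cause': CAUSE.get(cause, 'unknown'),
        'phase': PHASE.get(phase, 'unknown'),
        'headers_received': tr != -1,   # Tr = -1: no complete response headers seen
        'total_ms': ta,
        'haproxy_timeout_fired': cause in ('c', 's'),
        'ended_before_timeout_server': ta < timeout_server_ms,
    }

if __name__ == '__main__':
    # 600000 ms is the "timeout server 10m" from the posted configuration.
    for key, value in diagnose(LOG_LINE, 600_000).items():
        print(f'{key}: {value}')
```

For the posted line it reports that no response headers arrived, that no HAProxy timeout fired, and that the session ended after 60217 ms, well before the configured 10 minutes.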
HashiCorp
Good Day,

I would like to know you are interested HashiCorp Users across a range of industries and geographic regions.

If yes we can move forward.

Who we are

We are a global database providing company.

Hope we get positive reply from your team.

Thank

Donna Nash
Access tech data
[PATCH] JA3 TLS Fingerprinting (take 2)
Hi, Thank you for all comments I have received regarding JA3 Fingerprinting patches. Here is the new set of patches which incorporated all your suggestions. Willy: I lowered memory requirements for ssl_capture (now 40 extra bytes), but I did not go with the lowest as you suggested (unsigned char for length/unsigned short for offset). Potentially this would work just fine, yet specification allows to exceed that ( https://mta.openssl.org/pipermail/openssl-dev/2015-September/002860.html) and personally I'm more in favour of sticking to standards as things could bite us in the future. Dropping precalculated xxh64 hash would allow us to go as low as 28 bytes if we care a lot about memory. Regards, Marcin Deranek From 14a84a136e7e52957ae44fecaec432bdb9e3f4c9 Mon Sep 17 00:00:00 2001 From: Marcin Deranek Date: Tue, 13 Jul 2021 14:05:24 +0200 Subject: [PATCH 3/5] MINOR: sample: Add be2dec converter Add be2dec converter which allows to build JA3 compatible TLS fingerprints by converting big-endian binary data into string separated unsigned integers eg. http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ %[ssl_fc_cipherlist_bin(1),be2dec(-,2)],\ %[ssl_fc_extlist_bin(1),be2dec(-,2)],\ %[ssl_fc_eclist_bin(1),be2dec(-,2)],\ %[ssl_fc_ecformats_bin,be2dec(-,1)] --- doc/configuration.txt | 12 +++ reg-tests/converter/be2dec.vtc | 50 + src/sample.c | 57 ++ 3 files changed, 119 insertions(+) create mode 100644 reg-tests/converter/be2dec.vtc diff --git a/doc/configuration.txt b/doc/configuration.txt index ecbbcdd04..d39e90752 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -16064,6 +16064,18 @@ base64 an SSL ID can be copied in a header). For base64url("URL and Filename Safe Alphabet" (RFC 4648)) variant see "ub64enc". +be2dec(,,[]) + Converts a binary input sample to a string containing an unsigned integer + number per input bytes. is put every + binary input bytes if specified. flag indicates whatever binary + input is truncated at boundaries. maximum value is + limited by the size of long long int (8 bytes). + + Example: + bin(01020304050607),be2dec(:,2) # 258:772:1286:7 + bin(01020304050607),be2dec(-,2,1) # 258-772-1286 + bin(01020304050607),be2dec(,2,1) # 2587721286 + bool Returns a boolean TRUE if the input value of type signed integer is non-null, otherwise returns FALSE. Used in conjunction with and(), it can be diff --git a/reg-tests/converter/be2dec.vtc b/reg-tests/converter/be2dec.vtc new file mode 100644 index 0..d329e01b3 --- /dev/null +++ b/reg-tests/converter/be2dec.vtc 
@@ -0,0 +1,50 @@ +varnishtest "be2dec converter Test" + +#REQUIRE_VERSION=2.5 + +feature ignore_unknown_macro + +server s1 { + rxreq + txresp +} -repeat 2 -start + +haproxy h1 -conf { +defaults + mode http + timeout connect 1s + timeout client 1s + timeout server 1s + +frontend fe + bind "fd@${fe}" + + requests + http-request set-var(txn.input) req.hdr(input) + + http-response set-header be2dec-1 "%[var(txn.input),be2dec(:,1)]" + http-response set-header be2dec-2 "%[var(txn.input),be2dec(-,3)]" + http-response set-header be2dec-3 "%[var(txn.input),be2dec(::,3,1)]" + + default_backend be + +backend be + server s1 ${s1_addr}:${s1_port} +} -start + +client c1 -connect ${h1_fe_sock} { + txreq -url "/" \ + -hdr "input: 0123456789" + rxresp + expect resp.status == 200 + expect resp.http.be2dec-1 == "48:49:50:51:52:53:54:55:56:57" + expect resp.http.be2dec-2 == "3158322-3355701-3553080-57" + expect resp.http.be2dec-3 == "3158322::3355701::3553080" + txreq -url "/" \ + -hdr "input: abcdefghijklmnopqrstuvwxyz" + rxresp + expect resp.status == 200 + expect resp.http.be2dec-1 == "97:98:99:100:101:102:103:104:105:106:107:108:109:110:111:112:113:114:115:116:117:118:119:120:121:122" + expect resp.http.be2dec-2 == "6382179-6579558-6776937-6974316-7171695-7369074-7566453-7763832-31098" + expect resp.http.be2dec-3 == "6382179::6579558::6776937::6974316::7171695::7369074::7566453::7763832" +} -run diff --git a/src/sample.c b/src/sample.c index d02034cf0..5b7ad8b34 100644 --- a/src/sample.c +++ b/src/sample.c 
@@ -2057,6 +2057,62 @@ static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, v #endif /* USE_OPENSSL */ +static int sample_conv_be2dec_check(struct arg *args, struct sample_conv *conv, +const char *file, int line, char **err) +{ + if (args[1].data.sint <= 0 || args[1].data.sint > sizeof(unsigned long long)) { + memprintf(err, "chunk_size out of [1..%ld] range (%lld)", sizeof(unsigned long long), args[1].data.sint); + return 0; + } + + if (args[2].data.sint != 0 && args[2].data.sint != 1) { + memprintf(err, "Unsupported truncate value (%lld)", args[2].data.sint); + return 0; + } + + return 1; +} + +static int sample_conv_be2dec(const struct arg *args, struct samp
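Review bot: In the doc/configuration.txt hunk, the be2dec description says the truncate flag "indicates whatever binary input is truncated", which should read "whether", and it never states what happens when the flag is omitted. The first example (258:772:1286:7) shows that a trailing partial chunk is emitted as a shorter integer by default; please say so in the text rather than leaving it to be inferred from the example.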
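Review bot: The reg-tests/converter/be2dec.vtc cases only exercise chunk sizes 1 and 3 on printable ASCII input. Chunk size 2, which the commit message uses for the JA3 fields, the maximum size 8, and the empty separator shown in the documentation example "be2dec(,2,1)" are not covered; one extra expect per case would pin down the boundary behaviour that the documentation promises.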
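Review bot: In sample_conv_be2dec_check() in the src/sample.c hunk, the first memprintf() passes sizeof(unsigned long long), a size_t, to a %ld conversion; use %zu or cast the argument to (long) so the format matches on every platform. The range test also compares the signed args[1].data.sint with the unsigned sizeof result, which is correct only because the "<= 0" test runs first; casting the sizeof to (long long) would make that explicit and avoid a sign-compare warning. The body of sample_conv_be2dec() is cut off on this page, so the conversion loop is not covered by this comment.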
Empty agent_status in statistics
Hi,

After version 2.4-dev7, we lost some statistics about agent checks. When we added the code below to /src/stats.c, we started to get the result of the agent checks in statistics. But we are not sure about our code. If it is a bug, will you fix it soon?

after "case ST_F_CHECK_HEALTH:" lines

    case ST_F_AGENT_STATUS:
        if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED) {
            const char *fld_chksts;
            fld_chksts = chunk_newstr(out);
            chunk_strcat(out, "* "); // for check in progress
            chunk_strcat(out, get_check_status_info(sv->agent.status));
            if (!(sv->agent.state & CHK_ST_INPROGRESS))
                fld_chksts += 2; // skip "* "
            metric = mkf_str(FN_OUTPUT, get_check_status_info(sv->agent.status));
        }
        break;
    case ST_F_AGENT_CODE:
        if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED &&
            sv->agent.status >= HCHK_STATUS_L57DATA)
            metric = mkf_u32(FN_OUTPUT, sv->agent.code);
        break;
    case ST_F_AGENT_DURATION:
        if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED &&
            sv->agent.status >= HCHK_STATUS_CHECKED)
            metric = mkf_u64(FN_DURATION, sv->agent.duration);
        break;
    case ST_F_AGENT_DESC:
        if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
            metric = mkf_str(FN_OUTPUT, get_check_status_description(sv->agent.status));
        break;
    case ST_F_LAST_AGT:
        if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
            metric = mkf_str(FN_OUTPUT, sv->agent.desc);
        break;
    case ST_F_AGENT_RISE:
        if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
            metric = mkf_u32(FO_CONFIG|FS_SERVICE, ref->agent.rise);
        break;
    case ST_F_AGENT_FALL:
        if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
            metric = mkf_u32(FO_CONFIG|FS_SERVICE, ref->agent.fall);
        break;
    case ST_F_AGENT_HEALTH:
        if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
            me

Thanks,
Yusuf