bal Lua library path.
See this mailing list thread for details:
https://www.mail-archive.com/haproxy@formilux.org/msg35839.html
Specifically this email for the patch:
https://www.mail-archive.com/haproxy@formilux.org/msg35896.html
Best regards
Tim Düsterhus
ld
> force me to stop even more frequently and chat with coworkers :-)
>
15 emails per hour is one every 4 minutes. If I'd be sending emails at
that rate I'd just use an actual chat :-) That is of course unless I
send largish patch bombs in an automated fashion.
Best regards
Tim Düsterhus
to sending 15 emails per hour for
abuse prevention in case my password ever leaks. So 2 patches did not
make it through the first time. I hope I did not completely mess up
threading when sending the last 2. My email limit is now up to 20 :-)
Best regards
Tim Düsterhus
as of now is 15 commits
ahead of master. So I'll send an updated series once 2.2 is out.
Or you tell me to send it now and apply it to 'next'. While I'm here:
There's already one commit sitting in the next branch to be applied
after the release.
Best regards
Tim Düsterhus
Willy,
find the patch attached.
Best regards
Tim Düsterhus
Developer WoltLab GmbH
--
WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam
Tel.: +49 331 96784338
duester...@woltlab.com
www.woltlab.com
Managing director:
Marcel Werk
AG Potsdam HRB 26795 P
>F
to apply pretty seamlessly
to HAProxy 2.0, it contains all you need.
One small note: The correct terminology for "sha2 filter" is "sha2
converter".
Best regards
Tim Düsterhus
_c_der ?
> (ssl_c_der,sha2(256))
>
You are right, of course.
While adjusting the example from the commit message I replaced the 'der'
instead of the 'f'.
Best regards
Tim Düsterhus
proxy/commit/d4376302377e4f51f43a183c2c91d929b27e1ae3
The ssl_c_sha1 is simply a hash of the DER representation of the
certificate. So you can just hash it with the sha2 converter:
ssl_c_sha256,sha2(256)
Best regards
Tim Düsterhus
figuration
(http-after-response), in case I have to revert back.
My two previous attempts failed due to heap / allocator corruption
(issues #681 and #700).
Best regards
Tim Düsterhus
ddress right now!
Agreed. This is something non-trivial and the solution should not be
rushed. Personally I've already adjusted my rules.
I just filed a tracking bug for it on GitHub, so that the discussion
will not get lost in the depths of the email archive:
https://github.com/haproxy/haproxy/issues/714
Best regards
Tim Düsterhus
Hi List,
Am 22.06.20 um 21:13 schrieb Tim Düsterhus:
> What kind of (configuration) advice would you give me? Do you have any
> concerns? I consider *anything* a valid answer here and I'd like to hear
> from both experienced admins and "newbies".
>
> I'll give the &
such a configuration. To fix this, please ensure that all
following
| timeouts are set to a non-zero value: 'client', 'connect',
'server'.
Warnings were found.
Configuration file is valid
I guess a truncated last line cannot be differentiated from file that
does not
end with a new line
---
What kind of (configuration) advice would you give me? Do you have any
concerns? I consider *anything* a valid answer here and I'd like to hear
from both experienced admins and "newbies".
I'll give the "solution" once I get some replies :-)
Best regards
Tim Düsterhus
ARNING] 173/185130 (17415) : parsing [/tmp/example/cat:3]: line is not
> terminated by a newline (LF / '\n').
> [ALERT] 173/185130 (17415) : Error(s) found in configuration file :
> /tmp/example/cat
> [ALERT] 173/185130 (17415) : Fatal errors found in configuration.
Thus even if we might never not support leaving out the trailing newline
I consider that something worthwhile to warn about.
Best regards
Tim Düsterhus
origin
Example:
$ http --headers localhost:8080
HTTP/1.1 200 OK
cache-control: no-cache
content-type: text/html
transfer-encoding: chunked
x-frame-options: sameorigin
Best regards
Tim Düsterhus
silent. See:
http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-response%20set-log-level
Best regards
Tim Düsterhus
efore the 2.2 release.
>
I'd definitely postpone changing anything about VTest past 2.2. Any bugs
found using that will be backported anyway. So nothing really lost by
waiting for the release.
Best regards
Tim Düsterhus
trust you that the patch fixes *a* bug, even if it might not be *my*
bug, thus feel free to apply.
Best regards
Tim Düsterhus
GTERM in HAProxy anyway,
so there is no need for this distinction. I did not yet look into the
details of the failing tests, though.
Best regards
Tim Düsterhus
William,
Am 14.06.20 um 16:59 schrieb Tim Düsterhus:
> I can reproduce this with the following config:
>
> frontend http
> mode http
> bind 127.0.0.1:80
>
> http-request redirect scheme https if METH_GET
>
>> $ valgrind ./haproxy -c -f ./crasher.cf
6484==by 0x5271CA: deinit (haproxy.c:2706)
> ==6484==by 0x528017: deinit_and_exit (haproxy.c:2871)
> ==6484==by 0x528E90: init (haproxy.c:2205)
> ==6484==by 0x41F382: main (haproxy.c:3127)
> ==6484== Address 0x0 is not stack'd, malloc'd or (recently) free'd
I would assume that this is related to METH_GET being a default acl.
Best regards
Tim Düsterhus
William,
Am 13.06.20 um 16:46 schrieb Tim Düsterhus:
> tune.ssl.default-dh-param 2048 solved the issue for me.
>
> I'd argue that this is a bug in HAProxy nonetheless, because apparently
> the crt-list file is not fully parsed in case of DH parameter warnings
> (not errors)
Dear List,
Am 13.06.20 um 16:11 schrieb Tim Düsterhus:
> Any ideas?
>
Looking at the startup warnings is always a good idea:
> Jun 13 14:40:52 *snip* haproxy[15815]: [WARNING] 164/144052 (15815) :
> Reexecuting Master process
> Jun 13 14:40:52 *snip* haproxy[15815]: [WARN
solution :-)
Any ideas?
Best regards
Tim Düsterhus
.
>
> I'd say that the one in 'pattern' is a bug and that the other two just need a
> /* fall through */ comment.
>
> See the build log below for what I'm seeing within a debian:sid Docker
> container:
>
> [...]
>
> Tim Düsterhus (2):
> BUILD: Remove nowarn for
end of next week, which is close to initial estimates.
>
I would assume that the release of 2.2 is also the date where 1.9 goes
from EoL to unmaintained? You might or might not want to plan a final
1.9 release then as well.
Best regards
Tim Düsterhus
IP blocking or something else in place?
>
See also:
https://github.com/haproxy/haproxy/issues/49#issuecomment-633521350
Best regards
Tim Düsterhus
terms of files anyway.
Best regards
Tim Düsterhus
Emeric,
Willy,
Am 02.06.20 um 15:10 schrieb Emeric Brun:
> Thank you Tim!
>
> Here the updated patch.
This looks good to me now. I trust that you actually tested the changes.
Reviewed-by: Tim Duesterhus
Best regards
Tim Düsterhus
missing from the commit message.
Other than that the patch looks good to me, but I didn't actually test a
binary compiled from it.
Best regards
Tim Düsterhus
ed. It only triggers at two places
within Lua with something regarding 'setjmp'. It might be possible to
re-enable that one as well, but I don't understand that code.
Best regards
Tim Düsterhus
rb =
> node = 0x19e2e60
> #3 0x004d1da3 in deinit () at src/haproxy.c:2762
strace does not show any further activity.
Best regards
Tim Düsterhus
Vincent,
Am 28.05.20 um 12:41 schrieb Tim Düsterhus:
> Okay, I've done what I really wanted to avoid and built my own HAProxy.
> I'm now running HAProxy 2.1.5-1~~~timwolla+1 and I hope that it will
> smoothly upgrade to Vincent's build once it is released.
>
While researching
ux=H1
> : mode=TCPside=FE|BE mux=PASS
>
> Available services :
> prometheus-exporter
>
> Available filters :
> [SPOE] spoe
> [CACHE] cache
> [FCGI] fcgi-app
> [TRACE] trace
> [COMP] compression
My Postfix + Dovecot still works as evidenced by the fact that I am able
read your email and send a reply. My HTTP services also work.
Best regards
Tim Düsterhus
it will be end of
life on November, 30th anyway.
Best regards
Tim Düsterhus
break Dovecot or I compile my own
HAProxy.
Best regards
Tim Düsterhus
[1] https://www.mail-archive.com/haproxy@formilux.org/msg37344.html
fails without
them and passes with them :-/
For posteriority the correct commits are:
68ad53cb3781010ccde7c781b6a3a1e926b5ed23
3ab504f5ff53968ae70d592cba4c1c7da6a0e7ff
d82056c319814f9328db07dd50ab90785ec6c95c
Best regards
Tim Düsterhus
However in the general case you won't get far as a client in today's
Internet without supporting TLS 1.2. For my machines I dropped support
for anything < 1.2 on port 443 more than 2 years ago.
Best regards
Tim Düsterhus
l configurable with
> min-ssl-ver if you want the support for prior TLS versions.
>
> Does anybody have any objections?
>
As a data point:
The OpenSSL shipped with Debian Buster does not support anything below
TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.0
feature which will for example allow to define errorfile templates
> which embed a unique ID or at least be a bit more user-friendly.
Sweet. I always wanted to embed the unique ID in the error messages.
Best regards
Tim Düsterhus
maps from Lua? They should be
> backed by ebtree and be faster right?
>
To my understanding Maps are not scoped per request and thus would not
be usable for haproxy-auth-request.
Best regards
Tim Düsterhus
issue:
https://github.com/haproxy/haproxy/issues/623
Best regards
Tim Düsterhus
t of memory. The output type
> is an unsigned integer.
Thus you only have a hash value of the URL in question. However the IP
address is stored in clear at the end of the resulting key. You might
need to hex decode it.
Best regards
Tim Düsterhus
INOR, first one merged on 2020-04-02
>
> Thus the computed ideal release date for 2.0.15 would be 2020-04-30, which
> was two weeks ago.
Is there any date planned for 2.1.5? I'm still running 2.1.3 on one
machine, because I use Dovecot.
Best regards
Tim Düsterhus
r you. If it is
>> of any help to you: This is definitely not how it usually goes.
>
> Then here is my next try. ;-)
>
> I've rebased my changes to reflect the recent changes and added the
> missing description to the first patch.
I've now taken a look at both patches now and both are:
Reviewed-by: Tim Duesterhus
Best regards
Tim Düsterhus
like haproxy and want to give something back, but I'm not sure
> if I want to do that in the future with the experience I had so far. :-(
>
Liking HAProxy and wanting to give something back is my motivation as
well. I am very sorry to see how this experience went for you. If it is
of any help to you: This is definitely not how it usually goes.
Best regards
Tim Düsterhus
Patrick,
Am 07.05.20 um 13:03 schrieb Patrick Gansterer:
> Hi,
>
> On 22.04.20 18:30, Tim Düsterhus wrote:
>> I don't find anything to complain about now. I'll now leave it up to the
>> authority to either apply or complain.
>
> How long does it usually take
14 ... any hint ?
This sounds like this issue we've seen with Dovecot:
https://www.mail-archive.com/haproxy@formilux.org/msg36890.html
Try applying this commit:
https://github.com/haproxy/haproxy/commit/02c88036a61e09d0676a2b6b4086af677b023b94
Best regards
Tim Düsterhus
(idle). If at least 6 requests
come in at the same time then PHP will reach 10 worker processes,
because PHP is configured to keep 4 idle processes at all times. A 7th
request would violate the minimum number of idle processes.
Now if the number of concurrent requests goes down to 4 you will still
see the 10 processes, because PHP is allowed to keep 6 idle processes
around.
Best regards
Tim Düsterhus
ld say that the dead
store should remain in there.
In short: This patch should carefully be checked and probably not all
changes should be applied.
Best regards
Tim Düsterhus
y: Tim Duesterhus
Best regards
Tim Düsterhus
then.
> + Please note that this converter is only available when haproxy has been
> + compiled with USE_OPENSSL.
> +
> http_date([])
>Converts an integer supposed to contain a date since epoch to a string
>representing this date in a format suitable for use in HTTP header fields.
> If
Best regards
Tim Düsterhus
h each.
Best regards
Tim Düsterhus
t CVE. The difference to my understanding
is that his version is more efficient, because it's not fork+exec()ing
new processes all the time and instead just uses function calls.
Best regards
Tim Düsterhus
smp->data.type = SMP_T_BIN;
> + smp->flags &= ~SMP_F_CONST;
> + return 1;
> +}
> +
> +static struct sample_conv_kw_list sample_conv_kws = {ILH, {
> + { "digest", sample_conv_crypto_digest, ARG1(1,STR), NULL,
> SMP_T_BIN, SMP_T_BIN },
> + { "hmac", sample_conv_crypto_hmac, ARG2(2,STR,STR), NULL,
> SMP_T_BIN, SMP_T_BIN },
Add a validation function that checks whether the given hash algorithm
is valid at configuration checking time.
Best regards
Tim Düsterhus
a
C developer, but is not something that's specifically acknowledged
within the H2 specification. Negative values however are clearly invalid
when talking about a byte range.
Best regards
Tim Düsterhus
network" input from
stdin and patched HAProxy to exit after serving a single request. Then I
used a simplistic configuration pointing to an nginx and seeded AFL
using some HTTP/2 requests I generated using nghttp against `nc -l >
request`. However that dirty hackery resulted in AFL not reliably
detecting whether something changed because the input changed or whether
it just randomly changed.
Best regards
Tim Düsterhus
Olivier,
Am 21.04.20 um 16:34 schrieb Olivier D:
> ;)
> Patch updated attached.
>
Now LGTM.
Reviewed-by: Tim Duesterhus
Best regards
Tim Düsterhus
oder. For CVE-2018-20615 I worked with preeny/desock and saw
that issues with branches being non-deterministic (I assume slight
timing issues or packets being cut differently or something like that).
Best regards
Tim Düsterhus
won't be the last. Can we please allocate some
resources on making HAProxy more fuzzer friendly after 2.2 is out?
I would also be interested in how Felix Wilhelm performed the fuzzing,
do you happen to have details about that?
Best regards
Tim Düsterhus
t; instead of "[DOC]".
2. All subsequent calls to src field will return this value (see example).
-> It's not "field", but "fetch". Not sure whether "src" should also
be quoted in there.
Other than that it looks good to me now.
Best regards
Tim D
ons
based on the IP address with the last octet zeroed out.
> +# This will track connection based on header IP
> +http-request set-src hdr(x-forwarded-for)
> +http-request track-sc0 src
> +
>When possible, set-src preserves the original source port as long as the
>address family allows it, otherwise the source port is set to 0.
Best regards
Tim Düsterhus
image of the Docker Official Images
program now, so any obvious issues in the future should be detected.
https://github.com/docker-library/haproxy/pull/111
Best regards
Tim Düsterhus
ctions.
>http-request track-sc0 req.hdr( X-Forwarded-For )
>http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
>
Best regards
Tim Düsterhus
official-images/pulls?q=is%3Apr+label%3Alibrary%2Fhaproxy+is%3Aclosed.
Within the PRs there's always a comment with the results of the tests
for all the versions.
Best regards
Tim Düsterhus
b.com/docker-library/haproxy/blob/3dd3917d3a70c230d8b192541ee08764e1da16af/2.2-rc/alpine/Dockerfile#L31-L45
Basic smoke test (Reverse Proxy to example.com) is here:
https://github.com/docker-library/official-images/tree/master/test/tests/haproxy-basics
Best regards
Tim Düsterhus
articles. And in fact the
second link uses a very non-committal language by saying that these
disclaimers "[...] may not be legally enforceable". Any statement with a
"may" in it is absolutely useless.
Best regards
Tim Düsterhus
sending mail to this list from $COMPANY email you would
need to live with a 14 line signature that is not a disclaimer, but
similarly is snail mail information of $COMPANY that I'm required to add
by law.
Best regards
Tim Düsterhus
Willy,
Am 04.04.20 um 13:29 schrieb Willy Tarreau:
>> Am 04.04.20 um 12:41 schrieb Tim Düsterhus:
>>> The Dovecot source code is here:
>>> https://github.com/dovecot/core/blob/de9968d623e331a18b43dfe8a00421f72f7f7962/src/lib-master/master-service-haproxy.c#L35
Hativ,
Willy,
Am 04.04.20 um 12:41 schrieb Tim Düsterhus:
> The Dovecot source code is here:
> https://github.com/dovecot/core/blob/de9968d623e331a18b43dfe8a00421f72f7f7962/src/lib-master/master-service-haproxy.c#L354
>
> A quick glance at the Dovecot code looks like Dovecot pars
ooks like Dovecot parses the proxy
protocol correctly with regard to TLVs.
Best regards
Tim Düsterhus
Hativ,
Am 03.04.20 um 00:38 schrieb Hativ:
> Any ideas what's wrong?
>
I would assume that this patch changed the behavior there:
https://github.com/haproxy/haproxy/commit/7f26391bc51ad56c31480d03f56e1db604f1c617
Can you try reverting that to check whether it is the cause?
Best regar
rs! Exiting.
I suppose this commit might be at fault here:
https://github.com/haproxy/haproxy/commit/a2cfd7e356f4d744294b510b05d88bf58304db25
Try reverting it to see whether it fixes the issue.
Best regards
Tim Düsterhus
ly because we already started to
> deploy part of v2.2...
>
> Sorry for that, please ignore this patch :)
>
For 2.1 we used the 'next' branch to already take these type of patches.
It was simply rebased after the release:
http://git.haproxy.org/?p=haproxy.git;a=shortlog;h=refs/heads/next
Best regards
Tim Düsterhus
ha_warning("[%s.main()] Cannot raise FD limit
> to %d, limit is %d.\n",
> argv[0], global.rlimit_nofile,
> (int)limit.rlim_cur);
I believe the `ha_warning` should be changed to `ha_alert` then. Or the
function used should depend on whet
/ the RNG changes have been picked
out-of-order.
> Could you please cut a release ? there are many fixes that just cherry
> picking it in my fork would make sense.
I second that. I was already thinking about asking after yesterday's
2.2-dev5.
Best regards
Tim Düsterhus
ed to look into the code anyway,
because the docs are incomplete (as I outlined before in this thread).
Changing the code will cause larger breakage during a HAProxy bugfix
upgrade if not all machines in a cluster are upgraded simultaneously.
Best regards
Tim Düsterhus
tic analyzers is acceptable to me.
Best regards
Tim Düsterhus
$PRIVATE_TOKEN` to
the configuration within their pull requests.
Of course one could also simply add their own repository to Travis to
test it out without the need for a pull request. In fact I believe Ilya
does: https://travis-ci.com/github/chipitsine/haproxy
Best regards
Tim Düsterhus
aproxy/pulls?q=is%3Apr+is%3Aclosed
GitHub Actions would need to be explicitly enabled for pull requests.
Best regards
Tim Düsterhus
meone would need to step up to provide the runners,
though.
I'm also using it for my haproxy-auth-request Lua script and VTest:
https://github.com/TimWolla/haproxy-auth-request/blob/master/.github/workflows/vtest.yml
Best regards
Tim Düsterhus
This looks like an issue
on Travis' end to me. Maybe a bug report should be filed with their
support. It seems to consistently hang somewhere around the installation
of libpcre2.
Best regards
Tim Düsterhus
y/blob/67b095e797a156ae27b7b52f6ccf57171717dd16/.travis.yml#L108
It probably needs to read `if [ "$CC" = "clang*" ]` (unless I got my
bash syntax wrong).
Best regards
Tim Düsterhus
tion]
> ABORT_NOW();
> ^
Best regards
Tim Düsterhus
some internal enum.
Best regards
Tim Düsterhus
'm seeing, we should document that on the wire we
> have this:
>
>2 = signed int
>4 = IPv4
>5 = IPv6
>6 = string
>7 = binary
>
Perfect, I'll use those values within my implementation.
> From now, the best solution likely is to check where the table type is
> used and instead go back to a table-specific type with hard-coded values
> matching what we have now.
>
Should I file an issue for tracking that?
Best regards
Tim Düsterhus
Willy,
Am 14.03.20 um 11:14 schrieb Willy Tarreau:
> Now done. I've also cleaned up the null-derefw warning in the debugging
> code of the pools.
>
Can't the pools simply use `ABORT_NOW()` instead of `*DISGUISE((volatile
int *)0) = 0;`?
Best regards
Tim Düsterhus
f a circular dependency. If it's a small obvious change feel free to
adapt the patch. If it requires larger changes please fix it yourself
and ignore my patch.
Best regards
Tim Düsterhus
its you best :-) If you want me to take it now I can.
In fact I added a blank line in that patch.
The v2-series is good from my side. I don't plan any more changes. If
you are happy as well then please take it.
Best regards
Tim Düsterhus
^
While checking my list of outgoing patches I noticed that this one
wasn't acknowledged yet. It will become important with:
https://github.com/haproxy/haproxy/issues/546
Best regards
Tim Düsterhus
xpert Ilya to look into that:
https://github.com/haproxy/haproxy/issues/546
Best regards
Tim Düsterhus
struct
connection` refactoring before actually taking it or would you like me
to make any changes to it?
Best regards
Tim Düsterhus
pes are only added at the end)? Or rather: Is the peer protocol stable
enough for third party implementations or can it change at will during
HAProxy upgrades?
Best regards
Tim Düsterhus
b.io/haproxy-dconv/2.1/configuration.html#7.3.1-word
Untested example:
acl image1 path,word(1,/) -m int le 10005
Best regards
Tim Düsterhus
updated, because does not pass in any case.
Best regards
Tim Düsterhus
_version/src/snapshot/haproxy-ss-LATEST.tar.gz
> |tar xz --strip-components=1 --wildcards --to-stdout '*/SUBVERS'
>end
> 1.8
> -beacaef
>
> 1.9
> -bea2911
>
> 2.0
> -4ab0efb
>
> 2.1
> -$Format:%h$
>
> 2.2
> -ee3bcdd
>
Best regards
Tim Düsterhus
rg/download/2.2/src/snapshot/
for some reason I only saw the `-patches` tarball and missed / ignored
the `-ss` one. I guess that'll work for me, thanks.
Best regards
Tim Düsterhus
to CI?). The check in there does not even compile (facepalm).
In any case: I just fixed that build failure locally and can confirm
that the BUG_ON does not trigger. Consider that line a "Please carefully
check my assumptions, Willy".
Best regards
Tim Düsterhus
Willy,
when looking at the newest PRNG commits I noticed that some places that
now use ha_random() still refer to RAND_MAX. You should check whether
that still is appropriate, because my understanding is that you are now
guaranteed to receive a specific number of bits.
Best regards
Tim Düsterhus
> today :-)
Perfect, thank you. Expect my patch series with unique IDs in proxy
protocol sooner rather than later :-) I assume you'll have a bit more to
complain about that, because it wasn't as straight forward as this clean up.
Best regards
Tim Düsterhus
1 - 100 of 436 matches
Mail list logo
