Re: ModSecurity: First integration patches

2017-04-12 Thread Thierry Fournier
> On 12 Apr 2017, at 09:57, Aleksandar Lazic wrote: > > > > Am 11-04-2017 10:49, schrieb Thierry Fournier: >> Hi list >> I join one usage of HAProxy / SPOE, it is WAF offloading. >> These patches are a first version, they have some limitations described

Re: ModSecurity: First integration patches

2017-04-12 Thread Aleksandar Lazic
Am 11-04-2017 10:49, schrieb Thierry Fournier: Hi list I join one usage of HAProxy / SPOE, it is WAF offloading. These patches are a first version, they have some limitations described in the README file in the directory contrib/modsecurity. - Christopher, please check the patch "BUG/MINOR",

Re: ModSecurity: First integration patches

2017-04-12 Thread Christopher Faulet
Le 11/04/2017 à 10:49, Thierry Fournier a écrit : Hi list I join one usage of HAProxy / SPOE, it is WAF offloading. These patches are a first version, they have some limitations described in the README file in the directory contrib/modsecurity. - Christopher, please check the patch "BUG/MINOR",

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
On Wed, Apr 12, 2017 at 03:16:31PM +0200, Conrad Hoffmann wrote: > Hi Olivier, > > I was very eager to try out your patch set, thanks a lot! However, after > applying all of them (including the last three), it seems that using > environment variables in the config is broken (i.e. ${VARNAME} does

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Conrad Hoffmann
On 04/12/2017 03:37 PM, Olivier Houchard wrote: > On Wed, Apr 12, 2017 at 03:16:31PM +0200, Conrad Hoffmann wrote: >> Hi Olivier, >> >> I was very eager to try out your patch set, thanks a lot! However, after >> applying all of them (including the last three), it seems that using >> environment

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
On Wed, Apr 12, 2017 at 05:30:17PM +0200, Conrad Hoffmann wrote: > Hi again, > > so I tried to get this to work, but didn't manage yet. I also don't quite > understand how this is supposed to work. The first haproxy process is > started _without_ the -x option, is that correct? Where does that

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
On Wed, Apr 12, 2017 at 05:30:17PM +0200, Conrad Hoffmann wrote: > Hi again, > > so I tried to get this to work, but didn't manage yet. I also don't quite > understand how this is supposed to work. The first haproxy process is > started _without_ the -x option, is that correct? Where does that

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
On Wed, Apr 12, 2017 at 05:50:54PM +0200, Olivier Houchard wrote: > On Wed, Apr 12, 2017 at 05:30:17PM +0200, Conrad Hoffmann wrote: > > Hi again, > > > > so I tried to get this to work, but didn't manage yet. I also don't quite > > understand how this is supposed to work. The first haproxy

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Conrad Hoffmann
Hi again, so I tried to get this to work, but didn't manage yet. I also don't quite understand how this is supposed to work. The first haproxy process is started _without_ the -x option, is that correct? Where does that instance ever create the socket for transfer to later instances? I have it

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Conrad Hoffmann
Hi Olivier, I was very eager to try out your patch set, thanks a lot! However, after applying all of them (including the last three), it seems that using environment variables in the config is broken (i.e. ${VARNAME} does not get replaced with the value of the environment variable anymore). I am

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
Hi James When you do a graceful reload of haproxy this is what happens. 1. the old process will accept no more connections and the stats page is stopped and so is the socket 2. a new haproxy instance is started where new clients get connected to, and this has the live socket 3. when the old

Re: ModSecurity: First integration patches

2017-04-12 Thread Aleksandar Lazic
Hi. Am 12-04-2017 10:08, schrieb Thierry Fournier: On 12 Apr 2017, at 09:57, Aleksandar Lazic wrote: Am 11-04-2017 10:49, schrieb Thierry Fournier: Hi list I join one usage of HAProxy / SPOE, it is WAF offloading. These patches are a first version, they have some

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
Yet another patch, on top of the previous ones. This one tries to get the default value of TCP_MAXSEG by creating a temporary TCP socket, so that one can remove the "mss" entry from its configuration file, and reset the mss value for any transferred socket from the old process. Olivier From

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Steven Davidovitz
I had a problem testing it on Mac OS X, because cmsghdr is aligned to 4 bytes. I changed the CMSG_ALIGN(sizeof(struct cmsghdr)) call to CMSG_LEN(0) to fix it. On Wed, Apr 12, 2017 at 10:41 AM, Olivier Houchard wrote: > Yet another patch, on top of the previous ones. >

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread James Brown
This just hit us again on a different set of load balancers... if there's a listen socket overflow on a domain socket during graceful, haproxy completely deletes the domain socket and becomes inaccessible. On Tue, Feb 21, 2017 at 6:47 PM, James Brown wrote: > Under load,

Lua memory allocator

2017-04-12 Thread Willy Tarreau
Thierry, while instrumenting my malloc/free functions to debug a problem, I was hit by a malloc/realloc inconsistency in the Lua allocator. The problem is that luaL_newstate() uses malloc() to create its first objects and only after this one we change the allocator to use ours. Thus on the first

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread James Brown
Hi Andrew: Thanks for your feedback, but I'm describing a very specific bug wherein the old haproxy will unlink the new haproxy's bound unix domain socket upon reload due to a race condition in the domain socket cleanup code if a listen overflow occurs while the graceful is in process. On Wed,

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Andrew Smalley
Hi James Thank you for your reply. I do not see how the old haproxy being on a separate PID could do anything with a socket created by a new PID. Do you bring up your new instance with real servers in a maintenance state? this seems to be required to do a correct handover before making them

Re: [RFC][PATCHES] seamless reload

2017-04-12 Thread Olivier Houchard
On Wed, Apr 12, 2017 at 11:19:37AM -0700, Steven Davidovitz wrote: > I had a problem testing it on Mac OS X, because cmsghdr is aligned to 4 > bytes. I changed the CMSG_ALIGN(sizeof(struct cmsghdr)) call to CMSG_LEN(0) > to fix it. > Oh right, I'll change that. Thanks a lot ! Olivier

Re: ModSecurity: First integration patches

2017-04-12 Thread Aleksandar Lazic
Am 12-04-2017 21:28, schrieb thierry.fourn...@arpalert.org: On Wed, 12 Apr 2017 21:21:58 +0200 Aleksandar Lazic wrote: Hi. Am 12-04-2017 10:08, schrieb Thierry Fournier: >> On 12 Apr 2017, at 09:57, Aleksandar Lazic wrote: >> >> >> >> Am 11-04-2017

Re: ModSecurity: First integration patches

2017-04-12 Thread Aleksandar Lazic
Am 12-04-2017 23:33, schrieb Aleksandar Lazic: Am 12-04-2017 21:28, schrieb thierry.fourn...@arpalert.org: On Wed, 12 Apr 2017 21:21:58 +0200 Aleksandar Lazic wrote: [snipp] Do you have the patches as files where I can download it? It's easier for docker to call a

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Willy Tarreau
Hi Andrew, James, On Wed, Apr 12, 2017 at 11:46:57PM +0100, Andrew Smalley wrote: > I do not see how the old haproxy being on a separate PID could do anything > with a socket created by a new PID. That's what James explained. The old process tries to clean up before leaving and tries to clean

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread Michael Ezzell
On Apr 12, 2017 6:49 PM, "Andrew Smalley" wrote: Hi James Thank you for your reply. I do not see how the old haproxy being on a separate PID could do anything with a socket created by a new PID. How? Easily. Unix domain sockets are presented as files. *Any*

Re: low load client payload intermittently dropped with a "cD" error (v1.7.3)

2017-04-12 Thread Willy Tarreau
Hi Lincoln, On Wed, Apr 12, 2017 at 08:24:41PM -0400, Lincoln Stern wrote: (...) > *haproxy finishes connecting to the server (SYNACK/ACK) (good)* > 38.120527 IP 99.99.99.99.8000 > 10.10.10.10.34289: Flags [S.], seq > 4125907118, ack 35568, win 28960, options [mss 1460,sackOK,TS val >

Re: low load client payload intermittently dropped with a "cD" error (v1.7.3)

2017-04-12 Thread Lincoln Stern
Thanks Bryan, The problem I'm having is isolated to the first one second of the connection not the end Here is a summary of the tcp traffic. Hopefully it makes the example more clear. *client connects to haproxy: (all good)* 38.057127 IP 127.0.0.1.39888 > 127.0.0.1.9011: Flags [S], seq

Re: ModSecurity: First integration patches

2017-04-12 Thread thierry.fournier
On Wed, 12 Apr 2017 21:21:58 +0200 Aleksandar Lazic wrote: > Hi. > > Am 12-04-2017 10:08, schrieb Thierry Fournier: > >> On 12 Apr 2017, at 09:57, Aleksandar Lazic wrote: > >> > >> > >> > >> Am 11-04-2017 10:49, schrieb Thierry Fournier: > >>> Hi list