url_param not matching key-only params (also testcases for fetchers)

2018-07-16 Thread Robin H. Johnson
I looked in tests & reg-tests, but didn't see any clear way to add tests for verifying that fetchers work correctly. I think my co-worker found an edge-case on smp_fetch_url_param/smp_fetch_param. Trying to identify URLs that have a URL parameter set, that MIGHT not have a value. This is

haproxy 1.8.12 / 1.9- 20180623 / stopping process hangs with threads (100% cpu) on -sf reload / FreeBSD

2018-07-16 Thread PiBa-NL
Hi List, With a build of 1.8.12 (and the 1.9 snapshot of 20180623) I'm getting the 'old' haproxy process take up 100% cpu usage when using 3 threads in the config and reloading with -sf parameter. I'm using FreeBSD. (It also happens with the 14-7 snapshot.) It seems to happen after 1

Re: Building HAProxy 1.8 fails on Solaris

2018-07-16 Thread Thrawn
Ah, indeed, the GCC version provided on our server is 3.4.3. But the readme on https://github.com/haproxy/haproxy says "GCC between 2.95 and 4.8". Can the build be changed to continue supporting older GCC, or do the docs need an update? Thanks for the quick help. On Monday, 16 July 2018,

Re: SSL: double free on reload

2018-07-16 Thread Willy Tarreau
Hi Thierry, On Fri, Jul 06, 2018 at 04:28:22PM +0200, Thierry Fournier wrote: > Hi list, > > I caught a double-free when I reload haproxy-1.8: > > writev(2, [{"*** Error in `", 14}, {"/opt/o3-haproxy/sbin/haproxy", 28}, > {"': ", 3}, {"double free or corruption (!prev)", 33}, {": 0x", 4},

Re: SSL: double free on reload

2018-07-16 Thread Janusz Dziemidowicz
Mon, 16 Jul 2018 at 08:02 Willy Tarreau wrote: > This one looks a bit strange. I looked at it a little bit and it corresponds > to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is no > other line in the code appearing to perform a free on this element, and when >

Re: Using LUA to redirect a connection based-upon initial content and to redirect upon target disconnection

2018-07-16 Thread thierry . fournier
Hi, On Sun, 15 Jul 2018 17:14:01 +0100 Alistair Lowe wrote: > Hi folks, > > I'm looking to use LUA in HAProxy to enable two use cases: > >1. Redirect a connection based upon inspecting initial traffic for a >server name. >2. Redirect a connection when the target server closes its

Re: SSL: double free on reload

2018-07-16 Thread Thierry Fournier
On Mon, 16 Jul 2018 08:00:48 +0200 Willy Tarreau wrote: > Hi Thierry, > > On Fri, Jul 06, 2018 at 04:28:22PM +0200, Thierry Fournier wrote: > > Hi list, > > > > I caught a double-free when I reload haproxy-1.8: > > > > writev(2, [{"*** Error in `", 14}, {"/opt/o3-haproxy/sbin/haproxy",

RE: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-16 Thread Martin RADEL
Hi, I think we found the issue: Seems that there was a misunderstanding from us regarding the haproxy documentation with the "verifyhost" option. If I get it right, the documentation says that if we have a haproxy config that - Has "verify required" - Does not use SNI - Has no "verifyhost" Then

RE: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-16 Thread Martin RADEL
Hi, The certificate subject and subject alternate name are set to “*.foo.bar” (I’m replacing real DNS name here with foo.bar here because of security reasons). There is no IP address included in the server’s certificate. We are not using SNI on our clients. BR Martin From:

Re: SSL: double free on reload

2018-07-16 Thread Willy Tarreau
On Mon, Jul 16, 2018 at 08:32:31AM +0200, Janusz Dziemidowicz wrote: > Mon, 16 Jul 2018 at 08:02 Willy Tarreau wrote: > > This one looks a bit strange. I looked at it a little bit and it corresponds > > to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is > > no > >

Re: SSL: double free on reload

2018-07-16 Thread Nenad Merdanovic
Hello, On 7/16/2018 10:46 AM, Willy Tarreau wrote: On Mon, Jul 16, 2018 at 08:32:31AM +0200, Janusz Dziemidowicz wrote: Mon, 16 Jul 2018 at 08:02 Willy Tarreau wrote: This one looks a bit strange. I looked at it a little bit and it corresponds to the line

Re: SSL: double free on reload

2018-07-16 Thread Willy Tarreau
Hi Nenad, On Tue, Jul 17, 2018 at 03:37:37AM +0200, Nenad Merdanovic wrote: > Ugh, this was a long time ago. [FROM MEMORY] The element should not be > duplicated as far as I can remember. The references are stored in an ebtree > in order to prevent duplication and to provide consistent view when

Re: Building HAProxy 1.8 fails on Solaris

2018-07-16 Thread Lukas Tribus
Hello, On Mon, 16 Jul 2018 at 03:12, Thrawn wrote: > > Update: If I disable threading with > > USE_THREAD= > > then the build gets much further, but still fails eventually with: > > gcc -g -o haproxy src/ev_poll.o ebtree/ebtree.o ebtree/eb32sctree.o > ebtree/eb32tree.o ebtree/eb64tree.o

Re: Bug when passing variable to mapping function

2018-07-16 Thread Lukas Tribus
Hello, On Fri, 29 Jun 2018 at 07:15, Jarno Huuskonen wrote: > > Hi, > > On Thu, Jun 28, Jarno Huuskonen wrote: > > I think this is the commit that breaks map_regm in this case: > > b5997f740b21ebb197e10a0f2fe9dc13163e1772 (MAJOR: threads/map: Make > > acls/maps thread safe). > > > > If I

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-16 Thread Lukas Tribus
On Mon, 16 Jul 2018 at 11:57, Martin RADEL wrote: > > Hi, > > I think we found the issue: > Seems that there was a misunderstanding from us regarding the haproxy > documentation with the "verifyhost" option. > > If I get it right, the documentation says that if we have a haproxy config > that >

Re: Building HAProxy 1.8 fails on Solaris

2018-07-16 Thread Olivier Houchard
Hi, On Mon, Jul 16, 2018 at 01:12:18AM +, Thrawn wrote: > Update: If I disable threading with > USE_THREAD= > then the build gets much further, but still fails eventually with: > gcc  -g -o haproxy src/ev_poll.o ebtree/ebtree.o ebtree/eb32sctree.o > ebtree/eb32tree.o ebtree/eb64tree.o

What to look out for when going from 1.6 to 1.8?

2018-07-16 Thread Tim Verhoeven
Hello all, We have been running the 1.6 branch of HAProxy, without any issues, for a while now. And reading the updates around 1.8 here in the mailing list it looks like it's time to upgrade to this branch. So I was wondering if there are any things I need to look out for when doing this upgrade?

Re: What to look out for when going from 1.6 to 1.8?

2018-07-16 Thread Alex Evonosky
Tim- I can speak from a production point of view that we had HAproxy on the 1.6 branch inside docker containers for mesos load balancing with pretty much the same requirements as you spoke of. After compiling Haproxy to the 1.8x branch the same config worked without issues. -Alex On Mon, Jul

RE: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-16 Thread Martin RADEL
Hi Lukas, Right, "verify required ssl verifyhost www.ham.eggs" fails now as expected. My initial report that it doesn't work with "verifyhost" option was not completely right, because in fact we never tried what would happen if we set a non-matching pattern in the "verifyhost" directive. We

Re: What to look out for when going from 1.6 to 1.8?

2018-07-16 Thread Dave Chiluk
We have the same use case as Alex (mesos load balancing), and also confirm that our config worked without change 1.6->1.8. Given our testing you should consider the seamless reload -x option, and the dynamic server configuration apis. Both have greatly alleviated issues we've faced in our