[PATCH v2 1/2] DOC: mworker: Update messages referencing exit-on-failure

2017-12-05 Thread Tim Duesterhus
Commit 4cfede87a313456fcbce7a185312460b4e1d05b7 removed `exit-on-failure` in favor of `no-exit-on-failure`, but failed to update references to the former in user facing messages. This should be backported to haproxy 1.8. --- src/cfgparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH v2 2/2] DOC: mworker: Improve wording in `void mworker_wait()`

2017-12-05 Thread Tim Duesterhus
Replace "left" / "leaving" with "exit" / "exiting". --- src/haproxy.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index df8d34e74..108a02ab0 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -739,7 +739,7 @@ restart_wait:

[PATCH 2/2] MINOR: http: Add support for 421 Misdirected Request

2018-04-27 Thread Tim Duesterhus
This makes haproxy aware of HTTP 421 Misdirected Request, which is defined in RFC 7540, section 9.1.2. --- include/types/proto_http.h | 1 + src/proto_http.c | 11 +++ 2 files changed, 12 insertions(+) diff --git a/include/types/proto_http.h b/include/types/proto_http.h index

[PATCH 1/2] MINOR: sample: Add strcmp sample converter

2018-04-27 Thread Tim Duesterhus
This converter supplements the existing string matching by allowing strings to be converted to a variable. Example usage: http-request set-var(txn.host) hdr(host) # Check whether the client is attempting domain fronting. acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0 ---

[PATCH 0/2] strcmp sample converter and HTTP 421

2018-04-27 Thread Tim Duesterhus
wsers, because it does not apply to me): > http-request set-var(txn.host) hdr(host) > acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0 > http-request deny deny_status 421 if ! ssl_sni_http_host_match Best regards Tim Duesterhus (2): MINOR: sample: Add strcmp sample converter MIN

[PATCH] MINOR: http: Log warning if (add|set)-header fails

2018-05-20 Thread Tim Duesterhus
Willy, attached is a first attempt at a patch that adds logging (without any rate limiting). I have a few questions regarding the whole counters and logging infrastructure: 1. I noticed that there is ha_warning(...) and send_log(p, LOG_WARNING, ...), usually both are used in the same place.

[PATCH] MEDIUM: proxy_protocol: Send IPv4 addresses when possible

2018-06-29 Thread Tim Duesterhus
This patch changes the sending side of proxy protocol to convert IP addresses to IPv4 when possible (and converts them IPv6 otherwise). Previously the code failed to properly provide information under certain circumstances: 1. haproxy is being accessed using IPv4, http-request set-src sets a

[PATCH 1/1] BUG/MAJOR: stick_table: Complete incomplete SEGV fix

2018-06-26 Thread Tim Duesterhus
This commit completes the incomplete segmentation fault fix in commit ac1f3ed64b58bd178865c6f2cc8f6f306d9e1e15. Likewise it must be backported to haproxy 1.8. --- reg-tests/stick-table/h0.vtc | 30 ++ src/stick_table.c| 6 -- 2 files changed,

[PATCH 0/1] BUG/MAJOR: stick_table: Complete incomplete SEGV fix

2018-06-26 Thread Tim Duesterhus
regards Tim Duesterhus (1): BUG/MAJOR: stick_table: Complete incomplete SEGV fix reg-tests/stick-table/h0.vtc | 30 ++ src/stick_table.c| 6 -- 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 reg-tests/stick-table/h0.vtc

[PATCH 1/2] BUG/MINOR: lua: Fix default value for pattern in Socket.receive

2018-01-04 Thread Tim Duesterhus
The default value of the pattern in `Socket.receive` is `*l` according to the documentation and in the `socket.tcp.receive` method of Lua. The default value of `wanted` in `int hlua_socket_receive(struct lua_State *)` reflects this requirement, but the function fails to ensure this nonetheless:

[PATCH 2/2] DOC: lua: Fix typos in comments of hlua_socket_receive

2018-01-04 Thread Tim Duesterhus
--- src/hlua.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/hlua.c b/src/hlua.c index 285d25589..3b4fc3b54 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -1810,19 +1810,19 @@ connection_empty: return 0; } -/* This Lus function gets two parameters.

[PATCH] BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect

2018-01-06 Thread Tim Duesterhus
The `socket.tcp.connect` method of Lua requires at least two parameters: The host and the port. The `Socket.connect` method of haproxy requires only one when a host with a combined port is provided. This stems from the fact that `str2sa_range` is used internally in `hlua_socket_connect`. This very

[PATCH] BUG/MINOR: lua: Fix return value of Socket.settimeout

2018-01-06 Thread Tim Duesterhus
The `socket.tcp.settimeout` method of Lua returns `1` in all cases, while the `Socket.settimeout` method of haproxy returns `0` in all cases. This breaks the `socket.http` module, because it validates the return value of `settimeout`. This bug was introduced in commit

[PATCH v3 8/8] MEDIUM: sample: Add IPv6 support to the ipmask converter

2018-01-14 Thread Tim Duesterhus
Add an optional second parameter to the ipmask converter that specifies the number of bits to mask off IPv6 addresses. If the second parameter is not given IPv6 addresses fail to mask (resulting in an empty string), preserving backwards compatibility: Previously a sample like `src,ipmask(24)`

[PATCH v4 8/8] MEDIUM: sample: Add IPv6 support to the ipmask converter

2018-01-21 Thread Tim Duesterhus
Add an optional second parameter to the ipmask converter that specifies the number of bits to mask off IPv6 addresses. If the second parameter is not given IPv6 addresses fail to mask (resulting in an empty string), preserving backwards compatibility: Previously a sample like `src,ipmask(24)`

[PATCH] BUG/MEDIUM: standard: Fix memory leak in str2ip2()

2018-01-21 Thread Tim Duesterhus
Hi attached is a patch that fixes a memory leak in str2ip2. I wasn't sure about the severity of this bug (it's only 140 Bytes per call for me) and opted for MEDIUM. Change if you think MAJOR (?) is more warranted for a memory leak. Also I wasn't sure how I would structure the code best. I did

[PATCH 8/8] MEDIUM: sample: Add IPv6 support to the ipmask converter

2018-01-13 Thread Tim Duesterhus
Add an optional second parameter to the ipmask converter that specifies the number of bits to mask off IPv6 addresses. If the second parameter is not given IPv6 addresses fail to mask (resulting in an empty string), preserving backwards compatibility: Previously a sample like `src,ipmask(24)`

[PATCH 5/8] CLEANUP: standard: Use len2mask4 in str2mask

2018-01-13 Thread Tim Duesterhus
The len2mask4 function was introduced in commit: 70473a5f8c56d8ec2e837b9b66443dc252b24da9 which is about six years later than the commit that introduced the str2mask function: 2937c0dd20f2f3c0065b671bbfe3fafcd8862eaf This is a clean up in preparation for a str2mask6 function which will use

[PATCH 6/8] MINOR: standard: Add str2mask6 function

2018-01-13 Thread Tim Duesterhus
This new function mirrors the str2mask() function for IPv4 addresses. This commit is in preparation to support ARGT_MSK6. --- include/common/standard.h | 6 ++ src/standard.c| 22 ++ 2 files changed, 28 insertions(+) diff --git a/include/common/standard.h

[PATCH 7/8] MINOR: config: Add support for ARGT_MSK6

2018-01-13 Thread Tim Duesterhus
This commit adds support for ARGT_MSK6 to make_arg_list(). --- src/arg.c | 11 +-- src/hlua.c | 7 +++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/arg.c b/src/arg.c index 52977b718..b31858d3b 100644 --- a/src/arg.c +++ b/src/arg.c @@ -206,8 +206,15 @@ int

[PATCH 4/8] DOC: Fix typo in ARGT_MSK6 comment

2018-01-13 Thread Tim Duesterhus
The incorrect comment was introduced in commit: 2ac5718dbd4ec722ece228e9f613d2be74eee9da v1.5-dev9 is the first tag containing this comment, the fix should be backported to haproxy 1.5 and newer. --- include/types/arg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH 2/8] DOC: sample: Fix outdated comment about sample casts functions

2018-01-13 Thread Tim Duesterhus
The cast functions modify their output type as of commit: b805f71d1bb1487f01f78a6ffab26d44919e9944 v1.5-dev20 is the first tag containing this comment, the fix should be backported to haproxy 1.5 and newer. --- src/sample.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/sample.c

[PATCH 0/8] Add IPv6 support to the ipmask converter

2018-01-13 Thread Tim Duesterhus
logical patch series when reviewing. Tim Duesterhus (8): BUG/MINOR: sample: Fix encoding of sample.c DOC: sample: Fix outdated comment about sample casts functions BUG/MINOR: sample: Fix output type of c_ipv62ip DOC: Fix typo in ARGT_MSK6 comment CLEANUP: standard: Use len2mask4

[PATCH 3/8] BUG/MINOR: sample: Fix output type of c_ipv62ip

2018-01-13 Thread Tim Duesterhus
c_ipv62ip failed to set the output type of the cast to SMP_T_IPV4 even for a successful conversion. This bug exists as of commit cc4d1716a2e72516c2505a6459a9ddbbfb186da2 which is the first commit adding this function. v1.6-dev4 is the first tag containing this commit, the fix should be

[PATCH 1/8] BUG/MINOR: sample: Fix encoding of sample.c

2018-01-13 Thread Tim Duesterhus
The file contained an 'e' with an gravis accent and thus was not US-ASCII, but ISO-8859-1. Also correct the spelling in the incorrect comment. The incorrect character was introduced in commit: 4d9a1d1a5c4720a169654ee47f9a4364261ffab4 v1.6-dev1 is the first tag containing this comment, the fix

[PATCH v2 1/8] BUG/MINOR: sample: Fix encoding of sample.c

2018-01-13 Thread Tim Duesterhus
I was made aware of a typo in private. Attached is the updated patch. Apply with `git am --scissors` to automatically cut the commit message. -- >8 -- Subject: [PATCH v2 1/8] BUG/MINOR: sample: Fix encoding of sample.c The file contained an 'e' with an gravis accent and thus was not US-ASCII,

[PATCH v5 4/8] DOC: Fix typo in ARGT_MSK6 comment

2018-01-25 Thread Tim Duesterhus
The incorrect comment was introduced in commit: 2ac5718dbd4ec722ece228e9f613d2be74eee9da v1.5-dev9 is the first tag containing this comment, the fix should be backported to haproxy 1.5 and newer. --- include/types/arg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH v5 2/8] DOC: sample: Fix outdated comment about sample casts functions

2018-01-25 Thread Tim Duesterhus
The cast functions modify their output type as of commit: b805f71d1bb1487f01f78a6ffab26d44919e9944 v1.5-dev20 is the first tag containing this comment, the fix should be backported to haproxy 1.5 and newer. --- src/sample.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/sample.c

[PATCH v5 5/8] CLEANUP: standard: Use len2mask4 in str2mask

2018-01-25 Thread Tim Duesterhus
The len2mask4 function was introduced in commit: 70473a5f8c56d8ec2e837b9b66443dc252b24da9 which is about six years later than the commit that introduced the str2mask function: 2937c0dd20f2f3c0065b671bbfe3fafcd8862eaf This is a clean up in preparation for a str2mask6 function which will use

[PATCH v5 7/8] MINOR: config: Add support for ARGT_MSK6

2018-01-25 Thread Tim Duesterhus
This commit adds support for ARGT_MSK6 to make_arg_list(). --- src/arg.c | 11 +-- src/hlua.c | 7 +++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/arg.c b/src/arg.c index 52977b718..b31858d3b 100644 --- a/src/arg.c +++ b/src/arg.c @@ -206,8 +206,15 @@ int

[PATCH v5 6/8] MINOR: standard: Add str2mask6 function

2018-01-25 Thread Tim Duesterhus
This new function mirrors the str2mask() function for IPv4 addresses. This commit is in preparation to support ARGT_MSK6. --- include/common/standard.h | 6 ++ src/standard.c| 22 ++ 2 files changed, 28 insertions(+) diff --git a/include/common/standard.h

[PATCH v5 8/8] MEDIUM: sample: Add IPv6 support to the ipmask converter

2018-01-25 Thread Tim Duesterhus
Add an optional second parameter to the ipmask converter that specifies the number of bits to mask off IPv6 addresses. If the second parameter is not given IPv6 addresses fail to mask (resulting in an empty string), preserving backwards compatibility: Previously a sample like `src,ipmask(24)`

[PATCH v5 1/8] BUG/MINOR: sample: Fix encoding of sample.c

2018-01-25 Thread Tim Duesterhus
The file contained an 'e' with an gravis accent and thus was not US-ASCII, but ISO-8859-1. Also correct the spelling in the incorrect comment. The incorrect character was introduced in commit: 4d9a1d1a5c4720a169654ee47f9a4364261ffab4 v1.6-dev1 is the first tag containing this comment, the fix

[PATCH v5 3/8] BUG/MINOR: sample: Fix output type of c_ipv62ip

2018-01-25 Thread Tim Duesterhus
c_ipv62ip failed to set the output type of the cast to SMP_T_IPV4 even for a successful conversion. This bug exists as of commit cc4d1716a2e72516c2505a6459a9ddbbfb186da2 which is the first commit adding this function. v1.6-dev4 is the first tag containing this commit, the fix should be

[PATCH v5 0/8] Add IPv6 support to the ipmask converter

2018-01-25 Thread Tim Duesterhus
to modify the messages anyway. Attached comes the complete series (v5). Again: Be extra careful with the first patch, because it contains 8bit characters. Best regards Tim Duesterhus Tim Duesterhus (8): BUG/MINOR: sample: Fix encoding of sample.c DOC: sample: Fix outdated comment about sample casts

[PATCH] DOC: cfgparse: Warn on option (tcp|http)log in backend

2018-02-05 Thread Tim Duesterhus
The option does not seem to have any effect since at least haproxy 1.3. Also the `log-format` directive already warns when being used in a backend. --- doc/configuration.txt | 8 ++-- src/cfgparse.c| 12 2 files changed, 14 insertions(+), 6 deletions(-) diff --git

[PATCH 2/4] CLEANUP: spoe: Remove unused label retry

2018-02-19 Thread Tim Duesterhus
This removes the retry labels from spoe_send_frame and spoe_recv_frame which are unused since d5216d474d69856a282e4443f180af2093a80d6c, which is unreleased, but was backported to haproxy 1.8 as f13f3a4babdb1ce23a7e982c765704bca728111a. --- src/flt_spoe.c | 2 -- 1 file changed, 2 deletions(-)

[PATCH 4/4] CLEANUP: pools: Remove unused end label in memory.h

2018-02-19 Thread Tim Duesterhus
This removes the end label from memory.h. The labels are unused as of cf975d46bca2515056a4f55e55fedbbc7b4eda59 which is unreleased (and incidentally the first commit containing those labels, thus they never have been used). --- include/common/memory.h | 4 ++-- 1 file changed, 2 insertions(+), 2

[PATCH 1/4] CLEANUP: cfgparse: Remove unused label end

2018-02-19 Thread Tim Duesterhus
This removes the end label from parse_process_number() which is unused since 5ab51775e736511b7e54f42e080dcef76a284da9, which first was released in haproxy 1.8.0. --- src/cfgparse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/cfgparse.c b/src/cfgparse.c index 40facd5da..27d7eee7b 100644

[PATCH 3/4] CLEANUP: h2: Remove unused labels from mux_h2.c

2018-02-19 Thread Tim Duesterhus
This removes the unused next_header_block and try_again labels from mux_h2.c. try_again is unused as of a76e4c21839cafd036fbe755416569206502c1d9, which first appeared in haproxy 1.8.0. next_header_block is unused as of 872855998bd03d5224e0e5cd6aef9b91e2a6de1d, which was backported to haproxy

[PATCH] CLEANUP: standard: Fix typo in IPv6 mask example

2018-02-20 Thread Tim Duesterhus
IPv6 addresses with two double colons are invalid. This typo was introduced in commit 471851713af20d84b67b8966471ea758dc8c12b9. --- include/common/standard.h | 2 +- src/standard.c| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/common/standard.h

[PATCH 2/2] MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file

2018-02-22 Thread Tim Duesterhus
This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure. There are more system call sets available in newer SystemD versions, but using those would make SystemD ignore the whole option when they are not supported. This patch adds a

[PATCH 0/2] Add SystemD's sandboxing options

2018-02-22 Thread Tim Duesterhus
I'm running this exact settings on my Debian Stretch machine using haproxy 1.8.x, without issues so far. The first patch could cause issues for users that store their configuration in /home or /root, but I consider this unlikely. Tim Duesterhus (2): MINOR: systemd: Add SystemD's Protect

[PATCH 1/2] MINOR: systemd: Add SystemD's Protect*= options to the unit file

2018-02-22 Thread Tim Duesterhus
While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system. ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would

[PATCH] MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed

2018-07-27 Thread Tim Duesterhus
Willy, attached is an updated patch that: 1. Only converts the addresses to IPv6 if at least one of them is IPv6. But it does not convert them to IPv4 if both of them can be converted to IPv4. 2. Does not copy the whole `struct connection`, but performs the conversion inside

[PATCH 1/1] TMP: Add reg-test to check scoping of txn:get_priv()

2018-08-22 Thread Tim Duesterhus
see https://www.mail-archive.com/haproxy@formilux.org/msg31015.html --- reg-tests/lua/h1.lua | 15 +++ reg-tests/lua/h1.vtc | 36 2 files changed, 51 insertions(+) create mode 100644 reg-tests/lua/h1.lua create mode 100644

[PATCH 0/1] Re: BUG: LUA txn:get_priv() scoped to connection, not transaction

2018-08-22 Thread Tim Duesterhus
Düsterhus Tim Duesterhus (1): TMP: Add reg-test to check scoping of txn:get_priv() reg-tests/lua/h1.lua | 15 +++ reg-tests/lua/h1.vtc | 36 2 files changed, 51 insertions(+) create mode 100644 reg-tests/lua/h1.lua create mode 100644

[PATCH] MINOR: Generate sha256 checksums in publish-release

2018-07-19 Thread Tim Duesterhus
Currently only md5 signatures are generated. While md5 still is not broken with regard to preimage attacks, sha256 clearly is the current secure solution. This patch should be backported to all supported branches. --- scripts/publish-release | 7 --- 1 file changed, 4 insertions(+), 3

[PATCH v2 3/3] MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file

2018-02-27 Thread Tim Duesterhus
This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure. --- contrib/systemd/haproxy.service.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index

[PATCH v2 2/3] MINOR: systemd: Add SystemD's Protect*= options to the unit file

2018-02-27 Thread Tim Duesterhus
While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system. ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would

[PATCH v2 1/3] MINOR: systemd: Add section for SystemD sandboxing to unit file

2018-02-27 Thread Tim Duesterhus
This commit adds a warning for settings that possibly provide better sandboxing and explains their tradeoffs. --- contrib/systemd/haproxy.service.in | 6 ++ 1 file changed, 6 insertions(+) diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index

[PATCH v2 0/3] Add SystemD's sandboxing options

2018-02-27 Thread Tim Duesterhus
n this thread as well! Best regards Tim Duesterhus (3): MINOR: systemd: Add section for SystemD sandboxing to unit file MINOR: systemd: Add SystemD's Protect*= options to the unit file MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file contrib/systemd/haproxy.se

[PATCH] BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits

2018-04-24 Thread Tim Duesterhus
Pieter, try the attached patch, please. Apply with `git am --scissors` to automatically cut the commit message. -- >8 -- Subject: [PATCH] BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits PiBa-NL reported that haproxy crashes with a segmentation fault if a function registered using

[PATCH] BUG/MINOR: cli: Fix memory leak

2018-11-07 Thread Tim Duesterhus
Valgrind's memcheck reports memory leaks in cli.c, because the out parameter of memprintf is not properly freed: ==31035== 11 bytes in 1 blocks are definitely lost in loss record 16 of 101 ==31035==at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31035==

[PATCH] MINOR: hpack: Add support for AFL's persistent mode to hpack/decode

2018-09-21 Thread Tim Duesterhus
It now makes use of the __AFL_LOOP macro to save on expensive exec(3) calls. --- contrib/hpack/decode.c | 77 +++--- 1 file changed, 43 insertions(+), 34 deletions(-) diff --git a/contrib/hpack/decode.c b/contrib/hpack/decode.c index 9ef80f03..880c4571 100644

[PATCH v2] BUG/MINOR: mworker: Do not attempt to close(2) fd -1

2018-11-25 Thread Tim Duesterhus
Valgrind reports: ==3389== Warning: invalid file descriptor -1 in syscall close() Check for >= 0 before closing. This bug was introduced in commit ce83b4a5dd48c000dec68f9d551945d21e9ac7ac and is specific to 1.9. No backport needed. --- src/haproxy.c | 3 ++- 1 file changed, 2 insertions(+), 1

BUG: Warning: invalid file descriptor -1 in syscall close()

2018-11-25 Thread Tim Duesterhus
Valgrind reports an invalid close of file descriptor -1. After this patch haproxy that is started with: ./haproxy -d -Sa /scratch/haproxy/cli.sock -Ws -f ./haproxy.cfg aborts in the child process to outline the place where the bug needs to be fixed. Best regards --- src/haproxy.c | 2 ++ 1

[PATCH] CLEANUP: http: Fix typo in init_http's comment

2018-09-15 Thread Tim Duesterhus
It read "non-zero" where it should read zero. --- src/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/http.c b/src/http.c index 932f3cf7..1ca1805b 100644 --- a/src/http.c +++ b/src/http.c @@ -905,7 +905,7 @@ int http_find_next_url_param(const char **chunks, }

[PATCH] CLEANUP: h2: Remove debug printf in mux_h2.c

2019-01-24 Thread Tim Duesterhus
It was introduced by 1915ca273832ba542d72eb0645dd7ccb6d5b945f and should be backported to 1.9. --- src/mux_h2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index 586ff516..2972ca29 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2092,8 +2092,6 @@ static int

[PATCH 2/2] CLEANUP: stream: Remove bogus loop in conn_si_send_proxy

2019-02-26 Thread Tim Duesterhus
The if-statement was converted into a while-loop in 7fe45698f58a53dda9182a5970a2ea4bda9f92fe to handle EINTR. This special handling was later replaced in 0a03c0f022faf2773995fc8b9d14256c8a306e5a by conn_sock_send. The while-loop was not changed back and is not unconditionally exited after one

[PATCH 1/2] CLEANUP: http: Remove unreachable code in parse_http_req_capture

2019-02-26 Thread Tim Duesterhus
`len` has already been checked to be strictly positive a few lines above. This unreachable code was introduced in 82bf70dff4eff42397fecfcb9e97a0a7ce721c49. --- src/http_act.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/src/http_act.c b/src/http_act.c index 4f51d4a2..0346be0c 100644

[RFC PATCH] MEDIUM: compression: Add support for brotli compression

2019-02-13 Thread Tim Duesterhus
ed completely. One more thing: brotli theoretically supports passing a custom allocator. I attempted to use a pool for that, but `BrotliEncoderState` is an opaque struct. Best regards Tim Duesterhus Apply with `git am --scissors` to automatically cut the commit message. -- >8 --

[RFC PATCH v2] BUG/MEDIUM: compression: Rewrite strong ETags

2019-01-29 Thread Tim Duesterhus
with it. Best regards Tim Duesterhus Apply with `git am --scissors` to automatically cut the commit message. -- >8 -- RFC 7232 section 2.3.3 states: > Note: Content codings are a property of the representation data, > so a strong entity-tag for a content-encoded represent

[RFC PATCH] BUG/MEDIUM: compression: Rewrite strong ETags

2019-01-28 Thread Tim Duesterhus
od you can merge despite the RFC tag. I don't plan doing any more changes unless you complain. Best regards Tim Duesterhus Apply with `git am --scissors` to automatically cut the commit message. -- >8 -- RFC 7232 section 2.3.3 states: > Note: Content codings are a property of the represent

[PATCH] DOC: compression: Update the reasons for disabled compression

2019-01-30 Thread Tim Duesterhus
- Update the list of status codes to include 201 - 203. - Remove the fact about the temporary workaround for chunked responses (this is verified using reg-test compression/h0.vtc). - Add malformed ETags see b229f018eedef4d18571ce6da23d8e153249a836 This commit should be backported together

[PATCH v2] MINOR: travis: Extend .travis.yml

2019-04-23 Thread Tim Duesterhus
This commit extends the Travis CI configuration to build HAProxy with gcc on Linux, clang on Mac and cleans up the build flag configuration to be easier extendable. Note: At the moment HAProxy fails on Travis for two configurations - on Linux with build flags enabled - on OS X Thus these two

[PATCH] MINOR: travis: Extend .travis.yml

2019-04-23 Thread Tim Duesterhus
From: Tim Düsterhus This commit extends the Travis CI configuration to build HAProxy with gcc on Linux, clang on Mac and cleans up the build flag configuration to be easier extendable. Note: At the moment HAProxy fails on Travis for two configurations - on Linux with build flags enabled - on OS

[PATCH] MINOR: systemd: Make use of master socket in systemd unit

2019-04-25 Thread Tim Duesterhus
This commit adds the -S option to the ExecStart= line of the provided systemd unit file. This patch may be backported to 1.9. --- contrib/systemd/haproxy.service.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/systemd/haproxy.service.in

[PATCH v2 1/2] MINOR: systemd: Use the variables from /etc/default/haproxy

2019-05-06 Thread Tim Duesterhus
://salsa.debian.org/haproxy-team/haproxy/blob/master/debian/patches/haproxy.service-use-environment-variables.patch Co-authored-by: Tim Duesterhus --- contrib/systemd/haproxy.service.in | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd

[PATCH v2 2/2] MINOR: systemd: Make use of master socket in systemd unit

2019-05-06 Thread Tim Duesterhus
Unless the EXTRAOPTS variable is overriden in /etc/default/haproxy the unit file will use the master socket by default. This patch may be backported to 1.9 and depends on MINOR: systemd: Use the variables from /etc/default/haproxy. --- contrib/systemd/haproxy.service.in | 2 +- 1 file changed, 1

[PATCH v2 0/2] systemd: Make use of master socket in systemd unit

2019-05-06 Thread Tim Duesterhus
iable, and add > "EXTRAOPTS=-S /run/haproxy-master.sock" at the end of the Environment line. Okay, I've taken the patch from the Debian project and added Apollon (the author) and Vincent (the Debian developer I most frequently see on the list) to the Cc. Please object if you are unhappy wi

[PATCH 2/2] DOC: Fix typo in keyword matrix

2019-05-05 Thread Tim Duesterhus
It should read 'deprecated' instead of 'deprectated'. --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 80c32863d..1fbe45272 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -2284,7

[PATCH 1/2] CLEANUP: Remove appsession documentation

2019-05-05 Thread Tim Duesterhus
I was about to partly revert 294d0f08b3d100fcae0e71c26d4f9f93d26e3569, because there were no 'X' for 'appsession' in the keyword matrix until I checked the blame, realizing that the feature does not exist any more. Clearly the documentation is confusing here, the removal note is only listed

[PATCH 2/2] BUG/MINOR: mworker: Fix memory leak of mworker_proc members

2019-05-13 Thread Tim Duesterhus
The struct mworker_proc is not uniformly freed everywhere, sometimes leading to leaks of the `id` string (and possibly the other strings). Introduce a mworker_free_child function instead of duplicating the freeing logic everywhere to prevent this kind of issues. This leak was reported in issue

[PATCH 1/2] BUG/MINOR: mworker: Prevent potential use-after-free in mworker_env_to_proc_list

2019-05-13 Thread Tim Duesterhus
This was found by reading the code while investigating issue #96 and not verified with any tools: If `child->pid` is falsy `child` will be freed instead of being added to `proc_list`. The setting of `PROC_O_LEAVING` happens unconditionally after this check. Fix the issue by mising the setting of

[PATCH 4/6] CLEANUP: Make '(cli|con|srv)timeout' directive fatal

2019-05-14 Thread Tim Duesterhus
They were deprecated with HAProxy 1.5. Time to remove them. --- doc/configuration.txt | 139 ++--- examples/haproxy.vim | 4 +- include/types/global.h | 6 +- src/proxy.c| 29 - 4 files changed, 25 insertions(+), 153 deletions(-)

[PATCH 6/6] CLEANUP: Remove 'option independant-streams'

2019-05-14 Thread Tim Duesterhus
It is deprecated with HAProxy 1.5. Time to remove it. --- doc/configuration.txt | 4 src/proxy.c | 1 - 2 files changed, 5 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 85309bcc9..86251768c 100644 --- a/doc/configuration.txt +++

[PATCH 0/6] Kill deprecated configuration options

2019-05-14 Thread Tim Duesterhus
parser it appears to set different flags compared to 'option transparent'. Can you please take a look at this and either add an appropriate warning or remove the deprecated note from the docs? Best regards Tim Duesterhus (6): CLEANUP: Make 'resolution_pool_size' directive fatal CLEANUP: Make

[PATCH 2/6] CLEANUP: Make 'block' directive fatal

2019-05-14 Thread Tim Duesterhus
It was deprecated with HAProxy 1.5. Time to remove it. --- doc/configuration.txt | 30 -- include/types/global.h | 2 +- src/cfgparse-listen.c | 30 -- 3 files changed, 5 insertions(+), 57 deletions(-) diff --git a/doc/configuration.txt

[PATCH 5/6] CLEANUP: Make 'option forceclose' actually warn

2019-05-14 Thread Tim Duesterhus
It is deprecated since 315b39c3914f4c2301ce19a93564566caa2ede50 (1.9-dev), but only was deprecated in the docs. Make it warn when being used and remove it from the docs. --- doc/configuration.txt | 8 examples/haproxy.vim | 2 +- include/types/global.h | 1 + src/cfgparse-listen.c |

[PATCH 1/6] CLEANUP: Make 'resolution_pool_size' directive fatal

2019-05-14 Thread Tim Duesterhus
This directive never appeared in a stable release and instead was introduced and deprecated within 1.8-dev. While it technically could be outright removed we detect it and error out for good measure. --- doc/configuration.txt | 5 - src/cfgparse.c| 4 ++-- 2 files changed, 2

[PATCH 3/6] CLEANUP: Make 'redispatch' directive fatal

2019-05-14 Thread Tim Duesterhus
It was deprecated with HAProxy 1.5. Time to remove it. --- doc/configuration.txt | 26 -- include/types/global.h | 2 +- src/cfgparse-listen.c | 14 +++--- 3 files changed, 4 insertions(+), 38 deletions(-) diff --git a/doc/configuration.txt

[PATCH v2 2/2] BUG/MINOR: mworker: Fix memory leak of mworker_proc members

2019-05-13 Thread Tim Duesterhus
The struct mworker_proc is not uniformly freed everywhere, sometimes leading to leaks of the `id` string (and possibly the other strings). Introduce a mworker_free_child function instead of duplicating the freeing logic everywhere to prevent this kind of issues. This leak was reported in issue

[PATCH v2 0/2] mworker: Fix memory leak of mworker_proc members

2019-05-13 Thread Tim Duesterhus
Oops, my patch was incomplete, because I noticed that I missed one location after creating the commit and forgot to amend after making the necessary adjustments. So here's version 2 that fixes the leak on SIGTERM in addition to the leak on SIGUSR2. Best regards Tim Duesterhus Tim Duesterhus (2

[PATCH v2 1/2] BUG/MINOR: mworker: Prevent potential use-after-free in mworker_env_to_proc_list

2019-05-13 Thread Tim Duesterhus
This was found by reading the code while investigating issue #96 and not verified with any tools: If `child->pid` is falsy `child` will be freed instead of being added to `proc_list`. The setting of `PROC_O_LEAVING` happens unconditionally after this check. Fix the issue by mising the setting of

[PATCH] BUG/MINOR: vars: Fix memory leak in vars_check_arg

2019-05-10 Thread Tim Duesterhus
vars_check_arg previously leaked the string containing the variable name: Consider this config: frontend fe1 mode http bind :8080 http-request set-header X %[var(txn.host)] Starting HAProxy and immediately stopping it by sending a SIGINT makes Valgrind report this

[PATCH v2 0/1] BUG/MINOR: mworker: Fix memory leak of mworker_proc members

2019-05-16 Thread Tim Duesterhus
William, rebased the memory leak fix on top of master. Please review. Best regards Tim Duesterhus (1): BUG/MINOR: mworker: Fix memory leak of mworker_proc members include/proto/mworker.h | 2 ++ src/haproxy.c | 3 ++- src/mworker-prog.c | 19 +-- src

[PATCH v2 1/1] BUG/MINOR: mworker: Fix memory leak of mworker_proc members

2019-05-16 Thread Tim Duesterhus
The struct mworker_proc is not uniformly freed everywhere, sometimes leading to leaks of the `id` string (and possibly the other strings). Introduce a mworker_free_child function instead of duplicating the freeing logic everywhere to prevent this kind of issues. This leak was reported in issue

[PATCH] BUG/MINOR: Fix memory leak in cfg_parse_peers

2019-05-12 Thread Tim Duesterhus
cfg_parse_peers previously leaked the contents of the `kws` string, as it was unconditionally filled using bind_dump_kws, but only used (and freed) within the error case. Move the dumping into the error case to: 1. Ensure that the registered keywords are actually printed as least once. 2. The

[PATCH 1/1] BUG/MEDIUM: compression: Set Vary: Accept-Encoding if the response would be compressed

2019-06-12 Thread Tim Duesterhus
Make HAProxy set the `Vary: Accept-Encoding` response header if the server response would normally be compressed based off the current configuration. Specifically make sure to: 1. Disregard the *request* headers ... 2. Disregard the current compression rate and other temporary conditions ... ...

[PATCH 0/1] compression: Set Vary: Accept-Encoding

2019-06-12 Thread Tim Duesterhus
ing cached multiple times (once per `Accept-Encoding` request header). Best regards Tim Duesterhus (1): BUG/MEDIUM: compression: Set Vary: Accept-Encoding if the response would be compressed reg-tests/compression/vary.vtc | 187 + src/flt_http_comp.c

[PATCH v2 1/1] BUG/MEDIUM: compression: Set Vary: Accept-Encoding if the response would be compressed

2019-06-12 Thread Tim Duesterhus
Willy, read the cover letter of this thread before ignoring the first patch, just because this one has a higher version number to avoid mistakes. Apply with `git am --scissors` to automatically cut the commit message. -- >8 -- Make HAProxy set the `Vary: Accept-Encoding` response header if the

[PATCH] BUILD: Silence gcc warning about unused return value

2019-06-12 Thread Tim Duesterhus
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609 Copyright (C) 2015 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. complains: > src/debug.c: In function

[PATCH] DOC: Fix typos in CONTRIBUTING

2019-06-15 Thread Tim Duesterhus
Fixes typos introduced in 09e0d7422e64645ad6b03b66e94e5df80a6177fa as well as anything found by `spell`. --- CONTRIBUTING | 41 + 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/CONTRIBUTING b/CONTRIBUTING index 29a5c8d78..0fcd921e8 100644

[PATCH v3] BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses

2019-06-17 Thread Tim Duesterhus
Make HAProxy set the `Vary: Accept-Encoding` response header if it compressed the server response. Technically the `Vary` header SHOULD also be set for responses that would normally be compressed based off the current configuration, but are not due to a missing or invalid `Accept-Encoding`

[PATCH] MINOR: sample: Add sha2([]) converter

2019-06-17 Thread Tim Duesterhus
This adds a converter for the SHA-2 family, supporting SHA-224, SHA-256 SHA-384 and SHA-512. The converter relies on the OpenSSL implementation, thus only being available when HAProxy is compiled with USE_OPENSSL. See GitHub issue #123. The hypothetical `ssl_?_sha256` fetch can then be simulated

[PATCH 6/9] BUG/MINOR: debug: Silence warning about ignored return value

2019-06-23 Thread Tim Duesterhus
We can't use `shut_your_big_mouth_gcc` here. Use the `!` trick suggested by Vincent Bernat in the list in Message-ID: m3ftoek0k6@luffy.cx --- include/common/debug.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/common/debug.h b/include/common/debug.h index

[PATCH 5/9] BUG/MINOR: spoe: Fix memory leak if failing to allocate memory

2019-06-23 Thread Tim Duesterhus
Technically harmless, but it annoys clang analyzer. This bug was introduced in 336d3ef0e77192582c98b3c578927a529ceadd9b. This fix should be backported to HAProxy 1.9+. --- src/flt_spoe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/flt_spoe.c b/src/flt_spoe.c index

[PATCH 2/9] BUG/MINOR: log: Detect missing sampling ranges in config

2019-06-23 Thread Tim Duesterhus
Consider a config like: global log 127.0.0.1:10001 sample :10 local0 No sampling ranges are given here, leading to NULL being passed as the first argument to qsort. This configuration does not make sense anyway, a log without ranges would never log. Thus output an error if no ranges

[PATCH 0/9] Fix issues detected by clang analyzer.

2019-06-23 Thread Tim Duesterhus
* adjustments. The one in `proxy_parse_declare` might be questionable, though. 2. Actually fix an issue I could reproduce with a carefully crafted example configuration. Cc'd William on patch 4 (worker) and Christopher on 5 (spoe). Tim Duesterhus (9): BUG/MINOR: cfgparse: Pass correct type

  1   2   >