8076 Commits

Author SHA1 Message Date
Thierry FOURNIER
fd77e05f65 MINOR: vars: returns variable content
This patch copy the content of a variable in a sample. The function
returns 0 if the variable is not found.
2015-07-22 00:48:24 +02:00
Thierry FOURNIER
00c005c726 MEDIUM: sample: switch to saturated arithmetic
This patch check calculus for overflow and returns capped values.
This permits to protect against integer overflow in certain operations
involving ratios, percentages, limits or anything. That can sometimes
be critically important with some operations (eg: content-length < X).
2015-07-22 00:48:24 +02:00
Thierry FOURNIER
bf65cd4d77 MAJOR: arg: converts uint and sint in sint
This patch removes the 32 bits unsigned integer and the 32 bit signed
integer. It replaces these types by a unique type 64 bit signed.
2015-07-22 00:48:23 +02:00
Thierry FOURNIER
07ee64ef4d MAJOR: sample: converts uint and sint in 64 bits signed integer
This patch removes the 32 bits unsigned integer and the 32 bit signed
integer. It replaces these types by a unique type 64 bit signed.

This makes easy the usage of integer and clarify signed and unsigned use.
With the previous version, signed and unsigned are used ones in place of
others, and sometimes the converter loose the sign. For example, divisions
are processed with "unsigned", if one entry is negative, the result is
wrong.

Note that the integer pattern matching and dotted version pattern matching
are already working with signed 64 bits integer values.

There is one user-visible change : the "uint()" and "sint()" sample fetch
functions which used to return a constant integer have been replaced with
a new more natural, unified "int()" function. These functions were only
introduced in the latest 1.6-dev2 so there's no impact on regular
deployments.
2015-07-22 00:48:23 +02:00
Willy Tarreau
5b4dd683cb MINOR: standard: provide htonll() and ntohll()
These are the 64-bit equivalent of htonl() and ntohl(). They're a bit
tricky in order to avoid expensive operations.

The principle consists in letting the compiler detect we're playing
with a union and simplify most or all operations. The asm-optimized
htonl() version involving bswap (x86) / rev (arm) / other is a single
operation on little endian, or a NOP on big-endian. In both cases,
this lets the compiler "see" that we're rebuilding a 64-bit word from
two 32-bit quantities that fit into a 32-bit register. In big endian,
the whole code is optimized out. In little endian, with a decent compiler,
a few bswap and 2 shifts are left, which is the minimum acceptable.
2015-07-21 23:50:06 +02:00
Thierry FOURNIER
763a5d85f7 MINOR: standard: add 64 bits conversion functions
This patch adds 3 functions for 64 bit integer conversion.

 * lltoa_r : converts signed 64 bit integer to string
 * read_uint64 : converts from string to signed 64 bits integer with capping
 * read_int64 : converts from string to unsigned 64 bits integer with capping
2015-07-21 23:27:10 +02:00
Baptiste Assmann
19a106d24a MINOR: server: server_find functions: id, name, best_match
This patch introduces three new functions which can be used to find a
server in a farm using different server information:
- server unique id (srv->puid)
- server name
- find best match using either name or unique id

When performing best matching, the following applies:
 - use the server name first (if provided)
 - use the server id if provided
 in any case, the function can update the caller about mismatches
 encountered.
2015-07-21 23:24:16 +02:00
Baptiste Assmann
7cc419ae1d MINOR: server: new server flag: SRV_F_FORCED_ID
This flag aims at reporting whether the server unique id (srv->puid) has
been forced by the administrator in HAProxy's configuration.
If not set, it means HAProxy has generated automatically the server's
unique id.
2015-07-21 23:24:16 +02:00
Baptiste Assmann
8a027ccb38 MINOR: proxy: bit field for proxy_find_best_match diff status
function proxy_find_best_match can update the caller by updating an int
provided in argument.
For now, proxy_find_best_match hardcode bit values 0x01, 0x02 and 0x04,
which is not understandable when reading a code exploiting them.

This patch defines 3 macros with a more explicit wording, so further
reading of a code exploiting the magic bit values will be understandable
more easily.
2015-07-21 23:24:16 +02:00
Thierry FOURNIER
fac9ccfb70 BUG/MINOR: http/sample: gmtime/localtime can fail
The man said that gmtime() and localtime() can return a NULL value.
This is not tested. It appears that all the values of a 32 bit integer
are valid, but it is better to check the return of these functions.

However, if the integer move from 32 bits to 64 bits, some 64 values
can be unsupported.
2015-07-20 12:21:35 +02:00
Nenad Merdanovic
8a39a1fcc3 BUG/MINOR: payload: Add volatile flag to smp_fetch_req_ssl_ec_ext
This bug was introduced in 5fc7d7e. No backport to 1.5 needed.

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-07-20 10:11:44 +02:00
Willy Tarreau
d7c7475ad6 MINOR: stream-int: only use si_release_endpoint() to release a connection
Change si_alloc_conn() to call si_release_endpoint() instead of
open-coding the connection releasing code when reuse is disabled.
This fuses the code with the one already dealing with applets, makes
it shorter and helps centralizing the connection freeing logic at a
single place.
2015-07-19 19:14:10 +02:00
Willy Tarreau
7a08d3b2d7 CLEANUP: stream-int: remove stream_int_unregister_handler() and si_detach()
The former was not used anymore and the latter was only used by the former.
They were only aliases to other existing functions anyway.
2015-07-19 18:48:20 +02:00
Willy Tarreau
a9ff5e64c1 CLEANUP: stream-int: fix a few outdated comments about stream_int_register_handler()
They were not updated after the infrastructure change.
2015-07-19 18:46:30 +02:00
Willy Tarreau
069b0c8e6f CLEANUP: stream: remove a useless call to si_detach()
It's pointless to call si_detach() after si_reset() since it does
nothing due to si->end being NULL.
2015-07-19 17:57:02 +02:00
Baptiste Assmann
4c5490ab9c BUG/MINOR: dns: wrong time unit for some DNS default parameters
Madison May reported that the timeout applied by the default
configuration is inproperly set up.
This patch fix this:
 - hold valid default to 10s
 - timeout retry default to 1s
2015-07-18 08:22:01 +02:00
Baptiste Assmann
91bd337d90 DOC usesrc root privileges requirments
The "usesrc" parameter of the source statement requires root privileges.
2015-07-18 07:33:40 +02:00
Thierry FOURNIER
25f4e3ef33 CLEANUP: vars: remove unused struct
The commit "MEDIUM: vars: move the session variables to the session, not the stream" (ebcd4844e82a4198ea5d98fe491a46267da1d1ec")
moves the variables from the stream to the session. It forgot to remove
the stream definition of the "vars_sess".
2015-07-10 16:30:08 +02:00
Thierry FOURNIER
29176f3ebb BUG/MINOR: lua: type error in the arguments wrapper
The expected arguments time and size are returned as int. This patch
fix this bug and returns the expected type.
2015-07-10 16:29:31 +02:00
Willy Tarreau
732eac41f4 MEDIUM: ssl: add sni support on the server lines
The new "sni" server directive takes a sample fetch expression and
uses its return value as a hostname sent as the TLS SNI extension.
A typical use case consists in forwarding the front connection's SNI
value to the server in a bridged HTTPS forwarder :

   sni ssl_fc_sni
2015-07-10 11:43:15 +02:00
Willy Tarreau
630764188b MINOR: ssl: provide ia function to set the SNI extension on a connection
ssl_sock_set_servername() is used to set the SNI hostname on an
outgoing connection. This function comes from code originally
provided by Christopher Faulet of Qualys.
2015-07-10 11:37:29 +02:00
Willy Tarreau
42529c38ac MINOR: stream: maintain consistence between channel_forward and HTTP forward
When the HTTP forwarder is used, it resets msg->sov so that we know that
the parsing pointer has advanced by exactly (msg->eoh + msg->eol - msg->sov)
bytes which may have to be rewound in case we want to perform an HTTP fetch
after forwarding has started (eg: upon connect).

But when the backend is in TCP mode, there may be no HTTP forwarding
analyser installed, still we may want to perform these HTTP fetches in
case we have already ensured at the TCP layer that we have a properly
parsed HTTP transaction.

In order to solve this, we reset msg->sov before doing a channel_forward()
so that we can still compute http_rewind() on the pending data. That ensures
the buffer is always rewindable even in mixed TCP+HTTP mode.
2015-07-10 11:37:29 +02:00
Willy Tarreau
28d976d5ee MINOR: args: add new context for servers
We'll have to support fetch expressions and args on server lines for
"usesrc", "usedst", "sni", etc...
2015-07-09 11:39:33 +02:00
Willy Tarreau
53e1a6d317 BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
ARGC_CAP was not added to fmt_directives() which is used to format
error messages when failing to parse log format expressions. The
whole switch/case has been reorganized to match the declaration
order making it easier to spot missing values. The default is not
the "log" directive anymore but "undefined" asking to report the
bug.

Backport to 1.5 is not strictly needed but is desirable at least
for code sanity.
2015-07-09 11:20:00 +02:00
Nenad Merdanovic
5fc7d7e8ce MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
Clients that support ECC cipher suites SHOULD send the specified extension
within the SSL ClientHello message according to RFC4492, section 5.1. We
can use this extension to chain-proxy requests so that, on the same IP
address, a ECC compatible clients gets an EC certificate and a non-ECC
compatible client gets a regular RSA certificate. The main advantage of this
approach compared to the one presented by Dave Zhu on the mailing list
is that we can make it work with OpenSSL versions before 1.0.2.

Example:
frontend ssl-relay
        mode tcp
        bind 0.0.0.0:443
        use_backend ssl-ecc if { req.ssl_ec_ext 1 }
        default_backend ssl-rsa

backend ssl-ecc
        mode tcp
        server ecc unix@/var/run/haproxy_ssl_ecc.sock send-proxy-v2 check

backend ssl-rsa
        mode tcp
        server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 check

listen  all-ssl
        bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody
        bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-07-09 09:26:59 +02:00
Willy Tarreau
fc017fec48 CLEANUP: ssl: make ssl_sock_generate_certificate() use ssl_sock_generated_cert_serial()
It saves from open-coding the hashing method. Instead all serial
generation is done in a single function.
2015-07-07 18:09:34 +02:00
Willy Tarreau
646b864fe5 CLEANUP: ssl: make ssl_sock_generated_cert_serial() take a const
It doesn't modify the input.
2015-07-07 18:09:15 +02:00
Willy Tarreau
f67214554c MINOR: ssl: make self-generated certs also work with raw IPv6 addresses
The current method of retrieving the incoming connection's destination
address to hash it is not compatible with IPv6 nor the proxy protocol
because it directly tries to get an IPv4 address from the socket. Instead
we must ask the connection. This is only used when no SNI is provided.
2015-07-07 18:04:38 +02:00
Dragan Dosen
96a0be78ed BUG/MEDIUM: 51d: possible incorrect operations on smp->data.str.str
In src/51d.c, the function _51d_conv(), a final '\0' is added into
smp->data.str.str, which can cause a problem if the SMP_F_CONST flag is
set in smp->flags or if smp->data.str.size is not available.

This patch adds a check on smp->flags and smp->data.str.size, and copies
the smp->data.str.str to another buffer by using smp_dup(). If necessary,
the "const" flag is set after device detection. Also, this patch removes
the unnecessary call to chunk_reset() on temp argument.
2015-07-07 17:19:33 +02:00
Adis Nezirovic
2fbcafc9ce MEDIUM: http: Add new 'set-src' option to http-request
This option enables overriding source IP address in a HTTP request. It is
useful when we want to set custom source IP (e.g. front proxy rewrites address,
but provides the correct one in headers) or we wan't to mask source IP address
for privacy or compliance.

It acts on any expression which produces correct IP address.
2015-07-06 16:17:28 +02:00
Adis Nezirovic
79beb248b9 CLEANUP: sample: generalize sample_fetch_string() as sample_fetch_as_type()
This modification makes possible to use sample_fetch_string() in more places,
where we might need to fetch sample values which are not plain strings. This
way we don't need to fetch string, and convert it into another type afterwards.

When using aliased types, the caller should explicitly check which exact type
was returned (e.g. SMP_T_IPV4 or SMP_T_IPV6 for SMP_T_ADDR).

All usages of sample_fetch_string() are converted to use new function.
2015-07-06 16:17:25 +02:00
Willy Tarreau
4e5d58e517 MINOR: stats: improve compression stats reporting
Compression stats were not easy to read and could be confusing because
the saving ratio could be taken for global savings while it was only
relative to compressible input. Let's make that a bit clearer using
the new tooltips with a bit more details and also report the effective
ratio over all output bytes.
2015-07-04 14:35:15 +02:00
Willy Tarreau
27f78241e6 BUG/MAJOR: tcp: tcp rulesets were still broken
Commit cc87a11 ("MEDIUM: tcp: add register keyword system.") broke the
TCP ruleset by merging custom rules and accept. It was fixed a first time
by commit e91ffd0 ("BUG/MAJOR: tcp: only call registered actions when
they're registered") but the accept action still didn't work anymore
and was causing the matching rule to simply be ignored.

Since the code introduced a very fragile behaviour by not even mentionning
that accept and custom were silently merged, let's fix this once for all by
adding an explicit check for the accept action. Nevertheless, as previously
mentionned, the action should be changed so that custom is the only action
and the continue vs break indication directly comes from the callee.

No backport is needed, this bug only affects 1.6-dev.
2015-07-04 11:36:30 +02:00
Cyril Bont
46175dd81d DOC: dns: fix chapters syntax
All chapters in the configuration documentation used to follow this syntax :
<chapter number>. <title>
-------------------------

The new chapters introduced to document the dns resolution didn't provide the
dot character after the chapter number, which breaks the parsing for the HTML
converter. Instead of adding new conditions in the converter, we can align the
chapters with this syntax.
2015-07-03 17:09:58 +02:00
KOVACS Krisztian
7209c204bd BUG/MAJOR: connection: fix TLV offset calculation for proxy protocol v2 parsing
Until now, the code assumed that it can get the offset to the first TLV
header just by subtracting the length of the TLV part from the length of
the complete buffer. However, if the buffer contains actual data after
the header, this computation is flawed and leads to haproxy trying to
parse TLV headers from the proxied data.

This change fixes this by making sure that the offset to the first TLV
header is calculated based from the start of the buffer -- simply by
adding the size of the proxy protocol v2 header plus the address
family-dependent size of the address information block.
2015-07-03 17:05:20 +02:00
Willy Tarreau
27187ab56a BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
The function buffer_slow_realign() was initially designed for requests
only and did not consider pending outgoing data. This causes a problem
when called on responses where data remain in the buffer, which may
happen with pipelined requests when the client is slow to read data.

The user-visible effect is that if less than <maxrewrite> bytes are
present in the buffer from a previous response and these bytes cross
the <maxrewrite> boundary close to the end of the buffer, then a new
response will cause a realign and will destroy these pending data and
move the pointer to what's believed to contain pending output data.
Thus the client receives the crap that lies in the buffer instead of
the original output bytes.

This new implementation now properly realigns everything including the
outgoing data which are moved to the end of the buffer while the input
data are moved to the beginning.

This implementation still uses a buffer-to-buffer copy which is not
optimal in terms of performance and which should be replaced by a
buffer switch later.

Prior to this patch, the following script would return different hashes
on each round when run from a 100 Mbps-connected machine :

  i=0
  while usleep 100000; do
    echo round $((i++))
    set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum)
    if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi
  done

The file contains 1000 times this request with "Connection: close" on the
last one :

  GET /?s=5k&R=1 HTTP/1.1

The config is very simple :

  global
        tune.bufsize 16384
        tune.maxrewrite 8192

  defaults
        mode http
        timeout client 10s
        timeout server 5s
        timeout connect 3s

  listen px
        bind :8001
        option http-server-close
        server s1 127.0.0.1:8000

And httpterm-1.7.2 is used as the server on port 8000.

After the fix, 1 million requests were sent and all returned the same
contents.

Many thanks to Charlie Smurthwaite of atechmedia.com for his precious
help on this issue, which would not have been diagnosed without his
very detailed traces and numerous tests.

The patch must be backported to 1.5 which is where the bug was introduced.
2015-07-02 15:27:24 +02:00
David Carlier
b5714dab9d BUILD: add netbsd TARGET
For now it's the same as openbsd.
2015-07-02 11:33:03 +02:00
David Carlier
e6c3941668 BUILD/MINOR: tools: rename popcount to my_popcountl
This is in order to avoid conflicting with NetBSD popcount* functions
since 6.x release, the final l to mentions the argument is a long like
NetBSD does.

This patch could be backported to 1.5 to fix the build issue there as well.
2015-07-02 11:32:25 +02:00
Dragan Dosen
ae6d39af9c DOC: add notes about the "51degrees-cache-size" parameter 2015-06-30 10:43:03 +02:00
Dragan Dosen
105c8e6368 MEDIUM: 51d: add LRU-based cache on User-Agent string detection
This cache is used by 51d converter. The input User-Agent string, the
converter args and a random seed are used as a hashing key. The cached
entries contains a pointer to the resulting string for specific
User-Agent string detection.

The cache size can be tuned using 51degrees-cache-size parameter.
2015-06-30 10:43:03 +02:00
Dragan Dosen
93b38d9191 MEDIUM: 51Degrees code refactoring and cleanup
Moved 51Degrees code from src/haproxy.c, src/sample.c and src/cfgparse.c
into a separate files src/51d.c and include/import/51d.h.

Added two new functions init_51degrees() and deinit_51degrees(), updated
Makefile and other code reorganizations related to 51Degrees.
2015-06-30 10:43:03 +02:00
Willy Tarreau
e44136fe69 BUG/MEDIUM: vars: do not freeze the connection when the expression cannot be fetched
Commit 4834bc7 ("MEDIUM: vars: adds support of variables") brought a bug.
Setting a variable from an expression that doesn't resolve infinitely
blocks the processing.

The internal actions API must be changed to let the caller pass the various
flags regarding the state of the analysis (SMP_OPT_FINAL).

For now we only fix the issue by making the action_store() function always
return 1 to prevent any blocking.

No backport is needed.
2015-06-23 15:17:33 +02:00
Willy Tarreau
ebcd4844e8 MEDIUM: vars: move the session variables to the session, not the stream
It's important that the session-wide variables are in the session and not
in the stream.
2015-06-19 11:59:02 +02:00
Willy Tarreau
7233098da1 MINOR: vars: make the accounting not depend on the stream
We'll need to move the session variables to the session. For this, the
accounting must not depend on the stream. Instead we pass the pointers
to the different lists.
2015-06-19 11:21:56 +02:00
Willy Tarreau
57b8a53f03 BUG/MEDIUM: lru: fix possible memory leak when ->free() is used
Commit 7810ad7 ("BUG/MAJOR: lru: fix unconditional call to free due to
unexpected semi-colon") was not enough, it happens that the free() is
not performed at the right place because if the evicted node is recycled,
we must also release its data before it gets overwritten.

No backport is needed.
2015-06-17 20:33:30 +02:00
Willy Tarreau
ce7b4def74 BUILD/MINOR: lua: ensure that hlua_ctx_destroy is properly defined
When Lua is disabled, the alternate functions must have the same
prototype as the original ones, otherwise we get such warnings :

src/stream.c:278:27: warning: too many arguments in call to 'hlua_ctx_destroy'
        hlua_ctx_destroy(&s->hlua);
        ~~~~~~~~~~~~~~~~         ^
No backport is needed.
2015-06-17 20:18:54 +02:00
Willy Tarreau
b7636d1a10 BUG/MEDIUM: logs: fix improper systematic use of quotes with a few tags
Dmitry Sivachenko reported the following build warning using Clang, which
is a real bug :

  src/log.c:1538:22: warning: use of logical '&&' with constant operand
        [-Wconstant-logical-operand]
                                  if (tmp->options && LOG_OPT_QUOTE)
                                                   ^  ~~~~~~~~~~~~~
The effect is that recent log tags related to HTTP method, path, uri,
query have a bug making them always use quotes.

This bug was introduced in 1.6-dev2 with commit 0ebc55f ("MEDIUM: logs:
Add HTTP request-line log format directives"), so no backport is needed.
2015-06-17 19:58:02 +02:00
Willy Tarreau
7810ad7d59 BUG/MAJOR: lru: fix unconditional call to free due to unexpected semi-colon
Dmitry Sivachenko reported the following build warning using Clang, which
is a real bug :

  src/lru.c:133:32: warning: if statement has empty body [-Wempty-body]
                                  if (old->data && old->free);
                                                             ^
It results in calling old->free(old->data) even when old->free is NULL,
hence crashing on cached patterns.

The same bug appears a few lines below in lru64_destroy() :

  src/lru.c:195:33: warning: if statement has empty body [-Wempty-body]
                          if (elem->data && elem->free);
                                                       ^
Both were introduced in 1.6-dev2 with commit f90ac55 ("MINOR: lru: Add the
possibility to free data when an item is removed"), so no backport is needed.
2015-06-17 19:55:32 +02:00
Willy Tarreau
666f504906 BUILD/MINOR: stats: fix build warning due to condition always true
Dmitry Sivachenko reported the following harmless build warning using Clang :

  src/dumpstats.c:5196:48: warning: address of array 'strm_li(sess)->proto->name'
        will always evaluate to 'true' [-Wpointer-bool-conversion]
    ...strm_li(sess) && strm_li(sess)->proto->name ? strm_li(sess)->proto->nam...
                     ~~ ~~~~~~~~~~~~~~~~~~~~~~^~~~
proto->name cannot be null here as it's the protocol name which is stored
directly in the structure.

The same case is present in 1.5 though the code changed.
2015-06-17 19:49:52 +02:00
Willy Tarreau
22b0a68120 BUILD/MINOR: lua: fix a harmless build warning
Dmitry Sivachenko reported the following build warning using Clang,
though it's harmless :

  src/hlua.c:1911:13: warning: variable '_socket_info_expanded_form' is not needed
        and will not be emitted [-Wunneeded-internal-declaration]
  static char _socket_info_expanded_form[] = SOCKET_INFO_EXPANDED_FORM;
              ^
Indeed, the variable is not used except to compute a sizeof which is
taken from the string it is initialized from. It probably is a leftover
after various code refactorings. Let's get rid of it now since it's not
used anymore.

No backport is needed.
2015-06-17 19:46:16 +02:00