Commit Graph

10 Commits

Author SHA1 Message Date
Aurelien DARRAGON
afd5f5d671 DEV: h2: fix h2-tracer.lua nil value index
Nick Ramirez reported the following error while testing the h2-tracer.lua
script:

  Lua filter 'h2-tracer' : [state-id 0] runtime error: /etc/haproxy/h2-tracer.lua:227: attempt to index a nil value (field '?') from /etc/haproxy/h2-tracer.lua:227: in function line 109.

It is caused by h2ff indexing with an out of bound value. Indeed, h2ff
is indexed with the frame type, which can potentially be > 9 (not common
nor observed during Willy's tests), while h2ff only defines indexes from
0 to 9.

The fix was provided by Willy, it consists in skipping h2ff indexing if
frame type is > 9. It was confirmed that doing so fixes the error.
2025-04-08 17:44:41 +02:00
Willy Tarreau
af5c07eee9 DEV: h2: fix flags for the continuation frame
It's flag 2 (end of headers) that's defined there, not 3 (padded).
2025-02-18 14:17:17 +01:00
Willy Tarreau
607aa57b2e DEV: h2: add a Lua-based HTTP/2 connection tracer
The following config is sufficient to trace H2 exchanges between a client
and a server:

   global
       lua-load "dev/h2/h2-tracer.lua"

   listen h2_sniffer
       mode tcp
       bind :8002
       filter lua.h2-tracer #hex
       server s1 127.0.0.1:8003

The commented "hex" argument will also display full frames in hex (not
recommended). The connections are prefixed with a 3-hex digit number in
order to also support a bit of multiplexing without impacting the reading
too much. The screen is split in two, with the request on the left and
the response on the right. Here's an example of what it does between an
haproxy backend and an haproxy frontend both in H2, when submitted a
curl request for /?s=30k handled by httpterm:

  [001] ### req start
  [001] [PREFACE len=24]
  [001] [SETTINGS sid=0 len=24 (bytes=24)]
  [001]                                          | ### res start
  [001]                                          | [SETTINGS sid=0 len=18 (bytes=27)]
  [001]                                          | [SETTINGS ACK sid=0 len=0 (bytes=0)]
  [001] [SETTINGS ACK sid=0 len=0 (bytes=56)]
  [001] [HEADERS EH+ES sid=1 len=47 (bytes=47)]
  [001]                                          | [HEADERS EH sid=1 len=101 (bytes=15351)]
  [001]                                          | [DATA sid=1 len=15126 (bytes=15241)]
  [001]                                          | [DATA sid=1 len=1258 (bytes=106)]
  [001]                                          |                  ... -106 = 1152
  [001]                                          |                    ... -1152 = 0
  [001] [WINDOW_UPDATE sid=1 len=4 (bytes=43)]
  [001] [WINDOW_UPDATE sid=0 len=4 (bytes=30)]
  [001] [WINDOW_UPDATE sid=1 len=4 (bytes=17)]
  [001] [WINDOW_UPDATE sid=0 len=4 (bytes=4)]
  [001]                                          | [DATA ES sid=1 len=14336 (bytes=14336)]
  [001] [WINDOW_UPDATE sid=0 len=4 (bytes=4)]
  [001] ### req end: 31080 bytes total
  [001]                                          | [GOAWAY sid=0 len=8 (bytes=8)]
  [001]                                          | ### res end: 31097 bytes total

It deserves some improvements. For instance at the moment it does not
verify the preface, any 24 bytes will work. It does not perform any
protocol validation either. Detecting some issues such as out-of-sequence
frames could be helpful. But it already helps as-is.
2025-02-18 09:26:15 +01:00
Willy Tarreau
f3a19e70e8 DEV: h2: support hex-encoded data sequences in mkhdr
For HPACK-encoded headers (particularly with huffman encoding), it's
really necessary to support hex sequences as they appear in RFC7541
examples, so let's support hex digit pairs with -R.

Now it's possible to do this to send GET https://www.example.com/ :

    (dev/h2/mkhdr.sh -t p; dev/h2/mkhdr.sh -t s;
     dev/h2/mkhdr.sh -t h -i 1 -f es,eh \
     -R '8286 8441 0f77 7777 2e65 7861 6d70 6c65 2e63 6f6d ') | nc 0 8080
2024-01-12 18:59:59 +01:00
Willy Tarreau
5bf19f8b57 DEV: h2: add support for multiple flags in mkhdr
The mkhdr script did not support passing multiple flags at once using
symbolic names. That's now done.
2024-01-12 18:59:59 +01:00
Willy Tarreau
57f8a4e879 DEV: h2: support passing raw data for a frame
With -r it's possible to pass raw data that will be interpreted by
printf so it even supports \x sequences. E.g. for a RST_STREAM, let's
just use \x00\x00\x00\x00.
2024-01-06 11:02:37 +01:00
Willy Tarreau
ec8ea73bc0 DEV: h2: add the preface as well in supported output types
It's annoying to always have to append it from a capture, let's also
support producing the preface.
2024-01-06 11:02:37 +01:00
Willy Tarreau
57b6c17099 DEV: h2: add the ability to emit literals in mkhdr
It's sometimes needed to be able to build a headers frame, let's
add this by permitting to encode key/value pairs as literal headers.
2024-01-06 11:02:37 +01:00
Willy Tarreau
e8ae99b111 DEV: h2: support reading frame payload from a file
Now we can build a series of data frames by reading from a file and
chunking it into frames of requested length. It's mostly useful for
data frames (e.g. post). One way to announce these upfront is to
capture the output of curl use without content-length:

  $ nc -lp4446 > post-h2-nocl.bin
  $ curl -v --http2-prior-knowledge http://127.0.0.1:4446/url -H "content-length:" -d @/dev/null

Then just change the 5th byte from the end from 1 to 0 to remove the
end-of-stream bit, it will allow to chain a file, then to send an
empty DATA frame with ES set :

  $ (dev/h2/mkhdr.sh -i 1 -t data -d CHANGELOG;
     dev/h2/mkhdr.sh -i 1 -t data -l 0 -f es) > h2-data-changelog.bin

Then post that to the server:
  $ cat post-h2-nocl.bin h2-data-changelog.bin | nc 0 4446
2023-04-26 11:36:02 +02:00
Willy Tarreau
78bb934607 DEV: h2: add a script "mkhdr" to build h2 frames from scratch
It's a real pain to try to trigger certain edge cases in h2, so let's
write a simple tool aiming at creating frames.
2023-04-26 11:35:45 +02:00