11510 Commits

Author SHA1 Message Date
Willy Tarreau
3ebb1163ba MINOR: backend: rework the LC definition to support other connection-based algos
The leastconn algorithm should be of kind "connection-based", not "leastconn"
if we want to later support other connection-based LB algos.
2012-02-13 17:02:31 +01:00
Willy Tarreau
ff67813f58 MINOR: config: emit a warning when 'default_backend' masks servers
When a "listen" instance uses a "default_backned" rule and has servers,
the servers will never be used. Report it so that users don't get trapped.
2012-02-13 14:32:34 +01:00
Willy Tarreau
32d0272394 BUILD: make it possible to look for pcre in the default system paths
If running "make PCREDIR=" will not force to add -I nor -L anymore.
2012-02-10 19:46:59 +01:00
William Lallemand
4894040fa0 DOC: log-format documentation 2012-02-09 17:03:28 +01:00
William Lallemand
a1cc381151 MEDIUM: log: make http_sess_log use log_format
http_sess_log now use the logformat linked list to make the log
string, snprintf is not used for speed issue.

CLF mode also uses logformat.

NOTE: as of now, empty fields in CLF now are "" not "-" anymore.
2012-02-09 17:03:28 +01:00
William Lallemand
421f5b5882 MINOR: Date and time fonctions that don't use snprintf
Also move human_time() to standard.c since it's not related to
timeval calculations.
2012-02-09 17:03:28 +01:00
William Lallemand
e7340ec111 MINOR: add ultoa, ulltoa, ltoa, lltoa implementations
Implementations that write result from left to right
2012-02-09 17:03:28 +01:00
William Lallemand
723b73ad75 MINOR: config: Parse the string of the log-format config keyword
parse_logformat_string: parse the string, detect the type: text,
        separator or variable

parse_logformat_var: dectect variable name

parse_logformat_var_args: parse arguments and flags

add_to_logformat_list: add to the logformat linked list
2012-02-09 17:03:24 +01:00
William Lallemand
2a4a44f0f9 REORG: log: split send_log function
send_log function is now splited in 3 functions
* hdr_log: generate the syslog header
* send_log: send a syslog message with a printf format string
* __send_log: send a syslog message
2012-02-09 15:54:43 +01:00
William Lallemand
d9e9066e71 BUILD: fix declaration inside a scope block 2012-02-06 09:46:16 +01:00
Willy Tarreau
8b15ba19c3 MEDIUM: improve config check return codes
When checking a configuration file using "-c -f xxx", sometimes it is
reported that a config is valid while it will later fail (eg: no enabled
listener). Instead, let's improve the return values :
  - return 0 if config is 100% OK
  - return 1 if config has errors
  - return 2 if config is OK but no listener nor peer is enabled
2012-02-02 17:53:37 +01:00
Willy Tarreau
6f9b003c2b BUG: fix double free in peers config error path
If the local host is not found as a peer in a "peers" section, we have a
double free, and possibly a use-after-free because the peers section is
freed since it's aliased as the table's name.
2012-02-02 17:53:37 +01:00
Patrick Mézard
b7aeec6333 DOC: mention that default checks are TCP connections 2012-01-29 14:16:25 +01:00
Willy Tarreau
b05405a3a8 BUILD: fix build error on FreeBSD
Marcello Gorlani reported that commit 5e205524ad24003ecc4dbb435066aebe7ed58d95
(BUG: http: re-enable TCP quick-ack upon incomplete HTTP requests) broke build
on FreeBSD.

Moving the include lower fixes the issue. This must be backported to 1.4 too.
2012-01-23 15:35:52 +01:00
Willy Tarreau
615674cdec MINOR: halog: add some help on the command line 2012-01-23 08:17:59 +01:00
Willy Tarreau
f8e8b76ed3 BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend
It was reported that a server configured with a zero weight would
sometimes still take connections from the backend queue. This issue is
real, it happens this way :
  1) the disabled server accepts a request with a cookie
  2) many cookie-less requests accumulate in the backend queue
  3) when the disabled server completes its request, it checks its own
     queue and the backend's queue
  4) the server takes a pending request from the backend queue and
     processes it. In response, the server's cookie is assigned to
     the client, which ensures that some requests will continue to
     be served by this server, leading back to point 1 above.

The fix consists in preventing a zero-weight server from dequeuing pending
requests from the backend. Making use of srv_is_usable() in such tests makes
the tests more robust against future changes.

This fix must be backported to 1.4 and 1.3.
2012-01-20 16:18:53 +01:00
Willy Tarreau
62c3be28ed BUG/MEDIUM: correctly disable servers tracking another disabled servers.
In a config where server "s1" is marked disabled and "s2" tracks "s1",
s2 appears disabled on the stats but is still inserted into the LB farm
because the tracking is resolved too late in the configuration process.

We now resolve tracked servers before building LB maps and we also mark
the tracking server in maintenance mode, which previously was not done,
causing half of the issue.

Last point is that we also protect srv_is_usable() against electing a
server marked for maintenance. This is not absolutely needed but is a
safe choice and makes a lot of sense.

This fix must be backported to 1.4.
2012-01-20 16:18:30 +01:00
Stathis Voukelatos
09a030a9a4 BUG/MINOR: fix typo in processing of http-send-name-header
I downloaded version 1.4.19 this morning. While merging the code changes
to a custom build that we have here for our project I noticed a typo in
'session.c', in the new code for inserting the server name in the HTTP
header. The fix that I did is shown in the patch below.

[WT: the bug is harmless, it is only suboptimal]
2012-01-09 14:27:13 +01:00
Willy Tarreau
8fa52f4e0e BUG/MINOR: cli: correctly remove the whole table on "clear table"
Joe Price reported that "clear table xxx" sent on the CLI would only clear
the last entry. This is true, some code was missing to remove an entry from
within the loop, and only the final condition was able to remove an entry.
The fix is obvious. No backport is needed.
2012-01-09 11:53:09 +01:00
Willy Tarreau
2f1feb99a5 DOC: add some documentation from RFC3986 about URI format 2012-01-07 23:58:54 +01:00
Willy Tarreau
422246eb26 MEDIUM: http: block non-ASCII characters in URIs by default
These ones are invalid and blocked unless "option accept-invalid-http-request"
is specified in the frontend. In any case, the faulty request is logged.

Note that some of the remaining invalid chars are still not checked against,
those are the invalid ones between 32 and 127 :

    34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'),
    96 ('`'), 123 ('{'), 124 ('|'), 125 ('}')

Using a lookup table might be better at some point.
2012-01-07 23:55:20 +01:00
Willy Tarreau
2e9506d771 BUG: http: tighten the list of allowed characters in a URI
The HTTP request parser was considering that any non-LWS char was
par of the URI. Unfortunately, this allows control chars to be sent
in the URI, sometimes resulting in backend servers misbehaving, for
instance when they interprete \0 as an end of string and respond
with plain HTTP/0.9 without headers, that haproxy blocks as invalid
responses.

RFC3986 clearly states the list of allowed characters in a URI. Even
non-ASCII chars are not allowed. Unfortunately, after having run 10
years with these chars allowed, we can't block them right now without
an optional workaround. So the first step consists in only blocking
control chars. A later patch will allow non-ASCII only when an appropriate
option is enabled in the frontend.

Control chars are 0..31 and 127, with the exception of 9, 10 and 13
(\t, \n, \r).
2012-01-07 23:22:31 +01:00
Willy Tarreau
7b77c9fd6d CLEANUP: silence a warning when building on sparc
On Solaris/sparc, getpid() returns pid_t which is not an int :

  src/peers.c: In function `peer_io_handler':
  src/peers.c:508: warning: int format, pid_t arg (arg 6)
2012-01-07 22:52:12 +01:00
Mark Lamourine
c2247f0b8d MEDIUM: http: add support for sending the server's name in the outgoing request
New option "http-send-name-header" specifies the name of a header which
will hold the server name in outgoing requests. This is the name of the
server the connection is really sent to, which means that upon redispatches,
the header's value is updated so that it always matches the server's name.
2012-01-05 15:17:31 +01:00
Willy Tarreau
e1a908c369 OPTIM: halog: keep a fast path for the lines-count only
Using "halog -c" is still something quite common to perform on logs,
but unfortunately since the recent added controls, it was sensibly
slowed down due to the parsing of the accept date field.

Now we use a specific loop for the case where nothing is needed from
the input, and this sped up the line counting by 2.5x. A 2.4 GHz Xeon
now counts lines at a rate of 2 GB of logs per second.
2012-01-03 09:28:05 +01:00
Willy Tarreau
7f051b39d2 DOC: add a coding-style file
This will help newcomers adapt to existing (or desired) style and will
save them some time.
2011-12-30 17:33:27 +01:00
Willy Tarreau
6cee7ddd5e DOC: add minimal documentation on how ACLs work internally
This will help complete the ACL to pattern migration.
2011-12-30 17:33:27 +01:00
Willy Tarreau
e428fb7b4e MEDIUM: patterns: the hdr() pattern is now of type string
This pattern previously was limited to type IP. With the new header
extraction function, it becomes possible to extract strings, so that
the header can be returned as a string. This will not change anything
to existing configs, as string will automatically be converted to IP
when needed. However, new configs will be able to use IPv6 addresses
from headers in stick-tables, as well as stick on any non-IP header
(eg: host, user-agent, ...).
2011-12-30 17:33:27 +01:00
Willy Tarreau
294c473756 MEDIUM: http: replace get_ip_from_hdr2() with http_get_hdr()
The new function does not return IP addresses but header values instead,
so that the caller is free to make what it want of them. The conversion
is not quite clean yet, as the previous test which considered that address
0.0.0.0 meant "no address" is still used. A different IP parsing function
should be used to take this into account.
2011-12-30 17:33:26 +01:00
Willy Tarreau
aff79da207 CLEANUP: acl: remove last data fields from the acl_test struct
acl_test doesn't hold ptr nor len anymore, since everything has moved to
the temporary pattern.
2011-12-30 17:33:26 +01:00
Willy Tarreau
664092ccc1 MEDIUM: acl: use temp_pattern to store any string-type information
Now strings and data blocks are stored in the temp_pattern's chunk
and matched against this one.

The rdp_cookie currently makes extensive use of acl_fetch_rdp_cookie()
and will be a good candidate for the initial rework so that ACLs use
the patterns framework and not the other way around.
2011-12-30 17:33:26 +01:00
Willy Tarreau
31d1b01211 CLEANUP: acl: integer part of acl_test is not used anymore 2011-12-30 17:33:26 +01:00
Willy Tarreau
f4362b3e3b MEDIUM: acl: use temp_pattern to store any address-type information
IPv4 and IPv6 addresses are now stored into temp_pattern instead of
the dirty hack consisting into storing them into the consumer's target
address.

Some refactoring should now be possible since the methods used to fetch
source and destination addresses are similar between patterns and ACLs.
2011-12-30 17:33:26 +01:00
Willy Tarreau
a5e375646c MEDIUM: acl: use temp_pattern to store any integer-type information
All ACL fetches which return integer value now store the result into
the temporary pattern struct. All ACL matches which rely on integer
also get their value there.

Note: the pattern data types are not set right now.
2011-12-30 17:33:26 +01:00
Willy Tarreau
b666bc7d51 MEDIUM: pattern: change the pattern data integer from unsigned to signed
Till now the pattern data integer type was unsigned without any
particular reason. In order to make ACLs use it, we must switch it
to signed int instead.
2011-12-30 17:33:25 +01:00
Willy Tarreau
918458439e MINOR: acl: include pattern.h to make pattern migration more transparent 2011-12-30 17:33:25 +01:00
Willy Tarreau
8e5e955c50 MEDIUM: acl: use temp_pattern to store fetched information in the "method" match
This match was using both the int and ptr part of the acl_test struct. Let's
change this to be able to store it into a chunk with a special encoding.
2011-12-30 17:33:25 +01:00
Willy Tarreau
1ded605ad5 CLEANUP: patterns: get rid of pattern_data_setstring()
This function was only used to call chunk_init_len() from another chunk,
which in the end consists in simply assigning the source chunk to the
destination chunk. Let's remove this indirection to make the code clearer.
Anyway it was the only place such a function was used.
2011-12-30 17:33:25 +01:00
Willy Tarreau
5e6cc4aad8 MINOR: pattern: export the global temporary pattern
The global pattern is used for pattern conversions. Export it under the
name "temp_pattern" so that it can later be used by ACLs.
2011-12-30 17:33:25 +01:00
Willy Tarreau
5dc1e98905 BUG: proto_tcp: don't try to bind to a foreign address if sin_family is unknown
This is 1.5-specific. It causes issues with transparent source binding involving
hdr_ip. We must not try to bind() to a foreign address when the family is not set,
and we must set the family when an address is set.
2011-12-30 17:33:24 +01:00
Willy Tarreau
5e205524ad BUG: http: re-enable TCP quick-ack upon incomplete HTTP requests
By default we disable TCP quick-acking on HTTP requests so that we
avoid sending a pure ACK immediately followed by the HTTP response.
However, if the client sends an incomplete request in a short packet,
its TCP stack might wait for this packet to be ACKed before sending
the rest of the request, delaying incoming requests by up to 40-200ms.

We can detect this undesirable situation when parsing the request :
  - if an incomplete request is received
  - if a full request is received and uses chunked encoding or advertises
    a content-length larger than the data available in the buffer

In these situations, we re-enable TCP quick-ack if we had previously
disabled it.
2011-12-17 16:45:29 +01:00
Willy Tarreau
b6672b547a MINOR: acl: add support for TLS server name matching using SNI
Server Name Indication (SNI) is a TLS extension which makes a client
present the name of the server it is connecting to in the client hello.
It allows a transparent proxy to take a decision based on the beginning
of an SSL/TLS stream without deciphering it.

The new ACL "req_ssl_sni" matches the name extracted from the TLS
handshake against a list of names which may be loaded from a file if
needed.
2011-12-12 17:26:23 +01:00
Willy Tarreau
82a04566ec OPTIM: stream_sock: save a failed recv syscall when splice returns EAGAIN
When splice() returns EAGAIN, on old kernels it could be caused by a read
shutdown which was not detected. Due to this behaviour, we had to fall
back to recv(), which in turn says if it's a real EAGAIN or a shutdown.
Since this behaviour was fixed in 2.6.27.14, on more recent kernels we'd
prefer to avoid the fallback to recv() when possible. For this, we set a
variable the first time splice() detects a shutdown, to indicate that it
works. We can then rely on this variable to adjust our behaviour.

Doing this alone increased the overall performance by about 1% on medium
sized objects.
2011-12-12 00:03:55 +01:00
Willy Tarreau
eb9fd5178e OPTIM: stream_sock: reduce the amount of in-flight spliced data
First, it's a waste not to call chk_snd() when spliced data are available,
because the pipe can almost always be transferred into the outgoing socket
buffers. Starting from now, when we splice data in, we immediately try to
send them. This results in less pipes used, and possibly less kernel memory
in use at once.

Second, if a pipe cannot be transferred into the outgoing socket buffers,
it means this buffer is full. There's no point trying again then, as space
will almost never be available, resulting in a useless syscall returning
EAGAIN.
2011-12-12 00:03:55 +01:00
Willy Tarreau
007257ebab BUG: ebtree: ebst_lookup() could return the wrong entry
(from ebtree 6.0.7)

Julien Thomas provided a reproducible test case where a string lookup
could return the wrong node. The issue is caused by the jump to a node
which contains less bit in common than the previous node, making the
string_equal_bits() function return -1. We must not remember more bits
than the number on the node, otherwise we can be tempted to trust them
while they can change while running down.

For a valid test case, enter : "0", "WW", "W", "S", and lookup "W".
Previously, "S" was returned.

Note: string-based ebtrees are used in haproxy in ACL, peers and
stick-tables. ACLs are not affected because all patterns are
interchangeable. stick-tables are not affected because lookups are
performed using ebmb_lookup(). Only peers might be affected though
it is not easy to infirm or confirm the issue.

(cherry picked from commit dd47a54103597458887d3cc8414853a541aee9c1)
2011-12-02 17:09:50 +01:00
Willy Tarreau
6258f7b883 CLEANUP: ebtree: remove another typo, a wrong initialization in insertion code
(from ebtree 6.0.7)

root_right was wrongly initialized first to <root> which is not the same
type, to be later initialized to root->b[EB_RGHT].

Let's simply remove the wrong and useless initialization.
(cherry picked from commit e63a0c2f56369b52c4d00221d83c2c4569605c06)
2011-12-02 17:09:50 +01:00
Willy Tarreau
655c84a9f0 CLEANUP: ebtree: remove 4-year old harmless typo in duplicates insertion code
(from ebtree 6.0.7)

This typo has been there since we introduced duplicates. A "struct eb_troot *"
which apparently the compiler doesn't complain about while it is never declared
anywhere. Amazing...

(cherry picked from commit 2879648db5d32cf009ae571cb0e8e1df75152281)
2011-12-02 17:09:50 +01:00
Willy Tarreau
f3bfede52e CLEANUP: ebtree: clarify licence and update to 6.0.6
(from ebtree 6.0.6)

This version is mainly aimed at clarifying the fact that the ebtree license
is LGPL. Some files used to indicate LGPL and other ones GPL, while the goal
clearly is to have it LGPL. A LICENSE file has also been added.

No code is affected, but it's better to have the local tree in sync anyway.

(cherry picked from commit 24dc7cca051f081600fe8232f33e55ed30e88425)
2011-12-02 17:09:49 +01:00
Willy Tarreau
22c0a93c63 CLEANUP: ebtree: remove a few annoying signedness warnings
(from ebtree 6.0.6)

Care has been taken not to make the code bigger (it even got smaller
due to a possible simplification).
(cherry picked from commit 7a2c1df646049c7daac52677ec11ed63048cd150)
2011-12-02 17:09:49 +01:00
Willy Tarreau
f6f8225390 BUG: tcp: option nolinger does not work on backends
Daniel Rankov reported that "option nolinger" is inefficient on backends.
The reason is that it is set on the file descriptor only, which does not
prevent haproxy from performing a clean shutdown() before closing. We must
set the flag on the stream_interface instead if we want an RST to be emitted
upon active close.
2011-11-30 18:06:23 +01:00