8462 Commits

Author SHA1 Message Date
Willy Tarreau
17af419a01 [BUG] acl: srv_id must return no match when the server is NULL
Reported by Hervé Commowick, causes crashes when the server is not known.
2011-02-23 15:32:15 +01:00
Willy Tarreau
dc23a92ee7 [BUG] startup: set the rlimits before binding ports, not after.
As reported by the Loadbalancer.org team, it was not possible to bind
more than 1024 ports. This is because the process' limits were set after
trying to bind the sockets, which defeats their purpose.

This fix must be backported to 1.4 and 1.3.
2011-02-16 11:14:30 +01:00
Willy Tarreau
c8b11090b0 [BUG] cfgparse: correctly count one socket per port in ranges
We used to only count one socket instead of one per listener. This makes
the socket count wrong, preventing from automatically computing the proper
number of sockets to bind.

This fix must be backported to 1.4 and 1.3.
2011-02-16 11:14:29 +01:00
Willy Tarreau
910ef306bc [BUG] http: use correct ACL pointer when evaluating authentication
req_acl was used instead of req_acl_final. As a matter of luck, both
happen to be the same at this point, but this is not granted in the
future.

This fix should be backported to 1.4.
2011-02-13 12:18:22 +01:00
Cyril Bonté
23b39d9859 [MINOR] stats: add support for several packets in stats admin
Some browsers send POST requests in several packets, which was not supported
by the "stats admin" function.

This patch allows to wait for more data when they are not fully received
(we are still limited to a certain size defined by the buffer size minus its
reserved space).
It also adds support for the "Expect: 100-Continue" header.
2011-02-12 13:10:18 +01:00
Willy Tarreau
5c4784f4b8 [BUG] http: update the header list's tail when removing the last header
Stefan Behte reported a strange case where depending on the position of
the Connection header in the header list, some headers added after it
were or were not usable in "balance hdr()". The reason is that when the
last header is removed, the list's tail was not updated, so any header
added after that one was not visible from the list.

This fix must be backported to 1.4 and possibly 1.3.
2011-02-12 13:07:35 +01:00
Andreas Kohn
16171e234b [MINOR] cfgparse: Check whether the path given for the stats socket actually fits into the sockaddr_un structure to avoid truncation.
while working further on the changes to allow for dynamic
adding/removing of backend servers we noticed a potential problem: the
path given for the 'stats socket' global option may get truncated when
copying it into the sockaddr_un.sun_path field.

Attached patch checks the length, and reports an error if truncation
would happen.

This issue was noticed by Joerg Sonnenberger <joerg@NetBSD.org>.
2011-01-23 07:26:05 +01:00
Willy Tarreau
7d286a0f63 [BUILD] frontend: shut a warning with TCP_MAXSEG
src/frontend.c: In function 'frontend_accept':
src/frontend.c:110: warning: pointer targets in passing argument 5 of 'getsockopt' differ in signedness

The argument should be socklen_t and not int.
2011-01-05 19:35:41 +01:00
Rauf Kuliyev
38b4156a69 [MINOR] checks: add PostgreSQL health check
I have written a small patch to enable a correct PostgreSQL health check
It works similar to mysql-check with the very same parameters.

E.g.:
listen pgsql 127.0.0.1:5432
   mode tcp
   option pgsql-check user pgsql
   server masterdb pgsql.server.com:5432 check inter 10000
2011-01-04 15:14:13 +01:00
Willy Tarreau
0013433b09 [MINOR] http: improve url_param pattern extraction to ignore empty values
It's better to avoid sticking on empty parameter values, as this almost
always indicates a missing parameter. Otherwise it's easy to enter a
situation where all new visitors stick to the same server.
2011-01-04 14:57:34 +01:00
Willy Tarreau
a0e5861302 [REVERT] undo the stick-table string key lookup fixes
Revert commits 035da6d1b0c436b85add48bc22120aa814c9cab9 and
f18b5f21bafef909901b7b5cf95625a63e609c75.

These fixes were wrong. They worked but they were fixing the symptom
instead of the root cause of the problem. The real issue was in the
ebtree lookup code and it has been fixed now so these patches are not
needed anymore. It's better not to copy memory blocks when we don't
need to, so let's revert them.
2011-01-04 14:50:49 +01:00
Willy Tarreau
f18b5f21ba [BUG] stick-table: use the private buffer when padding strings
Commit 035da6d1b0c436b85add48bc22120aa814c9cab9 was incorrect as it
could modify a live buffer. We must first ensure that we're on the
private buffer or perform a copy before modifying the data.
2011-01-04 06:29:44 +01:00
Willy Tarreau
5109196275 [BUG] acl: fix handling of empty lines in pattern files
Gabriel Sosa reported that haproxy unexpectedly reports an error
when a pattern file loaded by an ACL contains an empty line. The
test was present but inefficient as it did not consider the '\n'
as the end of the line. This fix relies on the line length instead.

It should be backported to 1.4.
2011-01-03 21:06:32 +01:00
David Cournapeau
16023eef0b [MINOR] http: add pattern extraction method to stick on query string parameter
This is an updated version of my patch for url parameter extraction on
stick table. It adds "url_param(name)" as a possible stick method.
2011-01-03 13:26:02 +01:00
Willy Tarreau
035da6d1b0 [BUG] stick-table: correctly terminate string keys during lookups
If a key to be looked up is extracted from data without being padded
and if it matches the beginning of another stored key, it is not
found in subsequent lookups because it does not end with a zero.

This bug was discovered and diagnosed by David Cournapeau.
2011-01-02 20:12:10 +01:00
Kevinm
48936af9a2 [MINOR] log: ability to override the syslog tag
One of the requirements we have is to run multiple instances of haproxy on a
single host; this is so that we can split the responsibilities (and change
permissions) between product teams. An issue we ran up against is how we
would distinguish between the logs generated by each instance. The solution
we came up with (please let me know if there is a better way) is to override
the application tag written to syslog. We can then configure syslog to write
these to different files.

I have attached a patch adding a global option 'log-tag' to override the
default syslog tag 'haproxy' (actually defaults to argv[0]).
2010-12-30 11:43:36 +01:00
Willy Tarreau
48a7e72c5d [MINOR] tcp: add support for dynamic MSS setting
By passing a negative value to the "mss" argument of "bind" lines, it
becomes possible to subtract this value to the MSS advertised by the
client, which results in segments smaller than advertised. The effect
is useful with some TCP stacks which ACK less often when segments are
not full, because they only ACK every other full segment as suggested
by RFC1122.

NOTE: currently this has no effect on Linux kernel 2.6, a kernel patch
is still required to change the MSS of established connections.
2010-12-30 09:50:23 +01:00
Joe Williams
df5b38fac1 [MINOR] log: add support for passing the forwarded hostname
Haproxy does not include the hostname rather the IP of the machine in
the syslog headers it sends. Unfortunately this means that for each log
line rsyslog does a reverse dns on the client IP and in the case of
non-routable IPs one gets the public hostname not the internal one.

While this is valid according to RFC3164 as one might imagine this is
troublsome if you have some machines with public IPs, internal IPs, no
reverse DNS entries, etc and you want a standardized hostname based log
directory structure. The rfc says the preferred value is the hostname.

This patch adds a global "log-send-hostname" statement which accepts an
optional string to force the host name. If unset, the local host name
is used.
2010-12-29 17:05:48 +01:00
Cyril Bonté
9ea2b9ac75 [BUG] http: fix http-pretend-keepalive and httpclose/tunnel mode
Since haproxy 1.4.9, combining option httpclose and option
http-pretend-keepalive can leave the connections opened until the backend
keep-alive timeout is reached, providing bad performances.
The same can occur when the proxy is in tunnel mode.

This patch ensures that the server side connection is closed after the
response and ignore http-pretend-keepalive in tunnel mode.
2010-12-29 15:24:48 +01:00
Willy Tarreau
b89cfca494 [BUG] session: release slot before processing pending connections
When a connection error is encountered on a server and the server's
connection pool is full, pending connections are not woken up because
the current connection is still accounted for on the server, so it
still appears full. This becomes visible on a server which has
"maxconn 1" because the pending connections will only be able to
expire in the queue.

Now we take care of releasing our current connection before trying to
offer it to another pending request, so that the server can accept a
next connection.

This patch should be backported to 1.4.
2010-12-29 14:38:29 +01:00
Willy Tarreau
32d3ee99ee [CRITICAL] session: correctly leave turn-around and queue states on abort
When a client connection aborts while the server-side connection is in
turn-around after a failed connection attempt, the turn-around timeout
is reset in shutw() but the state is not changed. The session then
remains stuck in this state forever. Change the QUE and TAR states to
DIS just as we do for CER to fix this.

This patch should be backported to 1.4.
2010-12-29 14:38:15 +01:00
Willy Tarreau
ed2fd2daea [BUG] http: fix incorrect error reporting during data transfers
We've had several issues related to data transfers. First, if a
client aborted an upload before the server started to respond, it
would get a 502 followed by a 400. The same was true (in the other
way around) if the server suddenly aborted while the client was
uploading the data.

The flags reported in the logs were misleading. Request errors could
be reported while the transfer was stopped during the data phase. The
status codes could also be overwritten by a 400 eventhough the start
of the response was transferred to the client.

The stats were also wrong in case of data aborts. The server or the
client could sometimes be miscredited for being the author of the
abort depending on where the abort was detected. Some client aborts
could also be accounted as request errors and some server aborts as
response errors.

Now it seems like all such issues are fixed. Since we don't have a
specific state for data flowing from the client to the server
before the server responds, we're still counting the client aborted
transfers as "CH", and they become "CD" when the server starts to
respond. Ideally a "P" state would be desired.

This patch should be backported to 1.4.
2010-12-29 13:55:32 +01:00
Willy Tarreau
9c3bc229ec [CLEANUP] frontend: only apply TCP-specific settings to TCP/TCP6 sockets
It's useless to apply keep-alive or lingering to non-TCP sockets.
2010-12-24 14:49:37 +01:00
Willy Tarreau
0499e3575c [BUG] http: analyser optimizations broke pipelining
HTTP pipelining currently needs to monitor the response buffer to wait
for some free space to be able to send a response. It was not possible
for the HTTP analyser to be called based on response buffer activity.
Now we introduce a new buffer flag BF_WAKE_ONCE which is set when the
HTTP request analyser is set on the response buffer and some activity
is detected. This is not clean at all but once of the only ways to fix
the issue before we make it possible to register events for analysers.

Also it appeared that one realign condition did not cover all cases.
2010-12-17 07:15:57 +01:00
Hervé COMMOWICK
35ed8019e3 [MINOR] acl: add be_id/srv_id to match backend's and server's id
These ones can be useful in responses.
2010-12-15 23:36:59 +01:00
Cyril Bonté
02ff8ef677 [MINOR] add warnings on features not compatible with multi-process mode
Using haproxy in multi-process mode (nbproc > 1), some features can be
not fully compatible or not work at all. haproxy will now display a warning on
startup for :
- appsession
- sticking rules
- stats / stats admin
- stats socket
- peers (fatal error in that case)
2010-12-15 07:28:11 +01:00
Willy Tarreau
10479e4bac [MINOR] stats: add global event ID and count
This counter will help quickly spot whether there are new errors or not.
It is also assigned to each capture so that a script can keep trace of
which capture was taken when.
2010-12-12 14:00:34 +01:00
Willy Tarreau
e1582eb7f6 [MINOR] http: capture incorrectly chunked message bodies
It is possible to block on incorrectly chunked requests or responses,
but this becomes very hard to debug when it happens once in a while.
This patch adds the ability to also capture incorrectly chunked requests
and responses. The chunk will appear in the error buffer and will be
verifiable with the usual "show errors". The incorrect byte will match
the error location.
2010-12-12 13:10:11 +01:00
Willy Tarreau
81f2fb97fe [MINOR] http: support wrapping messages in error captures
Error captures did only support contiguous messages. This is annoying
for capturing chunking errors, so let's ensure the function is able to
copy wrapped messages.
2010-12-12 13:09:08 +01:00
Willy Tarreau
798e128a4d [BUG] stream_interface: truncate buffers when sending error messages
When an error message is returned to a client, all buffer contents
were left intact. Since the analysers were removed, the potentially
invalid data that were read had a chance to be sent too.

Now we ensure we only keep the already scheduled data in the buffer
and we truncate it after that. That means that responses with data
that must be blocked will really be blocked, and that incorrectly
chunked data will be stopped at the point where the chunking fails.
2010-12-12 13:06:00 +01:00
Willy Tarreau
3fe693b4d6 [BUG] http chunking: don't report a parsing error on connection errors
When haproxy parses chunk-encoded data that are scheduled to be sent, it is
possible that the other end is closed (mainly due to a client abort returning
as an error). The message state thus changes to HTTP_MSG_ERROR and the error
is reported as a chunk parsing error ("PD--") while it is not. Detect this
case before setting the flags and set the appropriate flag in this case.
2010-12-12 12:50:05 +01:00
Willy Tarreau
078272e115 [MINOR] stats: report HTTP message state and buffer flags in error dumps
Debugging parsing errors can be greatly improved if we know what the parser
state was and what the buffer flags were (especially for closed inputs/outputs
and full buffers). Let's add that to the error snapshots.
2010-12-12 12:46:33 +01:00
Willy Tarreau
57f5c12c04 [OPTIM] http: don't send each chunk in a separate packet
When forwarding chunk-encoded data, each chunk gets a TCP PUSH flag when
going onto the wire simply because the send() function does not know that
some data remain after it (next chunk). Now we set the BF_EXPECT_MORE flag
on the buffer if the chunk size is not null. That way we can reduce the
number of packets sent, which is particularly noticeable when forwarding
compressed data, especially as it requires less ACKs from the client.
2010-12-02 00:39:33 +01:00
Willy Tarreau
342b11c4d4 [BUG] http: do not re-enable the PROXY analyser on keep-alive
The PROXY analyser is connection-oriented and must only be set once. When
an HTTP transaction is done, we must not re-enable it.
2010-11-29 07:32:02 +01:00
Willy Tarreau
798a39cdc9 [MEDIUM] hash: add support for an 'avalanche' hash-type
When the number of servers is a multiple of the size of the input set,
map-based hash can be inefficient. This typically happens with 64
servers when doing URI hashing. The "avalanche" hash-type applies an
avalanche hash before performing a map lookup in order to smooth the
distribution. The result is slightly less smooth than the map for small
numbers of servers, but still better than the consistent hashing.
2010-11-29 07:28:16 +01:00
Willy Tarreau
4c14eaa0d4 [CLEANUP] hash: move the avalanche hash code globally available
We'll use this hash at other places, let's make it globally available.
The function has also been renamed because its "chash_hash" name was
not appropriate.
2010-11-29 07:28:16 +01:00
Willy Tarreau
26db59ea6b [BUG] http: correctly update the header list when removing two consecutive headers
When a header is removed, the previous header's next pointer is updated
to reflect the next of the current header. However, when cycling through
the loop, we update the prev pointer to point to the deleted header, which
means that if we delete another header, it's the deleted header's next
pointer that will be updated, leaving the deleted header in the list with
a null length, which is forbidden.

We must just not update the prev pointer after a removal.

This bug was present when either "reqdel" and "rspdel" removed two consecutive
headers. It could also occur when removing cookies in either requests or
responses, but since headers were the last header processing, the issue
remained unnoticed.

Issue reported by Hank A. Paulson.

This fix must be ported to 1.4 and possibly 1.3.
2010-11-28 07:06:23 +01:00
Willy Tarreau
b810554f8f [CRITICAL] cookies: mixing cookies in indirect mode and appsession can crash the process
Cookies in indirect mode are removed from the cookie header. Three pointers
ought to be updated when appsession cookies are processed next, but were not.
The result is that a memcpy() can be called with a negative value causing the
process to crash. It is not sure whether this can be remotely exploited or not.
(cherry picked from commit c5f3749aa3ccfdebc4992854ea79823d26f66213)
2010-11-28 07:06:22 +01:00
Willy Tarreau
77eb9b8a2d [BUG] appsession: fix possible double free in case of out of memory
In out of memory conditions, the ->destroy function would free all
possibly allocated pools from the current appsession, including those
that were not yet allocated nor assigned, which used to point to a
previous allocation, obviously resulting in a segfault.
(cherry picked from commit 75eae485921d3a6ce197915c769673834ecbfa5c)
2010-11-19 13:25:11 +01:00
Willy Tarreau
f70fc75296 [BUG] capture: do not capture a cookie if there is no memory left
In case of out of memory, it was possible to write to a null pointer
when capturing response cookies due to a missing "else" block. The
request handling was fine though.
(cherry picked from commit 62e3604d7dd27741c0b4c9e27d9e7c73495dfc32)
2010-11-19 13:25:11 +01:00
Willy Tarreau
e79c3b24fb [BUG] debug: report the correct poller list in verbose mode
When running with -vv or -V -d, the list of usable polling systems
is reported. The final selection did not take into account the
possible failures during the tests, which is misleading and could
make one think that a non-working poller will be used, while it is
not the case. Fix that to really report the correct ones.
(cherry picked from commit 6d0e354e0171f08b7b3868ad2882c3663bd068a7)
2010-11-19 13:25:10 +01:00
Cyril Bonté
1f5848a460 [CLEANUP] unix sockets : move create_uxst_socket() in uxst_bind_listener()
The code of create_uxst_socket() is moved in uxst_bind_listener() so that we
don't need to pass a lot of parameters, as it was only called there.
2010-11-14 17:21:44 +01:00
Cyril Bonté
e4cbbe2a0e [MINOR] unix sockets : inherits the backlog size from the listener
Since unix sockets are supported for bind, the default backlog size was not
enough to accept the traffic. The size is now inherited from the listener
to behave like the tcp listeners.

This also affects the "stats socket" backlog, which is now determined by
"stats maxconn".
2010-11-14 17:21:31 +01:00
Willy Tarreau
48d84c10b5 [OPTIM] linux: add support for bypassing libc to force using vsyscalls
Some distros' libc are built for CPUs earlier than i686 and as such do
not offer support for Linux kernel's faster vsyscalls. This code adds
a new build option USE_VSYSCALLS to bypass libc for most commonly used
system calls. A net gain of about 10% can be observed with this change
alone.

It only works when /proc/sys/abi/vsyscall32 equals exactly 2. When it's
set to 1, the VDSO is randomized and cannot be used.
2010-11-14 17:09:33 +01:00
Willy Tarreau
11f49408f2 [OPTIM] stream_sock: don't clear FDs that are already cleared
We can on average two calls to __fd_clr() per session by avoiding to
call it unnecessarily.
2010-11-11 23:08:17 +01:00
Willy Tarreau
2f976e18b8 [OPTIM] session: don't recheck analysers when buffer flags have not changed
Analysers were re-evaluated when some flags were still present in the
buffers, even if they had not changed since previous pass, resulting
in a waste of CPU cycles.

Ensuring that the flags have changed has saved some useless calls :

  function            min calls per session (before -> after)

  http_request_forward_body       5 -> 4
  http_response_forward_body      3 -> 2
  http_sync_req_state            10 -> 8
  http_sync_res_state             8 -> 6
  http_resync_states              8 -> 6
2010-11-11 14:28:47 +01:00
Willy Tarreau
abe8ea5c1d [BUG] accept: don't close twice upon error
The stream_sock's accept() used to close the FD upon error, but this
was also sometimes performed by the frontend's accept() called via the
session's accept(). Those interlaced calls were also responsible for the
spaghetti-looking error unrolling code in session.c and stream_sock.c.

Now the frontend must not close the FD anymore, the session is responsible
for that. It also takes care of just closing the FD or also removing from
the FD lists, depending on its state. The socket-level accept() does not
have to care about that anymore.
2010-11-11 11:05:20 +01:00
Willy Tarreau
bd55e3167b [BUILD] peers: shut a printf format warning (key_size is a size_t)
Also fix a few misleading comments.
2010-11-11 11:05:04 +01:00
Willy Tarreau
fffe1325df [CLEANUP] accept: replace some inappropriate Alert() calls with send_log()
Some Alert() messages were remaining in the accept() path, which they
would have no chance to be detected. Remove some of them (the impossible
ones) and replace the relevant ones with send_log() so that the admin
has a chance to catch them.
2010-11-11 09:51:38 +01:00
Emeric Brun
5a8c0a9f52 [MEDIUM] Manage soft stop on peers proxy 2010-11-11 09:29:08 +01:00