2565 Commits

Author SHA1 Message Date
Willy Tarreau
4348fad1c1 MAJOR: listeners: use dual-linked lists to chain listeners with frontends
Navigating through listeners was very inconvenient and error-prone. Not to
mention that listeners were linked in reverse order and reverted afterwards.
In order to definitely get rid of these issues, we now do the following :
  - frontends have a dual-linked list of bind_conf
  - frontends have a dual-linked list of listeners
  - bind_conf have a dual-linked list of listeners
  - listeners have a pointer to their bind_conf

This way we can now navigate from anywhere to anywhere and always find the
proper bind_conf for a given listener, as well as find the list of listeners
for a current bind_conf.
2012-09-20 16:48:07 +02:00
Willy Tarreau
81a8117b41 MINOR: config: set the bind_conf entry on listeners created from a "listen" line.
Otherwise we would risk a segfault when checking the config's validity
(eg: when looking for conflicts on ID assignments).

Note that the same issue exists with peers_fe and the global stats_fe. All
listeners should be reviewed and simplified to use a compatible declaration
mode.
2012-09-18 20:56:12 +02:00
Willy Tarreau
a020fbd593 MINOR: stats: fill the file and line numbers in the stats frontend
The stats frontend struct has config file and line which were not set.
They're not used right now but better fill them correctly anyway.
2012-09-18 20:05:00 +02:00
Willy Tarreau
28a47d6408 MINOR: config: pass the file and line to config keyword parsers
This will be needed when we need to create bind config settings.
2012-09-18 20:02:48 +02:00
Willy Tarreau
51fb7651c4 MINOR: listener: add a scope field in the bind keyword lists
This scope is used to report what the keywords are used for (eg: TCP,
UNIX, ...). It is now reported by bind_dump_kws().
2012-09-18 18:27:14 +02:00
Willy Tarreau
8638f4850f MEDIUM: config: enumerate full list of registered "bind" keywords upon error
When an unknown "bind" keyword is detected, dump the list of all
registered keywords. Unsupported default alternatives are also reported
as "not supported".
2012-09-18 18:27:14 +02:00
Willy Tarreau
d0a895d25f MEDIUM: config: move all unix-specific bind keywords to proto_uxst.c
The "mode", "uid", "gid", "user" and "group" bind options were moved to
proto_uxst as they are unix-specific.

Note that previous versions had a bug here, only the last listener was
updated with the specified settings. However, it almost never happens
that bind lines contain multiple UNIX socket paths so this is not that
much of a problem anyway.
2012-09-18 18:26:08 +02:00
Willy Tarreau
3dcc341720 MEDIUM: config: move the common "bind" settings to listener.c
These ones are better placed in listener.c than in cfgparse.c, by relying
on the bind keyword registration subsystem.
2012-09-18 17:17:28 +02:00
Willy Tarreau
dda322dec0 MINOR: config: improve error reporting for "bind" lines
We now report the bind argument, which was missing in all error reports. It
is now much more convenient to spot configuration mistakes.
2012-09-18 16:34:09 +02:00
Willy Tarreau
79eeafacb4 MEDIUM: move bind SSL parsing to ssl_sock
Registering new SSL bind keywords was not particularly handy as it required
many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls
a register function for all the keywords.

Error reporting was also improved by this move, because the called functions
build an error message using memprintf(), which can span multiple lines if
needed, and each of these errors will be displayed indented in the context of
the bind line being processed. This is important when dealing with certificate
directories which can report multiple errors.
2012-09-18 16:20:01 +02:00
Willy Tarreau
4479124cda MEDIUM: config: move the "bind" TCP parameters to proto_tcp
Now proto_tcp.c is responsible for the 4 settings it handles :
  - defer-accept
  - interface
  - mss
  - transparent

These ones do not need to be handled in cfgparse anymore. If support for a
setting is disabled by a missing build option, then cfgparse correctly
reports :

  [ALERT] 255/232700 (2701) : parsing [echo.cfg:114] : 'bind' : 'transparent' option is not implemented in this version (check build options).
2012-09-15 22:33:16 +02:00
Willy Tarreau
269826659d MEDIUM: listener: add a minimal framework to register "bind" keyword options
With the arrival of SSL, the "bind" keyword has received even more options,
all of which are processed in cfgparse in a cumbersome way. So it's time to
let modules register their own bind options. This is done very similarly to
the ACLs with a small difference in that we make the difference between an
unknown option and a known, unimplemented option.
2012-09-15 22:33:08 +02:00
Willy Tarreau
88500de69e CLEANUP: listener: remove unused conf->file and conf->line
These ones are already in bind_conf.
2012-09-15 22:29:33 +02:00
Willy Tarreau
2a65ff014e MEDIUM: config: replace ssl_conf by bind_conf
Some settings need to be merged per-bind config line and are not necessarily
SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific,
so let's replace it with something more generic.
2012-09-15 22:29:33 +02:00
Willy Tarreau
d1d5454180 REORG: split "protocols" files into protocol and listener
It was becoming confusing to have protocols and listeners in the same
files, split them.
2012-09-15 22:29:32 +02:00
Willy Tarreau
21c705b0f8 MINOR: config: add a function to indent error messages
Bind parsers may return multiple errors, so let's make use of a new function
to re-indent multi-line error messages so that they're all reported in their
context.
2012-09-15 22:29:27 +02:00
Willy Tarreau
3e394c903f BUG/MAJOR: ssl: missing tests in ACL fetch functions
Baptiste Assmann observed a crash of 1.5-dev12 occuring when the ssl_sni
fetch was used with no SNI on the input connection and without a prior
has_sni check. A code review revealed several issues :
   1) it was possible to call the has_sni and ssl_sni fetch functions with
      a NULL data_ctx if the handshake fails or if the connection is aborted
      during the handshake.
   2) when no SNI is present, strlen() was called with a NULL parameter in
      smp_fetch_ssl_sni().
2012-09-15 08:57:46 +02:00
Willy Tarreau
2e1dca8f52 MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
For instance :

   redirect scheme https if !{ is_ssl }
2012-09-12 08:43:15 +02:00
Willy Tarreau
69845dfcf3 DOC: add a special acknowledgement for the stud project
Really, the quality of their code deserves it, it would have been much
harder to figure how to get all the things right at once without looking
there from time to time !
2012-09-10 09:44:59 +02:00
Willy Tarreau
7875d0967f MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_*
This allows SNI presence and value to be checked on incoming SSL connections.
It is usable both for ACLs and stick tables.
2012-09-10 09:27:02 +02:00
Willy Tarreau
1ee0e302a1 BUILD: report openssl build settings in haproxy -vv
Since it's common enough to discover that some config options are not
supported due to some openssl version or build options, we report the
relevant ones in "haproxy -vv".
2012-09-10 09:27:02 +02:00
Emeric Brun
fc0421fde9 MEDIUM: ssl: add support for SNI and wildcard certificates
A side effect of this change is that the "ssl" keyword on "bind" lines is now
just a boolean and that "crt" is needed to designate certificate files or
directories.

Note that much refcounting was needed to have the free() work correctly due to
the number of cert aliases which can make a context be shared by multiple names.
2012-09-10 09:27:02 +02:00
Willy Tarreau
f5ae8f7637 MEDIUM: config: centralize handling of SSL config per bind line
SSL config holds many parameters which are per bind line and not per
listener. Let's use a per-bind line config instead of having it
replicated for each listener.

At the moment we only do this for the SSL part but this should probably
evolved to handle more of the configuration and maybe even the state per
bind line.
2012-09-08 08:31:50 +02:00
Willy Tarreau
aa52bef622 BUILD: shut a gcc warning introduced by commit 269ab31
Usual warning on unchecked write() on which no operation is possible.
2012-09-08 08:24:51 +02:00
Willy Tarreau
50acaaae5e MINOR: config: make the tasks "nice" value configurable on "bind" lines.
This is very convenient to reduce SSL processing priority compared to
other traffic. This applies to CPU usage only, but has a direct impact
on latency under congestion.
2012-09-06 14:28:58 +02:00
Willy Tarreau
58363cf193 MEDIUM: connection: improve error handling around the data layer
Better avoid calling the data functions upon error or handshake than
having to put conditions everywhere, which are too easy to forget (one
check for CO_FL_ERROR was missing, but this was harmless).
2012-09-06 14:12:03 +02:00
Willy Tarreau
184636e3e7 BUG: tcp: close socket fd upon connect error
When the data layer fails to initialize (eg: out of memory for SSL), we
must close the socket fd we just allocated.
2012-09-06 14:04:41 +02:00
Willy Tarreau
403edff4b8 MEDIUM: config: implement maxsslconn in the global section
SSL connections take a huge amount of memory, and unfortunately openssl
does not check malloc() returns and easily segfaults when too many
connections are used.

The only solution against this is to provide a global maxsslconn setting
to reject SSL connections above the limit in order to avoid reaching
unsafe limits.
2012-09-06 12:10:43 +02:00
Willy Tarreau
cbaaec475c MINOR: session: do not send an HTTP/500 error on SSL sockets
If a session fails its initialization, we don't want to send HTTP/500
over the socket if it's not a raw data layer.
2012-09-06 11:32:07 +02:00
Willy Tarreau
32368ceba4 MEDIUM: config: support per-listener backlog and maxconn
With SSL, connections are much more expensive, so it is important to be
able to limit concurrent connections per listener in order to limit the
memory usage.
2012-09-06 11:10:55 +02:00
Willy Tarreau
269ab318ef BUG/MEDIUM: workaround an eglibc bug which truncates the pidfiles when nbproc > 1
Thomas Heil reported that when using nbproc > 1, his pidfiles were
regularly truncated. The issue could be tracked down to the presence
of a call to lseek(pidfile, 0, SEEK_SET) just before the close() call
in the children, resulting in the file being truncated by the children
while the parent was feeding it. This unexpected lseek() is transparently
performed by fclose().

Since there is no way to have the file automatically closed during the
fork, the only solution is to bypass the libc and use open/write/close
instead of fprintf() and fclose().

The issue was observed on eglibc 2.15.
2012-09-05 15:04:20 +02:00
Willy Tarreau
ee2e3a4027 BUILD: ssl: use MAP_ANON instead of MAP_ANONYMOUS
FreeBSD uses the former, Linux uses the latter but generally also
defines the former as an alias of the latter. Just checked on other
OSes and AIX defines both. So better use MAP_ANON which seems to be
more commonly defined.
2012-09-04 15:45:21 +02:00
David BERARD
e566ecbea8 MEDIUM: ssl: add support for prefer-server-ciphers option
I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to frontend, if the 'prefer-server-ciphers' keyword is set.

Example :
	bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigate the effect of the BEAST Attack (as I understand), and it
equivalent to :
	- Apache HTTPd SSLHonorCipherOrder option.
	- Nginx ssl_prefer_server_ciphers option.

[WT: added a test for the support of the option]
2012-09-04 15:35:32 +02:00
Willy Tarreau
ff9f7698fc BUILD: fix build error without SSL (ssl_cert)
One last-minute optimization broke the build without SSL support.
Move ssl_cert out of the #ifdef/#endif and it's OK.
2012-09-04 15:13:20 +02:00
Willy Tarreau
18b2059a75 BUILD: ssl: fix shctx build on RHEL with futex
On RHEL/CentOS, linux/futex.h uses an u32 type which is never declared
anywhere. Let's set it with a #define in order to fix the issue without
causing conflicts with possible typedefs on other platforms.
2012-09-04 12:26:26 +02:00
Willy Tarreau
783f25800c BUILD: http: rename error_message http_error_message to fix conflicts on RHEL
Duncan Hall reported a build issue on CentOS where error_message conflicts
with another system declaration when SSL is enabled. Rename the function.
2012-09-04 12:19:04 +02:00
Willy Tarreau
0573747da0 BUG: ssl: mark the connection as waiting for an SSL connection during the handshake
The WAIT_L6_CONN was designed especially to ensure that the connection
was not marked ready before the SSL layer was OK, but we forgot to set
the flag, resulting in a rejected handshake when ssl was combined with
accept-proxy because accept-proxy would validate the connection alone
and the SSL handshake would then believe in a client-initiated reneg
and kill it.
2012-09-04 08:03:39 +02:00
Willy Tarreau
c230b8bfb6 MEDIUM: config: add "nosslv3" and "notlsv1" on bind and server lines
This is aimed at disabling SSLv3 and TLSv1 respectively. SSLv2 is always
disabled. This can be used in some situations where one version looks more
suitable than the other.
2012-09-03 23:55:16 +02:00
Willy Tarreau
d7aacbffcb MEDIUM: config: add a "ciphers" keyword to set SSL cipher suites
This is supported for both servers and listeners. The cipher suite
simply follows the "ciphers" keyword.
2012-09-03 23:43:25 +02:00
Emeric Brun
fc32acafcd MINOR: ssl add global setting tune.sslcachesize to set SSL session cache size.
This new global setting allows the user to change the SSL cache size in
number of sessions. It defaults to 20000.
2012-09-03 22:36:33 +02:00
Emeric Brun
aa35f1fad7 MEDIUM: ssl: replace OpenSSL's session cache with the shared cache
OpenSSL's session cache is now totally disabled and we use our own
implementation instead.
2012-09-03 22:36:33 +02:00
Emeric Brun
3e541d1c03 MEDIUM: ssl: add shared memory session cache implementation.
This SSL session cache was developped at Exceliance and is the same that
was proposed for stunnel and stud. It makes use of a shared memory area
between the processes so that sessions can be handled by any process. It
is only useful when haproxy runs with nbproc > 1, but it does not hurt
performance at all with nbproc = 1. The aim is to totally replace OpenSSL's
internal cache.

The cache is optimized for Linux >= 2.6 and specifically for x86 platforms.
On Linux/x86, it makes use of futexes for inter-process locking, with some
x86 assembly for the locked instructions. On other architectures, GCC
builtins are used instead, which are available starting from gcc 4.1.

On other operating systems, the locks fall back to pthread mutexes so
libpthread is automatically linked. It is not recommended since pthreads
are much slower than futexes. The lib is only linked if SSL is enabled.
2012-09-03 22:36:33 +02:00
Willy Tarreau
fbac6638c1 MINOR: ssl: disable TCP quick-ack by default on SSL listeners
Since the SSL handshake involves an immediate reply from the server
to the client, there's no point responding with a quick-ack before
sending the data, so disable quick-ack by default, just as it is done
for HTTP.

This shows a 2-2.5% transaction rate increase on a dual-core atom.
2012-09-03 22:36:27 +02:00
Emeric Brun
e1f38dbb44 MEDIUM: ssl: protect against client-initiated renegociation
CVE-2009-3555 suggests that client-initiated renegociation should be
prevented in the middle of data. The workaround here consists in having
the SSL layer notify our callback about a handshake occurring, which in
turn causes the connection to be marked in the error state if it was
already considered established (which means if a previous handshake was
completed). The result is that the connection with the client is immediately
aborted and any pending data are dropped.
2012-09-03 22:03:17 +02:00
Emeric Brun
01f8e2f61b MEDIUM: config: add support for the 'ssl' option on 'server' lines
This option currently takes no option and simply turns SSL on for all
connections going to the server. It is likely that more options will
be needed in the future.
2012-09-03 22:02:21 +02:00
Emeric Brun
6e159299f1 MEDIUM: config: add the 'ssl' keyword on 'bind' lines
"bind" now supports "ssl" followed by a PEM cert+key file name.
2012-09-03 20:49:14 +02:00
Emeric Brun
4659195e31 MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer
This data layer supports socket-to-buffer and buffer-to-socket operations.
No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does
not provide any benefit with data transformation. At best it could save a
memcpy() and avoid keeping a buffer allocated but that does not seem very
useful.

An init function and a close function are provided because the SSL context
needs to be allocated/freed.

A data-layer shutw() function is also provided because upon successful
shutdown, we want to store the SSL context in the cache in order to reuse
it for future connections and avoid a new key generation.

The handshake function is directly called from the connection handler.
At this point it is not certain whether this will remain this way or
if a new ->handshake callback will be added to the data layer so that
the connection handler doesn't care about SSL.

The sock-to-buf and buf-to-sock functions are all capable of enabling
the SSL handshake at any time. This also implies polling in the opposite
direction to what was expected. The upper layers must take that into
account (it is OK right now with the stream interface).
2012-09-03 20:49:14 +02:00
Willy Tarreau
dd2f85eb3b CLEANUP: includes: fix includes for a number of users of fd.h
It appears that fd.h includes a number of unneeded files and was
included from standard.h, and as such served as an intermediary
to provide almost everything to everyone.

By removing its useless includes, a long dependency chain broke
but could easily be fixed.
2012-09-03 20:49:14 +02:00
Willy Tarreau
45dab73788 CLEANUP: fdtab: flatten the struct and merge the spec struct with the rest
The "spec" sub-struct was using 8 bytes for only 5 needed. There is no
reason to keep it as a struct, it doesn't bring any value. By flattening
it, we can merge the single byte with the next single byte, resulting in
an immediate saving of 4 bytes (20%). Interestingly, tests have shown a
steady performance gain of 0.6% after this change, which can possibly be
attributed to a more cache-line friendly struct.
2012-09-03 20:49:14 +02:00
Willy Tarreau
40ff59d820 CLEANUP: fd: remove fdtab->flags
These flags were added for TCP_CORK. They were only set at various places
but never checked by any user since TCP_CORK was replaced with MSG_MORE.
Simply get rid of this now.
2012-09-03 20:49:14 +02:00