As reported in github issue #3192, in certain situations with transparent listeners, it is possible to get the incoming connection's destination wrong via SO_ORIGINAL_DST. Two cases were identified thus far:

- incorrect conntrack configuration where NOTRACK is used only on incoming packets, resulting in reverse connections being created from response packets. It's then mostly a matter of timing, i.e. whether or not the connection is confirmed before the source is retrieved, but in this case the connection's destination address as retrieved by SO_ORIGINAL_DST is the client's address.

- late outgoing retransmit that recreates a just-expired conntrack entry, in reverse direction as well. It's possible that combinations of RST or FIN might play a role here in speeding up conntrack eviction, as well as the rollover of source ports on the client whose new connection matches an older one and simply refreshes it due to nf_conntrack_tcp_loose being set by default.

TPROXY doesn't require conntrack; only REDIRECT, DNAT etc. do. However, the system doesn't offer any option to know how a conntrack entry was created (i.e. normally or via a response packet) to let us know that it's pointless to check the original destination, nor does it permit accessing the local vs peer addresses as opposed to src/dst, which can be wrong in this case.

One alternate approach could consist in only checking SO_ORIGINAL_DST for listening sockets not configured with the "transparent" option, but the problem here is that our low-level API only works with FDs without knowing their purpose, so it's unknown there that the fd corresponds to a listener, let alone one in transparent mode. A (slightly more expensive) variant of this approach consists in checking on the socket itself that it was accepted in transparent mode using IP_TRANSPARENT, and skipping SO_ORIGINAL_DST if this is the case. This does the job well enough (no more client addresses appearing in the dst field) and remains a good compromise.

A future improvement of the API could permit passing the transparent flag down the stack to that function.

This should be backported to stable versions after some observation in latest -dev.

For reference, here are some links to older conversations on that topic that Lukas found during this analysis:
  https://lists.openwall.net/netdev/2019/01/12/34
  https://discourse.haproxy.org/t/send-proxy-not-modifying-some-traffic-with-proxy-ip-port-details/3336/9
  https://www.mail-archive.com/haproxy@formilux.org/msg32199.html
  https://lists.openwall.net/netdev/2019/01/23/114
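The check the commit describes, written out as an added standalone example (this is illustration code, not HAProxy's own implementation): query IP_TRANSPARENT on the accepted socket, and only consult SO_ORIGINAL_DST when the option is off, otherwise take the local address from getsockname(). The function names conn_get_dst(), socket_is_transparent() and check_local_socket() are the example's own; it assumes Linux IPv4 TCP sockets and defines the option numbers itself so it still compiles (and falls through to getsockname()) where the headers lack them.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Linux option numbers, with fallbacks so the file also builds where the
 * headers do not define them; the getsockopt() calls then simply fail and
 * the code falls back to getsockname(). */
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19      /* value from <netinet/in.h> on glibc */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80     /* value from <linux/netfilter_ipv4.h> */
#endif

enum dst_source {
    DST_NONE = -1,             /* nothing could be retrieved */
    DST_FROM_SOCKNAME = 0,     /* local address of the accepted socket */
    DST_FROM_ORIGINAL_DST = 1  /* conntrack's pre-NAT destination */
};

/* 1 if IP_TRANSPARENT is set on the socket (accepted sockets inherit it from
 * a transparent listener), 0 otherwise or if the option cannot be queried. */
int socket_is_transparent(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);

    if (getsockopt(fd, SOL_IP, IP_TRANSPARENT, &val, &len) != 0)
        return 0;
    return val != 0;
}

/* Destination of an accepted IPv4 TCP connection. On a transparent socket
 * the local address already is the client's real destination, while
 * SO_ORIGINAL_DST may hand back a conntrack entry created in the reverse
 * direction (the client's address), so it is skipped. Non-transparent
 * sockets keep SO_ORIGINAL_DST (REDIRECT/DNAT need it) and fall back to
 * getsockname() when conntrack has no entry for the socket. */
enum dst_source conn_get_dst(int fd, struct sockaddr_storage *ss, socklen_t *sslen)
{
    socklen_t len;

    if (!socket_is_transparent(fd)) {
        struct sockaddr_in orig;

        len = sizeof(orig);
        if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &orig, &len) == 0 &&
            len == sizeof(orig) && orig.sin_family == AF_INET) {
            memcpy(ss, &orig, sizeof(orig));
            *sslen = sizeof(orig);
            return DST_FROM_ORIGINAL_DST;
        }
    }

    len = sizeof(*ss);
    if (getsockname(fd, (struct sockaddr *)ss, &len) != 0)
        return DST_NONE;
    *sslen = len;
    return DST_FROM_SOCKNAME;
}

/* Self-check: bind a TCP socket to 127.0.0.1 on an ephemeral port, optionally
 * mark it transparent, and verify conn_get_dst() returns that same address.
 * Returns the enum dst_source that was used, -2 if the socket could not be
 * set up, or -3 if IP_TRANSPARENT was refused (needs CAP_NET_ADMIN or
 * CAP_NET_RAW on Linux; always refused elsewhere). */
int check_local_socket(int transparent)
{
    int fd, one = 1, ret;
    struct sockaddr_in sin, bound;
    struct sockaddr_storage ss;
    socklen_t len = sizeof(bound), sslen = 0;

    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -2;
    if (transparent && setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) != 0) {
        close(fd);
        return -3;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;  /* kernel picks the port */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0 ||
        getsockname(fd, (struct sockaddr *)&bound, &len) != 0) {
        close(fd);
        return -2;
    }
    ret = conn_get_dst(fd, &ss, &sslen);
    close(fd);
    /* whichever source was used, the result must be the address we bound */
    if (ret >= 0 && (ss.ss_family != AF_INET ||
        ((struct sockaddr_in *)&ss)->sin_port != bound.sin_port ||
        ((struct sockaddr_in *)&ss)->sin_addr.s_addr != bound.sin_addr.s_addr))
        return DST_NONE;
    return ret;
}

int main(void)
{
    printf("plain socket: dst source %d\n", check_local_socket(0));
    printf("IP_TRANSPARENT socket: dst source %d (-3 = option refused)\n", check_local_socket(1));
    return 0;
}
```

Only IPv4 is covered: an IPv6 accepted socket would need IPV6_TRANSPARENT on SOL_IPV6 and the IPv6 variant of the original-destination option instead. Note also that the self-check exercises an unconnected socket, so SO_ORIGINAL_DST cannot match a conntrack entry and the non-transparent path ends up at getsockname(); on a real REDIRECTed connection it would return the pre-NAT destination.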
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located in the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.
