IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The appctx owner is now always a conn-stream. Thus, it can be set during the
appctx allocation. But, to do so, the conn-stream must be created first. It
is not a problem on the server side because the conn-stream is created with
the stream. On the client side, we must take care to create the conn-stream
first.
This change should ease other changes about the applets bootstrapping.
This patch is mandatory to invert the endpoint and the context in the
conn-stream. There is no common type (at least for now) for the entity
representing a mux (h1s, h2s...), thus we must set its type when the
endpoint is attached to a conn-stream. There is 2 types for the conn-stream
endpoints: the mux (CS_FL_ENDP_MUX) and the applet (CS_FL_ENDP_APP).
For now there is no much change. Only the appctx is passed as argument when
the .init callback function is called. And it is not possible to yield at
this stage. It is not a problem because the feature is not used. Only the
lua defines this callback function for the lua TCP/HTTP services. The idea
is to be able to use it for all applets to initialize the appctx context.
cs_free() must not be called when we fail to allocate the conn-stream in
h1s_new_cs() function. This bug was introduced by the commit cda94accb
("MAJOR: stream/conn_stream: Move the stream-interface into the
conn-stream").
It is 2.6-specific, no backport is needed.
It was mentioned in issue #12 that expired entries would appear with a
negative expire delay in "show cache". Instead of listing them, let's
just evict them.
This could be backported to all versions since this was reported on
1.8 already.
It was reported in issue #13 that a GOAWAY frame was sent on timeout even
if no SETTINGS frame was sent. The approach imagined by then was to track
the fact that a SETTINGS frame was already sent to avoid this, but that's
already what is done through the state, though it doesn't stand due to the
fact that we switch the frame to the error state. Thus instead what we're
doing here is to instead set the GOAWAY_FAILED flag in h2c_error() before
switching to the ERROR state when the state indicates we've not yet sent
settings, and refrain from sending anything from the h2c_send_goaway_error()
function for such states.
This could be backported to all versions where it applies well.
qcs by_id field has been replaced by a new field named "id". Adjust the
h3_debug_printf traces. This is the case since the introduction of the
qc_stream_desc type.
In issue #1184, cppcheck found several issues in the printf formats
used to display integers, some of which are unsigned but which used to
still rely on "%d".
In issue #1184, cppcheck reports that an incorrect format "%d" was
used to print an unsigned in the debug code, though values are always
very small and this will never be an issue.
In issue #1184, cppcheck complains about some inconsistent printf
formats. At least the one in peer_prepare_hellomsg() that uses "%u"
for the int "min_ver" is wrong. Let's force other types to make it
happy, though constants cannot cause trouble.
cppcheck reports in issue #1184 a type mismatch between "%d" and the
unsigned int "misses" in the standalone debug code of lru.c. Let's
switch to "%u".
We used to check if the transport layer was ssl_sock to decide to log
"~" after a frontend's name. Now that QUIC is present, this doesn't work
anymore. Better rely on the transport layer's get_ssl_sock_ctx() method.
Coverity found in issue #1646 that I added a double-close bug in last
commit e4d09cedb ("MINOR: sock: check configured limits at the sock layer,
not the listener's") because the error path already closes the FD. No
backport needed.
In issue #1645, coverity suspects some dead code due to a pair of
remaining tests on "if (!ctx)". While all other functions test the
context earlier, these ones used to only test the connection and the
transport. It's still not very clear to me if there are certain error
cases that can lead to no SSL being initially set while the rest is
ready, and the SSL arriving later, but better preserve this original
construct by testing first the connection and only later the context.
First gcc, then now coverity report possible null derefs in situations
where we know these cannot happen since we call the functions in
contexts that guarantee the existence of the connection and the method
used. Let's introduce an unchecked version of the function for such
cases, just like we had to do with objt_*. This allows us to remove the
ALREADY_CHECKED() statements (which coverity doesn't see), and addresses
github issues #1643, #1644, #1647.
Some compilers see a possible null deref after conn_get_ssl_sock_ctx()
in ssl_sock_parse_heartbeat, which cannot happen there, so let's mark
it as safe. No backport needed.
It was supposed to be there, and probably was not placed there due to
historic limitations in listener_accept(), but now there does not seem
to be a remaining valid reason for keeping the quic_conn out of the
handle. In addition in new_quic_cli_conn() the handle->fd was incorrectly
set to the listener's FD.
By being able to return the ssl_sock_ctx, we're now enabling the whole
set of SSL sample fetch methods to work on the current SSL context of
the QUIC connection, as seen in the following test showing a request
forwarded to an HTTP/1 server with plenty of SSL headers filled:
00000001:decrypt.clireq[000f:ffffffff]: GET / HTTP/1.1
00000001:decrypt.clihdr[000f:ffffffff]: host: localhost
00000001:decrypt.clihdr[000f:ffffffff]: user-agent: nghttp3/ngtcp2 client
00000001:decrypt.clihdr[000f:ffffffff]: x-src: 127.0.0.1
00000001:decrypt.clihdr[000f:ffffffff]: x-dst: 127.0.0.4
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_serial: D16197E7D3E634E9
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_key_alg: rsaEncryption
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_sig_alg: RSA-SHA1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_has_sni: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_sni: blah
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alpn: h3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_protocol: TLSv1.3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_cipher: TLS_AES_256_GCM_SHA384
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alg_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_use_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-forwarded-for: 127.0.0.1
The code is trivial, but this is marked as medium as there's always
the risk that some of the callable functions do not like being called
on such SSL contexts.
The SSL functions must not use conn->xprt_ctx anymore but find the context
by calling conn_get_ssl_sock_ctx(), which will properly pass through the
transport layers to retrieve the desired information. Otherwise when the
functions are called on a QUIC connection, they refuse to work for not
being called on the proper transport.
Historically there was a single way to have an SSL transport on a
connection, so detecting if the transport layer was SSL and a context
was present was sufficient to detect SSL. With QUIC, things have changed
because QUIC also relies on SSL, but the context is embedded inside the
quic_conn and the transport layer doesn't match expectations outside,
making it difficult to detect that SSL is in use over the connection.
The approach taken here to improve this consists in adding a new method
at the transport layer, get_ssl_sock_ctx(), to retrieve this often needed
ssl_sock_ctx, and to use this to detect the presence of SSL. This will
even allow some simplifications and cleanups to be made in the SSL code
itself, and QUIC will be able to provide one to export its ssl_sock_ctx.
These functions will allow the connection layer to retrieve a quic_conn's
source or destination when possible. The quic_conn holds the peer's address
but not the local one, and the sockets API doesn't always makes that easy
for datagrams. Thus for frontend connection what we're doing here is to
retrieve the listener's address when the destination address is desired.
Now it finally becomes possible to fetch the source and destination using
"src" and "dst", and to pass an incoming connection's endpoints via the
proxy protocol.
Right now the proto_fam descriptor provides a family-specific
get_src() and get_dst() pair of calls to retrieve a socket's source
or destination address. However this only works for connected mode
sockets. QUIC provides its own stream protocol, which relies on a
datagram protocol underneath, so the get_src()/get_dst() at that
protocol's family will not work, and QUIC would need to provide its
own.
This patch implements get_src() and get_dst() at the protocol level
from a connection, and makes sure that conn_get_src()/conn_get_dst()
will automatically use them if defined before falling back to the
family's pair of functions.
We'll want conn_get_src/dst to support other means of retrieving these
respective IP addresses, but the functions as they're designed are a bit
too restrictive for now.
This patch arranges them to have a default error fallback allowing to
test different mechanisms. In addition we now make sure the underlying
protocol is of type stream before calling the family's get_src/dst as
it makes no sense to do that on dgram sockets for example.
The mux didn't have its flags nor name set, as seen in this output of
"haproxy -vv":
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
quic : mode=HTTP side=FE mux= flags=
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
This might have random impacts at certain points like forcing some
connections to close instead of aborting a stream, or not always
handling certain streams as fully HTX-compliant.
Certain functions cannot be called on an FD-less conn because they are
normally called as part of the protocol-specific setup/teardown sequence.
Better place a few BUG_ON() to make sure none of them is called in other
situations. If any of them would trigger in ambiguous conditions, it would
always be possible to replace it with an error.
Some syscalls at the TCP level act directly on the FD. Some of them
are used by TCP actions like set-tos, set-mark, silent-drop, others
try to retrieve TCP info, get the source or destination address. These
ones must not be called with an invalid FD coming from an FD-less
connection, so let's add the relevant tests for this. It's worth
noting that all these ones already have fall back plans (do nothing,
error, or switch to alternate implementation).
There are plenty of places (particularly in debug code) where we try to
dump the connection's FD only when the connection is defined. That's
already a pain but now it gets one step further with QUIC because we do
*not* want to dump this FD in this case.
conn_fd() checks if the connection exists, is ready and is not fd-less,
and returns the FD only in this case, otherwise returns -1. This aims at
simplifying most of these conditions.
QUIC connections do not use a file descriptor, instead they use the
quic equivalent which is the quic_conn. A number of our historical
functions at the connection level continue to unconditionally touch
the file descriptor and this may have consequences once QUIC starts
to be used.
This patch adds a new flag on QUIC connections, CO_FL_FDLESS, to
mention that the connection doesn't have a file descriptor, hence the
FD-based API must never be used on them.
From now on it will be possible to intrument existing functions to
panic when this flag is present.
listener_accept() used to continue to enforce the FD limits relative to
global.maxsock by itself while it's the last FD-specific test in the
whole file. This test has nothing to do there, it ought to be placed in
sock_accept_conn() which is the one in charge of FD allocation and tests.
Similar tests are already located there by the way. The only tiny
difference is that listener_accept() used to pause for one second when
this limit was reached, while other similar conditions were pausing only
100ms, so now the same 100ms will apply. But that's not important and
could even be considered as an improvement.
OpenSSL 3.0 emits tons of deprecation warnings for the engine API, and
it becomes a real problem because these hide other real warnings and
will prevent distros from building with -Werror. Fortunately there's a
macro to shut this one, OPENSSL_SUPPRESS_DEPRECATED, that is sufficient
to get things back to normal, so let's define it when USE_ENGINE is set.
This way we still get a chance to see other deprecation warnings when
engines are not used.
SSL engines used to be built by default for a long time but they're now
disabled consecutive to the API change that makes OpenSSL 3.0 spew plenty
of warnings. Support may still be enabled by passing USE_ENGINE=1.
OpenSSL 3.0 warns that ERR_func_error_string() is deprecated. Using
ERR_peek_error_func() solves it instead, and this function was added to
the compat layer by commit 1effd9aa0 ("MINOR: ssl: Remove call to
ERR_func_error_string with OpenSSLv3").
Previous patch forgot to add USE_ENGINE to the list of options to be
transferred to CFLAGS, so USE_ENGINE had no effect and engines would
remain disabled.
The OpenSSL engine API is deprecated starting with OpenSSL 3.0.
In order to have a clean build this feature is now disabled by default.
It can be reactivated with USE_ENGINE=1 on the build line.
Shawn Heisey reported that the proxy's description was unreadable in dark
color scheme. This is because the text color is changed in the table but
not the cell's background.
This should be backported to 2.5.
In "haproxy -vv" we produce a list of available muxes with their
capabilities, but that list is often quite large for terminals due
to excess of spaces, so let's reduce them a bit to make the output
more readable.
Released version 2.6-dev5 with the following main changes :
- DOC: reflect H2 timeout changes
- BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing
- BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing
- BUG/MINOR: log: Initialize the list element when allocating a new log server
- BUG/MINOR: samples: add missing context names for sample fetch functions
- MINOR: management: add some basic keyword dump infrastructure
- MINOR: config: add a function to dump all known config keywords
- MINOR: filters: extend flt_dump_kws() to dump to stdout
- MINOR: services: extend list_services() to dump to stdout
- MINOR: cli: add a new keyword dump function
- MINOR: acl: add a function to dump the list of known ACL keywords
- MINOR: samples: add a function to list register sample fetch keywords
- MINOR: sample: list registered sample converter functions
- MINOR: tools: add strordered() to check whether strings are ordered
- MINOR: action: add a function to dump the list of actions for a ruleset
- MINOR: config: alphanumerically sort config keywords output
- MINOR: sample: alphanumerically sort sample & conv keyword dumps
- MINOR: acl: alphanumerically sort the ACL dump
- MINOR: cli: alphanumerically sort the dump of supported commands
- MINOR: filters: alphabetically sort the list of filter names
- MINOR: services: alphabetically sort service names
- MEDIUM: httpclient/lua: be stricter with httpclient parameters
- MINOR: ssl: split the cert commit io handler
- MINOR: ssl: move the cert_exts and the CERT_TYPE enum
- MINOR: ssl: simplify the certificate extensions array
- MINOR: ssl: export ckch_inst_rebuild()
- MINOR: ssl: add "crt" in the cert_exts array
- MINOR: ssl/lua: CertCache.set() allows to update an SSL certificate file
- BUILD: ssl/lua: CacheCert needs OpenSSL
- DOC: lua: CertCache class documentation
- BUG/MEDIUM: quic: do not use qcs from quic_stream on ACK parsing
- MINOR: mux-quic: return qcs instance from qcc_get_qcs
- MINOR: mux-quic: reorganize qcs free
- MINOR: mux-quic: define release app-ops
- BUG/MINOR: h3: release resources on close
- BUG/MINOR: mux-quic: ensure to free all qcs on MUX release
- CLEANUP: quic: complete comment on qcs_try_to_consume
- MINOR: quic: implement stream descriptor for transport layer
- MEDIUM: quic: move transport fields from qcs to qc_conn_stream
- MEDIUM: mux-quic: remove qcs tree node
- BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads
- DOC: management: add missing dot in 9.4.1
- BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
- DOC: remove double blanks in configuration.txt
- CI: github actions: update OpenSSL to 3.0.2
- BUG/MEDIUM: quic: Possible crash in ha_quic_set_encryption_secrets()
- CLEANUP: quic: Remove all atomic operations on quic_conn struct
- CLEANUP: quic: Remove all atomic operations on packet number spaces
- MEDIUM: quic: Send ACK frames asap
- BUG/MINOR: quic: Missing probing packets when coalescing
- BUG/MINOR: quic: Discard Initial packet number space only one time
- MINOR: quic: Do not display any timer value from process_timer()
- BUG/MINOR: quic: Do not probe from an already probing packet number space
- BUG/MINOR: quic: Non duplicated frames upon fast retransmission
- BUG/MINOR: quic: Too much prepared retransmissions due to anti-amplification
- MINOR: quic: Useless call to SSL_CTX_set_default_verify_paths()
- MINOR: quic: Add traces about list of frames
- BUG/MINOR: h3: Missing wait event struct field initialization
- BUG/MINOR: quic: QUIC TLS secrets memory leak
- BUG/MINOR: quic: Missing ACK range deallocations
- BUG/MINOR: quic: Missing TX packet deallocations
- CLEANUP: hpack: be careful about integer promotion from uint8_t
- OPTIM: hpack: read 32 bits at once when possible.
- MEDIUM: ssl: allow loading of a directory with the ca-file directive
- BUG/MINOR: ssl: continue upon error when opening a directory w/ ca-file
- MINOR: ssl: ca-file @system-ca loads the system trusted CA
- DOC: configuration: add the ca-file changes
- MINOR: sample: converter: Add add_item convertor
- BUG/MINOR: ssl: handle X509_get_default_cert_dir() returning NULL
- BUG/MINOR: ssl/cli: Remove empty lines from CLI output
- MINOR: httpclient: enable request buffering
- MEDIUM: httpclient: enable l7-retry
- BUG/MINOR: httpclient: end callback in applet release
- MINOR: quic: Add draining connection state.
- MINOR: quic: Add closing connection state
- BUG/MEDIUM: quic: ensure quic-conn survives to the MUX
- CLEANUP: quic: use static qualifer on quic_close
- CLEANUP: mux-quic: remove unused QC_CF_CC_RECV
- BUG/MINOR: fix memleak on quic-conn streams cleaning
- MINOR: mux-quic: factorize conn-stream attach
- MINOR: mux-quic: adjust timeout to accelerate closing
- MINOR: mux-quic: define is_active app-ops
- MINOR: mux-quic: centralize send operations in qc_send
- MEDIUM: mux-quic: report CO_FL_ERROR on send
- MEDIUM: mux-quic: report errors on conn-streams
- MEDIUM: quic: report closing state for the MUX
- BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests
- BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message
- BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet
- BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message
- BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached
- BUG/MINOR: http_client: Don't add input data on an empty request buffer
- BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples
- BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
- CLEANUP: mux-quic: remove uneeded TODO in qc_detach
- BUG/MEDIUM: mux-quic: properly release conn-stream on detach
- BUG/MINOR: quic: set the source not the destination address on accept()
- BUG/MEDIUM: quic: Possible crash from quic_free_arngs()
- MINOR: quic_tls: Add reusable cipher contexts to QUIC TLS contexts
- MINOR: quic_tls: Stop hardcoding cipher IV lengths
- CLEANUP: quic: Do not set any cipher/group from ssl_quic_initial_ctx()
- MINOR: quic: Add short packet key phase bit values to traces
- MINOR: quic_tls: Make key update use of reusable cipher contexts
- BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set()
- BUG/BUILD: opentracing: fixed OT_DEFINE variable setting
- EXAMPLES: opentracing: refined shell scripts for testing filter performance
- DOC: opentracing: corrected comments in function descriptions
- CLEANUP: opentracing: removed unused function flt_ot_var_unset()
- CLEANUP: opentracing: removed unused function flt_ot_var_get()
- Revert "MINOR: opentracing: change the scope of the variable 'ot.uuid' from 'sess' to 'txn'"
- MINOR: opentracing: only takes the variables lock on shared entries
- CLEANUP: opentracing: added flt_ot_smp_init() function
- CLEANUP: opentracing: added variable to store variable length
- MINOR: opentracing: improved normalization of context variable names
- DEBUG: opentracing: show return values of all functions in the debug output
- CLEANUP: opentracing: added FLT_OT_PARSE_INVALID_enum enum
- DEBUG: opentracing: display the contents of the err variable after setting
- MAJOR: opentracing: reenable usage of vars to transmit opentracing context
- Revert "BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time"
- MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window
The new 'close-spread-time' global option can be used to spread idle and
active HTTP connction closing after a SIGUSR1 signal is received. This
allows to limit bursts of reconnections when too many idle connections
are closed at once. Indeed, without this new mechanism, in case of
soft-stop, all the idle connections would be closed at once (after the
grace period is over), and all active HTTP connections would be closed
by appending a "Connection: close" header to the next response that goes
over it (or via a GOAWAY frame in case of HTTP2).
This patch adds the support of this new option for HTTP as well as HTTP2
connections. It works differently on active and idle connections.
On active connections, instead of sending systematically the GOAWAY
frame or adding the 'Connection: close' header like before once the
soft-stop has started, a random based on the remainder of the close
window is calculated, and depending on its result we could decide to
keep the connection alive. The random will be recalculated for any
subsequent request/response on this connection so the GOAWAY will still
end up being sent, but we might wait a few more round trips. This will
ensure that goaways are distributed along a longer time window than
before.
On idle connections, a random factor is used when determining the expire
field of the connection's task, which should naturally spread connection
closings on the time window (see h2c_update_timeout).
This feature request was described in GitHub issue #1614.
This patch should be backported to 2.5. It depends on "BUG/MEDIUM:
mux-h2: make use of http-request and keep-alive timeouts" which
refactorized the timeout management of HTTP2 connections.
This reverts commit 6c9f7faa62a00a4d028704d7b11e290c83f8a49d.
This warning is no longer needed because source code can be compiled with
enabled support for OpenTracing context transfer via HAProxy variables.
This patch must be backported in 2.5.
Since commit 3a4bedccc ("MEDIUM: vars: replace the global name index with
a hash") the names of HAProxy variables are no longer saved, ie their
64-bit hashes are saved instead.
This is very convenient for the HAProxy itself, but for the OpenTracing
module it is a problem because the names of the variables are important
when transferring the OpenTracing context. Namely, this context consists
of an unknown amount of data stored in a key-value format. The number
of these data (and the name of the variable used for this purpose) is
determined with the configuration of the OpenTracing filter, as well as
with the tracer used. The two previous sentences seem to be in conflict,
but that is only so at first glance. The function in the OpenTracing
filter used to read the context does not really know this, neither their
number nor its name. The only thing that function actually knows is the
prefix of the variable names used for context transfer, and by that it
could find all the necessary data. Of course, until the application of
the above-mentioned commit.
The problem is solved in a very simple way: in a common variable that
the filter always knows its name, the names of all variables that are the
product of the OpenTracing context are saved. The names of these context
variables can only be added to that common variable. When that variable
is no longer needed (when we no longer need context), it is deleted.
The format for saving data to this common variable is as follows:
+-----+---------------+-- .. --+-----+---------------+
| len | variable name | | len | variable name |
+-----+---------------+-- .. --+-----+---------------+
The amount of memory space used to store the length of the name is 1 byte,
with a sign (the minus sign is provided for inactive records, but this is
not currently used). This means that the maximum length of the variable
name to be saved is 127 characters, which is quite enough for use in the
filter. The buffer size for such data storage is global.tune.bufsize.
This patch must be backported in 2.5.
A display of the contents of the err variable has been added to the
FLT_OT_ERR() macro, once it has been set.
This patch must be backported as far as 2.4.
It's always good to replace "hard-coded" values with something that looks
less "hard-coded" (even though that doesn't change anything in the code).
This is done here using FLT_OT_PARSE_INVALID_enum enum.
This patch must be backported as far as 2.4.
