IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true
if early data were sent, and a new action, "wait-for-handshake", if used,
the request won't be forwarded until the SSL handshake is done.
When compiled with Openssl >= 1.1.1, before attempting to do the handshake,
try to read any early data. If any early data is present, then we'll create
the session, read the data, and handle the request before we're doing the
handshake.
For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not
part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even
before an SSL handshake is completed.
As early data do have security implication, we let the origin server know
the request comes from early data by adding the "Early-Data" header, as
specified in this draft from the HTTP working group :
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback.
Native multi certificate and SSL/TLS method per certificate is now supported by
Openssl >= 1.1.1.
Released version 1.8-dev3 with the following main changes :
- REORG: ssl: move defines and methodVersions table upper
- MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table
- MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list
- MEDIUM: ssl: disable SSLv3 per default for bind
- BUG/MAJOR: ssl: fix segfault on connection close using async engines.
- BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine
- BUG/MINOR: ssl: do not call directly the conn_fd_handler from async_fd_handler
- BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros
- BUG/MEDIUM: build without openssl broken
- BUG/MINOR: warning: need_resend may be used uninitialized
- BUG/MEDIUM: misplaced exit and wrong exit code
- BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04
- BUILD: scripts: make publish-release support bare repositories
- BUILD: scripts: add an automatic mode for publish-release
- BUILD: scripts: add a "quiet" mode to publish-release
- BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
- BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
- CONTRIB: plug qdiscs: Plug queuing disciplines mini HOWTO.
- BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
- BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0
- BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
- BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
- BUG/MAJOR: server: Segfault after parsing server state file.
- BUG/MEDIUM: unix: never unlink a unix socket from the file system
- scripts: create-release pass -n to tail
- SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity
- BUG/MEDIUM: fix segfault when no argument to -x option
- MINOR: warning on multiple -x
- MINOR: mworker: don't copy -x argument anymore in copy_argv()
- BUG/MEDIUM: mworker: don't reuse PIDs passed to the master
- BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
- BUG/MINOR: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
- BUG/MINOR: log: pin the front connection when front ip/ports are logged
- DOC: fix references to the section about the unix socket
- BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue
- MAJOR: task: task scheduler rework.
- MINOR: task/stream: tasks related to a stream must be init by the caller.
- MINOR: queue: Change pendconn_get_next_strm into private function
- MINOR: backends: Change get_server_sh/get_server_uh into private function
- MINOR: queue: Change pendconn_from_srv/pendconn_from_px into private functions
- MEDIUM: stream: make stream_new() always set the target and analysers
- MINOR: frontend: initialize HTTP layer after the debugging code
- MINOR: connection: add a .get_alpn() method to xprt_ops
- MINOR: ssl: add a get_alpn() method to ssl_sock
- MINOR: frontend: retrieve the ALPN name when available
- MINOR: frontend: report the connection's ALPN in the debug output
- MINOR: stream: don't set backend's nor response analysers on SF_TUNNEL
- MINOR: connection: send data before receiving
- MAJOR: applet: applet scheduler rework.
- BUG/MAJOR: frontend: don't dereference a null conn on outgoing connections
- BUG/MAJOR: cli: fix custom io_release was crushed by NULL.
- BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
- BUG/MAJOR: compression: Be sure to release the compression state in all cases
- MINOR: compression: Use a memory pool to allocate compression states
- BUG/MAJOR: applet: fix a freeze if data is immedately forwarded.
- DOC: fix references to the section about time format.
- BUG/MEDIUM: map/acl: fix unwanted flags inheritance.
- BUG/MAJOR: http: fix buffer overflow on loguri buffer.
- MINOR: ssl: compare server certificate names to the SNI on outgoing connections
- BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel
- BUG/MINOR: http: Don't reset the transaction if there are still data to send
- BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels
- MINOR: peers: Add additional information to stick-table definition messages.
- BUG/MINOR: http: properly handle all 1xx informational responses
- OPTIM: ssl: don't consider a small ssl_read() as an indication of end of buffer
- BUG/MINOR: peers: peer synchronization issue (with several peers sections).
- CLEANUP: hdr_idx: make some function arguments const where possible
- BUG/MINOR: Prevent a use-after-free on error scenario on option "-x".
- BUG/MINOR: lua: In error case, the safe mode is not removed
- BUG/MINOR: lua: executes the function destroying the Lua session in safe mode
- BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted
- BUG/MEDIUM: lua: bad memory access
- BUG/MINOR: Lua: variable already initialized
- DOC: update CONTRIBUTING regarding optional parts and message format
- DOC: update the list of OpenSSL versions in the README
- BUG/MINOR: http: Set the response error state in http_sync_res_state
- MINOR: http: Reorder/rewrite checks in http_resync_states
- MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags
- BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined
- MINOR: http: Rely on analyzers mask to end processing in forward_body functions
- BUG/MINOR: http: Fix bug introduced in previous patch in http_resync_states
- BUG/MINOR: contrib/modsecurity: BSD build fix
- BUG/MINOR: contrib/mod_defender: build fix
- BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib have no SSLv3
- MINOR: ssl: remove an unecessary SSL_OP_NO_* dependancy
- BUILD: ssl: fix compatibility with openssl without TLSEXT_signature_*
- MINOR: tools: add a portable timegm() alternative
- BUILD: lua: replace timegm() with my_timegm() to fix build on Solaris 10
- DOC: Updated 51Degrees git URL to point to a stable version.
- BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state
- MINOR: memory: remove macros
- BUG/MINOR: lua: Fix Server.get_addr() port values
- BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr()
- MINOR: samples: Handle the type SMP_T_METH when we duplicate a sample in smp_dup
- MINOR: samples: Handle the type SMP_T_METH in smp_is_safe and smp_is_rw
- MINOR: samples: Don't allocate memory for SMP_T_METH sample when method is known
- BUG/MINOR: lua: always detach the tcp/http tasks before freeing them
- MINOR: task: always preinitialize the task's timeout in task_init()
- CLEANUP: task: remove all initializations to TICK_ETERNITY after task_new()
- BUG/MAJOR: lua: properly dequeue hlua_applet_wakeup() for new scheduler
- MINOR: lua: Add proxy as member of proxy object.
- DOC: lua: Proxy class doc update
- MINOR: lua: Add lists of frontends and backends
- BUG/MINOR: ssl: Fix check against SNI during server certificate verification
- BUG/MINOR: ssl: make use of the name in SNI before verifyhost
- MINOR: ssl: add a new error codes for wrong server certificates
- BUG/MEDIUM: stream: don't retry SSL connections which fail the SNI name check
- MINOR: ssl: add "no-ca-names" parameter for bind
- BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions.
- DOC: fix alphabetical order of "show commands" in management.txt
- MINOR: listener: add a function to return a listener's state as a string
- MINOR: cli: add a new "show fd" command
- BUG/MEDIUM: ssl: Fix regression about certificates generation
- MINOR: Add server port field to server state file.
- MINOR: ssl: allow to start without certificate if strict-sni is set
- MINOR: dns: Cache previous DNS answers.
- MINOR: obj: Add a new type of object, OBJ_TYPE_SRVRQ.
- Add a few functions to do unaligned access.
- MINOR: dns: Handle SRV records.
- MINOR: check: Fix checks when using SRV records.
- MINOR: doc: Document SRV label usage.
- BUILD/MINOR: cli: shut a minor gcc warning in "show fd"
- BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2
- BUILD/MINOR: build without openssl still broken
- BUG/MAJOR: stream: in stream_free(), close the front endpoint and not the origin
- CLEANUP: raw_sock: Use a better name for the constructor than __ssl_sock_deinit()
- MINOR: init: Fix CPU affinity setting on FreeBSD.
- MINOR: dns: Update analysis of TRUNCATED response for SRV records
- MINOR: dns: update record dname matching for SRV query types
- MINOR: dns: update dns response buffer reading pointer due to SRV record
- MINOR: dns: duplicate entries in resolution wait queue for SRV records
- MINOR: dns: make debugging function dump_dns_config() compatible with SRV records
- MINOR: dns: ability to use a SRV resolution for multiple backends
- MINOR: dns: enable caching of responses for server set by a SRV record
- MINOR: dns: new dns record type (RTYPE) for OPT
- MINOR: dns: enabled edns0 extension and make accpeted payload size tunable
- MINOR: dns: default "hold obsolete" timeout set to 0
- MINOR: chunks: add chunk_memcpy() and chunk_memcat()
- MINOR: session: add a streams field to the session struct
- MINOR: stream: link the stream to its session
- MEDIUM: session: do not free a session until no stream references it
- MINOR: ist: implement very simple indirect strings
- TESTS: ist: add a test file for the functions
- MINOR: http: export some of the HTTP parser macros
- BUG/MINOR: Wrong type used as argument for spoe_decode_buffer().
- BUG/MINOR: dns: server set by SRV records stay in "no resolution" status
- MINOR: dns: Maximum DNS udp payload set to 8192
- MINOR: dns: automatic reduction of DNS accpeted payload size
- MINOR: dns: make SRV record processing more verbose
- CLEANUP: dns: remove duplicated code in dns_resolve_recv()
- CLEANUP: dns: remove duplicated code in dns_validate_dns_response()
- BUG/MINOR: dns: wrong resolution interval lead to 100% CPU
- BUG/MEDIUM: dns: fix accepted_payload_size parser to avoid integer overflow
- BUG/MAJOR: lua: fix the impact of the scheduler changes again
- BUG/MEDIUM: lua: HTTP services must take care of body-less status codes
- MINOR: lua: properly process the contents of the content-length field
- BUG/MEDIUM: stream: properly set the required HTTP analysers on use-service
- OPTIM: lua: don't use expensive functions to parse headers in the HTTP applet
- OPTIM: lua: don't add "Connection: close" on the response
- REORG/MEDIUM: connection: introduce the notion of connection handle
- BUG/MINOR: stream-int: don't check the CO_FL_CURR_WR_ENA flag
- MEDIUM: connection: get rid of data->init() which was not for data
- MEDIUM: stream: make stream_new() allocate its own task
- CLEANUP: listener: remove the unused handler field
- MEDIUM: session: add a pointer to a struct task in the session
- MINOR: stream: provide a new stream creation function for connections
- MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH
- CLEANUP: connection: remove the unused conn_sock_shutw_pending()
- MEDIUM: connection: remove useless flag CO_FL_DATA_WR_SH
- DOC: add CLI info on privilege levels
- DOC: Refer to Mozilla TLS info / config generator
- MINOR: ssl: remove duplicate ssl_methods in struct bind_conf
- BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode
- DOC: Add note about "* " prefix in CSV stats
- CLEANUP: memory: Remove unused function pool_destroy
- MINOR: listeners: Change listener_full and limit_listener into private functions
- MINOR: listeners: Change enable_listener and disable_listener into private functions
- MINOR: fd: Don't forget to reset fdtab[fd].update when a fd is added/removed
- MINOR: fd: Set owner and iocb field before inserting a new fd in the fdtab
- MINOR: backends: Make get_server_* functions explicitly static
- MINOR: applet: Check applets_active_queue before processing applets queue
- MINOR: chunks: Use dedicated function to init/deinit trash buffers
- MEDIUM: chunks: Realloc trash buffers only after the config is parsed and checked
- MINOR: logs: Use dedicated function to init/deinit log buffers
- MINOR: logs: Realloc log buffers only after the config is parsed and checked
- MINOR: buffers: Move swap_buffer into buffer.c and add deinit_buffer function
- MINOR: stick-tables: Make static_table_key a struct variable instead of a pointer
- MINOR: http: Use a trash chunk to store decoded string of the HTTP auth header
- MINOR: fd: Add fd_active function
- MINOR: fd: Use inlined functions to check fd state in fd_*_send/recv functions
- MINOR: fd: Move (de)allocation of fdtab and fdinfo in (de)init_pollers
- MINOR: freq_ctr: Return the new value after an update
- MEDIUM: check: server states and weight propagation re-work
- BUG/MEDIUM: epoll: ensure we always consider HUP and ERR
- MINOR: fd: Add fd_update_events function
- MINOR: polling: Use fd_update_events to update events seen for a fd
- BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file
- Revert "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
- MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use
- BUG/MEDIUM: http: Close streams for connections closed before a redirect
- BUG/MINOR: Lua: The socket may be destroyed when we try to access.
- MINOR: xref: Add a new xref system
- MEDIUM: xref/lua: Use xref for referencing cosocket relation between stream and lua
- MINOR: tasks: Move Lua notification from Lua to tasks
- MINOR: net_helper: Inline functions meant to be inlined.
- MINOR: cli: add socket commands and config to prepend informational messages with severity
- MINOR: add severity information to cli feedback messages
- BUILD: Makefile: add a function to detect support by the compiler of certain options
- BUILD: Makefile: shut certain gcc/clang stupid warnings
- BUILD: Makefile: improve detection of support for compiler warnings
- MINOR: peers: don't reference the incoming listener on outgoing connections
- MINOR: frontend: don't retrieve ALPN on the critical path
- MINOR: protocols: always pass a "port" argument to the listener creation
- MINOR: protocols: register the ->add function and stop calling them directly
- MINOR: unix: remove the now unused proto_uxst.h file
- MINOR: listeners: new function create_listeners
- MINOR: listeners: make listeners count consistent with reality
- MEDIUM: session: take care of incrementing/decrementing jobs
- MINOR: listener: new function listener_release
- MINOR: session: small cleanup of conn_complete_session()
- MEDIUM: session: factor out duplicated code for conn_complete_session
- MEDIUM: session: count the frontend's connections at a single place
- BUG/MEDIUM: compression: Fix check on txn in smp_fetch_res_comp_algo
- BUG/MINOR: compression: Check response headers before http-response rules eval
- BUG/MINOR: spoe: Don't rely on SPOE ctx in debug message when its creation failed
- BUG/MINOR: dns: Fix check on nameserver in snr_resolution_cb
- MINOR: ssl: Remove useless checks on bind_conf or bind_conf->is_ssl
- BUG/MINOR: contrib/mod_defender: close the va_list argp before return
- BUG/MINOR: contrib/modsecurity: close the va_list ap before return
- MINOR: tools: make my_htonll() more efficient on x86_64
- MINOR: buffer: add b_del() to delete a number of characters
- MINOR: buffer: add b_end() and b_to_end()
- MINOR: net_helper: add functions to read from vectors
- MINOR: net_helper: add write functions
- MINOR: net_helper: add 64-bit read/write functions
- MINOR: connection: adjust CO_FL_NOTIFY_DATA after removal of flags
- MINOR: ist: add a macro to ease const array initialization
- BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server
- BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server (take2)
- BUG/MINOR: log: fixing small memory leak in error code path.
- BUG/MINOR: contrib/halog: fixing small memory leak
- BUG/MEDIUM: tcp/http: set-dst-port action broken
- CLEANUUP: checks: don't set conn->handle.fd to -1
- BUG/MEDIUM: tcp-check: properly indicate polling state before performing I/O
- BUG/MINOR: tcp-check: don't quit with pending data in the send buffer
- BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O handlers!
- BUG/MINOR: unix: properly check for octal digits in the "mode" argument
- MINOR: checks: make chk_report_conn_err() take a check, not a connection
- CLEANUP: checks: remove misleading comments and statuses for external process
- CLEANUP: checks: don't report report the fork() error twice
- CLEANUP: checks: do not allocate a connection for process checks
- TESTS: checks: add a simple test config for external checks
- BUG/MINOR: tcp-check: don't initialize then break a connection starting with a comment
- TESTS: checks: add a simple test config for tcp-checks
- MINOR: tcp-check: make tcpcheck_main() take a check, not a connection
- MINOR: checks: don't create then kill a dummy connection before tcp-checks
- MEDIUM: checks: make tcpcheck_main() indicate if it recycled a connection
- MEDIUM: checks: do not allocate a permanent connection anymore
- BUG/MEDIUM: cli: fix "show fd" crash when dumping closed FDs
- BUG/MEDIUM: http: Return an error when url_dec sample converter failed
- BUG/MAJOR: stream-int: don't re-arm recv if send fails
- BUILD/MINOR: 51d: fix warning when building with 51Degrees release version 3.2.12.12
- DOC: 51d: add 51Degrees git URL that points to release version 3.2.12.12
- DOC: 51d: Updated git URL and instructions for getting Hash Trie data files.
- MINOR: compiler: restore the likely() wrapper for gcc 5.x
- MINOR: session: remove the list of streams from struct session
- DOC: fix some typos
- MINOR: server: add the srv_queue() sample fetch method
- MINOR: payload: add new sample fetch functions to process distcc protocol
- MAJOR: servers: propagate server status changes asynchronously.
- BUG/MEDIUM: ssl: fix OCSP expiry calculation
- BUG/MINOR: stream-int: don't set MSG_MORE on SHUTW_NOW without AUTO_CLOSE
- MINOR: server: Handle weight increase in consistent hash.
- MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks.
- BUG/MINOR: tools: fix my_htonll() on x86_64
- BUG/MINOR: stats: Clear a bit more counters with in cli_parse_clear_counters().
- BUG/MAJOR: lua: scheduled task is freezing.
- MINOR: buffer: add bo_del() to delete a number of characters from output
- MINOR: buffer: add a function to match against string patterns
- MINOR: buffer: add two functions to inject data into buffers
- MINOR: buffer: add buffer_space_wraps()
- REORG: channel: finally rename the last bi_* / bo_* functions
- MINOR: buffer: add bo_getblk() and bo_getblk_nc()
- MINOR: channel: make use of bo_getblk{,_nc} for their channel equivalents
- MINOR: channel: make the channel be a const in all {ci,co}_get* functions
- MINOR: ist: add ist0() to add a trailing zero to a string.
- BUG/MEDIUM: log: check result details truncated.
- MINOR: buffer: make bo_getblk_nc() not return 2 for a full buffer
- REORG: http: move some very http1-specific parts to h1.{c,h}
- REORG: http: move the HTTP/1 chunk parser to h1.{c,h}
- REORG: http: move the HTTP/1 header block parser to h1.c
- MEDIUM: http: make the chunk size parser only depend on the buffer
- MEDIUM: http: make the chunk crlf parser only depend on the buffer
- MINOR: h1: add struct h1m for basic HTTP/1 messages
- MINOR: http: add very simple header management based on double strings
- MEDIUM: h1: reimplement the http/1 response parser for the gateway
- REORG: connection: rename CO_FL_DATA_* -> CO_FL_XPRT_*
- MEDIUM: connection: make conn_sock_shutw() aware of lingering
- MINOR: connection: ensure conn_ctrl_close() also resets the fd
- MINOR: connection: add conn_stop_tracking() to disable tracking
- MINOR: tcp: use conn_full_close() instead of conn_force_close()
- MINOR: unix: use conn_full_close() instead of conn_force_close()
- MINOR: checks: use conn_full_close() instead of conn_force_close()
- MINOR: session: use conn_full_close() instead of conn_force_close()
- MINOR: stream: use conn_full_close() instead of conn_force_close()
- MINOR: stream: use conn_full_close() instead of conn_force_close()
- MINOR: backend: use conn_full_close() instead of conn_force_close()
- MINOR: stream-int: use conn_full_close() instead of conn_force_close()
- MINOR: connection: remove conn_force_close()
- BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
When using haproxy in front of distccd, it's possible to provide significant
improvements by only connecting when the preprocessing is completed, and by
selecting different farms depending on the payload size. This patch provides
two new sample fetch functions :
distcc_param(<token>[,<occ>]) : integer
distcc_body(<token>[,<occ>]) : binary
srv_queue([<backend>/]<server>) : integer
Returns an integer value corresponding to the number of connections currently
pending in the designated server's queue. If <backend> is omitted, then the
server is looked up in the current backend. It can sometimes be used together
with the "use-server" directive to force to use a known faster server when it
is not much loaded. See also the "srv_conn", "avg_queue" and "queue" sample
fetch methods.
Adds cli commands to change at runtime whether informational messages
are prepended with severity level or not, with support for numeric and
worded severity in line with syslog severity level.
Adds stats socket config keyword severity-output to set default behavior
per socket on startup.
smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2
compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl
attribut and SSL_CIPHER_standard_name (available with ssl-trace).
This patch implement this (debug) function in a standard way. It used common
SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2
and boringssl.
As per a recent mailing list discussion, suggesting specific cipher
settings is not too helpful, because they depend on a lot of factors,
ranging from client capabilities, available TLS libraries, new
security research, and others.
To avoid the documentation from become stale -- and potentially
wrong/dangerous, this commit adds links to Mozilla's well-reknowned
TLS blog, as well as to their configuration generator.
Following up DNS extension introduction, this patch aims at making the
computation of the maximum number of records in DNS response dynamic.
This computation is based on the announced payload size accepted by
HAProxy.
The "hold obsolete" timer is used to prevent HAProxy from moving a server to
an other IP or from considering the server as DOWN if the IP currently
affected to this server has not been seen for this period of time in DNS
responses.
That said, historically, HAProxy used to update servers as soon as the IP
has disappeared from the response. Current default timeout break this
historical behavior and may change HAProxy's behavior when people will
upgrade to 1.8.
This patch changes the default value to 0 to keep backward compatibility.
Edns extensions may be used to negotiate some settings between a DNS
client and a server.
For now we only use it to announce the maximum response payload size accpeted
by HAProxy.
This size can be set through a configuration parameter in the resolvers
section. If not set, it defaults to 512 bytes.
As DNS servers may not return all IPs in one answer, we want to cache the
previous entries. Those entries are removed when considered obsolete, which
happens when the IP hasn't been returned by the DNS server for a time
defined in the "hold obsolete" parameter of the resolver section. The default
is 30s.
Commit 2ab8867 ("MINOR: ssl: compare server certificate names to the SNI
on outgoing connections") introduced the ability to check server cert
names against the name provided with in the SNI, but verifyhost was kept
as a way to force the name to check against. This was a mistake, because :
- if an SNI is used, any static hostname in verifyhost will be wrong ;
worse, if it matches and doesn't match the SNI, the server presented
the wrong certificate ;
- there's no way to have a default name to check against for health
checks anymore because the point above mandates the removal of the
verifyhost directive
This patch reverses the ordering of the check : whenever SNI is used, the
name provided always has precedence (ie the server must always present a
certificate that matches the requested name). And if no SNI is provided,
then verifyhost is used, and will be configured to match the server's
default certificate name. This will work both when SNI is not used and
for health checks.
If the commit 2ab8867 is backported in 1.7 and/or 1.6, this one must be
backported too.
When support for passing SNI to the server was added in 1.6-dev3, there
was no way to validate that the certificate presented by the server would
really match the name requested in the SNI, which is quite a problem as
it allows other (valid) certificates to be presented instead (when hitting
the wrong server or due to a man in the middle).
This patch adds the missing check against the value passed in the SNI.
The "verifyhost" value keeps precedence if set. If no SNI is used and
no verifyhost directive is specified, then the certificate name is not
checked (this is unchanged).
In order to extract the SNI value, it was necessary to make use of
SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is
a trivial function which returns the value of s->tlsext_hostname, so
it was provided in the compat layer for older versions. After some
refinements from Emmanuel, it now builds with openssl 1.0.2, openssl
1.1.0 and boringssl. A test file was provided to ease testing all cases.
After some careful observation period it may make sense to backport
this to 1.7 and 1.6 as some users rightfully consider this limitation
as a bug.
Cc: Emmanuel Hocdet <manu@gandi.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
We cannot store more than 32K headers in the structure hdr_idx, because
internaly we use signed short integers. To avoid any bugs (due to an integers
overflow), a check has been added on tune.http.maxhdr to be sure to not set a
value greater than 32767 and lower than 1 (because this is a nonsense to set
this parameter to a value <= 0).
The documentation has been updated accordingly.
This patch can be backported in 1.7, 1.6 and 1.5.
The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write
This patch disables the ASYNC mode dynamically when the handshake
is left and re-enables it on reneg.
SSL/TLS version can be changed per certificat if and only if openssl lib support
earlier callback on handshake and, of course, is implemented in haproxy. It's ok
for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
Released version 1.8-dev2 with the following main changes :
- CLEANUP: server: moving netinet/tcp.h inclusion
- DOC: changed "block"(deprecated) examples to http-request deny
- DOC: add few comments to examples.
- DOC: update sample code for PROXY protocol
- DOC: mention lighttpd 1.4.46 implements PROXY
- MINOR server: Restrict dynamic cookie check to the same proxy.
- DOC: stick-table is available in frontend sections
- BUG/MINOR: server : no transparent proxy for DragonflyBSD
- BUILD/MINOR: stats: remove unexpected argument to stats_dump_json_header()
- BUILD/MINOR: tools: fix build warning in debug_hexdump()
- BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
- BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
- BUG/MINOR: arg: don't try to add an argument on failed memory allocation
- MEDIUM: server: Inherit CLI weight changes and agent-check weight responses
- BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
- BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
- BUG/MEDIUM: servers: unbreak server weight propagation
- MINOR: lua: ensure the memory allocator is used all the time
- MINOR: cli: Add a command to send listening sockets.
- MINOR: global: Add an option to get the old listening sockets.
- MINOR: tcp: When binding socket, attempt to reuse one from the old proc.
- MINOR: doc: document the -x flag
- MINOR: proxy: Don't close FDs if not our proxy.
- MINOR: socket transfer: Set a timeout on the socket.
- MINOR: systemd wrapper: add support for passing the -x option.
- BUG/MINOR: server: Fix a wrong error message during 'usesrc' keyword parsing.
- BUG/MAJOR: Broken parsing for valid keywords provided after 'source' setting.
- CLEANUP: logs: typo: simgle => single
- BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
- MEDIUM: config: don't check config validity when there are fatal errors
- BUG/MAJOR: Use -fwrapv.
- BUG/MINOR: server: don't use "proxy" when px is really meant.
- BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed
- BUG/MINOR: server: missing default server 'resolvers' setting duplication.
- MINOR: server: Extract the code responsible of copying default-server settings.
- MINOR: server: Extract the code which finalizes server initializations after 'server' lines parsing.
- MINOR: server: Add 'server-template' new keyword supported in backend sections.
- MINOR: server: Add server_template_init() function to initialize servers from a templates.
- DOC: Add documentation for new "server-template" keyword.
- DOC: add layer 4 links/cross reference to "block" keyword.
- DOC: errloc/errorloc302/errorloc303 missing status codes.
- BUG/MEDIUM: lua: memory leak
- CLEANUP: lua: remove test
- BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
- BUG/MINOR: change header-declared function to static inline
- REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to common
- MINOR: Add binary encoding request header sample fetch
- MINOR: proto-http: Add sample fetch wich returns all HTTP headers
- MINOR: Add ModSecurity wrapper as contrib
- BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.
- DOC: update RFC references
- CONTRIB: tcploop: add action "X" to execute a command
- MINOR: server: cli: Add server FQDNs to server-state file and stats socket.
- BUG/MINOR: contrib/mod_security: fix build on FreeBSD
- BUG/MINOR: checks: don't send proxy protocol with agent checks
- MINOR: ssl: add prefer-client-ciphers
- MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
- MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
- MEDIUM: ssl: calculate the real min/max TLS version and find holes
- MINOR: ssl: support TLSv1.3 for bind and server
- MINOR: ssl: show methods supported by openssl
- MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server
- MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
- CLEANUP: retire obsoleted USE_GETSOCKNAME build option
- BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
- MINOR: sample: Add b64dec sample converter
- BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything
- MINOR: cli: add ACCESS_LVL_MASK to store the access level
- MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
- MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
- MEDIUM: ssl: add basic support for OpenSSL crypto engine
- MAJOR: ssl: add openssl async mode support
- MEDIUM: ssl: handle multiple async engines
- MINOR: boringssl: basic support for OCSP Stapling
- MEDIUM: mworker: replace systemd mode by master worker mode
- MEDIUM: mworker: handle reload and signals
- MEDIUM: mworker: wait mode on reload failure
- MEDIUM: mworker: try to guess the next stats socket to use with -x
- MEDIUM: mworker: exit-on-failure option
- MEDIUM: mworker: workers exit when the master leaves
- DOC: add documentation for the master-worker mode
- MEDIUM: systemd: Type=forking in unit file
- MAJOR: systemd-wrapper: get rid of the wrapper
- MINOR: log: Add logurilen tunable.
- CLEANUP: server.c: missing prototype of srv_free_dns_resolution
- MINOR: dns: smallest DNS fqdn size
- MINOR: dns: functions to manage memory for a DNS resolution structure
- MINOR: dns: parse_server() now uses srv_alloc_dns_resolution()
- REORG: dns: dns_option structure, storage of hostname_dn
- MINOR: dns: new snr_check_ip_callback function
- MAJOR: dns: save a copy of the DNS response in struct resolution
- MINOR: dns: implement a LRU cache for DNS resolutions
- MINOR: dns: make 'ancount' field to match the number of saved records
- MINOR: dns: introduce roundrobin into the internal cache (WIP)
- MAJOR/REORG: dns: DNS resolution task and requester queues
- BUILD: ssl: fix build with OPENSSL_NO_ENGINE
- MINOR: Add Mod Defender integration as contrib
- CLEANUP: str2mask return code comment: non-zero -> zero.
- MINOR: tools: make debug_hexdump() use a const char for the string
- MINOR: tools: make debug_hexdump() take a string prefix
- CLEANUP: connection: remove unused CO_FL_WAIT_DATA
This patch is a major upgrade of the internal run-time DNS resolver in
HAProxy and it brings the following 2 main changes:
1. DNS resolution task
Up to now, DNS resolution was triggered by the health check task.
From now, DNS resolution task is autonomous. It is started by HAProxy
right after the scheduler is available and it is woken either when a
network IO occurs for one of its nameserver or when a timeout is
matched.
From now, this means we can enable DNS resolution for a server without
enabling health checking.
2. Introduction of a dns_requester structure
Up to now, DNS resolution was purposely made for resolving server
hostnames.
The idea, is to ensure that any HAProxy internal object should be able
to trigger a DNS resolution. For this purpose, 2 things has to be done:
- clean up the DNS code from the server structure (this was already
quite clean actually) and clean up the server's callbacks from
manipulating too much DNS resolution
- create an agnostic structure which allows linking a DNS resolution
and a requester of any type (using obj_type enum)
3. Manage requesters through queues
Up to now, there was an uniq relationship between a resolution and it's
owner (aka the requester now). It's a shame, because in some cases,
multiple objects may share the same hostname and may benefit from a
resolution being performed by a third party.
This patch introduces the notion of queues, which are basically lists of
either currently running resolution or waiting ones.
The resolutions are now available as a pool, which belongs to the resolvers.
The pool has has a default size of 64 resolutions per resolvers and is
allocated at configuration parsing.
The default len of request uri in log messages is 1024. In some use
cases, you need to keep the long trail of GET parameters. The only
way to increase this len is to recompile with DEFINE=-DREQURI_LEN=2048.
This commit introduces a tune.http.logurilen configuration directive,
allowing to tune this at runtime.
This patch adds the support of a maximum of 32 engines
in async mode.
Some tests have been done using 2 engines simultaneously.
This patch also removes specific 'async' attribute from the connection
structure. All the code relies only on Openssl functions.
ssl-mode-async is a global configuration parameter which enables
asynchronous processing in OPENSSL for all SSL connections haproxy
handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a
retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous
capable engine is used to perform cryptographic operations. Currently
async mode only supports one async-capable engine.
This is the latest version of the patchset which includes Emeric's
updates :
- improved async fd cleaning when openssl reports an fd to delete
- prevent conn_fd_handler from calling SSL_{read,write,handshake} until
the async fd is ready, as these operations are very slow and waste CPU
- postpone of SSL_free to ensure the async operation can complete and
does not cause a dereference a released SSL.
- proper removal of async fd from the fdtab and removal of the unused async
flag.
This patch adds the global 'ssl-engine' keyword. First arg is an engine
identifier followed by a list of default_algorithms the engine will
operate.
If the openssl version is too old, an error is reported when the option
is used.
When HAProxy is running with multiple processes and some listeners
arebound to processes, the unused sockets were not closed in the other
processes. The aim was to be able to send those listening sockets using
the -x option.
However to ensure the previous behavior which was to close those
sockets, we provided the "no-unused-socket" global option.
This patch changes this behavior, it will close unused sockets which are
not in the same process as an expose-fd socket, making the
"no-unused-socket" option useless.
The "no-unused-socket" option was removed in this patch.
This patch changes the stats socket rights for allowing the sending of
listening sockets.
The previous behavior was to allow any unix stats socket with admin
level to send sockets. It's not possible anymore, you have to set this
option to activate the socket sending.
Example:
stats socket /var/run/haproxy4.sock mode 666 expose-fd listeners level user process 4
Add "b64dec" as a new converter which can be used to decode a base64
encoded string into its binary representation. It performs the inverse
operation of the "base64" converter.
'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver
and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning
and documentation are set accordingly.
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
min-tlsxx and max-tlsxx can be overwrite on local definition. This directives
should be the only ones needed in default-server.
To simplify next patches (rework of tls versions settings with min/max) all
ssl/tls version settings relative to default-server are reverted first:
remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'.
remove from default-server: 'no-sslv3', 'no-tls*'.
Note:
. force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server.
. no-tlsxx is keep for compatibility: should not be propagated to default-server.
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1],
which may not always be a good thing.
The benefit of server side cipher prioritization may not apply to all
cases out there, and it appears that the various SSL libs are going away
from this recommendation ([2], [3]), as insecure ciphers suites are
properly blacklisted/removed and honoring the client's preference is
more likely to improve user experience (for example using SW-friendly
ciphers on devices without HW AES support).
This is especially true for TLSv1.3, which will restrict the cipher
suites to just AES-GCM and Chacha20/Poly1305.
Apache [4], nginx [5] and others give admins full flexibility, we should
as well.
The initial proposal to change the current default and add a
"prefer-server-ciphers" option (as implemented in e566ecb) has been
declined due to the possible security impact.
This patch implements prefer-client-ciphers without changing the defaults.
[1] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
[2] https://github.com/openssl/openssl/issues/541
[3] https://github.com/libressl-portable/portable/issues/66
[4] https://httpd.apache.org/docs/2.0/en/mod/mod_ssl.html#sslhonorcipherorder
[5] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
The sample fetch returns all headers including the last jump line.
The last jump line is used to determine if the block of headers is
truncated or not.
Idea from Aleksandar Lazic: add explanation/links about layer4
tcp-request connection or content reject to "block" keyword.
Add http-request cross ref. to "tcp-request content".
When running with multiple process, if some proxies are just assigned
to some processes, the other processes will just close the file descriptors
for the listening sockets. However, we may still have to provide those
sockets when reloading, so instead we just try hard to pretend those proxies
are dead, while keeping the sockets opened.
A new global option, no-reused-socket", has been added, to restore the old
behavior of closing the sockets not bound to this process.
This reverts commit 266b1a8 ("MEDIUM: server: Inherit CLI weight changes and
agent-check weight responses") from Michal Idzikowski, which is still broken.
It stops propagating weights at the first error encountered, leaving servers
in a random state depending on what LB algorithms are used on other servers
tracking the one experiencing the weight change. It's unsure what the best
way to address this is, but we cannot leave the servers in an inconsistent
state between farms. For example :
backend site1
mode http
balance uri
hash-type consistent
server s1 127.0.0.1:8001 weight 10 track servers/s1
backend site2
mode http
balance uri
server s1 127.0.0.1:8001 weight 10 track servers/s1
backend site3
mode http
balance uri
hash-type consistent
server s1 127.0.0.1:8001 weight 10 track servers/s1
backend servers
server s1 127.0.0.1:8001 weight 10 check inter 1s
The weight change is applied on "servers/s1". It tries to propagate
to the servers tracking it, which are site1/s1, site2/s1 and site3/s1.
Let's say that "weight 50%" is requested. The servers are linked in
reverse-order, so the change is applied to "servers/s1", then to
"site3/s1", then to "site2/s1" and this one fails and rejects the
change. The change is aborted and never propagated to "site1/s1",
which keeps the server in a different state from "site3/s1". At the
very least, in case of error, the changes should probably be unrolled.
Also the error reported on the CLI (when changing from the CLI) simply says :
Backend is using a static LB algorithm and only accepts weights '0%' and '100%'.
Without more indications what the faulty backend is.
Let's revert this change for now, as initially feared it will definitely
cause more harm than good and at least needs to be revisited. It was never
backported to any stable branch so no backport is needed.
When agent-check or CLI command executes relative weight change this patch
propagates it to tracking server allowing grouping many backends running on
same server underneath. Additionaly in case with many src IPs many backends
can have shared state checker, so there won't be unnecessary health checks.
[wt: Note: this will induce some behaviour change on some setups]
