IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
testdir can be a very long directory since it depends on source
directory path, this can lead to failure during tests when UNIX socket
path exceeds maximum allowed length of 97 characters as defined in
str2sa_range().
16:48:14 [ALERT] *** h1 debug| (10082) : config : parsing [/tmp/haregtests-2022-12-17_16-47-39.4RNzIN/vtc.4850.5d0d728a/h1/cfg:19] : 'bind' : socket path 'unix@/local/p4clients/pkgbuild-bB20r/workspace/build/HAProxy/HAProxy-2.7.x.68.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/HAProxy-2.7.x/src/reg-tests/lua/srv3' too long (max 97)
Also, it is not advisable to create UNIX socket in actual source
directory, but instead use dedicated temporary directory create for test
purpose.
This should be backported to 2.6
(cherry picked from commit 103966930afded03bf0e94b668f14f5802ec24b5)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit ec0b6777d6ec17e7b208e29ad5dbf4cd988c2a39)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
The test still need to have more start condition, like ulimit checks
and less strict value checks.
To be backported where it was activated (as far as 2.5)
(cherry picked from commit 7332a123c1bec7b486df4e22a76d454a8c9a1ccf)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit a384f2862b3ad162d0b5ba92448c9c2b76836709)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
The calculated maxconn could produce other values when compiled with
debug options.
Must be backported where 6b6f082 was backported (as far as 2.5).
(cherry picked from commit f98b3b1107208499d8b8d70f63356507c81edecd)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 20bd4a8d1507e3ee6d52cc5af6c23a006b0e3a75)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
change the expected maxconn from 10000 to 11000 in
automatic_maxconn.vtc
To be backported only if the test failed, the value might be the right
one in previous versions.
(cherry picked from commit 2a225390eb78c1b5fb0fc6c5352974e16fbdd952)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit e191844b64bdc894f424a6e30858c7c55d4fd7dc)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Check if USE_OBSOLETE_LINK=1 was used so it could run this test when
ASAN is not built, since ASAN require this option.
For this test to work, the ulimit -n value must be big enough.
Could be backported at least to 2.5.
(cherry picked from commit 6b6f082969acf2694ac9d688d408e3ab6586b1ec)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit b6bfe7b905a4fb8197c30db7fe937840506812af)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Check the maxconn computation with multiple -m parameters.
Broken with ASAN for now.
Could be backported as far as 2.2.
(cherry picked from commit 38c5b6ea971952e2fd5ca6949d2f4076d9c1f6ff)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 8ffe3f24e889c8406cfd29eb6807cb4f45cfad25)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
A "Connection: close" header is added to responses to avoid any connection
reuse. This should avoid any "HTTP header incomplete" errors.
(cherry picked from commit e1b866a28a53035106cb6d1b49b5951e26215d76)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 50339568f9aed04dda6955129e11f92164da30b7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
VTEST does not properly handle 304-Not-Modified responses. If a
Transfer-Encoding header (and probably a Content-Lenght header too), it
waits for a body. Waiting for a fix, the Transfer-Encoding encoding of
cached responses in 2 VTEST scripts are removed.
Note it is now an issue because of a fix in the H1 multiplexer :
* 226082d13a "BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers"
This patch must be backported with the above commit.
(cherry picked from commit a0e1a87948cc1858e82c656d18344051838a4af0)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Test the httpclient when the lua action timeout. The lua timeout is
reached before the httpclient is ended. This test that the httpclient
are correctly cleaned when destroying the hlua context.
Must be backported as far as 2.5.
(cherry picked from commit 4ed0a3a88384a3836cbf162025df7ca41cc4fa5e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
At present option smtpchk closes the TCP connection abruptly on completion of service checking,
even if successful. This can result in a very high volume of errors in backend SMTP server logs.
This patch ensures an SMTP QUIT is sent and a positive 2xx response is received from the SMTP
server prior to disconnection.
This patch depends on the following one:
* MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
This patch should fix the issue #1812. It may be backported as far as 2.2
with the commit above On the 2.2, proxy_parse_smtpchk_opt() function is
located in src/check.c
[cf: I updated reg-tests script accordingly]
(cherry picked from commit 9a8d8a3fd0828a1cb64745318dcc5704a0b4b1a9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This patch adds support to the following authentication methods:
- AUTH_REQ_GSS (7)
- AUTH_REQ_SSPI (9)
- AUTH_REQ_SASL (10)
Note that since AUTH_REQ_SASL allows multiple authentication mechanisms
such as SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, the auth payload length may
vary since the method is sent in plaintext. In order to allow this, the
regex now matches any payload length.
This partially fixes Github issue #1508 since user authentication is
still broken but should restore pre-2.2 behavior.
This should be backported up to 2.2.
Signed-off-by: Fatih Acar <facar@scaleway.com>
(cherry picked from commit 0d6fb7a3eb0a9754348ec15be14a017a1c84df0f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
The s1 server is acting like a SMTP server. But it sends two CRLF at the end of
each line, while only one CRLF must be returned. It only works becaue both CRLF
are received at the same time.
(cherry picked from commit 330af2d7ed2d8d72800fc7761253ff6965681742)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
in 2f2a2884b7464ccb56469cb94d8a1ae4015a8cb6 grep should have use regex flag -E, but flag
was lost by mistake
(cherry picked from commit b6189bc268255b799a77fdffcaaa7b221ca2d7a9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
on Ubuntu-22.04 openssl-3.0.5 is shipped which has changed ec curve
description to "Server Temp Key: ECDH, secp384r1, 384 bits"
(cherry picked from commit 2f2a2884b7464ccb56469cb94d8a1ae4015a8cb6)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
on Ubuntu-22.04 openssl-3.0.5 is shipped which has changed ec curve
description to "Server Temp Key: ECDH, prime256v1, 256 bits"
(cherry picked from commit 0865160b93b1ac8326ac0e5b57be24504070c2c1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Test the log-forward section with an SSL server and an SSL bind.
Must be backported as far as 2.3.
(cherry picked from commit 23bc0b20bd82c983bccb289825c6024730aaf405)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This reg-test test the log-forward feature by chaining a UDP and a TCP
log-forwarder.
It could be backported as far as 2.3.
(cherry picked from commit ebf600a8384040a023b5278c1005ee1a2c04d712)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Depending on the timing, the conneciton on lisrv listener may be fully
accepted before any reject. Thus, instead of getting a socket error, an
invalid L7 response is reported. There is no reason to be strick on the
error type. Any failure is good here, because we just want to test the
email-alert feature.
This patch should fix issue #1857. It may be backported as far as 2.2.
(cherry picked from commit 28bc152aa4a42ba91818aaf2af33ccb76f75a426)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Depending on the timing, time to time, the log messages can be mixed. A
client can start and be fully handled by HAProxy (including its log message)
before the log message of the previous client was emitted or received. To
fix the issue, a barrier was added to be sure to eval the "expect" rule on
logs before starting the next client.
This patch should fix the issue #1847. It may be backported to all branches
containing this reg-tests.
(cherry picked from commit 05ed05b84a4898122568df48bebfd59746ebe2a2)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Write a regtest to test RFC 7540 compliance in regards to multiple
cookie headers concatenation.
(cherry picked from commit d23435df28357ac6a61407685c8ffae4ad550dad)
Signed-off-by: Willy Tarreau <w@1wt.eu>
TCP Health-checks are enabled on server "s2". However it expects to receive
an HTTP requests. So HAProxy configuration must be changed to perform HTTP
health-checks instead. Otherwise, depending on the timing, an error can be
triggered if a check is performed before the end of the script.
This scripts never failed because TCP_QUICKACK was disabled, adding some
latency on health-checks. But since the last fix, it is an issue.
This patch should be backported as far as 2.4.
(cherry picked from commit 529b6a3a2c5e977bd585c75963ef29ce83138a05)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
When using `option http-restrict-req-hdr-names delete`, HAproxy may
crash or delete wrong header after receiving request containing multiple
forbidden characters in single header name; exact behavior depends on
number of request headers, number of forbidden characters and position
of header containing them.
This patch fixes GitHub issue #1822.
Must be backported as far as 2.2 (buggy feature got included in 2.2.25,
2.4.18 and 2.5.8).
(cherry picked from commit 4b85a963be4bfc5aab9295ec627b332662f9e3b3)
Signed-off-by: Willy Tarreau <w@1wt.eu>
An invalid CONNECT request was used and make the script failed because of a
recent fix.
(cherry picked from commit 887a2b5bc4a0d10be771a7ef65c38cc03f7e9abe)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
From time to time, users complain to get 400-Bad-request responses for
totally valid CONNECT requests. After analysis, it is due to the H1 parser
performs an exact match between the authority and the host header value. For
non-CONNECT requests, it is valid. But for CONNECT requests the authority
must contain a port while it is often omitted from the host header value
(for default ports).
So, to be sure to not reject valid CONNECT requests, a basic authority
validation is now performed during the message parsing. In addition, the
host header value is normalized. It means the default port is removed if
possible.
This patch should solve the issue #1761. It must be backported to 2.6 and
probably as far as 2.4.
(cherry picked from commit 3f5fbe940733bba84b5ee875af5b13aa3144aa41)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Add the same certificate in server and bind line so we can try to catch
problems like in issue #1748 when updating over the CLI.
(cherry picked from commit ae6547f65fc7cf63046c854fd8f196759c7656ee)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
The crash occures when the same certificate which is used on both a
server line and a bind line is inserted in a crt-list over the CLI.
This is quite uncommon as using the same file for a client and a server
certificate does not make sense in a lot of environments.
This patch fixes the issue by skipping the insertion of the SNI when no
bind_conf is available in the ckch_inst.
Change the reg-test to reproduce this corner case.
Should fix issue #1748.
Must be backported as far as 2.2. (it was previously in ssl_sock.c)
(cherry picked from commit cb6c5f468341e1902fae7527bfe76921d9d2aea6)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
The info field in the log message may change. For instance, on FreeBSD, a
"broken pipe" is reported. Thus, the expected log message must be more
generic.
(cherry picked from commit af936762d0548bae80bd9898fb3d4465570aedb5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This reg-test is broken since a while. It was simplified to be
functionnal. Now, it only test email alerts.
(cherry picked from commit 52912579eea3680952c7dd9e80c8ea5c298eeca3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This reg-test was backported as far as 2.0. Thus, extend supported versions
accordingly.
This patch must be backported as far as 2.0.
(cherry picked from commit fdf693477a4efed4625b7d61f0f9bd655f562dbb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
This reg-test was backported as far as 2.0. Thus, extend supported versions
accordingly.
This patch must be backported as far as 2.0.
(cherry picked from commit 3d1da9a4408a483104ebe81d35dabcc7692db09e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
The default client timeout is too small to be sure to always wait end of
slow clients (the last 2 clients use a delay to send their request). But it
cannot be increased because it will slow down the regtest execution. So a
dedicated frontend with a higher client timeout has been added. This
frontend is used by "slow" clients. The other one is used for normal
requests.
(cherry picked from commit 33a2745c8738f2b163196d88f23188166a579643)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Depending on the timing, time to time, the log message for "/c4" request can
be received before the one for "/c2" request. To (hopefully) fix the issue,
a barrier has been added to wait "/c2" log message before sending other
requests.
(cherry picked from commit 0f98a156a71120e566c715a08683f0a93e9b02d3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Introduced in:
18c13d3bd MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
see also:
fbbbc33df REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+
Depending on the timing, the second client that should be reported as a
client abort during connection attempt ("CC--" termination state) is
sometime logged as a server close ("SC--" termination state) instead. It
happens because sometime the connection failure to the server s1 is detected
by haproxy before the client c2 aborts. There is no retries and the
connection timeout is set to 100ms. So, to work, the client abort must be
performed and detected by haproxy in less than 100ms.
To fix the issue, the c2 client is now routed to a backend with a connection
timeout set to 1 second and 10 retries. It should be large enough to detect
the client aborts (~10s)
In addition, there is another race condition when the script is
started. sometime, server s1 is not stopped when the first client sends its
request. So a barrier was added to be sure it is stopped before starting to
send requests. And we wait to be sure the server is detected as DOWN to
unblock the barrier. It is performed by a dedicated backend with an
healthcheck on the server s1.
This patch should solve issue #1664.
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.
Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.
When this option is set, the policy must be specify:
* preserve: It disables the filtering. It is the default mode for HTTP
proxies with no FastCGI application configured.
* delete: It removes request headers with a name containing a character
outside the "[a-zA-Z0-9-]" charset. It is the default mode for
HTTP backends with a configured FastCGI application.
* reject: It rejects the request with a 403-Forbidden response if it
contains a header name with a character outside the
"[a-zA-Z0-9-]" charset.
The option is evaluated per-proxy and after http-request rules evaluation.
This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
Since the 2.5, it is possible to define TCP/HTTP ruleset in defaults
sections. However, rules defining a capture in defaults sections was not
properly handled because they was not shared with the proxies inheriting
from the defaults section. This led to crash when haproxy tried to store a
new capture.
So now, to fix the issue, when a new proxy is created, the list of captures
points to the list of its defaults section. It may be NULL or not. All new
caputres are prepended to this list. It is not a problem to share the same
defaults section between several proxies, because it is not altered and we
take care to not release it when corresponding proxies are freed but only
when defaults proxies are freed. To do so, defaults proxies are now
unreferenced at the end of free_proxy() function instead of the beginning.
This patch should fix the issue #1674. It must be backported to 2.5.
DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Adding explicitely a DHE ciphers in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.
This request was described in GitHub issue #1604.
This new converter is similar to the concat converter and can be used to
build new variables made of a succession of other variables but the main
difference is that it does the checks if adding a delimiter makes sense as
wouldn't be the case if e.g the current input sample is empty. That
situation would require 2 separate rules using concat converter where the
first rule would have to check if the current sample string is empty before
adding a delimiter. This resolves GitHub Issue #1621.
In MQTTv3.1, protocol name is "MQIsdp" and protocol level is 3. The mqtt
converters(mqtt_is_valid and mqtt_field_value) did not work for clients on
mqttv3.1 because the mqtt_parse_connect() marked the CONNECT message invalid
if either the protocol name is not "MQTT" or the protocol version is other than
v3.1.1 or v5.0. To fix it, we have added the mqttv3.1 protocol name and version
as part of the checks.
This patch fixes the mqtt converters to support mqttv3.1 clients as well (issue #1600).
It must be backported to 2.4.
In the same way than for be2hex.vtc, a "Connection: close" header is added
to all responses to avoid any connection reuse. This should avoid any "HTTP
header incomplete" errors.
Dynamic servers feature is now judged to be stable enough. Remove the
experimental-mode requirement for "add/del server" commands. This should
facilitate dynamic servers adoption.
These two sample fetch methods report respectively the file name and the
line number where was located the last rule that was final. This is aimed
at being used on log-format lines to help admins figure what rule in the
configuration gave a final verdict, and help understand the condition
that led to the action.
For example, it's now possible to log the last matched rule by adding
this to the log-format:
... lr=%[last_rule_file]:%[last_rule_line]
A regtest is provided to test various combinations of final rules, some
even on top of each other from different rulesets.
In the same way than for normalize_uri.vtc, a "Connection: close" header is
added to all responses to avoid any connection reuse. This should avoid any
"HTTP header incomplete" errors.
There is no connection reuse to avoid race conditions in HTTP reg-tests. But
time to time, normalize_uri.vtc still report "HTTP header incomplete"
error. It seems to be because HTTP keep-alive is still used at the session
level. Thus when the same server section is used to handle multiple requests
for the same client, via a "-repeat" statement, a new request for this client
may be handled by HAProxy before the server is restarted.
To avoid any trouble, HTTP keep-alive is disabled on the server side by
adding "Connection: close" header in responses. It seems to be ok now. We
let the CI decide.
This one started to randomly fail on me again and I could figure the
problem. It mixes one checked server with one unchecked on in each
backend, and tries to make sure that each checked server receives
exactly one request. But that doesn't work and is entirely time-
dependent because if the check starts before the client, a pure
TCP check is sent to the server, which sees an aborted connection
and makes the whole check fail.
Here what is done is that we make sure that only the second server
and not the first one is checked. The traffic is delivered to all
first servers, and each HTTP server must always receive a valid HTTP
request. In parallel, checks must not fail as they're delivered to
dummy servers. The check doesn't fail anymore, even when started on
a single thread at nice +5 while 8 processes are fighting on the same
core to inject HTTP traffic at 25 Gbps, which used to systematically
make it fail previously.
Since it took more than one hour to fix the "expect" line for the stats
output, I did it using a small script that I pasted into the vtc file
in case it's needed later. The relevance of this test is questionable
once its complexity is factored in. Let's keep it as long as it works
without too much effort.
