Commit Graph

2270 Commits

Author SHA1 Message Date
Willy Tarreau
1ba30167a0 MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.
2022-05-24 15:38:54 +02:00
Willy Tarreau
137c8fde78 [RELEASE] Released version 2.6-dev11
Released version 2.6-dev11 with the following main changes :
    - CI: determine actual LibreSSL version dynamically
    - BUG/MEDIUM: ncbuf: fix null buffer usage
    - MINOR: ncbuf: fix warnings for testing build
    - MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
    - MEDIUM: ssl: Delay random generator initialization after config parsing
    - MINOR: ssl: Add 'ssl-propquery' global option
    - MINOR: ssl: Add 'ssl-provider' global option
    - CLEANUP: Add missing header to ssl_utils.c
    - CLEANUP: Add missing header to hlua_fcn.c
    - CLEANUP: Remove unused function hlua_get_top_error_string
    - BUILD: fix build warning on solaris based systems with __maybe_unused.
    - MINOR: tools: add get_exec_path implementation for solaris based systems.
    - BUG/MINOR: ssl: Fix crash when no private key is found in pem
    - CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
    - MINOR: applet: Prepare appctx to own the session on frontend side
    - MINOR: applet: Let the frontend appctx release the session
    - MINOR: applet: Change return value for .init callback function
    - MINOR: stream: Export stream_free()
    - MINOR: applet: Add appctx_init() helper fnuction
    - MINOR: applet: Add a function to finalize frontend appctx startup
    - MINOR: applet: Add function to release appctx on error during init stage
    - MEDIUM: dns: Refactor dns appctx creation
    - MEDIUM: spoe: Refactor SPOE appctx creation
    - MEDIUM: lua: Refactor cosocket appctx creation
    - MEDIUM: httpclient: Refactor http-client appctx creation
    - MINOR: sink: Add a ref to sink in the sink_forward_target structure
    - MEDIUM: sink: Refactor sink forwarder appctx creation
    - MINOR: peers: Add a ref to peers section in the peer structure
    - MEDIUM: peers: Refactor peer appctx creation
    - MINOR: applet: Add API to start applet on a thread subset
    - MEDIUM: applet: Add support for async appctx startup on a thread subset
    - MINOR: peers: Track number of applets run by thread
    - MEDIUM: peers: Balance applets across threads
    - MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
    - CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
    - REGTESTS: abortonclose: Fix some race conditions
    - MINOR: ssl: Add 'ssl-provider-path' global option
    - CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()
    - BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
    - CLEANUP: peers: Remove unreachable code in peer_session_create()
    - CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
    - BUG/MEDIUM: quic: fix Rx buffering
    - OPTIM: quic: realign empty Rx buffer
    - BUG/MINOR: ncbuf: fix ncb_is_empty()
    - MINOR: ncbuf: refactor ncb_advance()
    - BUG/MINOR: mux-quic: update session's idle delay before stream creation
    - MINOR: h3: do not wait a complete frame for demuxing
    - MINOR: h3: flag demux as full on HTX full
    - MEDIUM: mux-quic: implement recv on io-cb
    - MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
    - MINOR: mux-quic: reorganize flow-control frames emission
    - MINOR: mux-quic: implement MAX_STREAM_DATA emission
    - MINOR: mux-quic: implement MAX_DATA emission
    - BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
    - MINOR: mux-quic: free RX buf if empty
    - BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
    - BUG/MINOR: check: Reinit the buffer wait list at the end of a check
    - MEDIUM: check: No longer shutdown the connection in .wake callback function
    - REORG: check: Rename and export I/O callback function
    - MEDIUM: check: Use the CS to handle subscriptions for read/write events
    - BUG/MINOR: quic: break for error on sendto
    - MINOR: quic: abort on unlisted errno on sendto()
    - MINOR: quic: detect EBADF on sendto()
    - BUG/MEDIUM: quic: fix initialization for local/remote TPs
    - CLEANUP: quic: adjust comment/coding style for TPs init
    - BUG/MINOR: cfgparse: abort earlier in case of allocation error
    - MINOR: quic: Dump initial derived secrets
    - MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
    - MINOR: quic_tls: Add quic_tls_decrypt2() implementation
    - MINOR: quic: Retry implementation
    - MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
    - MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
    - BUILD: stats: Missing headers inclusions from stats.h
    - MINOR: quic_stats: Add a new stats module for QUIC
    - MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
    - BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
    - MINOR: quic: QUIC stats counters handling
    - MINOR: quic: Add tune.quic.retry-threshold keyword
    - MINOR: quic: Dynamic Retry implementation
    - MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
    - MINOR: mux-quic: emit FLOW_CONTROL_ERROR
    - MINOR: mux-quic: emit STREAM_LIMIT_ERROR
    - MINOR: mux-quic: close connection on error if different data at offset
    - BUG/MINOR: peers: fix error reporting of "bind" lines
    - CLEANUP: config: improve address parser error report for unmatched protocols
    - CLEANUP: config: provide cleare hints about unsupported QUIC addresses
    - MINOR: protocol: replace ctrl_type with xprt_type and clarify it
    - MINOR: listener: provide a function to process all of a bind_conf's arguments
    - MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
    - CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
    - MINOR: listener: add a new "options" entry in bind_conf
    - CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
    - CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
    - CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
    - CLEANUP: listener: store stream vs dgram at the bind_conf level
    - MINOR: listener: detect stream vs dgram conflict during parsing
    - MINOR: listener: set the QUIC xprt layer immediately after parsing the args
    - MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
    - MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
    - MINOR: config: detect and report mux and transport incompatibilities
    - MINOR: listener: automatically select a QUIC mux with a QUIC transport
    - MINOR: listener: automatically enable SSL if a QUIC transport is found
    - BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
    - BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation
    - BUILD/MINOR: cpuset fix build for FreeBSD 13.1
    - CI: determine actual OpenSSL version dynamically
2022-05-20 23:31:51 +02:00
Frédéric Lécaille
ad20a56971 MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
The QUIC Retry feature is disabled if no "cluster-secret" setting was set.
2022-05-20 16:57:12 +02:00
Remi Tricot-Le Breton
ccc0355c41 MINOR: ssl: Add 'ssl-provider-path' global option
When loading providers with 'ssl-provider' global options, this
ssl-provider-path option can be used to set the search path that is to
be used by openssl. It behaves the same way as the OPENSSL_MODULES
environment variable.
2022-05-17 18:09:17 +02:00
Remi Tricot-Le Breton
1746a388c5 MINOR: ssl: Add 'ssl-provider' global option
When HAProxy is linked to an OpenSSLv3 library, this option can be used
to load a provider during init. You can specify multiple ssl-provider
options, which will be loaded in the order they appear. This does not
prevent OpenSSL from parsing its own configuration file in which some
other providers might be specified.
A linked list of the providers loaded from the configuration file is
kept so that all those providers can be unloaded during cleanup. The
providers loaded directly by OpenSSL will be freed by OpenSSL.
2022-05-17 10:56:05 +02:00
Remi Tricot-Le Breton
e80976526c MINOR: ssl: Add 'ssl-propquery' global option
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
2022-05-17 10:56:05 +02:00
Christopher Faulet
18c13d3bd8 MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.

Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.

When this option is set, the policy must be specify:

  * preserve: It disables the filtering. It is the default mode for HTTP
              proxies with no FastCGI application configured.

  * delete: It removes request headers with a name containing a character
            outside the "[a-zA-Z0-9-]" charset. It is the default mode for
            HTTP backends with a configured FastCGI application.

  * reject: It rejects the request with a 403-Forbidden response if it
            contains a header name with a character outside the
            "[a-zA-Z0-9-]" charset.

The option is evaluated per-proxy and after http-request rules evaluation.

This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
2022-05-16 16:00:26 +02:00
Willy Tarreau
370332572b [RELEASE] Released version 2.6-dev10
Released version 2.6-dev10 with the following main changes :
    - MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
    - MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
    - BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
    - MINOR: compiler: add a new macro to set an attribute on an enum when possible
    - BUILD: stats: conditionally mark obsolete stats states as deprecated
    - BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
    - BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
    - BUILD: listener: shut report of possible null-deref in listener_accept()
    - BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
    - DOC: install: update gcc version requirements
    - BUILD: makefile: add -Wfatal-errors to the default flags
    - BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
    - BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
    - BUG/MINOR: mux-h2: mark the stream as open before processing it not after
    - MINOR: mux-h2: report a trace event when failing to create a new stream
    - DOC: configuration: add the httpclient keywords to the global keywords index
    - MINOR: quic: Add a debug counter for sendto() errors
    - BUG/MINOR: quic: Dropped peer transport parameters
    - BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
    - MINOR: quic: Congestion controller event trace fix (loss)
    - MINOR: quic: Add correct ack delay values to ACK frames
    - MINOR: config: Add "cluster-secret" new global keyword
    - MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
    - MINOR: quic: new_quic_cid() code moving
    - MINOR: quic: Initialize stateless reset tokens with HKDF secrets
    - MINOR: qc_new_conn() rework for stateless reset
    - MINOR: quic: Stateless reset token copy to transport parameters
    - MINOR: quic: Send stateless reset tokens
    - MINOR: quic: Short packets always embed a trailing AEAD TAG
    - CLEANUP: quic: wrong use of eb*entry() macro
    - CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
    - CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
    - MINOR: ncbuf: define non-contiguous buffer
    - MINOR: ncbuf: complete API and define block interal abstraction
    - MINOR: ncbuf: optimize storage for the last gap
    - MINOR: ncbuf: implement insertion
    - MINOR: ncbuf: define various insertion modes
    - MINOR: ncbuf: implement advance
    - MINOR: ncbuf: write unit tests
    - BUG/MEDIUM: lua: fix argument handling in data removal functions
    - DOC/MINOR: fix typos in the lua-api document
    - BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
    - MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
    - CLEANUP: mux-h1: Fix comments and error messages for global options
    - MINOR: conn_stream: make cs_set_error() work on the endpoint instead
    - CLEANUP: mux-h1: always take the endp from the h1s not the cs
    - CLEANUP: mux-h2: always take the endp from the h2s not the cs
    - CLEANUP: mux-pt: always take the endp from the context not the cs
    - CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
    - CLEANUP: mux-quic: always take the endp from the qcs not the cs
    - CLEANUP: applet: use the appctx's endp instead of cs->endp
    - MINOR: conn_stream: add a pointer back to the cs from the endpoint
    - MINOR: mux-h1: remove the now unneeded h1s->cs
    - MINOR: mux-h2: make sure any h2s always has an endpoint
    - MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
    - MINOR: mux-fcgi: make sure any stream always has an endpoint
    - MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
    - MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
    - MINOR: mux-pt: remove the now unneeded conn_stream from the context
    - CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
    - MINOR: applet: replace cs_applet_shut() with appctx_shut()
    - MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
    - CLEANUP: applet: remove the unneeded appctx->owner
    - CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
    - MINOR: ext-check: indicate the transport and protocol of a server
    - BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
    - MINOR: tools: improve error message accuracy in str2sa_range
    - MINOR: config: make sure never to mix dgram and stream protocols on a bind line
    - BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
    - MINOR: xprt_quic: adjust flow-control according to bufsize
    - MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
    - MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
    - CLEANUP: mux-quic: remove unused fields for Rx
    - CLEANUP: quic: remove unused quic_rx_strm_frm
2022-05-14 16:05:50 +02:00
Willy Tarreau
973cf90714 MINOR: ext-check: indicate the transport and protocol of a server
Valerio Pachera explained [1] that external checks would benefit from
having a variable indicating if SSL is being used or not on the server
being checked, and the discussion derived to also indicating the protocol
in use.

This patch adds two environment variables for external checks:
  - HAPROXY_SERVER_SSL: equals "0" when SSL is not used, "1" when it is
  - HAPROXY_SERVER_PROTO: contains one of the following words to describe
    the protocol used with this server:
      - "cli": the haproxy CLI. Normally not seen
      - "syslog": this is a syslog TCP server
      - "peers": this is a peers TCP server
      - "h1": this is an HTTP/1.x server
      - "h2": this is an HTTP/2 server
      - "tcp": this is any other TCP server

The patch is very simple, and may be backported to recent versions if
needed. This closes github issue #1692.

[1] https://www.mail-archive.com/haproxy@formilux.org/msg42233.html
2022-05-13 16:06:29 +02:00
Christopher Faulet
0f9c0f5801 MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
Since the 2.5, for security reason, HTTP/1.0 GET/HEAD/DELETE requests with a
payload are rejected (See e136bd12a "MEDIUM: mux-h1: Reject HTTP/1.0
GET/HEAD/DELETE requests with a payload" for details). However it may be an
issue for old clients.

To avoid any compatibility issue with such clients,
"h1-accept-payload-with-any-method" global option was added. It must only be
set if there is a good reason to do so because it may lead to a request
smuggling attack on some servers or intermediaries.

This patch should solve the issue #1691. it may be backported to 2.5.
2022-05-13 12:04:24 +02:00
Boyang Li
60cfe8b823 DOC/MINOR: fix typos in the lua-api document
Fixes a few typos in the Lua API document.
2022-05-13 08:40:08 +02:00
Frédéric Lécaille
372508cc42 MINOR: config: Add "cluster-secret" new global keyword
It could be usefull to set a ASCII secret which could be used for different
usages. For instance, it will be used to derive QUIC stateless reset tokens.
2022-05-12 17:48:35 +02:00
William Lallemand
cfabb3526b DOC: configuration: add the httpclient keywords to the global keywords index
- httpclient.ssl.verify
    - httpclient.ssl.ca-file
    - httpclient.resolvers.id
    - httpclient.resolvers.prefer
2022-05-12 10:51:15 +02:00
William Lallemand
589570df1f MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
Ignore the files starting with a dot when trying to load a directory
with the "crt" directive.

Should fix issue #1689.
2022-05-09 10:41:51 +02:00
William Lallemand
e4b93eb947 MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
Ignore the files starting with a dot when trying to load a directory
with the "ca-file directive".
2022-05-09 09:33:25 +02:00
Willy Tarreau
e979796584 [RELEASE] Released version 2.6-dev9
Released version 2.6-dev9 with the following main changes :
    - MINOR: mux-quic: support full request channel buffer
    - BUG/MINOR: h3: fix parsing of unknown frame type with null length
    - CLEANUP: backend: make alloc_{bind,dst}_address() idempotent
    - MEDIUM: stream: remove the confusing SF_ADDR_SET flag
    - MINOR: conn_stream: remove the now unused CS_FL_ADDR_*_SET flags
    - CLEANUP: protocol: make sure the connect_* functions always receive a dst
    - MINOR: connection: get rid of the CO_FL_ADDR_*_SET flags
    - MINOR: session: get rid of the now unused SESS_FL_ADDR_*_SET flags
    - CLEANUP: mux: Useless xprt_quic-t.h inclusion
    - MINOR: quic: Make the quic_conn be aware of the number of streams
    - BUG/MINOR: quic: Dropped retransmitted STREAM frames
    - BUG/MINOR: mux_quic: Dropped packet upon retransmission for closed streams
    - MEDIUM: httpclient: remove url2sa to use a more flexible parser
    - MEDIUM: httpclient: http-request rules for resolving
    - MEDIUM: httpclient: allow address and port change for resolving
    - CLEANUP: httpclient: remove the comment about resolving
    - MINOR: httpclient: handle unix and other socket types in dst
    - MINOR: httpclient: rename dash by dot in global option
    - MINOR: init: exit() after pre-check upon error
    - MINOR: httpclient: cleanup the error handling in init
    - MEDIUM: httpclient: hard-error when SSL is configured
    - MINOR: httpclient: allow to configure the ca-file
    - MINOR: httpclient: configure the resolvers section to use
    - MINOR: httpclient: allow ipv4 or ipv6 preference for resolving
    - DOC: configuration: httpclient global option
    - MINOR: conn-stream: Add mask from flags set by endpoint or app layer
    - BUG/MEDIUM: conn-stream: Only keep app layer flags of the endpoint on reset
    - BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
    - BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
    - DOC: config: Update doc for PR/PH session states to warn about rewrite failures
    - MINOR: resolvers: cleanup alert/warning in parse-resolve-conf
    - MINOR: resolvers: move the resolv.conf parser in parse_resolv_conf()
    - MINOR: resolvers: resolvers_new() create a resolvers with default values
    - BUILD: debug: unify the definition of ha_backtrace_to_stderr()
    - BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
    - MEDIUM: resolvers: create a "default" resolvers section at startup
    - DOC: resolvers: default resolvers section
    - BUG/MINOR: startup: usage() when no -cc arguments
    - BUG/MEDIUM: resolvers: make "show resolvers" properly yield
    - BUG/MEDIUM: cli: make "show cli sockets" really yield
    - BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
    - BUG/MINOR: map/cli: protect the backref list during "show map" errors
    - BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
    - BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
    - BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
    - BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
    - BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
    - CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler
    - MINOR: applet: reserve some generic storage in the applet's context
    - CLEANUP: applet: make appctx_new() initialize the whole appctx
    - CLEANUP: stream/cli: take the "show sess" context definition out of the appctx
    - CLEANUP: stream/cli: stop using appctx->st2 for the dump state
    - CLEANUP: stream/cli: remove the unneeded init state from "show sess"
    - CLEANUP: stream/cli: remove the unneeded STATE_FIN state from "show sess"
    - CLEANUP: stream/cli: remove the now unneeded dump state from "show sess"
    - CLEANUP: proxy/cli: take the "show errors" context definition out of the appctx
    - CLEANUP: stick-table/cli: take the "show table" context definition out of the appctx
    - CLEANUP: stick-table/cli: stop using appctx->st2 for the dump state
    - CLEANUP: stick-table/cli: remove the unneeded STATE_INIT for "show table"
    - CLEANUP: map/cli: take the "show map" context definition out of the appctx
    - CLEANUP: map/cli: stop using cli.i0/i1 to store the generation numbers
    - CLEANUP: map/cli: stop using appctx->st2 for the dump state
    - CLEANUP: map/cli: always detach the backref from the list after "show map"
    - CLEANUP: peers/cli: take the "show peers" context definition out of the appctx
    - CLEANUP: peers/cli: stop using appctx->st2 for the dump state
    - CLEANUP: peers/cli: remove unneeded state STATE_INIT
    - CLEANUP: cli: initialize the whole appctx->ctx, not just the stats part
    - CLEANUP: promex: make the applet use its own context
    - CLEANUP: promex: stop using appctx->st2
    - CLEANUP: stats/cli: take the "show stat" context definition out of the appctx
    - CLEANUP: stats/cli: stop using appctx->st2
    - CLEANUP: hlua/cli: take the hlua_cli context definition out of the appctx
    - CLEANUP: ssl/cli: use a local context for "show cafile"
    - CLEANUP: ssl/cli: use a local context for "show crlfile"
    - CLEANUP: ssl/cli: use a local context for "show ssl cert"
    - CLEANUP: ssl/cli: use a local context for "commit ssl cert"
    - CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl cert"
    - CLEANUP: ssl/cli: use a local context for "set ssl cert"
    - CLEANUP: ssl/cli: use a local context for "set ssl cafile"
    - CLEANUP: ssl/cli: use a local context for "set ssl crlfile"
    - CLEANUP: ssl/cli: use a local context for "commit ssl {ca|crl}file"
    - CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl ca/crl"
    - CLEANUP: ssl/cli: stop using ctx.cli.i0/i1/p0 for "show tls-keys"
    - CLEANUP: ssl/cli: add a new "dump_entries" field to "show_keys_ref"
    - CLEANUP: ssl/cli: make "show tlskeys" not use appctx->st2 anymore
    - CLEANUP: ssl/cli: make "show ssl ocsp-response" not use cli.p0 anymore
    - CLEANUP: ssl/cli: make "{show|dump} ssl crtlist" use its own context
    - CLEANUP: ssl/cli: make "add ssl crtlist" use its own context
    - CLEANUP: ssl/cli: make "add ssl crtlist" not use st2 anymore
    - CLEANUP: dns: stop abusing the sink forwarder's context
    - CLEANUP: sink: use the generic context to store the forwarder's context
    - CLEANUP: activity/cli: make "show profiling" not use ctx.cli anymore
    - CLEANUP: debug/cli: make "debug dev fd" not use ctx.cli anymore
    - CLEANUP: debug/cli: make "debug dev memstats" not use ctx.cli anymore
    - CLEANUP: ring: pass the ring watch flags to ring_attach_cli(), not in ctx.cli
    - CLEANUP: ring/cli: use a locally-defined context instead of using ctx.cli
    - CLEANUP: resolvers/cli: make "show resolvers" use a locally-defined context
    - CLEANUP: resolvers/cli: remove the unneeded appctx->st2 from "show resolvers"
    - CLEANUP: cache/cli: make use of a locally defined context for "show cache"
    - CLEANUP: proxy/cli: make use of a locally defined context for "show servers"
    - CLEANUP: proxy/cli: get rid of appctx->st2 in "show servers"
    - CLEANUP: proxy/cli: make "show backend" only use the generic context
    - CLEANUP: cli: make "show fd" use its own context
    - CLEANUP: cli: make "show env" use its own context
    - CLEANUP: cli: simplify the "show cli sockets" I/O handler
    - CLEANUP: cli: make "show cli sockets" use its own context
    - CLEANUP: httpclient/cli: use a locally-defined context instead of ctx.cli
    - CLEANUP: httpclient: do not use the appctx.ctx anymore
    - CLEANUP: peers: do not use appctx.ctx anymore
    - CLEANUP: spoe: do not use appctx.ctx anymore
    - BUILD: applet: mark the CLI's generic variables as deprecated
    - BUILD: applet: mark the appctx's st2 variable as deprecated
    - CLEANUP: cache: take the context out of appctx.ctx
    - MEDIUM: lua: move the cosocket storage outside of appctx.ctx
    - MINOR: lua: move the tcp service storage outside of appctx.ctx
    - MINOR: lua: move the http service context out of appctx.ctx
    - CLEANUP: cli: move the status print context into its own context
    - CLEANUP: stats: rename the stats state values an mark the old ones deprecated
    - DOC: internal: document the new cleaner approach to the appctx
    - MINOR: tcp: socket translate TCP_KEEPIDLE for macOs equivalent
    - DOC: fix typo "ant" for "and" in INSTALL
    - CI: dynamically determine actual version of h2spec
2022-05-08 11:44:15 +02:00
Willy Tarreau
8f7133e242 DOC: internal: document the new cleaner approach to the appctx
It explains the problems with the previous union, the temporary state
for the transition between 2.6 and 2.7, and how to perform the changes.
2022-05-06 18:33:49 +02:00
William Lallemand
c33df2e524 DOC: resolvers: default resolvers section
Add a paragraph about the default resolvers section generated by
HAProxy.
2022-05-06 17:16:23 +02:00
Christopher Faulet
24dda9403a DOC: config: Update doc for PR/PH session states to warn about rewrite failures
When an HTTP header rewrite failure is triggered, and 500-internal-error
response is returned. A "PR" termination state is logged if the error
occurred on the request and "PH" if the error is reported for the response.

The documentation was updated accordingly.

This patch is related to issue #1597.
2022-05-05 12:27:08 +02:00
William Lallemand
de1803f8a9 DOC: configuration: httpclient global option
Documentation about the 4 options in the global section for the
httpclient:

- httpclient.ssl.verify
- httpclient.ssl.ca-file
- httpclient.resolvers.id
- httpclient.resolvers.prefer
2022-05-04 18:14:25 +02:00
Willy Tarreau
026fef98a0 [RELEASE] Released version 2.6-dev8
Released version 2.6-dev8 with the following main changes :
    - BUG/MINOR: quic: fix use-after-free with trace on ACK consume
    - BUG/MINOR: rules: Forbid captures in defaults section if used by a backend
    - BUG/MEDIUM: rules: Be able to use captures defined in defaults section
    - BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
    - BUG/MINOR: http-act: make release_http_redir() more robust
    - BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args
    - MINOR: sample: don't needlessly call c_none() in sample_fetch_as_type()
    - MINOR: sample: make the bool type cast to bin
    - MEDIUM: backend: add new "balance hash <expr>" algorithm
    - MINOR: init: add global setting "fd-hard-limit" to bound system limits
    - BUILD: pollers: use an initcall to register the pollers
    - BUILD: xprt: use an initcall to register the transport layers
    - BUILD: thread: use initcall instead of a constructor
    - BUILD: http: remove the two unused constructors in rules and ana
    - CLEANUP: compression: move the default setting of maxzlibmem to defaults
    - MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN
    - BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time'
    - MINOR: fd: add functions to set O_NONBLOCK and FD_CLOEXEC
    - CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec()
    - CLEANUP: tree-wide: remove 25 occurrences of unneeded fcntl.h
    - REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
    - REGTESTS: webstats: remove unused stats socket in /tmp
    - MEDIUM: httpclient: disable SSL when the ca-file couldn't be loaded
    - BUG/MINOR: httpclient/lua: error when the httpclient_start() fails
    - BUG/MINOR: ssl: free the cafile entries on deinit
    - BUG/MINOR: ssl: memory leak when trying to load a directory with ca-file
    - MEDIUM: httpclient: re-enable the verify by default
    - BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
    - BUILD: compiler: properly distinguish weak and global symbols
    - MINOR: connection: Add way to disable active connection closing during soft-stop
    - BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
    - CLEANUP: Destroy `http_err_chunks` members during deinit
    - BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
    - MINOR: Call deinit_and_exit(0) for `haproxy -vv`
    - BUILD: fd: disguise the fd_set_nonblock/cloexec result
    - BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
    - MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"
    - CLEANUP: errors: also call deinit_errors_buffers() on deinit()
    - CLEANUP: chunks: release trash also in deinit
    - CLEANUP: deinit: release the pre-check callbacks
    - CLEANUP: deinit: release the config postparsers
    - CLEANUP: listeners/deinit: release accept queue tasklets on deinit
    - CLEANUP: connections/deinit: destroy the idle_conns tasks
    - BUG/MINOR: mux-quic: fix build in release mode
    - MINOR: mux-quic: adjust comment on emission function
    - MINOR: mux-quic: remove unused bogus qcc_get_stream()
    - BUG/MINOR: mux-quic: fix leak if cs alloc failure
    - MINOR: mux-quic: count local flow-control stream limit on reception
    - BUG/MINOR: h3: fix incomplete POST requests
    - BUG/MEDIUM: h3: fix use-after-free on mux Rx buffer wrapping
    - MINOR: mux-quic: partially copy Rx frame if almost full buf
    - MINOR: h3: change frame demuxing API
    - MINOR: mux-quic: add a app-layer context in qcs
    - MINOR: h3: implement h3 stream context
    - MINOR: h3: support DATA demux if buffer full
    - MINOR: quic: decode as much STREAM as possible
    - MINOR: quic: Improve qc_prep_pkts() flexibility
    - MINOR: quic: Prepare quic_frame struct duplication
    - MINOR: quic: Do not retransmit frames from coalesced packets
    - MINOR: quic: Add traces about TX frame memory releasing
    - MINOR: quic: process_timer() rework
    - MEDIUM: quic: New functions for probing rework
    - MEDIUM: quic: Retransmission functions rework
    - MEDIUM: quic: qc_requeue_nacked_pkt_tx_frms() rework
    - MINOR: quic: old data distinction for qc_send_app_pkt()
    - MINOR: quic: Mark packets as probing with old data
    - MEDIUM: quic: Mark copies of acknowledged frames as acknowledged
    - MEDIUM: quic: Enable the new datagram probing process
    - MINOR: quic: Do not send ACK frames when probing
    - BUG/MINOR: quic: Wrong returned status by qc_build_frms()
    - BUG/MINOR: quic: Avoid sending useless PADDING frame
    - BUG/MINOR: quic: Traces fix about remaining frames upon packet build failure
    - MINOR: quic: Wake up the mux to probe with new data
    - BUG/MEDIUM: quic: Possible crash on STREAM frame loss
    - BUG/MINOR: quic: Missing Initial packet length check
    - CLEANUP: quic: Rely on the packet length set by qc_lstnr_pkt_rcv()
    - MINOR: quic: Drop 0-RTT packets if not allowed
    - BUG/MINOR: httpclient/ssl: use the correct verify constant
    - BUG/MEDIUM: conn-stream: Don't erase endpoint flags on reset
    - BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
    - BUG/MINOR: httpclient: Count metadata in size to transfer via htx_xfer_blks()
    - MINOR: httpclient: Don't use co_set_data() to decrement output
    - BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
    - MEDIUM: quic: do not ACK packet with STREAM if MUX not present
    - MEDIUM: quic: do not ack packet with invalid STREAM
    - MINOR: quic: Drop 0-RTT packets without secrets
    - CLEANUP: quic: Remaining fprintf() debug trace
    - MINOR: quic: moving code for QUIC loss detection
    - BUG/MINOR: quic: Missing time threshold multiplifier for loss delay computation
    - CI: github actions: update LibreSSL to 3.5.2
    - SCRIPTS: announce-release: add URL of dev packages
2022-04-30 14:17:51 +02:00
Thomas Prckl
10243938db MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"
Low footprint client machines may not have enough memory to download a
complete 16KB TLS record at once. With the new option the maximum
record size can be defined on the server side.

Note: Before limiting the the record size on the server side, a client should
consider using the TLS Maximum Fragment Length Negotiation Extension defined
in RFC6066.

This patch fixes GitHub issue #1679.
2022-04-27 16:53:43 +02:00
Remi Tricot-Le Breton
4d7fdc65d4 MINOR: connection: Add way to disable active connection closing during soft-stop
If the "close-spread-time" option is set to "infinite", active
connection closing during a soft-stop can be disabled. The 'connection:
close' header or the GOAWAY frame will not be added anymore to the
server's response and active connections will only be closed once the
clients disconnect. Idle connections will not be closed all at once when
the soft-stop starts anymore, and each idle connection will follow its
own timeout based on the multiple timeouts set in the configuration (as
is the case during regular execution).

This feature request was described in GitHub issue #1614.
This patch should be backported to 2.5. It depends on 'MEDIUM: global:
Add a "close-spread-time" option to spread soft-stop on time window'.
2022-04-26 19:56:47 +02:00
Willy Tarreau
2df1fbf816 MINOR: init: add global setting "fd-hard-limit" to bound system limits
On some systems, the hard limit for ulimit -n may be huge, in the order
of 1 billion, and using this to automatically compute maxconn doesn't
work as it requires way too much memory. Users tend to hard-code maxconn
but that's not convenient to manage deployments on heterogenous systems,
nor when porting configs to developers' machines. The ulimit-n parameter
doesn't work either because it forces the limit. What most users seem to
want (and it makes sense) is to respect the system imposed limits up to
a certain value and cap this value. This is exactly what fd-hard-limit
does.

This addresses github issue #1622.
2022-04-25 18:04:49 +02:00
Willy Tarreau
7c9a0fe2a6 MEDIUM: backend: add new "balance hash <expr>" algorithm
Almost all of our hash-based LB algorithms are implemented as special
cases of something that can now be achieved using sample expressions,
and some of them have adopted some options to adapt their behavior in
ways that could also be achieved using converters.

There are users who want to hash other parameters that are combined
into variables, and who set headers from these values and use
"balance hdr(name)" for this.

Instead of constantly implementing specific options and having users
hack around when they want a real hash, let's implement a native hash
mode that applies to a standard sample expression. This way, any
fetchable element (including variables) may be used to construct the
hash, even modified by any converter if desired.
2022-04-25 16:09:26 +02:00
Willy Tarreau
3e69fcc240 [RELEASE] Released version 2.6-dev7
Released version 2.6-dev7 with the following main changes :
    - BUILD: calltrace: fix wrong include when building with TRACE=1
    - MINOR: ssl: Use DH parameters defined in RFC7919 instead of hard coded ones
    - MEDIUM: ssl: Disable DHE ciphers by default
    - BUILD: ssl: Fix compilation with OpenSSL 1.0.2
    - MINOR: mux-quic: split xfer and STREAM frames build
    - REORG: quic: use a dedicated module for qc_stream_desc
    - MINOR: quic-stream: use distinct tree nodes for quic stream and qcs
    - MINOR: quic-stream: add qc field
    - MEDIUM: quic: implement multi-buffered Tx streams
    - MINOR: quic-stream: refactor ack management
    - MINOR: quic: limit total stream buffers per connection
    - MINOR: mux-quic: implement immediate send retry
    - MINOR: cfg-quic: define tune.quic.conn-buf-limit
    - MINOR: ssl: Add 'show ssl providers' cli command and providers list in -vv option
    - REGTESTS: ssl: Update error messages that changed with OpenSSLv3.1.0-dev
    - BUG/MEDIUM: quic: Possible crash with released mux
    - BUG/MINOR: mux-quic: unsubscribe on release
    - BUG/MINOR: mux-quic: handle null timeout
    - BUG/MEDIUM: logs: fix http-client's log srv initialization
    - BUG/MINOR: mux-quic: remove dead code in qcs_xfer_data()
    - DEV: stream: Fix conn-streams dump in full stream message
    - CLEANUP: conn-stream: Rename cs_conn_close() and cs_conn_drain_and_close()
    - CLEANUP: conn-stream: Rename cs_applet_release()
    - MINOR: conn-stream: Rely on endpoint shutdown flags to shutdown an applet
    - BUG/MINOR: cache: Disable cache if applet creation fails
    - BUG/MINOR: backend: Don't allow to change backend applet
    - BUG/MEDIUM: conn-stream: Set back CS to RDY state when the appctx is created
    - MINOR: stream: Don't needlessly detach server endpoint on early client abort
    - MINOR: conn-stream: Make cs_detach_* private and use cs_destroy() from outside
    - MINOR: init: add the pre-check callback
    - MEDIUM: httpclient: change the init sequence
    - MEDIUM: httpclient/ssl: verify required
    - MINOR: httpclient/mworker: disable in the master process
    - MEDIUM: httpclient/ssl: verify is configurable and disabled by default
    - BUG/MAJOR: connection: Never remove connection from idle lists outside the lock
    - BUG/MEDIUM: mux-quic: fix stalled POST requets
    - BUG/MINOR: mux-quic: fix POST with abortonclose
    - MINOR: task: add a new task_instant_wakeup() function
    - MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks
    - DOC: remove my name from the config doc
2022-04-23 04:38:36 +02:00
Willy Tarreau
1401b9cd3a DOC: remove my name from the config doc
I was surprised to notice that my name was still present as the author
at the top of the config manual. It turns out that this line and a few
other ones in this file remained unchanged since commit 6a06a40501 that
added this doc 15 years ago! It's long been time to get rid of this!
2022-04-23 04:32:43 +02:00
William Lallemand
b53eb8790e MINOR: init: add the pre-check callback
This adds a call to function <fct> to the list of functions to be called at
the step just before the configuration validity checks. This is useful when you
need to create things like it would have been done during the configuration
parsing and where the initialization should continue in the configuration
check.
It could be used for example to generate a proxy with multiple servers using
the configuration parser itself. At this step the trash buffers are allocated.
Threads are not yet started so no protection is required. The function is
expected to return non-zero on success, or zero on failure. A failure will make
the process emit a succinct error message and immediately exit.
2022-04-22 15:45:47 +02:00
Remi Tricot-Le Breton
f87c67e5e4 MINOR: ssl: Add 'show ssl providers' cli command and providers list in -vv option
Starting from OpenSSLv3, providers are at the core of cryptography
functions. Depending on the provider used, the way the SSL
functionalities work could change. This new 'show ssl providers' CLI
command allows to show what providers were loaded by the SSL library.
This is required because the provider configuration is exclusively done
in the OpenSSL configuration file (/usr/local/ssl/openssl.cnf for
instance).
A new line is also added to the 'haproxy -vv' output containing the same
information.
2022-04-21 14:54:45 +02:00
Amaury Denoyelle
97e84c6c69 MINOR: cfg-quic: define tune.quic.conn-buf-limit
Add a new global configuration option to set the limit of buffers per
QUIC connection. By default, this value is set to 30.
2022-04-21 12:04:04 +02:00
Remi Tricot-Le Breton
1d6338ea96 MEDIUM: ssl: Disable DHE ciphers by default
DHE ciphers do not present a security risk if the key is big enough but
they are slow and mostly obsoleted by ECDHE. This patch removes any
default DH parameters. This will effectively disable all DHE ciphers
unless a global ssl-dh-param-file is defined, or
tune.ssl.default-dh-param is set, or a frontend has DH parameters
included in its PEM certificate. In this latter case, only the frontends
that have DH parameters will have DHE ciphers enabled.
Adding explicitely a DHE ciphers in a "bind" line will not be enough to
actually enable DHE. We would still need to know which DH parameters to
use so one of the three conditions described above must be met.

This request was described in GitHub issue #1604.
2022-04-20 17:30:55 +02:00
Willy Tarreau
a8b1065b6b [RELEASE] Released version 2.6-dev6
Released version 2.6-dev6 with the following main changes :
    - CLEANUP: connection: reduce the with of the mux dump output
    - CI: Update to actions/checkout@v3
    - CI: Update to actions/cache@v3
    - DOC: adjust QUIC instruction in INSTALL
    - BUG/MINOR: stats: define the description' background color in dark color scheme
    - BUILD: ssl: add USE_ENGINE and disable the openssl engine by default
    - BUILD: makefile: pass USE_ENGINE to cflags
    - BUILD: xprt-quic: replace ERR_func_error_string() with ERR_peek_error_func()
    - DOC: install: document the fact that SSL engines are not enabled by default
    - CI: github actions: disable -Wno-deprecated
    - BUILD: makefile: silence unbearable OpenSSL deprecation warnings
    - MINOR: sock: check configured limits at the sock layer, not the listener's
    - MINOR: connection: add a new flag CO_FL_FDLESS on fd-less connections
    - MINOR: connection: add conn_fd() to retrieve the FD only when it exists
    - MINOR: stream: only dump connections' FDs when they are valid
    - MINOR: connection: use conn_fd() when displaying connection errors
    - MINOR: connection: skip FD-based syscalls for FD-less connections
    - MEDIUM: connection: panic when calling FD-specific functions on FD-less conns
    - MINOR: mux-quic: properly set the flags and name fields
    - MINOR: connection: rearrange conn_get_src/dst to be a bit more extensible
    - MINOR: protocol: add get_src() and get_dst() at the protocol level
    - MINOR: quic-sock: provide a pair of get_src/get_dst functions
    - MEDIUM: ssl: improve retrieval of ssl_sock_ctx and SSL detection
    - MEDIUM: ssl: stop using conn->xprt_ctx to access the ssl_sock_ctx
    - MEDIUM: xprt-quic: implement get_ssl_sock_ctx()
    - MEDIUM: quic: move conn->qc into conn->handle
    - BUILD: ssl: fix build warning with previous changes to ssl_sock_ctx
    - BUILD: ssl: add an unchecked version of __conn_get_ssl_sock_ctx()
    - MINOR: ssl: refine the error testing for fc_err and fc_err_str
    - BUG/MINOR: sock: do not double-close the accepted socket on the error path
    - CI: cirrus: switch to FreeBSD-13.0
    - MINOR: log: add '~' to frontend when the transport layer provides SSL
    - BUILD/DEBUG: lru: fix printf format in debug code
    - BUILD: peers: adjust some printf format to silence cppcheck
    - BUILD/DEBUG: hpack-tbl: fix format string in standalone debug code
    - BUILD/DEBUG: hpack: use unsigned int in printf format in debug code
    - BUILD: halog: fix some incorrect signs in printf formats for integers
    - BUG/MINOR: h3: fix build with DEBUG_H3
    - BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
    - BUG/MINOR: cache: do not display expired entries in "show cache"
    - BUG/MINOR: mux-h1: Don't release unallocated CS on error path
    - MINOR: applet: Make .init callback more generic
    - MINOR: conn-stream: Add flags to set the type of the endpoint
    - MEDIUM: applet: Set the appctx owner during allocation
    - MAJOR: conn-stream: Invert conn-stream endpoint and its context
    - REORG: Initialize the conn-stream by hand in cs_init()
    - MEDIUM: conn-stream: Add an endpoint structure in the conn-stream
    - MINOR: conn-stream: Move some CS flags to the endpoint
    - MEDIUM: conn-stream: Be able to pass endpoint to create a conn-stream
    - MEDIUM: conn-stream: Pre-allocate endpoint to create CS from muxes and applets
    - REORG: applet: Uninline appctx_new function
    - MAJOR: conn-stream: Share endpoint struct between the CS and the mux/applet
    - MEDIUM: conn-stream: Move remaning flags from CS to endpoint
    - MINOR: mux-pt: Rely on the endpoint instead of the conn-stream when possible
    - MINOR: conn-stream: Add ISBACK conn-stream flag
    - MINOR: conn-stream: Add header file with util functions related to conn-streams
    - MEDIUM: tree-wide: Use CS util functions instead of SI ones
    - MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction
    - CLEANUP: http-ana: Remove http_alloc_txn() function
    - MINOR: stream-int/stream: Move conn_retries counter in the stream
    - MINOR: stream: Simplify retries counter calculation
    - MEDIUM: stream-int/conn-stream: Move src/dst addresses in the conn-stream
    - MINOR: stream-int/conn-stream: Move half-close timeout in the conn-stream
    - MEDIUM: stream-int/stream: Use connect expiration instead of SI expiration
    - MINOR: stream-int/conn-stream: Report error to the CS instead of the SI
    - MEDIUM: conn-stream: Use endpoint error instead of conn-stream error
    - MINOR: channel: Use conn-streams as channel producer and consumer
    - MINOR: stream-int: Remove SI_FL_KILL_CON to rely on conn-stream endpoint only
    - MINOR: mux-h2/mux-fcgi: Fully rely on CS_EP_KILL_CONN
    - MINOR: stream-int: Remove SI_FL_NOLINGER/NOHALF to rely on CS flags instead
    - MINOR: stream-int: Remove SI_FL_DONT_WAKE to rely on CS flags instead
    - MINOR: stream-int: Remove SI_FL_INDEP_STR to rely on CS flags instead
    - MINOR: stream-int: Remove SI_FL_SRC_ADDR to rely on stream flags instead
    - CLEANUP: stream-int: Remove unused SI_FL_CLEAN_ABRT flag
    - MINOR: stream: Only save previous connection state for the server side
    - MEDIUM: stream-int: Move SI err_type in the stream
    - MEDIUM: stream-int/conn-stream: Move stream-interface state in the conn-stream
    - MINOR: stream-int/stream: Move si_retnclose() in the stream scope
    - MINOR: stream-int/backend: Move si_connect() in the backend scope
    - MINOR: stream-int/conn-stream: Move si_conn_ready() in the conn-stream scope
    - MINOR: conn-stream/connection: Move SHR/SHW modes in the connection scope
    - MEDIUM: conn-stream: Be prepared to fail to attach a cs to a mux
    - MEDIUM: stream-int/conn-stream: Handle I/O subscriptions in the conn-stream
    - MINOR: conn-stream: Rename CS functions dedicated to connections
    - MINOR: stream-int/conn-stream: Move si_shut* and si_chk* in conn-stream scope
    - MEDIUM: stream-int/conn-stream: Move si_ops in the conn-stream scope
    - MINOR: applet: Use the CS to register and release applets instead of SI
    - MINOR: connection: unconst mux's get_fist_cs() callback function
    - MINOR: stream-int/connection: Move conn_si_send_proxy() in the connection scope
    - REORG: stream-int: Export si_cs_recv(), si_cs_send() and si_cs_process()
    - REORG: stream-int: Move si_is_conn_error() in the header file
    - REORG: conn-stream: Move cs_shut* and cs_chk* in cs_utils
    - REORG: conn-stream: Move cs_app_ops in conn_stream.c
    - MINOR: stream-int-conn-stream: Move si_update_* in conn-stream scope
    - MINOR: stream-int/stream: Move si_update_both in stream scope
    - MEDIUM: conn-stream/applet: Add a data callback for applets
    - MINOR: stream-int/conn-stream: Move stream_int_read0() in the conn-stream scope
    - MINOR: stream-int/conn-stream: Move stream_int_notify() in the conn-stream scope
    - MINOR: stream-int/conn-stream: Move si_cs_io_cb() in the conn-stream scope
    - MINOR: stream-int/conn-stream: Move si_sync_recv/send() in conn-stream scope
    - MINOR: conn-stream: Move si_conn_cb in the conn-stream scope
    - MINOR: stream-int/conn-stream Move si_is_conn_error() in the conn-stream scope
    - MINOR: stream-int/conn-stream: Move si_alloc_ibuf() in the conn-stream scope
    - CLEANUP: stream-int:  Remove unused SI functions
    - MEDIUM: stream-int/conn-stream: Move blocking flags from SI to CS
    - MEDIUM: stream-int/conn-stream: Move I/O functions to conn-stream
    - REORG: stream-int/conn-stream: Move remaining functions to conn-stream
    - MINOR: stream: Use conn-stream to report server error
    - MINOR: http-ana: Use CS to perform L7 retries
    - MEDIUM: stream: Don't use the stream-int anymore in process_stream()
    - MINOR: conn-stream: Remove the stream-interface from the conn-stream
    - DEV: flags: No longer dump SI flags
    - CLEANUP: tree-wide: Remove any ref to stream-interfaces
    - CLEANUP: conn-stream: Don't export internal functions
    - DOC: conn-stream: Add comments on functions of the new CS api
    - MEDIUM: check: Use a new conn-stream for each health-check run
    - CLEANUP: muxes: Remove MX_FL_CLEAN_ABRT flag
    - MINOR: conn-stream: Use a dedicated function to conditionally remove a CS
    - CLEANUP: conn-stream: rename cs_register_applet() to cs_applet_create()
    - MINOR: muxes: Improve show_fd callbacks to dump endpoint flags
    - MINOR: mux-h1: Rely on the endpoint instead of the conn-stream when possible
    - BUG/MINOR: quic: Avoid starting the mux if no ALPN sent by the client
    - BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak
    - BUILD: initcall: mark the __start_i_* symbols as weak, not global
    - BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
    - BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
    - MINOR: muxes: Don't expect to have a mux without connection in destroy callback
    - MINOR: muxes: Don't handle proto upgrade for muxes not supporting it
    - MINOR: muxes: Don't expect to call release function with no mux defined
    - MINOR: conn-stream: Use unsafe functions to get conn/appctx in cs_detach_endp
    - BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
    - BUILD: http-client: Avoid dead code when compiled without SSL support
    - BUG/MINOR: mux-quic: prevent a crash in session_free on mux.destroy
    - BUG/MINOR: quic-sock: do not double free session on conn init failure
    - BUG/MINOR: quic: fix return value for error in start
    - MINOR: quic: emit CONNECTION_CLOSE on app init error
    - BUILD: sched: workaround crazy and dangerous warning in Clang 14
    - BUILD: compiler: use a more portable set of asm(".weak") statements
    - BUG/MEDIUM: stream: do not abort connection setup too early
    - CLEANUP: extcheck: do not needlessly preset the server's address/port
    - MINOR: extcheck: fill in the server's UNIX socket address when known
    - BUG/MEDIUM: connection: Don't crush context pointer location if it is a CS
    - BUG/MEDIUM: quic: properly clean frames on stream free
    - BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added
    - BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
    - MINOR: tcp_sample: clarifying samples support per os, for further expansion.
    - MINOR: tcp_sample: extend support for get_tcp_info to macOs.
    - SCRIPTS: announce-release: update the doc's URL
    - DOC: lua: update a few doc URLs
    - SCRIPTS: announce-release: add shortened links to pending issues
2022-04-16 12:15:47 +02:00
Willy Tarreau
77ec462670 DOC: lua: update a few doc URLs
The HAProxy doc was updated to point to docs.haproxy.org.
The HAProxy API doc was returning a 404, let's point to version 2.6.
This should be backported with 1.9dev modified to match the respective
versions.
2022-04-16 07:58:19 +02:00
Christopher Faulet
a97ccedf6f CLEANUP: muxes: Remove MX_FL_CLEAN_ABRT flag
This flag is unused. Thus, it may be removed. No reason to still set it. It
also cleans up "haproxy -vv" output.
2022-04-13 15:10:16 +02:00
Willy Tarreau
d3b4cd11f7 [RELEASE] Released version 2.6-dev5
Released version 2.6-dev5 with the following main changes :
    - DOC: reflect H2 timeout changes
    - BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing
    - BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing
    - BUG/MINOR: log: Initialize the list element when allocating a new log server
    - BUG/MINOR: samples: add missing context names for sample fetch functions
    - MINOR: management: add some basic keyword dump infrastructure
    - MINOR: config: add a function to dump all known config keywords
    - MINOR: filters: extend flt_dump_kws() to dump to stdout
    - MINOR: services: extend list_services() to dump to stdout
    - MINOR: cli: add a new keyword dump function
    - MINOR: acl: add a function to dump the list of known ACL keywords
    - MINOR: samples: add a function to list register sample fetch keywords
    - MINOR: sample: list registered sample converter functions
    - MINOR: tools: add strordered() to check whether strings are ordered
    - MINOR: action: add a function to dump the list of actions for a ruleset
    - MINOR: config: alphanumerically sort config keywords output
    - MINOR: sample: alphanumerically sort sample & conv keyword dumps
    - MINOR: acl: alphanumerically sort the ACL dump
    - MINOR: cli: alphanumerically sort the dump of supported commands
    - MINOR: filters: alphabetically sort the list of filter names
    - MINOR: services: alphabetically sort service names
    - MEDIUM: httpclient/lua: be stricter with httpclient parameters
    - MINOR: ssl: split the cert commit io handler
    - MINOR: ssl: move the cert_exts and the CERT_TYPE enum
    - MINOR: ssl: simplify the certificate extensions array
    - MINOR: ssl: export ckch_inst_rebuild()
    - MINOR: ssl: add "crt" in the cert_exts array
    - MINOR: ssl/lua: CertCache.set() allows to update an SSL certificate file
    - BUILD: ssl/lua: CacheCert needs OpenSSL
    - DOC: lua: CertCache class documentation
    - BUG/MEDIUM: quic: do not use qcs from quic_stream on ACK parsing
    - MINOR: mux-quic: return qcs instance from qcc_get_qcs
    - MINOR: mux-quic: reorganize qcs free
    - MINOR: mux-quic: define release app-ops
    - BUG/MINOR: h3: release resources on close
    - BUG/MINOR: mux-quic: ensure to free all qcs on MUX release
    - CLEANUP: quic: complete comment on qcs_try_to_consume
    - MINOR: quic: implement stream descriptor for transport layer
    - MEDIUM: quic: move transport fields from qcs to qc_conn_stream
    - MEDIUM: mux-quic: remove qcs tree node
    - BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads
    - DOC: management: add missing dot in 9.4.1
    - BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
    - DOC: remove double blanks in configuration.txt
    - CI: github actions: update OpenSSL to 3.0.2
    - BUG/MEDIUM: quic: Possible crash in ha_quic_set_encryption_secrets()
    - CLEANUP: quic: Remove all atomic operations on quic_conn struct
    - CLEANUP: quic: Remove all atomic operations on packet number spaces
    - MEDIUM: quic: Send ACK frames asap
    - BUG/MINOR: quic: Missing probing packets when coalescing
    - BUG/MINOR: quic: Discard Initial packet number space only one time
    - MINOR: quic: Do not display any timer value from process_timer()
    - BUG/MINOR: quic: Do not probe from an already probing packet number space
    - BUG/MINOR: quic: Non duplicated frames upon fast retransmission
    - BUG/MINOR: quic: Too much prepared retransmissions due to anti-amplification
    - MINOR: quic: Useless call to SSL_CTX_set_default_verify_paths()
    - MINOR: quic: Add traces about list of frames
    - BUG/MINOR: h3: Missing wait event struct field initialization
    - BUG/MINOR: quic: QUIC TLS secrets memory leak
    - BUG/MINOR: quic: Missing ACK range deallocations
    - BUG/MINOR: quic: Missing TX packet deallocations
    - CLEANUP: hpack: be careful about integer promotion from uint8_t
    - OPTIM: hpack: read 32 bits at once when possible.
    - MEDIUM: ssl: allow loading of a directory with the ca-file directive
    - BUG/MINOR: ssl: continue upon error when opening a directory w/ ca-file
    - MINOR: ssl: ca-file @system-ca loads the system trusted CA
    - DOC: configuration: add the ca-file changes
    - MINOR: sample: converter: Add add_item convertor
    - BUG/MINOR: ssl: handle X509_get_default_cert_dir() returning NULL
    - BUG/MINOR: ssl/cli: Remove empty lines from CLI output
    - MINOR: httpclient: enable request buffering
    - MEDIUM: httpclient: enable l7-retry
    - BUG/MINOR: httpclient: end callback in applet release
    - MINOR: quic: Add draining connection state.
    - MINOR: quic: Add closing connection state
    - BUG/MEDIUM: quic: ensure quic-conn survives to the MUX
    - CLEANUP: quic: use static qualifer on quic_close
    - CLEANUP: mux-quic: remove unused QC_CF_CC_RECV
    - BUG/MINOR: fix memleak on quic-conn streams cleaning
    - MINOR: mux-quic: factorize conn-stream attach
    - MINOR: mux-quic: adjust timeout to accelerate closing
    - MINOR: mux-quic: define is_active app-ops
    - MINOR: mux-quic: centralize send operations in qc_send
    - MEDIUM: mux-quic: report CO_FL_ERROR on send
    - MEDIUM: mux-quic: report errors on conn-streams
    - MEDIUM: quic: report closing state for the MUX
    - BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests
    - BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message
    - BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet
    - BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message
    - BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached
    - BUG/MINOR: http_client: Don't add input data on an empty request buffer
    - BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples
    - BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
    - CLEANUP: mux-quic: remove uneeded TODO in qc_detach
    - BUG/MEDIUM: mux-quic: properly release conn-stream on detach
    - BUG/MINOR: quic: set the source not the destination address on accept()
    - BUG/MEDIUM: quic: Possible crash from quic_free_arngs()
    - MINOR: quic_tls: Add reusable cipher contexts to QUIC TLS contexts
    - MINOR: quic_tls: Stop hardcoding cipher IV lengths
    - CLEANUP: quic: Do not set any cipher/group from ssl_quic_initial_ctx()
    - MINOR: quic: Add short packet key phase bit values to traces
    - MINOR: quic_tls: Make key update use of reusable cipher contexts
    - BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set()
    - BUG/BUILD: opentracing: fixed OT_DEFINE variable setting
    - EXAMPLES: opentracing: refined shell scripts for testing filter performance
    - DOC: opentracing: corrected comments in function descriptions
    - CLEANUP: opentracing: removed unused function flt_ot_var_unset()
    - CLEANUP: opentracing: removed unused function flt_ot_var_get()
    - Revert "MINOR: opentracing: change the scope of the variable 'ot.uuid' from 'sess' to 'txn'"
    - MINOR: opentracing: only takes the variables lock on shared entries
    - CLEANUP: opentracing: added flt_ot_smp_init() function
    - CLEANUP: opentracing: added variable to store variable length
    - MINOR: opentracing: improved normalization of context variable names
    - DEBUG: opentracing: show return values of all functions in the debug output
    - CLEANUP: opentracing: added FLT_OT_PARSE_INVALID_enum enum
    - DEBUG: opentracing: display the contents of the err variable after setting
    - MAJOR: opentracing: reenable usage of vars to transmit opentracing context
    - Revert "BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time"
    - MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window
2022-04-09 11:31:40 +02:00
Remi Tricot-Le Breton
b5d968d9b2 MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window
The new 'close-spread-time' global option can be used to spread idle and
active HTTP connction closing after a SIGUSR1 signal is received. This
allows to limit bursts of reconnections when too many idle connections
are closed at once. Indeed, without this new mechanism, in case of
soft-stop, all the idle connections would be closed at once (after the
grace period is over), and all active HTTP connections would be closed
by appending a "Connection: close" header to the next response that goes
over it (or via a GOAWAY frame in case of HTTP2).

This patch adds the support of this new option for HTTP as well as HTTP2
connections. It works differently on active and idle connections.

On active connections, instead of sending systematically the GOAWAY
frame or adding the 'Connection: close' header like before once the
soft-stop has started, a random based on the remainder of the close
window is calculated, and depending on its result we could decide to
keep the connection alive. The random will be recalculated for any
subsequent request/response on this connection so the GOAWAY will still
end up being sent, but we might wait a few more round trips. This will
ensure that goaways are distributed along a longer time window than
before.

On idle connections, a random factor is used when determining the expire
field of the connection's task, which should naturally spread connection
closings on the time window (see h2c_update_timeout).

This feature request was described in GitHub issue #1614.
This patch should be backported to 2.5. It depends on "BUG/MEDIUM:
mux-h2: make use of http-request and keep-alive timeouts" which
refactorized the timeout management of HTTP2 connections.
2022-04-08 18:15:21 +02:00
Nikola Sale
0dbf03871f MINOR: sample: converter: Add add_item convertor
This new converter is similar to the concat converter and can be used to
build new variables made of a succession of other variables but the main
difference is that it does the checks if adding a delimiter makes sense as
wouldn't be the case if e.g the current input sample is empty. That
situation would require 2 separate rules using concat converter where the
first rule would have to check if the current sample string is empty before
adding a delimiter. This resolves GitHub Issue #1621.
2022-04-04 07:30:58 +02:00
William Lallemand
34107800dd DOC: configuration: add the ca-file changes
Add the documentation about the directory support and @system-ca for the
"ca-file" directive.
2022-04-01 23:52:50 +02:00
Aleksandar Lazic
332258a778 DOC: remove double blanks in configuration.txt
Double blanks in keywords are not good for the html documentation parser.
This commit fixes the double blanks for tcp-request content use-service.
2022-03-31 16:58:52 +02:00
William Lallemand
a662275e84 DOC: management: add missing dot in 9.4.1
The 9.4.1 chapter is missing the dot at the end of the chapter numbers.
Which broke the haproxy-dconv html generation.

No backport needed, 2.6 only.
2022-03-31 15:28:42 +02:00
William Lallemand
10cea5cd6d DOC: lua: CertCache class documentation
Document the CertCache API which is used to update a certificate file in
memory using lua.
2022-03-30 16:02:43 +02:00
Willy Tarreau
76871a4f8c MINOR: management: add some basic keyword dump infrastructure
It's difficult from outside haproxy to detect the supported keywords
and syntax. Interestingly, many of our modern keywords are enumerated
since they're registered from constructors, so it's not very hard to
enumerate most of them.

This patch creates some basic infrastructure to support dumping existing
keywords from different classes on stdout. The format will differ depending
on the classes, but the idea is that the output could easily be passed to
a script that generates some simple syntax highlighting rules, completion
rules for editors, syntax checkers or config parsers.

The principle chosen here is that if "-dK" is passed on the command-line,
at the end of the parsing the registered keywords will be dumped for the
requested classes passed after "-dK". Special name "help" will show known
classes, while "all" will execute all of them. The reason for doing that
after the end of the config processor is that it will also enumerate
internally-generated keywords, Lua or even those loaded from external
code (e.g. if an add-on is loaded using LD_PRELOAD). A typical way to
call this with a valid config would be:

    ./haproxy -dKall -q -c -f /path/to/config

If there's no config available, feeding /dev/null will also do the job,
though it will not be able to detect dynamically created keywords, of
course.

This patch also updates the management doc.

For now nothing but the help is listed, various subsystems will follow
in subsequent patches.
2022-03-29 17:55:54 +02:00
Lukas Tribus
4646e9c9cb DOC: reflect H2 timeout changes
Reverts 75df9d7a7 ("DOC: explain HTTP2 timeout behavior") since H2
connections now respect "timeout http-keep-alive".

If commit 15a4733d5d ("BUG/MEDIUM: mux-h2: make use of http-request
and keep-alive timeouts") is backported, this DOC change needs to
be backported along with it.
2022-03-26 22:46:44 +01:00
Willy Tarreau
0541c2b978 [RELEASE] Released version 2.6-dev4
Released version 2.6-dev4 with the following main changes :
    - BUG/MEDIUM: httpclient: don't consume data before it was analyzed
    - CLEANUP: htx: remove unused co_htx_remove_blk()
    - BUG/MINOR: httpclient: consume partly the blocks when necessary
    - BUG/MINOR: httpclient: remove the UNUSED block when parsing headers
    - BUG/MEDIUM: httpclient: must manipulate head, not first
    - REGTESTS: fix the race conditions in be2hex.vtc
    - BUG/MEDIUM: quic: Blocked STREAM when retransmitted
    - BUG/MAJOR: quic: Possible crash with full congestion control window
    - BUG/MINOR: httpclient/lua: stuck when closing without data
    - BUG/MEDIUM: applet: Don't call .release callback function twice
    - BUG/MEDIUM: cli/debug: Properly get the stream-int in all debug I/O handlers
    - BUG/MEDIUM: sink: Properly get the stream-int in appctx callback functions
    - DEV: udp: switch parser to getopt() instead of positional arguments
    - DEV: udp: add support for random packet corruption
    - MINOR: server: export server_parse_sni_expr() function
    - BUG/MINOR: httpclient: send the SNI using the host header
    - BUILD: httpclient: fix build without SSL
    - BUG/MINOR: server/ssl: free the SNI sample expression
    - BUG/MINOR: logs: fix logsrv leaks on clean exit
    - MINOR: actions: add new function free_act_rule() to free a single rule
    - BUG/MINOR: tcp-rules: completely free incorrect TCP rules on error
    - BUG/MINOR: http-rules: completely free incorrect TCP rules on error
    - BUG/MINOR: httpclient: only check co_data() instead of HTTP_MSG_DATA
    - BUG/MINOR: httpclient: process the response when received before the end of the request
    - BUG/MINOR: httpclient: CF_SHUTW_NOW should be tested with channel_is_empty()
    - CI: github actions: switch to LibreSSL-3.5.1
    - BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
    - BUG/MEDIUM: stream-int: do not rely on the connection error once established
    - BUG/MEDIUM: trace: avoid race condition when retrieving session from conn->owner
    - MEDIUM: mux-h2: slightly relax timeout management rules
    - BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
    - BUG/MINOR: rules: Initialize the list element when allocating a new rule
    - BUG/MINOR: http-rules: Don't free new rule on allocation failure
    - DEV: coccinelle: Fix incorrect replacement in ist.cocci
    - CLEANUP: Reapply ist.cocci with `--include-headers-for-types --recursive-includes`
    - DEV: coccinelle: Add a new pattern to ist.cocci
    - CLEANUP: Reapply ist.cocci
    - REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+
    - MINOR: quic: Code factorization (TX buffer reuse)
    - CLEANUP: quic: "largest_acked_pn" pktns struc member moving
    - MEDIUM: quic: Limit the number of ACK ranges
    - MEDIUM: quic: Rework of the TX packets memory handling
    - BUG/MINOR: quic: Possible crash in parse_retry_token()
    - BUG/MINOR: quic: Possible leak in quic_build_post_handshake_frames()
    - BUG/MINOR: quic: Unsent frame because of qc_build_frms()
    - BUG/MINOR: mux-quic: Access to empty frame list from qc_send_frames()
    - BUG/MINOR: mux-quic: Missing I/O handler events initialization
    - BUG/MINOR: quic: Missing TX packet initializations
    - BUG/MINOR: quic: 1RTT packets ignored after mux was released
    - BUG/MINOR: quic: Incorrect peer address validation
    - BUG/MINOR: quic: Non initialized variable in quic_build_post_handshake_frames()
    - BUG/MINOR: quic: Wrong TX packet related counters handling
    - MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value converters for MQTTv3.1
    - DOC: config: Explictly add supported MQTT versions
    - MINOR: quic: Add traces about stream TX buffer consumption
    - MINOR: quic: Add traces in qc_set_timer() (scheduling)
    - CLEANUP: mux-quic: change comment style to not mess with git conflict
    - CLEANUP: mux-quic: adjust comment for coding-style
    - MINOR: mux-quic: complete trace when stream is not found
    - MINOR: mux-quic: add comments for send functions
    - MINOR: mux-quic: use shorter name for flow-control fields
    - MEDIUM: mux-quic: respect peer bidirectional stream data limit
    - MEDIUM: mux-quic: respect peer connection data limit
    - MINOR: mux-quic: support MAX_STREAM_DATA frame parsing
    - MINOR: mux-quic: support MAX_DATA frame parsing
    - BUILD: stream-int: avoid a build warning when DEBUG is empty
    - BUG/MINOR: quic: Wrong buffer length passed to generate_retry_token()
    - BUG/MINOR: tools: fix url2sa return value with IPv4
    - MINOR: mux-quic: convert fin on push-frame as boolean
    - BUILD: quic: add missing includes
    - REORG: quic: use a dedicated quic_loss.c
    - MINOR: mux-quic: declare the qmux trace module
    - MINOR: mux-quic: replace printfs by traces
    - MINOR: mux-quic: add trace event for frame sending
    - MINOR: mux-quic: add trace event for qcs_push_frame
    - MINOR: mux-quic: activate qmux traces on stdout via macro
    - BUILD: qpack: fix unused value when not using DEBUG_HPACK
    - CLEANUP: qpack: suppress by default stdout traces
    - CLEANUP: h3: suppress by default stdout traces
    - BUG/MINOR: tools: url2sa reads too far when no port nor path
2022-03-26 08:31:33 +01:00
Christopher Faulet
140a357660 DOC: config: Explictly add supported MQTT versions
This avoids any ambiguities on supported versions. This patch depends on
129579813 ("MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value
converters for MQTTv3.1").

It must be backported with the above commit.
2022-03-22 09:41:13 +01:00
Willy Tarreau
bc8b7a14ff [RELEASE] Released version 2.6-dev3
Released version 2.6-dev3 with the following main changes :
    - DEBUG: rename WARN_ON_ONCE() to CHECK_IF()
    - DEBUG: improve BUG_ON output message accuracy
    - DEBUG: implement 4 levels of choices between warn and crash.
    - DEBUG: add two new macros to enable debugging in hot paths
    - DEBUG: buf: replace some sensitive BUG_ON() with BUG_ON_HOT()
    - DEBUG: buf: add BUG_ON_HOT() to most buffer management functions
    - MINOR: channel: don't use co_set_data() to decrement output
    - DEBUG: channel: add consistency checks using BUG_ON_HOT() in some key functions
    - MINOR: conn-stream: Improve API to have safe/unsafe accessors
    - MEDIUM: tree-wide: Use unsafe conn-stream API when it is relevant
    - CLEANUP: stream-int: Make si_cs_send() function static
    - REORG: stream-int: Uninline si_sync_recv() and make si_cs_recv() private
    - BUG/MEDIUM: mux-fcgi: Don't rely on SI src/dst addresses for FCGI health-checks
    - BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks()
    - REGTESTS: fix the race conditions in normalize_uri.vtc
    - DEBUG: stream-int: Fix BUG_ON used to test appctx in si_applet_ops callbacks
    - BUILD: debug: fix build warning on older compilers around DEBUG_STRICT_ACTION
    - CLEANUP: connection: Indicate unreachability to the compiler in conn_recv_proxy
    - MINOR: connection: Transform safety check in PROXYv2 parsing into BUG_ON()
    - DOC: install: it's DEBUG_CFLAGS, not DEBUG, which is set to -g
    - DOC: install: describe the DEP variable
    - DOC: install: describe how to choose options used in the DEBUG variable
    - MINOR: queue: Replace if() + abort() with BUG_ON()
    - CLEANUP: adjust indentation in bidir STREAM handling function
    - MINOR: quic: simplify copy of STREAM frames to RX buffer
    - MINOR: quic: handle partially received buffered stream frame
    - MINOR: mux-quic: define flag for last received frame
    - BUG/MINOR: quic: support FIN on Rx-buffered STREAM frames
    - MEDIUM: quic: rearchitecture Rx path for bidirectional STREAM frames
    - REGTESTS: fix the race conditions in secure_memcmp.vtc
    - CLEANUP: stream: Remove useless tests on conn-stream in stream_dump()
    - BUILD: ssl: another build warning on LIBRESSL_VERSION_NUMBER
    - MINOR: quic: Ensure PTO timer is not set in the past
    - MINOR: quic: Post handshake I/O callback switching
    - MINOR: quic: Drop the packets of discarded packet number spaces
    - CLEANUP: quic: Useless tests in qc_try_rm_hp()
    - CLEANUP: quic: Indentation fix in qc_prep_pkts()
    - MINOR: quic: Assemble QUIC TLS flags at the same level
    - BUILD: conn_stream: avoid null-deref warnings on gcc 6
    - BUILD: connection: do not declare register_mux_proto() inline
    - BUILD: http_rules: do not declare http_*_keywords_registre() inline
    - BUILD: trace: do not declare trace_registre_source() inline
    - BUILD: tcpcheck: do not declare tcp_check_keywords_register() inline
    - DEBUG: reduce the footprint of BUG_ON() calls
    - BUG/MEDIUM: httpclient/lua: infinite appctx loop with POST
    - BUG/MINOR: pool: always align pool_heads to 64 bytes
    - DEV: udp: add a tiny UDP proxy for testing
    - DEV: udp: implement pseudo-random reordering/loss
    - DEV: udp: add an optional argument to set the prng seed
    - BUG/MINOR: quic: fix segfault on CC if mux uninitialized
    - BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed
    - CLEANUP: tree-wide: remove a few rare non-ASCII chars
    - CI: coverity: simplify debugging options
    - CLEANUP: quic: complete ABORT_NOW with a TODO comment
    - MINOR: quic: qc_prep_app_pkts() implementation
    - MINOR: quic: Send short packet from a frame list
    - MINOR: quic: Make qc_build_frms() build ack-eliciting frames from a list
    - MINOR: quic: Export qc_send_app_pkts()
    - MINOR: mux-quic: refactor transport parameters init
    - MINOR: mux-quic: complete functions to detect stream type
    - MINOR: mux-quic: define new unions for flow-control fields
    - MEDIUM: mux-quic: use direct send transport API for STREAMs
    - MINOR: mux-quic: retry send opportunistically for remaining frames
    - MEDIUM: mux-quic: implement MAX_STREAMS emission for bidir streams
    - BUILD: fix kFreeBSD build.
    - MINOR: quic: Retry on qc_build_pkt() failures
    - BUG/MINOR: quic: Missing recovery start timer reset
    - CLEANUP: quic: Remove QUIC path manipulations out of the congestion controller
    - MINOR: quic: Add a "slow start" callback to congestion controller
    - MINOR: quic: Persistent congestion detection outside of controllers
    - CLEANUP: quic: Remove useless definitions from quic_cc_event struct
    - BUG/MINOR: quic: Confusion betwen "in_flight" and "prep_in_flight" in quic_path_prep_data()
    - MINOR: quic: More precise window update calculation
    - CLEANUP: quic: Remove window redundant variable from NewReno algorithm state struct
    - MINOR: quic: Add quic_max_int_by_size() function
    - BUG/MAJOR: quic: Wrong quic_max_available_room() returned value
    - MINOR: pools: add a new global option "no-memory-trimming"
    - BUG/MINOR: add missing modes in proxy_mode_str()
    - BUG/MINOR: cli: shows correct mode in "show sess"
    - BUG/MEDIUM: quic: do not drop packet on duplicate stream/decoding error
    - MINOR: stats: Add dark mode support for socket rows
    - BUILD: fix recent build breakage of freebsd caused by kFreeBSD build fix
    - BUG/MINOR: httpclient: Set conn-stream/channel EOI flags at the end of request
    - BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
    - BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
    - BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
    - BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
    - BUG/MEDIUM: stream: Use the front analyzers for new listener-less streams
    - DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
    - BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
    - DEBUG: stream: Add the missing descriptions for stream trace events
    - DEBUG: stream: Fix stream trace message to print response buffer state
    - MINOR: proxy: Store monitor_uri as a `struct ist`
    - MINOR: proxy: Store fwdfor_hdr_name as a `struct ist`
    - MINOR: proxy: Store orgto_hdr_name as a `struct ist`
    - MEDIUM: proxy: Store server_id_hdr_name as a `struct ist`
    - CLEANUP: fcgi: Replace memcpy() on ist by istcat()
    - CLEANUP: fcgi: Use `istadv()` in `fcgi_strm_send_params`
    - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
    - DOC: sample fetch methods: move distcc_* to the right locations
    - MINOR: rules: record the last http/tcp rule that gave a final verdict
    - MINOR: stream: add "last_rule_file" and "last_rule_line" samples
    - BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd()
    - MINOR: quic: Add max_idle_timeout advertisement handling
    - MEDIUM: quic: Remove the QUIC connection reference counter
    - BUG/MINOR: quic: ACK_REQUIRED and ACK_RECEIVED flag collision
    - BUG/MINOR: quic: Missing check when setting the anti-amplification limit as reached
    - MINOR: quic: Add a function to compute the current PTO
    - MEDIUM: quic: Implement the idle timeout feature
    - BUG/MEDIUM: quic: qc_prep_app_pkts() retries on qc_build_pkt() failures
    - CLEANUP: quic: Comments fix for qc_prep_(app)pkts() functions
    - MINOR: mux-quic: prevent push frame for unidir streams
    - MINOR: mux-quic: improve opportunistic retry sending for STREAM frames
    - MINOR: quic: implement sending confirmation
    - MEDIUM: mux-quic: improve bidir STREAM frames sending
    - MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers
    - REGTESTS: server: test SSL/PROXY with checks for dynamic servers
    - MEDIUM: server: remove experimental-mode for dynamic servers
    - BUG/MINOR: buffer: fix debugging condition in b_peek_varint()
2022-03-11 18:09:24 +01:00
Amaury Denoyelle
76e8b70e43 MEDIUM: server: remove experimental-mode for dynamic servers
Dynamic servers feature is now judged to be stable enough. Remove the
experimental-mode requirement for "add/del server" commands. This should
facilitate dynamic servers adoption.
2022-03-11 14:28:28 +01:00
Amaury Denoyelle
7d098bea2b MEDIUM: check: do not auto configure SSL/PROXY for dynamic servers
For server checks, SSL and PROXY is automatically inherited from the
server settings if no specific check port is specified. Change this
behavior for dynamic servers : explicit "check-ssl"/"check-send-proxy"
are required for them.

Without this change, it is impossible to add a dynamic server with
SSL/PROXY settings and checks without, if the check port is not
explicit. This is because "no-check-ssl"/"no-check-send-proxy" keywords
are not available for dynamic servers.

This change respects the principle that dynamic servers on the CLI
should not reuse the same shortcuts used during the config file parsing.
Mostly because we expect this feature to be manipulated by automated
tools, contrary to the config file which should aim to be the shortest
possible for human readability.

Update the documentation of the "check" keyword to reflect this change.
2022-03-11 14:28:28 +01:00
Willy Tarreau
0657b93385 MINOR: stream: add "last_rule_file" and "last_rule_line" samples
These two sample fetch methods report respectively the file name and the
line number where was located the last rule that was final. This is aimed
at being used on log-format lines to help admins figure what rule in the
configuration gave a final verdict, and help understand the condition
that led to the action.

For example, it's now possible to log the last matched rule by adding
this to the log-format:

  ... lr=%[last_rule_file]:%[last_rule_line]

A regtest is provided to test various combinations of final rules, some
even on top of each other from different rulesets.
2022-03-10 11:51:34 +01:00
Willy Tarreau
3ec1461b03 DOC: sample fetch methods: move distcc_* to the right locations
The distcc* sample fetch methods were surprisingly located within the
"internal state" section, while they in fact depend on L6 contents.
This can be backported to all versions where they appear.
2022-03-10 11:51:34 +01:00