Commit Graph

17349 Commits

Author SHA1 Message Date
Willy Tarreau
3c69e08e96 CLEANUP: stick-table/cli: take the "show table" context definition out of the appctx
This makes use of the generic command context allocation so that the
appctx doesn't have to declare a specific one anymore. The context is
created during parsing. The code also uses st2 which deserves being
addressed in separate commit.
2022-05-06 18:13:35 +02:00
Willy Tarreau
0fd8f0e236 CLEANUP: proxy/cli: take the "show errors" context definition out of the appctx
This makes use of the generic command context allocation so that the
appctx doesn't have to declare a specific one anymore. The context is
created during parsing.

The code still has room for improvement, such as in the "flags" field
where bits are hard-coded, but they weren't modified.
2022-05-06 18:13:35 +02:00
Willy Tarreau
6177cfc3b5 CLEANUP: stream/cli: remove the now unneeded dump state from "show sess"
The state was a constant, let's remove what remains of the switch/case.
The code from the "case" statement was only reindented as can be checked
with "git show -b".
2022-05-06 18:13:35 +02:00
Willy Tarreau
bb4e289fa9 CLEANUP: stream/cli: remove the unneeded STATE_FIN state from "show sess"
This state is only an alias for "thr >= global.nbthread" which is the
sole condition that indicates the end and reaches it. Let's just drop
this state. There's only the STATE_LIST that's left.
2022-05-06 18:13:35 +02:00
Willy Tarreau
f3629f88ac CLEANUP: stream/cli: remove the unneeded init state from "show sess"
This state was only used to preset the list element. Now that we can
guarantee that the context can be properly preset during the parsing
we don't need this state anymore. The first pointer has to be set to
point to the first stream during the initial call which is detected
by the pointer not yet being set (null). Thanks to this we can also
remove one state check on the abort path.
2022-05-06 18:13:35 +02:00
Willy Tarreau
7fb591a4e4 CLEANUP: stream/cli: stop using appctx->st2 for the dump state
Let's instead define a 3-state enum solely for this use case, and place
it into the command's context.
2022-05-06 18:13:35 +02:00
Willy Tarreau
39f097d965 CLEANUP: stream/cli: take the "show sess" context definition out of the appctx
This makes use of the generic command context allocation so that the
appctx doesn't have to declare a specific one anymore. The context is
created during parsing.
2022-05-06 18:13:35 +02:00
Willy Tarreau
009e42bc59 CLEANUP: applet: make appctx_new() initialize the whole appctx
Till now, appctx_new() used to allocate an entry from the pool and
pass it through appctx_init() to initialize a debatable part of it that
didn't correspond anymore to the comments, and fill other fields. It's
hard to say what is fully initialized and what is not.

Let's get rid of that, and always zero the initialization (appctx are
not that big anyway, even with the cache there's no difference in
performance), and initialize what remains. this is cleaner and more
resistant to new field additions.

The appctx_init() function was removed.
2022-05-06 18:13:35 +02:00
Willy Tarreau
f12f32a0fa MINOR: applet: reserve some generic storage in the applet's context
Instead of using existing fields and having to put keyword-specific
contexts in the applet definition, let's have the appctx provide a
generic storage area that's currently large enough for existing CLI
commands and small applets, and a function to allocate that storage.

The function will be responsible for verifying that the requested size
fits in the area so that the caller doesn't need to add specific checks;
it is validated during development as this size is static and will
not change at runtime. In addition the caller doesn't even need to
free() the area since it's part of an existing context. For the
caller's convenience, a context pointer "svcctx" for the command is
also provided so that the allocated area can be placed there (or
possibly any other one in case a larger area is needed).

The struct's layout has been temporarily complicated by adding one
level of anonymous union on top of the "ctx" one. This will allow us
to preserve "ctx" during 2.6 for compatibility with possible external
code and get rid of it in 2.7. This explains why the diff extends to
the whole "ctx" union, but a "git show -b" shows that only one extra
layer was added. In order to make both the svcctx pointer and its
storage accessible without further enlarging the appctx structure,
both svcctx and the storage share the same storage as the ctx part.
This is done by having them placed in the union with a protected
overlapping area for svcctx, for which a shadow member is also
present in the storage area:

    union {
       void* svcctx;         // variable accessed by services
       struct {
           void *shadow;     // shadow of svcctx;
           char storage[];   // where most services store their data
       };
       union {               // older commands store here and ignore svcctx
          ...
       } ctx;
    };

I.e. new applications will use appctx->svcctx while older ones will be
able to continue to use appctx->ctx.*

The whole area (including the pointer's context) is zeroed before any
applet is initialized, and before CLI keyword processor's first invocation,
as it is an important part of the existing keyword processors, which makes
CLI keywords effectively behave like applets.
2022-05-06 18:13:35 +02:00
Willy Tarreau
1b948ef426 CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler
The io_handler in "add ssl crt_list" is built around a "while" loop that
only makes forward progress and that doesn't handle its final state as
it's not supposed to be called again once reached. This makes the code
confusing because its construct implies an infinite loop for such a
state (or any other unhandled one). Let's just remove that unneeded loop.
2022-05-06 18:13:35 +02:00
Willy Tarreau
4fd9b4ddf0 BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
The "show ssl cert" command mixes some generic pointers from the
"ctx.cli" struct with context-specific ones from "ctx.ssl" while both
are in a union. Amazingly, despite the use of both p0 and i0 to store
respectively a pointer to the current ckchs and a transaction id, there
was no overlap with the other pointers used during these operations,
but should these fields be reordered or slightly updated this will break.
Comments were added above the faulty functions to indicate which fields
they are using.

This needs to be backported to 2.5.
2022-05-06 18:13:35 +02:00
Willy Tarreau
4cf3ef8007 BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
The "show ssl crl-file" command mixes some generic pointers from the
"ctx.cli" struct with context-specific ones from "ctx.ssl" while both
are in a union. It's fortunate that the p1 pointer in use is located
before the first one used (it overlaps with old_cafile_entry). But
should these fields be reordered or slightly updated this will break.

This needs to be backported to 2.5.
2022-05-06 18:13:35 +02:00
Willy Tarreau
06305798f7 BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
The "show ssl ca-file <name>" command mixes some generic pointers from
the "ctx.cli" struct and context-specific ones from "ctx.ssl" while both
are in a union. The i0 integer used to store the current ca_index overlaps
with new_crlfile_entry which is thus harmless for now but is at the mercy
of any reordering or addition of these fields. Let's add dedicated fields
into the ssl structure for this.

Comments were added on top of the affected functions to indicate what they
use.

This needs to be backported to 2.5.
2022-05-06 18:13:35 +02:00
Willy Tarreau
821c3b0b5e BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
The "show ca-file" and "show crl-file" commands mix some generic pointers
from the "ctx.cli" struct and context-specific ones from "ctx.ssl" while
both are in a union. It's fortunate that the p0 pointer in use is located
immediately before the first one used (it overlaps with next_ckchi_link,
and old_cafile_entry is safe). But should these fields be reordered or
slightly updated this will break.

Comments were added on top of the affected functions to indicate what they
use.

This needs to be backported to 2.5.
2022-05-06 18:13:35 +02:00
Willy Tarreau
1ae0c43244 BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
When "show map" initializes itself, it first takes the reference to the
starting point under a lock, then releases it before switching to state
STATE_LIST, and takes the lock again. The problem is that it is possible
for another thread to remove the first element during this unlock/lock
sequence, and make the list run anywhere. This is of course extremely
unlikely but not impossible.

Let's initialize the pointer in the STATE_LIST part under the same lock,
which is simpler and more reliable.

This should be backported to all versions.
2022-05-06 18:13:35 +02:00
Willy Tarreau
2edaace575 BUG/MINOR: map/cli: protect the backref list during "show map" errors
In case of write error in "show map", the backref is detached but
the list wasn't locked when this is done. The risk is very low but
it may happen that two concurrent "show map" one of which would fail
or one "show map" failing while the same entry is being updated could
cause a crash.

This should be backported to all stable versions.
2022-05-06 18:13:35 +02:00
Willy Tarreau
4f9f157537 BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
Commit e7f74623e ("MINOR: stats: don't output internal proxies (PR_CAP_INT)")
in 2.5 ensured we don't dump internal proxies on the stats page, but the
same is needed for "show backend", as since the addition of the HTTP client
it now appears there:

  $ socat /tmp/sock1 - <<< "show backend"
  # name
  <HTTPCLIENT>

This needs to be backported to 2.5.
2022-05-06 18:13:35 +02:00
Willy Tarreau
241a006d79 BUG/MEDIUM: cli: make "show cli sockets" really yield
This command was introduced in 1.8 with commit eceddf722 ("MEDIUM: cli:
'show cli sockets' list the CLI sockets") but its yielding doesn't work.
Each time it enters, it restarts from the last bind_conf but enumerates
all listening sockets again, thus it loops forever. The risk that it
happens in field is low but it easily triggers on port ranges after
400-500 sockets depending on the length of their addresses:

  global
     stats socket /tmp/sock1 level admin
     stats socket 192.168.8.176:30000-31000 level operator

  $ socat /tmp/sock1 - <<< "show cli sockets"
  (...)
  ipv4@192.168.8.176:30426 operator all
  ipv4@192.168.8.176:30427 operator all
  ipv4@192.168.8.176:30428 operator all
  ipv4@192.168.8.176:30000 operator all
  ipv4@192.168.8.176:30001 operator all
  ipv4@192.168.8.176:30002 operator all
  ^C

This patch adds the minimally needed restart point for the listener so
that it can easily be backported. Some more cleanup is needed though.
2022-05-06 18:13:35 +02:00
Willy Tarreau
4e047e7d0e BUG/MEDIUM: resolvers: make "show resolvers" properly yield
The "show resolvers" command is bogus, it tries to implement a yielding
mechanism except that if it yields it restarts from the beginning, until
it manages to fill the buffer with only line breaks, and faces error -2
that lets it reach the final state and exit.

The risk is low since it requires about 50 name servers to reach that
state, but it's not impossible, especially when using multiple sections.

In addition, the extraneous line breaks, if sent over an interactive
connection, will desynchronize the commands and make the client believe
the end was reached after the first nameserver. This cannot be fixed
separately because that would turn this bug into an infinite loop since
it's the line feed that manages to fill the buffer and stop it.

The fix consists in saving the current resolvers section into ctx.cli.p1
and the current nameserver into ctx.cli.p2.

This should be backported, but that code moved a lot since it was
introduced and has always been bogus. It looks like it has mostly
stabilized in 2.4 with commit c943799c86 so the fix might be backportable
to 2.4 without too much effort.
2022-05-06 18:13:35 +02:00
William Lallemand
89e236f246 BUG/MINOR: startup: usage() when no -cc arguments
Exit correctly with usage() instead of segfaulting when no argument
were passed to -cc.

Must be backported in 2.5.
2022-05-06 17:22:36 +02:00
William Lallemand
c33df2e524 DOC: resolvers: default resolvers section
Add a paragraph about the default resolvers section generated by
HAProxy.
2022-05-06 17:16:23 +02:00
William Lallemand
7867f63313 MEDIUM: resolvers: create a "default" resolvers section at startup
Try to create a "default" resolvers section at startup, but does not
display any error nor warning. This section is initialized using the
/etc/resolv.conf of the system.

This is opportunistic and with no guarantee that it will work (but it should
on most systems).

This is useful for the httpclient as it allows to use the DNS resolver
without any configuration in most of the cases.

The function is called from the httpclient_pre_check() function to
ensure than we tried to create the section before trying to initiate the
httpclient. But it is also called from the resolvers.c to ensure the
section is created when the httpclient init was disabled.
2022-05-06 17:02:15 +02:00
William Lallemand
0164a40c59 BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
Release the expression used by the set-{src,dst}[-port] actions so we
keep valgrind happy upon an exit or an haproxy -c.

Could be backported in every supported version.
2022-05-06 17:02:15 +02:00
Willy Tarreau
7831e0272e BUILD: debug: unify the definition of ha_backtrace_to_stderr()
It was both defined as ha_backtrace_to_stderr(void) and
ha_backtrace_to_stderr(), and tcc is not happy with this, so let's
adjust this tiny detail.
2022-05-06 15:16:19 +02:00
William Lallemand
e7f5776800 MINOR: resolvers: resolvers_new() create a resolvers with default values
Split the creation of the resolve structure from the parser to
resolvers_new();
2022-05-05 18:27:48 +02:00
William Lallemand
73edfe402e MINOR: resolvers: move the resolv.conf parser in parse_resolv_conf()
Move the resolv.conf parser from the cfg_parse_resolvers so it could be
used separately.

Some changes were made in the memprintf in order to use a char **
instead of a char *. Also the variable is tested before each memprintf
so could skip them if no warnmsg nor errmsg were set.
2022-05-05 17:38:48 +02:00
William Lallemand
106bd29dd0 MINOR: resolvers: cleanup alert/warning in parse-resolve-conf
Cleanup the alert and warning handling in the "parse-resolve-conf"
parser to use the errmsg and warnmsg variables and memprintf.

This will allow to split the parser and shut the alert/warning if
needed.
2022-05-05 17:33:42 +02:00
Christopher Faulet
24dda9403a DOC: config: Update doc for PR/PH session states to warn about rewrite failures
When an HTTP header rewrite failure is triggered, and 500-internal-error
response is returned. A "PR" termination state is logged if the error
occurred on the request and "PH" if the error is reported for the response.

The documentation was updated accordingly.

This patch is related to issue #1597.
2022-05-05 12:27:08 +02:00
Christopher Faulet
d934e8d963 BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
The commit 2eb5243e7 ("BUG/MEDIUM: mux-h1: Set outgoing message to DONE when
payload length is reached") introduced a regression. An internal error is
reported when we try to forward a message with trailers while the
content-length header was specified. Indeed, this case does not exist for H1
messages but it is possible in H2.

This patch should solve the issue #1684. It must be backported as far as
2.4.
2022-05-05 09:39:43 +02:00
Christopher Faulet
2db904e86c BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
This bug was already fixed at many places (stats, promex, lua) but the FCGI
multiplexer is also affected. When there is no content-length specified in
the response and when the END_REQUEST record is delayed, the response may be
truncated because an abort is erroneously detected. If the connection is not
closed because "keep-conn" option is set, the response is aborted at the end
of the server timeout.

This bug is a design issue with the HTX. It should be addressed. But it will
probably not be possible to backport them as far as 2.4. So, for now, the
only solution is to explicitly add an EOT block with the EOM flag in this
case.

This patch should fix the issue #1682. It must be backported as far as 2.4.
2022-05-05 09:24:55 +02:00
Christopher Faulet
c41f93c5cd BUG/MEDIUM: conn-stream: Only keep app layer flags of the endpoint on reset
The commit a6c4a4834 ("BUG/MEDIUM: conn-stream: Don't erase endpoint flags
on reset") was too laxy on reset. Only app layer flags must be preserved. On
reset, the endpoint is detached. Thus all flags set by the endpoint itself
or concerning its type must be removed.

Without this fix, we can experienced crashes when a stream is released while
a server connection attempt failed. Indeed, in this case, endpoint of the
backend conn-stream is reset. But the endpoint type is still set. Thus when
the stream is released, the endpoint is detached again.

This patch is 2.6-specific. No backport needed. This commit depends on the
previous one ("MINOR: conn-stream: Add mask from flags set by endpoint or
app layer").
2022-05-05 09:23:44 +02:00
Christopher Faulet
fa24379aeb MINOR: conn-stream: Add mask from flags set by endpoint or app layer
In flags set on the endpoints, some are set by endpoints itself and some are
set by the app layer. To help flags manipulations, 2 masks have been
added. The first one, CS_EP_ENDP_MASK, for all flags that an endpoint may
set. The other one, CS_EP_APP_MASK, for flags that the app layer may set.

This patch is mandatory for the next commit.
2022-05-05 09:23:35 +02:00
William Lallemand
de1803f8a9 DOC: configuration: httpclient global option
Documentation about the 4 options in the global section for the
httpclient:

- httpclient.ssl.verify
- httpclient.ssl.ca-file
- httpclient.resolvers.id
- httpclient.resolvers.prefer
2022-05-04 18:14:25 +02:00
William Lallemand
7c5a7ef32b MINOR: httpclient: allow ipv4 or ipv6 preference for resolving
The httpclient.resolvers.prefer global keyword allows to configure an
ipv4 or ipv6 preference when resolving. This could be useful in
environment where the ipv6 is not supported.
2022-05-04 16:14:42 +02:00
William Lallemand
8a734cbae3 MINOR: httpclient: configure the resolvers section to use
By default the httpclient uses the resolvers section whose ID is
"default", the httpclient.resolvers.id global option allows to configure
another section to use.
2022-05-04 16:14:35 +02:00
William Lallemand
683fbb86be MINOR: httpclient: allow to configure the ca-file
The global keyword httpclient.ssl.ca-file allows to configure the
ca-file used for the httpclient verify.
2022-05-04 16:14:35 +02:00
William Lallemand
6fce46a910 MEDIUM: httpclient: hard-error when SSL is configured
The hard_error_ssl flag is set when the configuration is explicitely
done for the ssl in the httpclient.

If no configuration was made, the features are simply disabled and no
alert is emitted.
2022-05-04 16:13:17 +02:00
William Lallemand
85af49c5c8 MINOR: httpclient: cleanup the error handling in init
Cleanup the error handling in the initialization so we rely on the
ERR_CODE and use memprintf() to set the errmsg before printing it at the
end of the functions.
2022-05-04 14:33:57 +02:00
William Lallemand
8b9a2df969 MINOR: init: exit() after pre-check upon error
Add a test on the err_code variable so we don't go further if one of the
pre-check callback failed.
2022-05-04 14:29:46 +02:00
William Lallemand
9ff95e2269 MINOR: httpclient: rename dash by dot in global option
Rename the httpclient-ssl-verify into httpclient.ssl.verify.
2022-05-04 13:52:29 +02:00
William Lallemand
853327390e MINOR: httpclient: handle unix and other socket types in dst
httpclient_set_dst() allows one to set the destination address instead
of using the one in the URL or resolving one from the host.
This function also support other types of socket like sockpair@, unix@,
anything that could be used on a server line.

In order to still support this behavior, the address must be set on the
backend in this particular case because the frontend connection does not
support anything other than ipv4 or ipv6.
2022-05-04 11:21:01 +02:00
William Lallemand
0e23526a2c CLEANUP: httpclient: remove the comment about resolving
remove the comment of httpclient_start which states there is no
resolver.
2022-05-04 11:21:01 +02:00
William Lallemand
1218d19921 MEDIUM: httpclient: allow address and port change for resolving
To allow the http-request set-dst to work for the httpclient DNS
resolving, some changes need to be done:

- The destination address need to be set in the frontend (s->csf->dst)
  instead of the backend (s->csb->dst) to be able to use
  tcp_action_req_set_dst()

- SRV_F_MAPPORTS need to be set on the proxy in order to allow the port
  change in alloc_dst_address()
2022-05-04 11:21:01 +02:00
William Lallemand
5392ff6e3c MEDIUM: httpclient: http-request rules for resolving
The httpclient_resolve_init() adds http-request actions which does the
resolving using the Host header of the HTTP request.

The parse_http_req_cond function is directly used over an array of http
rules.

The do-resolve rule uses the "default" resolvers section. If this
section does not exist in the configuration, the resolving is disabling.
2022-05-04 11:21:01 +02:00
William Lallemand
7f1df8ff1a MEDIUM: httpclient: remove url2sa to use a more flexible parser
The httpclient DNS resolver will need a more efficient URL parser which
splits the URL into parts and does not try to resolve.

httpclient_spliturl uses the http_uri_parser in order to split the URL
into several ist.

The result of the function host part is then processed into str2ip2(),
and fails if it it not an IP, allowing us to resolve the domain later.
2022-05-04 11:21:01 +02:00
Frédéric Lécaille
b57de07a21 BUG/MINOR: mux_quic: Dropped packet upon retransmission for closed streams
We rely on the largest ID which was used to open streams to know if the
stream we received STREAM frames for is closed or not. If closed, we return the
same status as the one for a STREAM frame which  was a already received one for
on open stream.
2022-05-03 10:13:40 +02:00
Frédéric Lécaille
d62240c9e5 BUG/MINOR: quic: Dropped retransmitted STREAM frames
It is possible that we continue to receive retransmitted STREAM frames after
the mux have been released. We rely on the ->rx.streams[].nb_streams counter
to check the stream was closed. If not, at this time we drop the packet.
2022-05-03 10:13:40 +02:00
Frédéric Lécaille
664741e1c5 MINOR: quic: Make the quic_conn be aware of the number of streams
This is required when the retransmitted frame types when the mux is released.
We add a counter for the number of streams which were opened or closed by the mux.
After the mux has been released, we can rely on this counter to know if the STREAM
frames are retransmitted ones or not.
2022-05-03 10:13:40 +02:00
Frédéric Lécaille
b074966634 CLEANUP: mux: Useless xprt_quic-t.h inclusion
This inclusion is useless for mux_quic-t.h. Furthermore this fixes compilation
issues when we need to refer to mux_quic-t.h from xprt_quic-t.h.
2022-05-03 10:13:40 +02:00
Willy Tarreau
0367b4cf63 MINOR: session: get rid of the now unused SESS_FL_ADDR_*_SET flags
That's similar to what was done for conn_streams and connections. The
flags were only set exactly when the relevant pointers were allocated,
so better test the pointer than the flag and stop setting the flag.
2022-05-02 17:51:51 +02:00