Commit Graph

4855 Commits

Author SHA1 Message Date
Willy Tarreau
42529c38ac MINOR: stream: maintain consistence between channel_forward and HTTP forward
When the HTTP forwarder is used, it resets msg->sov so that we know that
the parsing pointer has advanced by exactly (msg->eoh + msg->eol - msg->sov)
bytes which may have to be rewound in case we want to perform an HTTP fetch
after forwarding has started (eg: upon connect).

But when the backend is in TCP mode, there may be no HTTP forwarding
analyser installed, still we may want to perform these HTTP fetches in
case we have already ensured at the TCP layer that we have a properly
parsed HTTP transaction.

In order to solve this, we reset msg->sov before doing a channel_forward()
so that we can still compute http_rewind() on the pending data. That ensures
the buffer is always rewindable even in mixed TCP+HTTP mode.
2015-07-10 11:37:29 +02:00
Willy Tarreau
28d976d5ee MINOR: args: add new context for servers
We'll have to support fetch expressions and args on server lines for
"usesrc", "usedst", "sni", etc...
2015-07-09 11:39:33 +02:00
Willy Tarreau
53e1a6d317 BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
ARGC_CAP was not added to fmt_directives() which is used to format
error messages when failing to parse log format expressions. The
whole switch/case has been reorganized to match the declaration
order making it easier to spot missing values. The default is not
the "log" directive anymore but "undefined" asking to report the
bug.

Backport to 1.5 is not strictly needed but is desirable at least
for code sanity.
2015-07-09 11:20:00 +02:00
Nenad Merdanovic
5fc7d7e8ce MINOR: Add sample fetch to detect Supported Elliptic Curves Extension
Clients that support ECC cipher suites SHOULD send the specified extension
within the SSL ClientHello message according to RFC4492, section 5.1. We
can use this extension to chain-proxy requests so that, on the same IP
address, a ECC compatible clients gets an EC certificate and a non-ECC
compatible client gets a regular RSA certificate. The main advantage of this
approach compared to the one presented by Dave Zhu on the mailing list
is that we can make it work with OpenSSL versions before 1.0.2.

Example:
frontend ssl-relay
        mode tcp
        bind 0.0.0.0:443
        use_backend ssl-ecc if { req.ssl_ec_ext 1 }
        default_backend ssl-rsa

backend ssl-ecc
        mode tcp
        server ecc unix@/var/run/haproxy_ssl_ecc.sock send-proxy-v2 check

backend ssl-rsa
        mode tcp
        server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2 check

listen  all-ssl
        bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody
        bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-07-09 09:26:59 +02:00
Willy Tarreau
fc017fec48 CLEANUP: ssl: make ssl_sock_generate_certificate() use ssl_sock_generated_cert_serial()
It saves from open-coding the hashing method. Instead all serial
generation is done in a single function.
2015-07-07 18:09:34 +02:00
Willy Tarreau
646b864fe5 CLEANUP: ssl: make ssl_sock_generated_cert_serial() take a const
It doesn't modify the input.
2015-07-07 18:09:15 +02:00
Willy Tarreau
f67214554c MINOR: ssl: make self-generated certs also work with raw IPv6 addresses
The current method of retrieving the incoming connection's destination
address to hash it is not compatible with IPv6 nor the proxy protocol
because it directly tries to get an IPv4 address from the socket. Instead
we must ask the connection. This is only used when no SNI is provided.
2015-07-07 18:04:38 +02:00
Dragan Dosen
96a0be78ed BUG/MEDIUM: 51d: possible incorrect operations on smp->data.str.str
In src/51d.c, the function _51d_conv(), a final '\0' is added into
smp->data.str.str, which can cause a problem if the SMP_F_CONST flag is
set in smp->flags or if smp->data.str.size is not available.

This patch adds a check on smp->flags and smp->data.str.size, and copies
the smp->data.str.str to another buffer by using smp_dup(). If necessary,
the "const" flag is set after device detection. Also, this patch removes
the unnecessary call to chunk_reset() on temp argument.
2015-07-07 17:19:33 +02:00
Adis Nezirovic
2fbcafc9ce MEDIUM: http: Add new 'set-src' option to http-request
This option enables overriding source IP address in a HTTP request. It is
useful when we want to set custom source IP (e.g. front proxy rewrites address,
but provides the correct one in headers) or we wan't to mask source IP address
for privacy or compliance.

It acts on any expression which produces correct IP address.
2015-07-06 16:17:28 +02:00
Adis Nezirovic
79beb248b9 CLEANUP: sample: generalize sample_fetch_string() as sample_fetch_as_type()
This modification makes possible to use sample_fetch_string() in more places,
where we might need to fetch sample values which are not plain strings. This
way we don't need to fetch string, and convert it into another type afterwards.

When using aliased types, the caller should explicitly check which exact type
was returned (e.g. SMP_T_IPV4 or SMP_T_IPV6 for SMP_T_ADDR).

All usages of sample_fetch_string() are converted to use new function.
2015-07-06 16:17:25 +02:00
Willy Tarreau
4e5d58e517 MINOR: stats: improve compression stats reporting
Compression stats were not easy to read and could be confusing because
the saving ratio could be taken for global savings while it was only
relative to compressible input. Let's make that a bit clearer using
the new tooltips with a bit more details and also report the effective
ratio over all output bytes.
2015-07-04 14:35:15 +02:00
Willy Tarreau
27f78241e6 BUG/MAJOR: tcp: tcp rulesets were still broken
Commit cc87a11 ("MEDIUM: tcp: add register keyword system.") broke the
TCP ruleset by merging custom rules and accept. It was fixed a first time
by commit e91ffd0 ("BUG/MAJOR: tcp: only call registered actions when
they're registered") but the accept action still didn't work anymore
and was causing the matching rule to simply be ignored.

Since the code introduced a very fragile behaviour by not even mentionning
that accept and custom were silently merged, let's fix this once for all by
adding an explicit check for the accept action. Nevertheless, as previously
mentionned, the action should be changed so that custom is the only action
and the continue vs break indication directly comes from the callee.

No backport is needed, this bug only affects 1.6-dev.
2015-07-04 11:36:30 +02:00
Cyril Bont
46175dd81d DOC: dns: fix chapters syntax
All chapters in the configuration documentation used to follow this syntax :
<chapter number>. <title>
-------------------------

The new chapters introduced to document the dns resolution didn't provide the
dot character after the chapter number, which breaks the parsing for the HTML
converter. Instead of adding new conditions in the converter, we can align the
chapters with this syntax.
2015-07-03 17:09:58 +02:00
KOVACS Krisztian
7209c204bd BUG/MAJOR: connection: fix TLV offset calculation for proxy protocol v2 parsing
Until now, the code assumed that it can get the offset to the first TLV
header just by subtracting the length of the TLV part from the length of
the complete buffer. However, if the buffer contains actual data after
the header, this computation is flawed and leads to haproxy trying to
parse TLV headers from the proxied data.

This change fixes this by making sure that the offset to the first TLV
header is calculated based from the start of the buffer -- simply by
adding the size of the proxy protocol v2 header plus the address
family-dependent size of the address information block.
2015-07-03 17:05:20 +02:00
Willy Tarreau
27187ab56a BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data
The function buffer_slow_realign() was initially designed for requests
only and did not consider pending outgoing data. This causes a problem
when called on responses where data remain in the buffer, which may
happen with pipelined requests when the client is slow to read data.

The user-visible effect is that if less than <maxrewrite> bytes are
present in the buffer from a previous response and these bytes cross
the <maxrewrite> boundary close to the end of the buffer, then a new
response will cause a realign and will destroy these pending data and
move the pointer to what's believed to contain pending output data.
Thus the client receives the crap that lies in the buffer instead of
the original output bytes.

This new implementation now properly realigns everything including the
outgoing data which are moved to the end of the buffer while the input
data are moved to the beginning.

This implementation still uses a buffer-to-buffer copy which is not
optimal in terms of performance and which should be replaced by a
buffer switch later.

Prior to this patch, the following script would return different hashes
on each round when run from a 100 Mbps-connected machine :

  i=0
  while usleep 100000; do
    echo round $((i++))
    set -- $(nc6 0 8001 < 1kreq5k.txt | grep -v '^[0-9A-Z]' | md5sum)
    if [ "$1" != "3861afbb6566cd48740ce01edc426020" ]; then echo $1;break;fi
  done

The file contains 1000 times this request with "Connection: close" on the
last one :

  GET /?s=5k&R=1 HTTP/1.1

The config is very simple :

  global
        tune.bufsize 16384
        tune.maxrewrite 8192

  defaults
        mode http
        timeout client 10s
        timeout server 5s
        timeout connect 3s

  listen px
        bind :8001
        option http-server-close
        server s1 127.0.0.1:8000

And httpterm-1.7.2 is used as the server on port 8000.

After the fix, 1 million requests were sent and all returned the same
contents.

Many thanks to Charlie Smurthwaite of atechmedia.com for his precious
help on this issue, which would not have been diagnosed without his
very detailed traces and numerous tests.

The patch must be backported to 1.5 which is where the bug was introduced.
2015-07-02 15:27:24 +02:00
David Carlier
b5714dab9d BUILD: add netbsd TARGET
For now it's the same as openbsd.
2015-07-02 11:33:03 +02:00
David Carlier
e6c3941668 BUILD/MINOR: tools: rename popcount to my_popcountl
This is in order to avoid conflicting with NetBSD popcount* functions
since 6.x release, the final l to mentions the argument is a long like
NetBSD does.

This patch could be backported to 1.5 to fix the build issue there as well.
2015-07-02 11:32:25 +02:00
Dragan Dosen
ae6d39af9c DOC: add notes about the "51degrees-cache-size" parameter 2015-06-30 10:43:03 +02:00
Dragan Dosen
105c8e6368 MEDIUM: 51d: add LRU-based cache on User-Agent string detection
This cache is used by 51d converter. The input User-Agent string, the
converter args and a random seed are used as a hashing key. The cached
entries contains a pointer to the resulting string for specific
User-Agent string detection.

The cache size can be tuned using 51degrees-cache-size parameter.
2015-06-30 10:43:03 +02:00
Dragan Dosen
93b38d9191 MEDIUM: 51Degrees code refactoring and cleanup
Moved 51Degrees code from src/haproxy.c, src/sample.c and src/cfgparse.c
into a separate files src/51d.c and include/import/51d.h.

Added two new functions init_51degrees() and deinit_51degrees(), updated
Makefile and other code reorganizations related to 51Degrees.
2015-06-30 10:43:03 +02:00
Willy Tarreau
e44136fe69 BUG/MEDIUM: vars: do not freeze the connection when the expression cannot be fetched
Commit 4834bc7 ("MEDIUM: vars: adds support of variables") brought a bug.
Setting a variable from an expression that doesn't resolve infinitely
blocks the processing.

The internal actions API must be changed to let the caller pass the various
flags regarding the state of the analysis (SMP_OPT_FINAL).

For now we only fix the issue by making the action_store() function always
return 1 to prevent any blocking.

No backport is needed.
2015-06-23 15:17:33 +02:00
Willy Tarreau
ebcd4844e8 MEDIUM: vars: move the session variables to the session, not the stream
It's important that the session-wide variables are in the session and not
in the stream.
2015-06-19 11:59:02 +02:00
Willy Tarreau
7233098da1 MINOR: vars: make the accounting not depend on the stream
We'll need to move the session variables to the session. For this, the
accounting must not depend on the stream. Instead we pass the pointers
to the different lists.
2015-06-19 11:21:56 +02:00
Willy Tarreau
57b8a53f03 BUG/MEDIUM: lru: fix possible memory leak when ->free() is used
Commit 7810ad7 ("BUG/MAJOR: lru: fix unconditional call to free due to
unexpected semi-colon") was not enough, it happens that the free() is
not performed at the right place because if the evicted node is recycled,
we must also release its data before it gets overwritten.

No backport is needed.
2015-06-17 20:33:30 +02:00
Willy Tarreau
ce7b4def74 BUILD/MINOR: lua: ensure that hlua_ctx_destroy is properly defined
When Lua is disabled, the alternate functions must have the same
prototype as the original ones, otherwise we get such warnings :

src/stream.c:278:27: warning: too many arguments in call to 'hlua_ctx_destroy'
        hlua_ctx_destroy(&s->hlua);
        ~~~~~~~~~~~~~~~~         ^
No backport is needed.
2015-06-17 20:18:54 +02:00
Willy Tarreau
b7636d1a10 BUG/MEDIUM: logs: fix improper systematic use of quotes with a few tags
Dmitry Sivachenko reported the following build warning using Clang, which
is a real bug :

  src/log.c:1538:22: warning: use of logical '&&' with constant operand
        [-Wconstant-logical-operand]
                                  if (tmp->options && LOG_OPT_QUOTE)
                                                   ^  ~~~~~~~~~~~~~
The effect is that recent log tags related to HTTP method, path, uri,
query have a bug making them always use quotes.

This bug was introduced in 1.6-dev2 with commit 0ebc55f ("MEDIUM: logs:
Add HTTP request-line log format directives"), so no backport is needed.
2015-06-17 19:58:02 +02:00
Willy Tarreau
7810ad7d59 BUG/MAJOR: lru: fix unconditional call to free due to unexpected semi-colon
Dmitry Sivachenko reported the following build warning using Clang, which
is a real bug :

  src/lru.c:133:32: warning: if statement has empty body [-Wempty-body]
                                  if (old->data && old->free);
                                                             ^
It results in calling old->free(old->data) even when old->free is NULL,
hence crashing on cached patterns.

The same bug appears a few lines below in lru64_destroy() :

  src/lru.c:195:33: warning: if statement has empty body [-Wempty-body]
                          if (elem->data && elem->free);
                                                       ^
Both were introduced in 1.6-dev2 with commit f90ac55 ("MINOR: lru: Add the
possibility to free data when an item is removed"), so no backport is needed.
2015-06-17 19:55:32 +02:00
Willy Tarreau
666f504906 BUILD/MINOR: stats: fix build warning due to condition always true
Dmitry Sivachenko reported the following harmless build warning using Clang :

  src/dumpstats.c:5196:48: warning: address of array 'strm_li(sess)->proto->name'
        will always evaluate to 'true' [-Wpointer-bool-conversion]
    ...strm_li(sess) && strm_li(sess)->proto->name ? strm_li(sess)->proto->nam...
                     ~~ ~~~~~~~~~~~~~~~~~~~~~~^~~~
proto->name cannot be null here as it's the protocol name which is stored
directly in the structure.

The same case is present in 1.5 though the code changed.
2015-06-17 19:49:52 +02:00
Willy Tarreau
22b0a68120 BUILD/MINOR: lua: fix a harmless build warning
Dmitry Sivachenko reported the following build warning using Clang,
though it's harmless :

  src/hlua.c:1911:13: warning: variable '_socket_info_expanded_form' is not needed
        and will not be emitted [-Wunneeded-internal-declaration]
  static char _socket_info_expanded_form[] = SOCKET_INFO_EXPANDED_FORM;
              ^
Indeed, the variable is not used except to compute a sizeof which is
taken from the string it is initialized from. It probably is a leftover
after various code refactorings. Let's get rid of it now since it's not
used anymore.

No backport is needed.
2015-06-17 19:46:16 +02:00
Willy Tarreau
745d412758 BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
Dmitry Sivachenko reported the following build warning using Clang
which is a real bug :

src/ssl_sock.c:4104:44: warning: address of 'smp->data.str.len' will always
      evaluate to 'true' [-Wpointer-bool-conversion]
        if (!smp->data.str.str || !&smp->data.str.len)

The impact is very low however, it will return an empty session_id
instead of no session id when none is found.

The fix should be backported to 1.5.
2015-06-17 19:46:14 +02:00
Willy Tarreau
ad90f0d1aa [RELEASE] Released version 1.6-dev2
Released version 1.6-dev2 with the following main changes :
    - BUG/MINOR: ssl: Display correct filename in error message
    - MEDIUM: logs: Add HTTP request-line log format directives
    - BUG/MEDIUM: check: tcpcheck regression introduced by e16c1b3f
    - BUG/MINOR: check: fix tcpcheck error message
    - MINOR: use an int instead of calling tcpcheck_get_step_id
    - MINOR: tcpcheck_rule structure update
    - MINOR: include comment in tcpcheck error log
    - DOC: tcpcheck comment documentation
    - MEDIUM: server: add support for changing a server's address
    - MEDIUM: server: change server ip address from stats socket
    - MEDIUM: protocol: add minimalist UDP protocol client
    - MEDIUM: dns: implement a DNS resolver
    - MAJOR: server: add DNS-based server name resolution
    - DOC: server name resolution + proto DNS
    - MINOR: dns: add DNS statistics
    - MEDIUM: http: configurable http result codes for http-request deny
    - BUILD: Compile clean when debug options defined
    - MINOR: lru: Add the possibility to free data when an item is removed
    - MINOR: lru: Add lru64_lookup function
    - MEDIUM: ssl: Add options to forge SSL certificates
    - MINOR: ssl: Export functions to manipulate generated certificates
    - MEDIUM: config: add DeviceAtlas global keywords
    - MEDIUM: global: add the DeviceAtlas required elements to struct global
    - MEDIUM: sample: add the da-csv converter
    - MEDIUM: init: DeviceAtlas initialization
    - BUILD: Makefile: add options to build with DeviceAtlas
    - DOC: README: explain how to build with DeviceAtlas
    - BUG/MEDIUM: http: fix the url_param fetch
    - BUG/MEDIUM: init: segfault if global._51d_property_names is not initialized
    - MAJOR: peers: peers protocol version 2.0
    - MINOR: peers: avoid re-scheduling of pending stick-table's updates still not pushed.
    - MEDIUM: peers: re-schedule stick-table's entry for sync when data is modified.
    - MEDIUM: peers: support of any stick-table data-types for sync
    - BUG/MAJOR: sample: regression on sample cast to stick table types.
    - CLEANUP: deinit: remove codes for cleaning p->block_rules
    - DOC: Fix L4TOUT typo in documentation
    - DOC: set-log-level in Logging section preamble
    - BUG/MEDIUM: compat: fix segfault on FreeBSD
    - MEDIUM: check: include server address and port in the send-state header
    - MEDIUM: backend: Allow redispatch on retry intervals
    - MINOR: Add TLS ticket keys reference and use it in the listener struct
    - MEDIUM: Add support for updating TLS ticket keys via socket
    - DOC: Document new socket commands "show tls-keys" and "set ssl tls-key"
    - MINOR: Add sample fetch which identifies if the SSL session has been resumed
    - DOC: Update doc about weight, act and bck fields in the statistics
    - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
    - MINOR: ssl: add a destructor to free allocated SSL ressources
    - MEDIUM: ssl: add the possibility to use a global DH parameters file
    - MEDIUM: ssl: replace standards DH groups with custom ones
    - MEDIUM: stats: Add enum srv_stats_state
    - MEDIUM: stats: Separate server state and colour in stats
    - MEDIUM: stats: Only report drain state in stats if server has SRV_ADMF_DRAIN set
    - MEDIUM: stats: Differentiate between DRAIN and DRAIN (agent)
    - MEDIUM: Lower priority of email alerts for log-health-checks messages
    - MEDIUM: Send email alerts when servers are marked as UP or enter the drain state
    - MEDIUM: Document when email-alerts are sent
    - BUG/MEDIUM: lua: bad argument number in analyser and in error message
    - MEDIUM: lua: automatically converts strings in proxy, tables, server and ip
    - BUG/MINOR: utf8: remove compilator warning
    - MEDIUM: map: uses HAProxy facilities to store default value
    - BUG/MINOR: lua: error in detection of mandatory arguments
    - BUG/MINOR: lua: set current proxy as default value if it is possible
    - BUG/MEDIUM: http: the action set-{method|path|query|uri} doesn't run.
    - BUG/MEDIUM: lua: undetected infinite loop
    - BUG/MAJOR: http: don't read past buffer's end in http_replace_value
    - BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax
    - MEDIUM/CLEANUP: http: rewrite and lighten http_transform_header() prototype
    - BUILD: lua: it miss the '-ldl' directive
    - MEDIUM: http: allows 'R' and 'S' in the protocol alphabet
    - MINOR: http: split the function http_action_set_req_line() in two parts
    - MINOR: http: split http_transform_header() function in two parts.
    - MINOR: http: export function inet_set_tos()
    - MINOR: lua: txn: add function set_(loglevel|tos|mark)
    - MINOR: lua: create and register HTTP class
    - DOC: lua: fix some typos
    - MINOR: lua: add log functions
    - BUG/MINOR: lua: Fix SSL initialisation
    - DOC: lua: some fixes
    - MINOR: lua: (req|res)_get_headers return more than one header value
    - MINOR: lua: map system integration in Lua
    - BUG/MEDIUM: http: functions set-{path,query,method,uri} breaks the HTTP parser
    - MINOR: sample: add url_dec converter
    - MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers
    - MEDIUM: sample change the prototype of sample-fetches and converters functions
    - MINOR: sample: fill the struct sample with the options.
    - MEDIUM: sample: change the prototype of sample-fetches functions
    - MINOR: http: split the url_param in two parts
    - CLEANUP: http: bad indentation
    - MINOR: http: add body_param fetch
    - MEDIUM: http: url-encoded parsing function can run throught wrapped buffer
    - DOC: http: req.body_param documentation
    - MINOR: proxy: custom capture declaration
    - MINOR: capture: add two "capture" converters
    - MEDIUM: capture: Allow capture with slot identifier
    - MINOR: http: add array of generic pointers in http_res_rules
    - MEDIUM: capture: adds http-response capture
    - MINOR: common: escape CSV strings
    - MEDIUM: stats: escape some strings in the CSV dump
    - MINOR: tcp: add custom actions that can continue tcp-(request|response) processing
    - MINOR: lua: Lua tcp action are not final action
    - DOC: lua: schematics about lua socket organization
    - BUG/MINOR: debug: display (null) in place of "meth"
    - DOC: mention the "lua action" in documentation
    - MINOR: standard: add function that converts signed int to a string
    - BUG/MINOR: sample: wrong conversion of signed values
    - MEDIUM: sample: Add type any
    - MINOR: debug: add a special converter which display its input sample content.
    - MINOR: tcp: increase the opaque data array
    - MINOR: tcp/http/conf: extends the keyword registration options
    - MINOR: build: fix build dependency
    - MEDIUM: vars: adds support of variables
    - MINOR: vars: adds get and set functions
    - MINOR: lua: Variable access
    - MINOR: samples: add samples which returns constants
    - BUG/MINOR: vars/compil: fix some warnings
    - BUILD: add 51degrees options to makefile.
    - MINOR: global: add several 51Degrees members to global
    - MINOR: config: add 51Degrees config parsing.
    - MINOR: init: add 51Degrees initialisation code
    - MEDIUM: sample: add fiftyone_degrees converter.
    - MEDIUM: deinit: add cleanup for 51Degrees to deinit
    - MEDIUM: sample: add trie support to 51Degrees
    - DOC: add 51Degrees notes to configuration.txt.
    - DOC: add build indications for 51Degrees to README.
    - MEDIUM: cfgparse: introduce weak and strong quoting
    - BUG/MEDIUM: cfgparse: incorrect memmove in quotes management
    - MINOR: cfgparse: remove line size limitation
    - MEDIUM: cfgparse: expand environment variables
    - BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
    - BUG/MEDIUM: cfgparse: segfault when userlist is misused
    - CLEANUP: cfgparse: remove reference to 'ruleset' section
    - MEDIUM: cfgparse: check section maximum number of arguments
    - MEDIUM: cfgparse: max arguments check in the global section
    - MEDIUM: cfgparse: check max arguments in the proxies sections
    - CLEANUP: stream-int: remove a redundant clearing of the linger_risk flag
    - MINOR: connection: make conn_sock_shutw() actually perform the shutdown() call
    - MINOR: stream-int: use conn_sock_shutw() to shutdown a connection
    - MINOR: connection: perform the call to xprt->shutw() in conn_data_shutw()
    - MEDIUM: stream-int: replace xprt->shutw calls with conn_data_shutw()
    - MINOR: checks: use conn_data_shutw_hard() instead of call via xprt
    - MINOR: connection: implement conn_sock_send()
    - MEDIUM: stream-int: make conn_si_send_proxy() use conn_sock_send()
    - MEDIUM: connection: make conn_drain() perform more controls
    - REORG: connection: move conn_drain() to connection.c and rename it
    - CLEANUP: stream-int: remove inclusion of fd.h that is not used anymore
    - MEDIUM: channel: don't always set CF_WAKE_WRITE on bi_put*
    - CLEANUP: lua: don't use si_ic/si_oc on known stream-ints
    - BUG/MEDIUM: peers: correctly configure the client timeout
    - MINOR: peers: centralize configuration of the peers frontend
    - MINOR: proxy: store the default target into the frontend's configuration
    - MEDIUM: stats: use frontend_accept() as the accept function
    - MEDIUM: peers: use frontend_accept() instead of peer_accept()
    - CLEANUP: listeners: remove unused timeout
    - MEDIUM: listener: store the default target per listener
    - BUILD: fix automatic inclusion of libdl.
    - MEDIUM: lua: implement a simple memory allocator
    - MEDIUM: compression: postpone buffer adjustments after compression
    - MEDIUM: compression: don't send leading zeroes with chunk size
    - BUG/MINOR: compression: consider the expansion factor in init
    - MINOR: http: check the algo name "identity" instead of the function pointer
    - CLEANUP: compression: statify all algo-specific functions
    - MEDIUM: compression: add a distinction between UA- and config- algorithms
    - MEDIUM: compression: add new "raw-deflate" compression algorithm
    - MEDIUM: compression: split deflate_flush() into flush and finish
    - CLEANUP: compression: remove unused reset functions
    - MAJOR: compression: integrate support for libslz
    - BUG/MEDIUM: http: hdr_cnt would not count any header when called without name
    - BUG/MAJOR: http: null-terminate the http actions keywords list
    - CLEANUP: lua: remove the unused hlua_sleep memory pool
    - BUG/MAJOR: lua: use correct object size when initializing a new converter
    - CLEANUP: lua: remove hard-coded sizeof() in object creations and mallocs
    - CLEANUP: lua: fix confusing local variable naming in hlua_txn_new()
    - CLEANUP: hlua: stop using variable name "s" alternately for hlua_txn and hlua_smp
    - CLEANUP: lua: get rid of the last "*ht" for struct hlua_txn.
    - CLEANUP: lua: rename last occurrences of "*s" to "*htxn" for hlua_txn
    - CLEANUP: lua: rename variable "sc" for struct hlua_smp
    - CLEANUP: lua: get rid of the last two "*hs" for hlua_smp
    - REORG/MAJOR: session: rename the "session" entity to "stream"
    - REORG/MEDIUM: stream: rename stream flags from SN_* to SF_*
    - MINOR: session: start to reintroduce struct session
    - MEDIUM: stream: allocate the session when a stream is created
    - MEDIUM: stream: move the listener's pointer to the session
    - MEDIUM: stream: move the frontend's pointer to the session
    - MINOR: session: add a pointer to the session's origin
    - MEDIUM: session: use the pointer to the origin instead of s->si[0].end
    - CLEANUP: sample: remove useless tests in fetch functions for l4 != NULL
    - MEDIUM: http: move header captures from http_txn to struct stream
    - MINOR: http: create a dedicated pool for http_txn
    - MAJOR: http: move http_txn out of struct stream
    - MAJOR: sample: don't pass l7 anymore to sample fetch functions
    - CLEANUP: lua: remove unused hlua_smp->l7 and hlua_txn->l7
    - MEDIUM: http: remove the now useless http_txn from {req/res} rules
    - CLEANUP: lua: don't pass http_txn anymore to hlua_request_act_wrapper()
    - MAJOR: sample: pass a pointer to the session to each sample fetch function
    - MINOR: stream: provide a few helpers to retrieve frontend, listener and origin
    - CLEANUP: stream: don't set ->target to the incoming connection anymore
    - MINOR: stream: move session initialization before the stream's
    - MINOR: session: store the session's accept date
    - MINOR: session: don't rely on s->logs.logwait in embryonic sessions
    - MINOR: session: implement session_free() and use it everywhere
    - MINOR: session: add stick counters to the struct session
    - REORG: stktable: move the stkctr_* functions from stream to sticktable
    - MEDIUM: streams: support looking up stkctr in the session
    - MEDIUM: session: update the session's stick counters upon session_free()
    - MEDIUM: proto_tcp: track the session's counters in the connection ruleset
    - MAJOR: tcp: make tcp_exec_req_rules() only rely on the session
    - MEDIUM: stream: don't call stream_store_counters() in kill_mini_session() nor session_accept()
    - MEDIUM: stream: move all the session-specific stuff of stream_accept() earlier
    - MAJOR: stream: don't initialize the stream anymore in stream_accept
    - MEDIUM: session: remove the task pointer from the session
    - REORG: session: move the session parts out of stream.c
    - MINOR: stream-int: make appctx_new() take the applet in argument
    - MEDIUM: peers: move the appctx initialization earlier
    - MINOR: session: introduce session_new()
    - MINOR: session: make use of session_new() when creating a new session
    - MINOR: peers: make use of session_new() when creating a new session
    - MEDIUM: peers: initialize the task before the stream
    - MINOR: session: set the CO_FL_CONNECTED flag on the connection once ready
    - CLEANUP: stream.c: do not re-attach the connection to the stream
    - MEDIUM: stream: isolate connection-specific initialization code
    - MEDIUM: stream: also accept appctx as origin in stream_accept_session()
    - MEDIUM: peers: make use of stream_accept_session()
    - MEDIUM: frontend: make ->accept only return +/-1
    - MEDIUM: stream: return the stream upon accept()
    - MEDIUM: frontend: move some stream initialisation to stream_new()
    - MEDIUM: frontend: move the fd-specific settings to session_accept_fd()
    - MEDIUM: frontend: don't restrict frontend_accept() to connections anymore
    - MEDIUM: frontend: move some remaining stream settings to stream_new()
    - CLEANUP: frontend: remove one useless local variable
    - MEDIUM: stream: don't rely on the session's listener anymore in stream_new()
    - MEDIUM: lua: make use of stream_new() to create an outgoing connection
    - MINOR: lua: minor cleanup in hlua_socket_new()
    - MINOR: lua: no need for setting timeouts / conn_retries in hlua_socket_new()
    - MINOR: peers: no need for setting timeouts / conn_retries in peer_session_create()
    - CLEANUP: stream-int: swap stream-int and appctx declarations
    - CLEANUP: namespaces: fix protection against multiple inclusions
    - MINOR: session: maintain the session count stats in the session, not the stream
    - MEDIUM: session: adjust the connection flags before stream_new()
    - MINOR: stream: pass the pointer to the origin explicitly to stream_new()
    - CLEANUP: poll: move the conditions for waiting out of the poll functions
    - BUG/MEDIUM: listener: don't report an error when resuming unbound listeners
    - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only
    - BUG/MAJOR: tcp/http: fix current_rule assignment when restarting over a ruleset
    - BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified
    - DOC: update the entities diagrams
    - BUG/MEDIUM: http: properly retrieve the front connection
    - MINOR: applet: add a new "owner" pointer in the appctx
    - MEDIUM: applet: make the applet not depend on a stream interface anymore
    - REORG: applet: move the applet definitions out of stream_interface
    - CLEANUP: applet: rename struct si_applet to applet
    - REORG: stream-int: create si_applet_ops dedicated to applets
    - MEDIUM: applet: add basic support for an applet run queue
    - MEDIUM: applet: implement a run queue for active appctx
    - MEDIUM: stream-int: add a new function si_applet_done()
    - MAJOR: applet: now call si_applet_done() instead of si_update() in I/O handlers
    - MAJOR: stream: use a regular ->update for all stream interfaces
    - MEDIUM: dumpstats: don't unregister the applet anymore
    - MEDIUM: applet: centralize the call to si_applet_done() in the I/O handler
    - MAJOR: stream: do not allocate request buffers anymore when the left side is an applet
    - MINOR: stream-int: add two flags to indicate an applet's wishes regarding I/O
    - MEDIUM: applet: make the applets only use si_applet_{cant|want|stop}_{get|put}
    - MEDIUM: stream-int: pause the appctx if the task is woken up
    - BUG/MAJOR: tcp: only call registered actions when they're registered
    - BUG/MEDIUM: peers: fix applet scheduling
    - BUG/MEDIUM: peers: recent applet changes broke peers updates scheduling
    - MINOR: tools: provide an rdtsc() function for time comparisons
    - IMPORT: lru: import simple ebtree-based LRU functions
    - IMPORT: hash: import xxhash-r39
    - MEDIUM: pattern: add a revision to all pattern expressions
    - MAJOR: pattern: add LRU-based cache on pattern matching
    - BUG/MEDIUM: http: remove content-length from chunked messages
    - DOC: http: update the comments about the rules for determining transfer-length
    - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1
    - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request
    - BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding
    - MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230
    - MEDIUM: http: disable support for HTTP/0.9 by default
    - MEDIUM: http: add option-ignore-probes to get rid of the floods of 408
    - BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies
    - MEDIUM: init: don't stop proxies in parent process when exiting
    - MINOR: stick-table: don't attach to peers in stopped state
    - MEDIUM: config: initialize stick-tables after peers, not before
    - MEDIUM: peers: add the ability to disable a peers section
    - MINOR: peers: store the pointer to the signal handler
    - MEDIUM: peers: unregister peers that were never started
    - MEDIUM: config: propagate the table's process list to the peers sections
    - MEDIUM: init: stop any peers section not bound to the correct process
    - MEDIUM: config: validate that peers sections are bound to exactly one process
    - MAJOR: peers: allow peers section to be used with nbproc > 1
    - DOC: relax the peers restriction to single-process
    - DOC: document option http-ignore-probes
    - DOC: fix the comments about the meaning of msg->sol in HTTP
    - BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body
    - BUG/MAJOR: http: prevent risk of reading past end with balance url_param
    - MEDIUM: stream: move HTTP request body analyser before process_common
    - MEDIUM: http: add a new option http-buffer-request
    - MEDIUM: http: provide 3 fetches for the body
    - DOC: update the doc on the proxy protocol
    - BUILD: pattern: fix build warnings introduced in the LRU cache
    - BUG/MEDIUM: stats: properly initialize the scope before dumping stats
    - CLEANUP: config: fix misleading information in error message.
    - MINOR: config: report the number of processes using a peers section in the error case
    - BUG/MEDIUM: config: properly compute the default number of processes for a proxy
    - MEDIUM: http: add new "capture" action for http-request
    - BUG/MEDIUM: http: fix the http-request capture parser
    - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels
    - BUILD/MINOR: ssl: fix build failure introduced by recent patch
    - BUG/MAJOR: check: fix breakage of inverted tcp-check rules
    - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
    - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
    - CLEANUP: checks: simplify the loop processing of tcp-checks
    - BUG/MAJOR: checks: always check for end of list before proceeding
    - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
    - BUG/MAJOR: checks: break infinite loops when tcp-checks starts with comment
    - MEDIUM: http: make url_param iterate over multiple occurrences
    - BUG/MEDIUM: peers: apply a random reconnection timeout
    - MEDIUM: config: reject invalid config with name duplicates
    - MEDIUM: config: reject conflicts in table names
    - CLEANUP: proxy: make the proxy lookup functions more user-friendly
    - MINOR: proxy: simply ignore duplicates in proxy name lookups
    - MINOR: config: don't open-code proxy name lookups
    - MEDIUM: config: clarify the conflicting modes detection for backend rules
    - CLEANUP: proxy: remove now unused function findproxy_mode()
    - MEDIUM: stick-table: remove the now duplicate find_stktable() function
    - MAJOR: config: remove the deprecated reqsetbe / reqisetbe actions
    - MINOR: proxy: add a new function proxy_find_by_id()
    - MINOR: proxy: add a flag to memorize that the proxy's ID was forced
    - MEDIUM: proxy: add a new proxy_find_best_match() function
    - CLEANUP: http: explicitly reference request in http_apply_redirect_rules()
    - MINOR: http: prepare support for parsing redirect actions on responses
    - MEDIUM: http: implement http-response redirect rules
    - MEDIUM: http: no need to close the request on redirect if data was parsed
    - BUG/MEDIUM: http: fix body processing for the stats applet
    - BUG/MINOR: da: fix log-level comparison to emove annoying warning
    - CLEANUP: global: remove one ifdef USE_DEVICEATLAS
    - CLEANUP: da: move the converter registration to da.c
    - CLEANUP: da: register the config keywords in da.c
    - CLEANUP: adjust the envelope name in da.h to reflect the file name
    - CLEANUP: da: remove ifdef USE_DEVICEATLAS from da.c
    - BUILD: make 51D easier to build by defaulting to 51DEGREES_SRC
    - BUILD: fix build warning when not using 51degrees
    - BUILD: make DeviceAtlas easier to build by defaulting to DEVICEATLAS_SRC
    - BUILD: ssl: fix recent build breakage on older SSL libs
2015-06-17 15:53:25 +02:00
Willy Tarreau
c8ad3beded BUILD: ssl: fix recent build breakage on older SSL libs
Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates")
introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which
a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 15:50:40 +02:00
Thierry FOURNIER
0b243fd63b BUG/MINOR: vars/compil: fix some warnings
A switch case doesn't have default entry, and the compilator sends
a warning about uninitilized var.

   warning: 'vars' may be used uninitialized in this function [-Wmaybe-uninitialized]
2015-06-17 10:42:45 +02:00
Emeric Brun
31c56530b8 BUG/MAJOR: sample: regression on sample cast to stick table types.
This regression was introduce by commit
9c627e84b2 (MEDIUM: sample: Add type any)

New sample type 'any' was not handled in the matrix used to cast
to stick-tables types.
2015-06-16 18:34:50 +02:00
Emeric Brun
9490095abb MEDIUM: peers: support of any stick-table data-types for sync
It is possible to propagate entries of any data-types in stick-tables between
several haproxy instances over TCP connections in a multi-master fashion. Each
instance pushes its local updates and insertions to remote peers. The pushed
values overwrite remote ones without aggregation. Interrupted exchanges are
automatically detected and recovered from the last known point.
2015-06-16 16:11:59 +02:00
Emeric Brun
57056f0347 MEDIUM: peers: re-schedule stick-table's entry for sync when data is modified.
This was correctly done for data of type 'serverid' but it is now
necessary for all stick-tables data-types if we want to perform their
sync.
2015-06-16 16:11:36 +02:00
Emeric Brun
aaf5860fd6 MINOR: peers: avoid re-scheduling of pending stick-table's updates still not pushed. 2015-06-16 16:11:12 +02:00
Thierry FOURNIER
cc103299c7 MINOR: samples: add samples which returns constants
This patch adds sample which returns constants values. This is useful
for intialising variables.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
053ba8adfd MINOR: lua: Variable access
This patch adds two Lua function for using HAPRoxy's
vraibles. The function are stored in the TXN class,
and her name is "set_var" and "get_var".
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
c365d99a07 MINOR: vars: adds get and set functions
This patch adds two functions used for variable acces using the
variable full name. If the variable doesn't exists in the variable
pool name, it is created.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
4834bc773c MEDIUM: vars: adds support of variables
This patch adds support of variables during the processing of each stream. The
variables scope can be set as 'session', 'transaction', 'request' or 'response'.
The variable type is the type returned by the assignment expression. The type
can change while the processing.

The allocated memory can be controlled for each scope and each request, and for
the global process.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
a9ff994461 MINOR: build: fix build dependency
fix include dependency. The header file sample.h don't need to known
the content of the struct arg, so I remove the include, and replace
it by a simple pointer declaration.

This prevent an include dependecy issue with the next patch.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
0e11863a6f MINOR: tcp/http/conf: extends the keyword registration options
This patch permits to register a new keyword with the keyword "tcp-request content"
'tcp-request connection", tcp-response content", http-request" and "http-response"
which is identified only by matching the start of the keyword.

for example, we register the keyword "set-var" with the option "match_pfx"
and the configuration keyword "set-var(var_name)" matchs this entry.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
fbdb77582d MINOR: tcp: increase the opaque data array
This patch increase the opaque data array for the tcp_rules.
It is used by the "store" action (next commited) which deal
with variables.
2015-06-13 23:01:37 +02:00
Thierry FOURNIER
9687c77c91 MINOR: debug: add a special converter which display its input sample content.
This converter displays its input sample type and content. It is useful
for debugging some complex configurations.
2015-06-13 23:01:36 +02:00
Thierry FOURNIER
9c627e84b2 MEDIUM: sample: Add type any
This type is used to accept any type of sample as input, and prevent
any automatic "cast". It runs like the type "ADDR" which accept the
type "IPV4" and "IPV6".
2015-06-13 22:59:14 +02:00
Thierry FOURNIER
0f811440d5 BUG/MINOR: sample: wrong conversion of signed values
The signed values are casted as unsigned before conversion. This patch
use the good converters according with the sample type.

Note: it depends on previous patch to parse signed ints.
2015-06-13 22:59:14 +02:00
Thierry FOURNIER
1480bd8dd2 MINOR: standard: add function that converts signed int to a string
This function is the same as "ultoa_r", but it takes a signed value
as input.
2015-06-13 22:59:14 +02:00
Thierry FOURNIER
69717b4b9b DOC: mention the "lua action" in documentation
Fix some precision about lua.
2015-06-13 22:59:14 +02:00
Baptiste Assmann
3863f97349 MINOR: dns: add DNS statistics
add a new command on the stats socket to print a DNS resolvers section
(including per server) statistics: "show stats resolvers <id>"
2015-06-13 22:07:35 +02:00