RFC7919 defined sets of DH parameters supposedly strong enough to be
used safely. We will then use them when we can instead of our hard coded
ones (namely the ffdhe2048 and ffdhe4096 named groups).
The ffdhe2048 and ffdhe4096 named groups were integrated in OpenSSL
starting with version 1.1.1. Instead of duplicating those parameters in
haproxy for older versions of OpenSSL, we will keep using our own
parameters when they are not provided by the SSL library.
We will also need to keep our 1024 bits DH parameters since they are
considered not safe enough to have a dedicated named group in RFC7919
but we must still keep it for retrocompatibility with old Java clients.
This request was described in GitHub issue #1604.
Released version 2.6-dev6 with the following main changes :
- CLEANUP: connection: reduce the with of the mux dump output
- CI: Update to actions/checkout@v3
- CI: Update to actions/cache@v3
- DOC: adjust QUIC instruction in INSTALL
- BUG/MINOR: stats: define the description' background color in dark color scheme
- BUILD: ssl: add USE_ENGINE and disable the openssl engine by default
- BUILD: makefile: pass USE_ENGINE to cflags
- BUILD: xprt-quic: replace ERR_func_error_string() with ERR_peek_error_func()
- DOC: install: document the fact that SSL engines are not enabled by default
- CI: github actions: disable -Wno-deprecated
- BUILD: makefile: silence unbearable OpenSSL deprecation warnings
- MINOR: sock: check configured limits at the sock layer, not the listener's
- MINOR: connection: add a new flag CO_FL_FDLESS on fd-less connections
- MINOR: connection: add conn_fd() to retrieve the FD only when it exists
- MINOR: stream: only dump connections' FDs when they are valid
- MINOR: connection: use conn_fd() when displaying connection errors
- MINOR: connection: skip FD-based syscalls for FD-less connections
- MEDIUM: connection: panic when calling FD-specific functions on FD-less conns
- MINOR: mux-quic: properly set the flags and name fields
- MINOR: connection: rearrange conn_get_src/dst to be a bit more extensible
- MINOR: protocol: add get_src() and get_dst() at the protocol level
- MINOR: quic-sock: provide a pair of get_src/get_dst functions
- MEDIUM: ssl: improve retrieval of ssl_sock_ctx and SSL detection
- MEDIUM: ssl: stop using conn->xprt_ctx to access the ssl_sock_ctx
- MEDIUM: xprt-quic: implement get_ssl_sock_ctx()
- MEDIUM: quic: move conn->qc into conn->handle
- BUILD: ssl: fix build warning with previous changes to ssl_sock_ctx
- BUILD: ssl: add an unchecked version of __conn_get_ssl_sock_ctx()
- MINOR: ssl: refine the error testing for fc_err and fc_err_str
- BUG/MINOR: sock: do not double-close the accepted socket on the error path
- CI: cirrus: switch to FreeBSD-13.0
- MINOR: log: add '~' to frontend when the transport layer provides SSL
- BUILD/DEBUG: lru: fix printf format in debug code
- BUILD: peers: adjust some printf format to silence cppcheck
- BUILD/DEBUG: hpack-tbl: fix format string in standalone debug code
- BUILD/DEBUG: hpack: use unsigned int in printf format in debug code
- BUILD: halog: fix some incorrect signs in printf formats for integers
- BUG/MINOR: h3: fix build with DEBUG_H3
- BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
- BUG/MINOR: cache: do not display expired entries in "show cache"
- BUG/MINOR: mux-h1: Don't release unallocated CS on error path
- MINOR: applet: Make .init callback more generic
- MINOR: conn-stream: Add flags to set the type of the endpoint
- MEDIUM: applet: Set the appctx owner during allocation
- MAJOR: conn-stream: Invert conn-stream endpoint and its context
- REORG: Initialize the conn-stream by hand in cs_init()
- MEDIUM: conn-stream: Add an endpoint structure in the conn-stream
- MINOR: conn-stream: Move some CS flags to the endpoint
- MEDIUM: conn-stream: Be able to pass endpoint to create a conn-stream
- MEDIUM: conn-stream: Pre-allocate endpoint to create CS from muxes and applets
- REORG: applet: Uninline appctx_new function
- MAJOR: conn-stream: Share endpoint struct between the CS and the mux/applet
- MEDIUM: conn-stream: Move remaning flags from CS to endpoint
- MINOR: mux-pt: Rely on the endpoint instead of the conn-stream when possible
- MINOR: conn-stream: Add ISBACK conn-stream flag
- MINOR: conn-stream: Add header file with util functions related to conn-streams
- MEDIUM: tree-wide: Use CS util functions instead of SI ones
- MINOR: stream-int/txn: Move buffer for L7 retries in the HTTP transaction
- CLEANUP: http-ana: Remove http_alloc_txn() function
- MINOR: stream-int/stream: Move conn_retries counter in the stream
- MINOR: stream: Simplify retries counter calculation
- MEDIUM: stream-int/conn-stream: Move src/dst addresses in the conn-stream
- MINOR: stream-int/conn-stream: Move half-close timeout in the conn-stream
- MEDIUM: stream-int/stream: Use connect expiration instead of SI expiration
- MINOR: stream-int/conn-stream: Report error to the CS instead of the SI
- MEDIUM: conn-stream: Use endpoint error instead of conn-stream error
- MINOR: channel: Use conn-streams as channel producer and consumer
- MINOR: stream-int: Remove SI_FL_KILL_CON to rely on conn-stream endpoint only
- MINOR: mux-h2/mux-fcgi: Fully rely on CS_EP_KILL_CONN
- MINOR: stream-int: Remove SI_FL_NOLINGER/NOHALF to rely on CS flags instead
- MINOR: stream-int: Remove SI_FL_DONT_WAKE to rely on CS flags instead
- MINOR: stream-int: Remove SI_FL_INDEP_STR to rely on CS flags instead
- MINOR: stream-int: Remove SI_FL_SRC_ADDR to rely on stream flags instead
- CLEANUP: stream-int: Remove unused SI_FL_CLEAN_ABRT flag
- MINOR: stream: Only save previous connection state for the server side
- MEDIUM: stream-int: Move SI err_type in the stream
- MEDIUM: stream-int/conn-stream: Move stream-interface state in the conn-stream
- MINOR: stream-int/stream: Move si_retnclose() in the stream scope
- MINOR: stream-int/backend: Move si_connect() in the backend scope
- MINOR: stream-int/conn-stream: Move si_conn_ready() in the conn-stream scope
- MINOR: conn-stream/connection: Move SHR/SHW modes in the connection scope
- MEDIUM: conn-stream: Be prepared to fail to attach a cs to a mux
- MEDIUM: stream-int/conn-stream: Handle I/O subscriptions in the conn-stream
- MINOR: conn-stream: Rename CS functions dedicated to connections
- MINOR: stream-int/conn-stream: Move si_shut* and si_chk* in conn-stream scope
- MEDIUM: stream-int/conn-stream: Move si_ops in the conn-stream scope
- MINOR: applet: Use the CS to register and release applets instead of SI
- MINOR: connection: unconst mux's get_fist_cs() callback function
- MINOR: stream-int/connection: Move conn_si_send_proxy() in the connection scope
- REORG: stream-int: Export si_cs_recv(), si_cs_send() and si_cs_process()
- REORG: stream-int: Move si_is_conn_error() in the header file
- REORG: conn-stream: Move cs_shut* and cs_chk* in cs_utils
- REORG: conn-stream: Move cs_app_ops in conn_stream.c
- MINOR: stream-int-conn-stream: Move si_update_* in conn-stream scope
- MINOR: stream-int/stream: Move si_update_both in stream scope
- MEDIUM: conn-stream/applet: Add a data callback for applets
- MINOR: stream-int/conn-stream: Move stream_int_read0() in the conn-stream scope
- MINOR: stream-int/conn-stream: Move stream_int_notify() in the conn-stream scope
- MINOR: stream-int/conn-stream: Move si_cs_io_cb() in the conn-stream scope
- MINOR: stream-int/conn-stream: Move si_sync_recv/send() in conn-stream scope
- MINOR: conn-stream: Move si_conn_cb in the conn-stream scope
- MINOR: stream-int/conn-stream Move si_is_conn_error() in the conn-stream scope
- MINOR: stream-int/conn-stream: Move si_alloc_ibuf() in the conn-stream scope
- CLEANUP: stream-int: Remove unused SI functions
- MEDIUM: stream-int/conn-stream: Move blocking flags from SI to CS
- MEDIUM: stream-int/conn-stream: Move I/O functions to conn-stream
- REORG: stream-int/conn-stream: Move remaining functions to conn-stream
- MINOR: stream: Use conn-stream to report server error
- MINOR: http-ana: Use CS to perform L7 retries
- MEDIUM: stream: Don't use the stream-int anymore in process_stream()
- MINOR: conn-stream: Remove the stream-interface from the conn-stream
- DEV: flags: No longer dump SI flags
- CLEANUP: tree-wide: Remove any ref to stream-interfaces
- CLEANUP: conn-stream: Don't export internal functions
- DOC: conn-stream: Add comments on functions of the new CS api
- MEDIUM: check: Use a new conn-stream for each health-check run
- CLEANUP: muxes: Remove MX_FL_CLEAN_ABRT flag
- MINOR: conn-stream: Use a dedicated function to conditionally remove a CS
- CLEANUP: conn-stream: rename cs_register_applet() to cs_applet_create()
- MINOR: muxes: Improve show_fd callbacks to dump endpoint flags
- MINOR: mux-h1: Rely on the endpoint instead of the conn-stream when possible
- BUG/MINOR: quic: Avoid starting the mux if no ALPN sent by the client
- BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak
- BUILD: initcall: mark the __start_i_* symbols as weak, not global
- BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
- BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
- MINOR: muxes: Don't expect to have a mux without connection in destroy callback
- MINOR: muxes: Don't handle proto upgrade for muxes not supporting it
- MINOR: muxes: Don't expect to call release function with no mux defined
- MINOR: conn-stream: Use unsafe functions to get conn/appctx in cs_detach_endp
- BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
- BUILD: http-client: Avoid dead code when compiled without SSL support
- BUG/MINOR: mux-quic: prevent a crash in session_free on mux.destroy
- BUG/MINOR: quic-sock: do not double free session on conn init failure
- BUG/MINOR: quic: fix return value for error in start
- MINOR: quic: emit CONNECTION_CLOSE on app init error
- BUILD: sched: workaround crazy and dangerous warning in Clang 14
- BUILD: compiler: use a more portable set of asm(".weak") statements
- BUG/MEDIUM: stream: do not abort connection setup too early
- CLEANUP: extcheck: do not needlessly preset the server's address/port
- MINOR: extcheck: fill in the server's UNIX socket address when known
- BUG/MEDIUM: connection: Don't crush context pointer location if it is a CS
- BUG/MEDIUM: quic: properly clean frames on stream free
- BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added
- BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
- MINOR: tcp_sample: clarifying samples support per os, for further expansion.
- MINOR: tcp_sample: extend support for get_tcp_info to macOs.
- SCRIPTS: announce-release: update the doc's URL
- DOC: lua: update a few doc URLs
- SCRIPTS: announce-release: add shortened links to pending issues
The list of URLs now also adds pending bugs, reviewed bugs, and code
reports. The redirect is performed on haproxy.org since github URLs
are far too large here.
The HAProxy doc was updated to point to docs.haproxy.org.
The HAProxy API doc was returning a 404, let's point to version 2.6.
This should be backported with 1.9dev modified to match the respective
versions.
MacOS can feed fc_rtt, fc_rttvar, fc_sacked, fc_lost and fc_retrans
so let's expose them on this platform.
Note that at the tcp(7) level, the API is slightly different, as
struct tcp_info is called tcp_connection_info and TCP_INFO is
called TCP_CONNECTION_INFO, so for convenience these ones were
defined to point to their equivalent. However there is a small
difference now in that tcpi_rtt is called tcpi_rttcur on this
platform, which forces us to make a special case for it before
other platforms.
While there is some overlap between what each OS provides in terms of
retrievable info, each set is not a real subset of another one and this
results in increasing complexity when trying to add support for new OSes.
Let's just condition each item to the OS that support it. It's not pretty
but at least it will avoid a real mess later.
Note that fc_rtt and fc_rttvar are supported on any OS that has TCP_INFO,
not just linux/freebsd/netbsd, so we continue to expose them unconditionally.
If the response is compressed, we must update the HTX start-line flags and
the HTTP message flags. It is especially important if there is another
filter enabled. Otherwise, there is no way to know the C-L header was
removed and T-E one was added. Except by looping on headers.
This patch is related to the issue #1660. It must backported as far as 2.0
(for HTX part only).
Instead of relying on the HTX start-line flags, it is better to rely on
http_msg flags to know if a content-length header can be added or not. In
addition, if the header is added, HTTP_MSGF_CNT_LEN flag must be added.
Because of this bug, an invalid message can be emitted when the response is
compressed because it may contain C-L and a T-E headers.
This patch should fix the issue #1660. It must be backported as far as 2.2.
A released qc_stream_desc is freed as soon as all its buffer content has
been acknowledged. However, it may still contains other frames waiting
for ACK pointing to deleted buffer content. This can happen on
retransmission.
When freeing a qc_stream_desc, free all its frames in acked_frms tree to
fix memory leak. This may also possibly fix a crash on retransmission.
Now, the frames are properly removed from a packet. This ensure we do
not retransmit a frame whose buffer is deallocated.
The issue only concerns the backend connection. The conn-stream is now owned
by the stream and persists during all the stream life. Thus we must not
crush it when the backend connection is released.
It is 2.6-specific. No backport is needed.
While it's often a pain to try to figure a UNIX socket address, the
server ones are reliable and may be emitted in the check provided
they are retrieved in time. We cannot rely on addr_to_str() because
it only reports "unix" since it may be used to log client addresses
or listener addresses (which are renamed).
The address length was extended to 256 chars to deal with long paths
as previously it was limited to INET6_ADDRSTRLEN+1.
This addresses github issue #101. There's no point backporting this,
external checks are almost never used.
During the config parsing we preset the server's address and port, but
that's pointless since it's replaced during each check in order to deal
with the possibility that the address was changed since.
Github issue #472 reports a problem with short client connections making
stick-table entries disappear. The problem is in fact totally different
and stems at the connection establishment step.
What happens is that the stick-table there has a single entry. The
"stick-on" directive is forced to purge an existing entry before being
able to create a new one. The new entry will be committed during the
call to process_store_rules() on the response path.
But if the client sends the FIN immediately after the connection is set
up (e.g. using nc -z) then the SHUTR is received and will cancel the
connection setup just after it starts. This cancellation will induce a
call to cs_shutw() which will in turn leave the server-side state in
ST_DIS. This transition from ST_CON to ST_DIS doesn't belong to the
list of handled transition during the connection setup so it will be
handled right after on the regular path, causing the connection to be
closed. Because of this, we never pass through back_establish() and
the backend's analysers are never set on the response channel, which
is why process_store_rules() is not called and the stick-tables entry
never committed.
The comment above the code that causes this transition clearly says
that the function is to be used after the connection is established
with the server, but there's no such protection, and we always have
the AUTO_CLOSE flag there (but there's hardly any available condition
to eliminate it).
This patch adds a test for the connection not being in ST_CON or for
option abortonclose being set. It's sufficient to do the job and it
should not cause issues.
One concern was that the transition could happen during cs_recv()
after the connection switches from CON to RDY then the read0 would
be taken into account and would cause DIS to appear, which is not
handled either. But that cannot happen because cs_recv() doesn't do
anything until it's in ST_EST state, hence the read0() cannot be
called from CON/RDY. Thus the transition from CON to DIS is only
possible in back_handle_st_con() and back_handle_st_rdy() both of
which are called when dealing with the transition already, or when
abortonclose is set and the client aborts before connect() succeeds.
It's possible that some further improvements could be made to detect
this specific transition but it doesn't seem like anything would have
to be added.
This issue was first reported on 2.1. The abortonclose area is very
sensitive so it would be wise to backport slowly, and probably no
further than 2.4.
The two recent patches b12966af1 ("BUILD: debug: mark the
__start_mem_stats/__stop_mem_stats symbols as weak") and 2a06e248f
("BUILD: initcall: mark the __start_i_* symbols as weak, not global")
aimed at fixing a build warning and resulted in a build breakage on
MacOS which doesn't have a ".weak" asm statement.
We've already had MacOS-specific asm() statements for section names, so
this patch continues on this trend by moving HA_GLOBL() to compiler.h
and using ".globl" on MacOS since apparently nobody complains there.
It is debatable whether to expose this only when !USE_OBSOLETE_LINKER
or all the time, but since these are just macroes it's no big deal to
let them be available when needed and let the caller decide on the
build conditions.
If any of the patches above is backported, this one will need to as
well.
Ilya reported in issue #1638 that Clang 14 has invented a new warning
that encourages to modify the code in a way that is not always
equivalent, by turning "|" to "||" between some logical operators,
except that the first one guarantees that all members of the expression
will always be evaluated while the latter will stop at the first one
which is true!
This warning triggers in thread_has_tasks(), which is not sensitive to
such change of behavior but which is built this way because it results
in branchless code for something that most often evaluates to false for
all terms. As such it was out of question to turn this to less efficient
compare-and-jump that needlessly pollute the branch predictor, so the
workaround consists in casting each expression to (int). It was verified
that the code is the same.
Yet another example of how-to-introduce-bugs-by-fixing-valid-code
through warnings invented around a beer without thinking longer!
This may need to be backported to a few older branches in case this
compiler lands in recent distros or if gcc finds it wise to imitate it.
Emit a CONNECTION_CLOSE if the app layer cannot be properly initialized
on qc_xprt_start. This force the quic-conn to enter the closing state
before being closed.
Without this, quic-conn normal operations continue, despite the
app-layer reported as not initialized. This behavior is undefined, in
particular when handling STREAM frames.
Fix the return value used in quic-conn start callback for error. The
caller expects a negative value in this case.
Without this patch, the quic-conn and the connection stack are not
closed despite an initialization failure error, which is an undefined
behavior and may cause a crash in the end.
In the quic_session_accept, connection is in charge to call the
quic-conn start callback. If this callback fails for whatever reason,
there is a crash because of an explicit session_free.
This happens because the connection is now the owner of the session due
to previous conn_complete_session call. It will automatically calls
session_free. Fix this by skipping the session_free explicit invocation
on error.
In practice, currently this has never happened as there is only limited
cases of failures for conn_xprt_start for QUIC.
Implement qc_destroy. This callback is used to quickly release all MUX
resources.
session_free uses this callback. Currently, it can only be called if
there was an error during connection initialization. If not defined, the
process crashes.
When an HTTP client is started on an HAProxy compiled without the SSL
support, an error is triggered when HTTPS is used. In this case, the freshly
created conn-stream is released. But this code is specific to the non-SSL
part. Thus it is moved the in right #if/#else section.
This patch should fix the issue #1655.
The commit 744451c7c ("BUG/MEDIUM: mux-h1: Properly detect full buffer cases
during message parsing") introduced a regression if trailers are not
received in one time. Indeed, in this case, nothing is appended in the
channel buffer, while there are some data in the input buffer. In this case,
we must not request more room to the upper layer, especially because the
channel buffer can be empty.
To fix the issue, on trailers parsing, we consider the H1 stream as
congested when the max size allowed is reached. Of course, the H1 stream is
also considered as congested if the trailers are too big and the channel
buffer is not empty.
This patch should fix the issue #1657. It must be backported as far as 2.0.
For all muxes, the function responsible to release a mux is always called
with a defined mux. Thus there is no reason to test if it is defined or not.
Note the patch may seem huge but it is just because of indentation changes.
Several muxes (h2, fcgi, quic) don't support the protocol upgrade. For these
muxes, there is no reason to have code to support it. Thus in the destroy
callback, there is now a BUG_ON() and the release function is simplified
because the connection is always owned by the mux..
Once a mux initialized, the underlying connection alwaus exists from its
point of view and it is never removed until the mux is released. It may be
owned by another mux during an upgrade. But the pointer remains set. Thus
there is no reason to test it in the destroy callback function.
This patch should fix the issue #1652.
The doc states that timeout http-keep-alive is not set, timeout http-request
is used instead. As implemented in commit 15a4733d5 ("BUG/MEDIUM: mux-h2:
make use of http-request and keep-alive timeouts"), we use http-keep-alive
unconditionally between requests, with a fallback on client/server. Let's
make sure http-request is always used as a fallback for http-keep-alive
first.
This needs to be backported wherever the commit above is backported.
Thanks to Christian Ruppert for spotting this.
Commit 15a4733d5 ("BUG/MEDIUM: mux-h2: make use of http-request and
keep-alive timeouts") omitted to check the side of the connection, and
as a side effect, automatically enabled timeouts on idle backend
connections, which is totally contrary to the principle that they
must be autonomous.
This needs to be backported wherever the patch above is backported.
Just like for previous fix, these symbols are marked ".globl" during
their declaration, but their later mention uses __attribute__((weak)),
so it's better to only use ".weak" during the declaration so that the
symbol's class does not change.
No need to backport this unless someone reports build issues.
Building with clang and DEBUG_MEM_STATS shows the following warnings:
warning: __start_mem_stats changed binding to STB_WEAK [-Wsource-mgr]
warning: __stop_mem_stats changed binding to STB_WEAK [-Wsource-mgr]
The reason is that the symbols are declared using ".globl" while they
are also referenced as __attribute__((weak)) elsewhere. It turns out
that a weak symbol is implicitly a global one and that the two classes
are exclusive, thus it may confuse the linker. Better fix this.
This may be backported where the patch applies.
If the client does not sent an ALPN, the SSL ALPN negotiation callback
is not called. However, the handshake is reported as successful. Check
just after SSL_do_handshake if an ALPN was negotiated. If not, emit a
CONNECTION_CLOSE with a TLS alert to close the connection.
This prevent a crash in qcc_install_app_ops() called with null as second
parameter value.
Instead of testing if a conn-stream exists or not, we rely on CS_EP_ORPHAN
endpoint flag. In addition, if possible, we access the endpoint from the
h1s. Finally, the endpoint flags are now reported in trace messages.
cs_free_cond() must now be used to remove a CS. cs_free() may be used on
error path to release a freshly allocated but unused CS. But in all other
cases cs_free_cond() must be used. This function takes care to release the
CS if it is possible (no app and detached from any endpoint).
In fact, this function is only used internally. From the outside,
cs_detach_* functions are used.
It is a partial revert of 54e85cbfc ("MAJOR: check: Use a persistent
conn-stream for health-checks"). But with the CS refactoring, the result is
cleaner now. A CS is allocated when a new health-check run is started. The
same CS is then used throughout the run. If there are several connections,
the endpoint is just reset. At the end of the run, the CS is released. It
means, in the tcp-check part, the CS is always defined.
process_stream() and all associated functions now manipulate conn-streams.
stream-interfaces are no longer used. In addition, function to dump info
about a stream no longer print info about stream-interfaces.
cs_conn_io_cb(), cs_conn_sync_recv() and cs_conn_sync_send() are moved in
conn_stream.c. Associated functions are moved too (cs_notify, cs_conn_read0,
cs_conn_recv, cs_conn_send and cs_conn_process).
Remaining flags and associated functions are move in the conn-stream
scope. These flags are added on the endpoint and not the conn-stream
itself. This way it will be possible to get them from the mux or the
applet. The functions to get or set these flags are renamed accordingly with
the "cs_" prefix and updated to manipualte a conn-stream instead of a
stream-interface.
