Commit Graph

356 Commits

Author SHA1 Message Date
Remi Tricot-Le Breton 74f6ab6e87 MEDIUM: ssl: Keep a reference to the client's certificate for use in logs
Most of the SSL sample fetches related to the client certificate were
based on the SSL_get_peer_certificate function which returns NULL when
the verification process failed. This made it impossible to use those
fetches in a log format since they would always be empty.

The patch adds a reference to the X509 object representing the client
certificate in the SSL structure and makes use of this reference in the
fetches.

The reference can only be obtained in ssl_sock_bind_verifycbk which
means that in case of an SSL error occurring before the verification
process ("no shared cipher" for instance, which happens while processing
the Client Hello), we won't ever start the verification process and it
will be impossible to get information about the client certificate.

This patch also allows most of the ssl_c_XXX fetches to return a usable
value in case of connection failure (because of a verification error for
instance) by making the "conn->flags & CO_FL_WAIT_XPRT" test (which
requires a connection to be established) less strict.

Thanks to this patch, a log-format such as the following should return
usable information in case of an error occurring during the verification
process :
    log-format "DN=%{+Q}[ssl_c_s_dn] serial=%[ssl_c_serial,hex] \
                hash=%[ssl_c_sha1,hex]"

It should answer to GitHub issue #693.
2021-08-19 23:26:05 +02:00
Amaury Denoyelle 7ef244d73b REGTESTS: add a test to prevent h2 desync attacks
This test ensure that h2 pseudo headers are properly checked for invalid
characters and the host header is ignored if :authority is present. This
is necessary to prevent h2 desync attacks as described here
https://portswigger.net/research/http2
2021-08-17 10:22:20 +02:00
Ilya Shipitsin 01881087fc CLEANUP: assorted typo fixes in the code and comments
This is 25th iteration of typo fixes
2021-08-16 12:37:59 +02:00
Amaury Denoyelle a026783bd7 REGTESTS: server: fix dynamic server with checks test
Add a missing 'rxreq' statement in first server. Without it the test is
unstable. The issue is frequent when running with one thread only.

This should fix github issue #1342.
2021-08-06 15:34:04 +02:00
Amaury Denoyelle 3e7d468e80 REGTESTS: server: add dynamic check server test
Write a regtest to validate check support by dynamic servers. Three
differents servers are added on various configuration :
- server OK
- server DOWN
- agent-check
2021-08-06 11:22:01 +02:00
William Lallemand 56f1f75715 MINOR: log: rename 'dontloglegacyconnerr' to 'log-error-via-logformat'
Rename the 'dontloglegacyconnerr' option to 'log-error-via-logformat'
which is much more self-explanatory and readable.

Note: only legacy keywords don't use hyphens, it is recommended to
separate words with them in new keywords.
2021-08-02 10:42:42 +02:00
William Lallemand 4f59c67c4f REGTESTS: ssl: ssl_errors.vtc does not work with old openssl version
Disable the new ssl_errors.vtc reg-tests because in does not work
correctly on the CI since it requires a version of OpenSSL which is
compatible with TLSv1.3 and the ciphersuites keyword.
2021-07-29 16:00:24 +02:00
Remi Tricot-Le Breton 54f63836d2 REGTESTS: ssl: Add tests for the connection and SSL error fetches
This reg-test checks that the connection and SSL sample fetches related
to errors are functioning properly. It also tests the proper behaviour
of the default HTTPS log format and of the log-legacy-conn-error option
which enables or disables the output of a special error message in case
of connection failure (otherwise a line following the configured
log-format is output).
2021-07-29 15:40:45 +02:00
Willy Tarreau f2e44d4e87 REGTESTS: add more complex check conditions to check_conditions.vtc
Now that we support logic expressions, variables and parenthesis, let's
add a few more tests to check_conditions.vtc. The tests are conditionned
by the version being at least 2.5-dev2 so that it will not cause failures
during a possible later bisect session or if backported.

The test verifies that exported variables are seen, that operators precedence
works as expected, that parenthesis work at least through two levels, that an
empty condition is false while a negative number is true, and that extraneous
chars in an expression, or unfinished strings are properly caught.
2021-07-17 11:01:47 +02:00
Willy Tarreau b333db3fd2 REGTEST: make check_condition.vtc fail as soon as possible
The test consists in a sequence of shell commands, but the shell is not
necessarily started with strict errors enabled, so only the last command
provides the verdict. Let's add "set -e" to make it fail on the first
test that fails.
2021-07-17 10:56:32 +02:00
Amaury Denoyelle 79c52ec6b4 REGTESTS: test track support for dynamic servers
Create a regtest for the 'track' keyword support by dynamic servers.

First checks are executed to ensure that tracking cannot be activated on
non-check server or dynamic servers.

Then, 3 scenarii are written to ensure that the deletion of a dynamic
server with track is properly handled and other servers in the track
chain are properly maintained.
2021-07-16 10:22:58 +02:00
Remi Tricot-Le Breton 0498fa4059 BUG/MINOR: ssl: Default-server configuration ignored by server
When a default-server line specified a client certificate to use, the
frontend would not take it into account and create an empty SSL context,
which would raise an error on the backend side ("peer did not return a
certificate").

This bug was introduced by d817dc733e in
which the SSL contexts are created earlier than before (during the
default-server line parsing) without setting it in the corresponding
server structures. It then made the server create an empty SSL context
in ssl_sock_prepare_srv_ctx because it thought it needed one.

It was raised on redmine, in Bug #3906.

It can be backported to 2.4.
2021-07-13 18:35:38 +02:00
Amaury Denoyelle ff5adf82a5 REGTESTS: add http scheme-based normalization test
This test ensure that http scheme-based normalization is properly
applied on target URL and host header. It uses h2 clients as it is not
possible to specify an absolute url for h1 vtc clients.
2021-07-07 15:34:01 +02:00
Christopher Faulet 0de0becf0b BUG/MINOR: mqtt: Support empty client ID in CONNECT message
As specified by the MQTT specification (MQTT-3.1.3-6), the client ID may be
empty. That means the length of the client ID string may be 0. However, The
MQTT parser does not support empty strings.

So, to fix the bug, the mqtt_read_string() function may now parse empty
string. 2 bytes must be found to decode the string length, but the length
may be 0 now. It is the caller responsibility to test the string emptiness
if necessary. In addition, in mqtt_parse_connect(), the client ID may be
empty now.

This patch should partely fix the issue #1310. It must be backported to 2.4.
2021-06-28 16:29:44 +02:00
Christopher Faulet ca925c9c28 BUG/MINOR: mqtt: Fix parser for string with more than 127 characters
Parsing of too long strings (> 127 characters) was buggy because of a wrong
cast on the length bytes. To fix the bug, we rely on mqtt_read_2byte_int()
function. This way, the string length is properly decoded.

This patch should partely fix the issue #1310. It must be backported to 2.4.
2021-06-28 16:29:44 +02:00
Amaury Denoyelle e500e593a7 REGTESTS: fix maxconn update with agent-check
Correct the typo in the parameter used to update the 'maxconn' via
agent-check. The test is also completed to detect the update of maxconn
using CLI 'show stats'.
2021-06-22 16:34:23 +02:00
Amaury Denoyelle 0ffad2d76c REGTESTS: server: test ssl support for dynamic servers
Create a new regtest to test SSL support for dynamic servers.

The first step of the test is to create the ca-file via the CLI. Then a
dynamic server is created with the ssl option using the ca-file. A
client request is made through it to achieve the test.
2021-06-18 16:49:58 +02:00
Tim Duesterhus 3bc6af417d BUG/MINOR: cache: Correctly handle existing-but-empty 'accept-encoding' header
RFC 7231#5.3.4 makes a difference between a completely missing
'accept-encoding' header and an 'accept-encoding' header without any values.

This case was already correctly handled by accident, because an empty accept
encoding does not match any known encoding. However this resulted in the
'other' encoding being added to the bitmap. Usually this also succeeds in
serving cached responses, because the cached response likely has no
'content-encoding', thus matching the identity case instead of not serving the
response, due to the 'other' encoding. But it's technically not 100% correct.

Fix this by special-casing 'accept-encoding' values with a length of zero and
extend the test to check that an empty accept-encoding is correctly handled.
Due to the reasons given above the test also passes without the change in
cache.c.

Vary support was added in HAProxy 2.4. This fix should be backported to 2.4+.
2021-06-18 15:48:20 +02:00
Christopher Faulet c7b391aed2 BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
To perform servers resolution, the resolver's lock is first acquired then
the server's lock when necessary. However, when the fqdn is set via the CLI,
the opposite is performed. So, it is possible to experience an ABBA
deadlock.

To fix this bug, the server's lock is acquired and released for each
subcommand of "set server" with an exception when the fqdn is set. The
resolver's lock is first acquired. Of course, this means we must be sure to
have a resolver to lock.

This patch must be backported as far as 1.8.
2021-06-17 16:52:14 +02:00
Tim Duesterhus 4ee192f072 REGTESTS: Replace REQUIRE_BINARIES with 'command -v'
This migrates the tests to the native `feature cmd` functionality of VTest.
2021-06-17 14:59:55 +02:00
Tim Duesterhus c9570483b0 REGTESTS: Replace REQUIRE_OPTIONS with 'haproxy -cc' for 2.5+ tests
This migrates the tests for HAProxy versions that support '-cc' to the native
VTest functionality.
2021-06-17 14:59:55 +02:00
Tim Duesterhus 5efc48dcf1 REGTESTS: Replace REQUIRE_VERSION=2.5 with 'haproxy -cc'
This is safe, because running `haproxy -cc 'version_atleast(2.5-dev0)'` on
HAProxy 2.4 will also result in an exit code of 1.
2021-06-17 14:59:55 +02:00
Tim Duesterhus 1b095cac94 REGTESTS: Remove REQUIRE_VERSION=1.7 from all tests
HAProxy 1.7 is the lowest supported version, thus this always matches.
2021-06-11 19:21:28 +02:00
Tim Duesterhus d8be0018fe REGTESTS: Remove REQUIRE_VERSION=1.6 from all tests
HAProxy 1.6 is EOL, thus this always matches.
2021-06-11 19:21:28 +02:00
Willy Tarreau b63dbb7b2e MAJOR: config: remove parsing of the global "nbproc" directive
This one was deprecated in 2.3 and marked for removal in 2.5. It suffers
too many limitations compared to threads, and prevents some improvements
from being engaged. Instead of a bypassable startup error, there is now
a hard error.

The parsing code was removed, and very few obvious cases were as well.
The code is deeply rooted at certain places (e.g. "for" loops iterating
from 0 to nbproc) so it will not be that trivial to remove everywhere.
The "bind" and "bind-process" parsers will have to be adjusted, though
maybe not completely changed if we later want to support thread groups
for large NUMA machines. Some stats socket restrictions were removed,
and the doc was updated according to what was done. A few places in the
doc still refer to nbproc and will have to be revisited. The master-worker
code also refers to the process number to distinguish between master and
workers and will have to be carefully adjusted. The MAX_PROCS macro was
reset to 1, this will at least reduce the size of some remaining arrays.

Two regtests were dependieng on this directive, one with an explicit
"nbproc 1" and another one testing the master's CLI using nbproc 4.
Both were adapted.
2021-06-11 17:02:13 +02:00
William Lallemand 0061323114 REGTESTS: ssl: show_ssl_ocspresponce.vtc is broken with BoringSSL
The `show ssl ocsp-response` feature is not available with BoringSSL,
but we don't have a way to disable this feature only with boringSSL on
the CI. Disable the reg-test until we do.
2021-06-11 10:03:08 +02:00
Remi Tricot-Le Breton 2a77c62c18 REGTESTS: ssl: Add "show ssl ocsp-response" test
This file adds tests for the new "show ssl ocsp-response" command and
the new "show ssl cert foo.pem.ocsp" and "show ssl cert *foo.pem.ocsp"
special cases. They are all used to display information about an OCSP
response, committed or not.
2021-06-10 16:44:11 +02:00
Maximilian Mader fc0cceb08a MINOR: haproxy: Add `-cc` argument
This patch adds the `-cc` (check condition) argument to evaluate conditions on
startup and return the result as the exit code.

As an example this can be used to easily check HAProxy's version in scripts:

    haproxy -cc 'version_atleast(2.4)'

This resolves GitHub issue #1246.

Co-authored-by: Tim Duesterhus <tim@bastelstu.be>
2021-06-08 11:17:19 +02:00
Tim Duesterhus a9334df5a9 CLEANUP: reg-tests: Remove obsolete no-htx parameter for reg-tests
The legacy HTTP subsystem has been removed. HTX is always enabled.
2021-06-04 15:41:21 +02:00
Christopher Faulet 3b9cb60059 REGTESTS: Fix http_abortonclose.vtc to support -1 status for some client aborts
Since the commit 5e702fcad ("MINOR: http-ana: Use -1 status for client
aborts during queuing and connect"), -1 status is reported in the log
message when the client aborts during queuing and
connect. http_abortonclose.vtc script must be update accordingly.
2021-06-02 17:23:48 +02:00
Remi Tricot-Le Breton a3b2e099c2 REGTESTS: ssl: Add "set/commit ssl crl-file" test
This file adds tests for the new "set ssl crl-file" and "commit ssl
crl-file" commands which allow the hot update of CRL file through CLI
commands.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton f615070bcc REGTESTS: ssl: Add "new/del ssl crl-file" tests
This vtc tests the "new ssl crl-file" which allows to create a new empty
CRL file that can then be set through a "set+commit ssl crl-file"
command pair. It also tests the "del ssl crl-file" command which allows
to delete an unused CRL file.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton efcc5b28d1 REGTESTS: ssl: Add "new/del ssl ca-file" tests
This vtc tests the "new ssl ca-file" which allows to create a new empty
CA file that can then be set through a "set+commit ssl ca-file" command
pair. It also tests the "del ssl ca-file" command which allows to delete
an unused CA file.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton 2a22e16cb8 MEDIUM: ssl: Add "show ssl ca-file" CLI command
This patch adds the "show ssl ca-file [<cafile>[:index]]" CLI command.
This command can be used to display the list of all the known CA files
when no specific file name is specified, or to display the details of a
specific CA file when a name is given. If an index is given as well, the
command will only display the certificate having the specified index in
the CA file (if it exists).
The details displayed for each certificate are the same as the ones
showed when using the "show ssl cert" command on a single certificate.

This fixes a subpart of GitHub issue #1057.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton d5fd09d339 MINOR: ssl: Add "abort ssl ca-file" CLI command
The "abort" command aborts an ongoing transaction started by a "set ssl
ca-file" command. Since the updated CA file data is not pushed into the
cafile tree until a "commit ssl ca-file" call is performed, the abort
command simply clears the new cafile_entry that was stored in the
cafile_transaction.

This fixes a subpart of GitHub issue #1057.
2021-05-17 10:50:24 +02:00
Remi Tricot-Le Breton 2db6101ed7 REGTESTS: ssl: Add new ca-file update tests
This vtc tests the "set ssl ca-file" and "commit ssl ca-file" cli
commands. Those commands allow the hot update of CA files through cli
commands.
2021-05-17 10:50:24 +02:00
Amaury Denoyelle 94fd1339e7 REGTESTS: stick-table: add src_conn_rate test
Add a simple test which uses src_conn_rate stick table fetch. Limit the
connection rate to 3. The 4th connection should return a 403.
2021-05-12 15:30:03 +02:00
Tim Duesterhus dec1c36b3a MINOR: uri_normalizer: Add `fragment-encode` normalizer
This normalizer encodes '#' as '%23'.

See GitHub Issue #714.
2021-05-11 17:24:32 +02:00
Tim Duesterhus c9e05ab2de MINOR: uri_normalizer: Add `fragment-strip` normalizer
This normalizer strips the URI's fragment component which should never be sent
to the server.

See GitHub Issue #714.
2021-05-11 17:23:46 +02:00
Willy Tarreau e1465c1e46 REGTESTS: disable inter-thread idle connection sharing on sensitive tests
Some regtests involve multiple requests from multiple clients, which can
be dispatched as multiple requests to a server. It turns out that the
idle connection sharing works so well that very quickly few connections
are used, and regularly some of the remaining idle server connections
time out at the moment they were going to be reused, causing those random
"HTTP header incomplete" traces in the logs that make them fail often. In
the end this is only an artefact of the test environment.

And indeed, some tests like normalize-uri which perform a lot of reuse
fail very often, about 20-30% of the times in the CI, and 100% of the
time in local when running 1000 tests in a row. Others like ubase64,
sample_fetches or vary_* fail less often but still a lot in tests.

This patch addresses this by adding "tune.idle-pool.shared off" to all
tests which have at least twice as many requests as clients. It proves
very effective as no single error happens on normalize-uri anymore after
10000 tests. Also 100 full runs of all tests yield no error anymore.

One test is tricky, http_abortonclose, it used to fail ~10 times per
1000 runs and with this workaround still fails once every 1000 runs.
But the test is complex and there's a warning in it mentioning a
possible issue when run in parallel due to a port reuse.
2021-05-09 14:41:41 +02:00
Amaury Denoyelle a9e639afe2 MINOR: http_act: mark normalize-uri as experimental
normalize-uri http rule is marked as experimental, so it cannot be
activated without the global 'expose-experimental-directives'. The
associated vtc is updated to be able to use it.
2021-05-07 14:35:02 +02:00
Christopher Faulet 16b37510bc REGTESTS: Add script to test abortonclose option
This script test abortonclose option for HTTP/1 client only. It may be
backported as far as 2.0. But on the 2.2 and prior, the syslog part must be
adapted to catch log messages emitted by proxy during HAProxy
startup. Following lines must be added :

    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Proxy fe1 started."
    recv
    expect ~ "[^:\\[ ]\\[${h1_pid}\\]: Proxy fe2 started."
2021-05-06 09:19:20 +02:00
Willy Tarreau deee369cfa REGTESTS: add minimal CLI "add map" tests
The map_redirect test already tests for "show map", "del map" and
"clear map" but doesn't have any "add map" command. Let's add some
trivial ones involving one regular entry and two other ones added as
payload, checking they are properly returned.
2021-04-29 16:19:03 +02:00
Amaury Denoyelle 996190a70d REGTESTS: server: fix cli_add_server due to previous trace update
Error output for dynamic server creation if invalid lb algo has changed
since previous commit :
MINOR: server: fix doc/trace on lb algo for dynamic server creation

The vtest regex should have been updated has well to match it.
2021-04-29 15:38:02 +02:00
Tim Duesterhus 2e4a18e04a MINOR: uri_normalizer: Add a `percent-decode-unreserved` normalizer
This normalizer decodes percent encoded characters within the RFC 3986
unreserved set.

See GitHub Issue #714.
2021-04-23 19:43:45 +02:00
Maximilian Mader ff3bb8b609 MINOR: uri_normalizer: Add a `strip-dot` normalizer
This normalizer removes "/./" segments from the path component.
Usually the dot refers to the current directory which renders those segments redundant.

See GitHub Issue #714.
2021-04-21 12:15:14 +02:00
Amaury Denoyelle e558043e13 MINOR: server: implement delete server cli command
Implement a new CLI command 'del server'. It can be used to removed a
dynamically added server. Only servers in maintenance mode can be
removed, and without pending/active/idle connection on it.

Add a new reg-test for this feature. The scenario of the reg-test need
to first add a dynamic server. It is then deleted and a client is used
to ensure that the server is non joinable.

The management doc is updated with the new command 'del server'.
2021-04-21 11:00:31 +02:00
Tim Duesterhus 5be6ab269e MEDIUM: http_act: Rename uri-normalizers
This patch renames all existing uri-normalizers into a more consistent naming
scheme:

1. The part of the URI that is being touched.
2. The modification being performed as an explicit verb.
2021-04-19 09:05:57 +02:00
Tim Duesterhus a407193376 MINOR: uri_normalizer: Add a `percent-upper` normalizer
This normalizer uppercases the hexadecimal characters used in percent-encoding.

See GitHub Issue #714.
2021-04-19 09:05:57 +02:00
Tim Duesterhus d7b89be30a MINOR: uri_normalizer: Add a `sort-query` normalizer
This normalizer sorts the `&` delimited query parameters by parameter name.

See GitHub Issue #714.
2021-04-19 09:05:57 +02:00