Commit Graph

507 Commits

Author SHA1 Message Date
William Lallemand
82fe75c1a7 MEDIUM: HTTP compression (zlib library support)
This commit introduces HTTP compression using the zlib library.

http_response_forward_body has been modified to call the compression
functions.

This feature includes 3 algorithms: identity, gzip and deflate:

  * identity: this is mostly for debugging, and it was useful for
  developping the compression feature. With Content-Length in input, it
  is making each chunk with the data available in the current buffer.
  With chunks in input, it is rechunking, the output chunks will be
  bigger or smaller depending of the size of the input chunk and the
  size of the buffer. Identity does not apply any change on data.

  * gzip: same as identity, but applying a gzip compression. The data
  are deflated using the Z_NO_FLUSH flag in zlib. When there is no more
  data in the input buffer, it flushes the data in the output buffer
  (Z_SYNC_FLUSH). At the end of data, when it receives the last chunk in
  input, or when there is no more data to read, it writes the end of
  data with Z_FINISH and the ending chunk.

  * deflate: same as gzip, but with deflate algorithm and zlib format.
  Note that this algorithm has ambiguous support on many browsers and
  no support at all from recent ones. It is strongly recommended not
  to use it for anything else than experimentation.

You can't choose the compression ratio at the moment, it will be set to
Z_BEST_SPEED (1), as tests have shown very little benefit in terms of
compression ration when going above for HTML contents, at the cost of
a massive CPU impact.

Compression will be activated depending of the Accept-Encoding request
header. With identity, it does not take care of that header.

To build HAProxy with zlib support, use USE_ZLIB=1 in the make
parameters.

This work was initially started by David Du Colombier at Exceliance.
2012-10-26 02:30:48 +02:00
Willy Tarreau
35b7b16818 MEDIUM: cli: allow the stats socket to be bound to a specific set of processes
Using "stats bind-process", it becomes possible to indicate to haproxy which
process will get the incoming connections to the stats socket. It will also
shut down the warning when nbproc > 1.
2012-10-22 23:17:18 +02:00
Dmitry Sivachenko
f6f4f7b9a6 DOC: make it clear what the HTTP request size is
Please consider the following patch for configuration.txt to clarify meaning
of bufsize, maxrewrite and the size of HTTP request which can be processed.
2012-10-22 08:10:10 +02:00
Willy Tarreau
6c9a3d5585 MEDIUM: ssl: add support for the "npn" bind keyword
The ssl_npn match could not work by itself because clients do not use
the NPN extension unless the server advertises the protocols it supports.
Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 19:03:00 +02:00
Cyril Bonté
941a0c6209 DOC: fix minor typo on http-send-name-header
The "server" keyword documentation had a reference on "http-send-server-name"
instead of "http-send-name-header".
2012-10-16 08:11:13 +02:00
Willy Tarreau
a33c654cb1 MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information
This may be used to distinguish between SPDY versions for example.
2012-10-15 13:19:06 +02:00
Willy Tarreau
0b737a72ef DOC: document relations between internal entities
Links between internal structures have been represented in
entities.fig. The pdf and svg versions were added too.
2012-10-14 14:05:16 +02:00
Willy Tarreau
ffc3fcd6da MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv
These two new log-format tags report the SSL protocol version (%sslv) and the
SSL ciphers (%sslc) used for the connection with the client. For instance, to
append these information just after the client's IP/port address information
on an HTTP log line, use the following configuration :

    log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

It will report a line such as the following one :

    Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 20:48:51 +02:00
Willy Tarreau
773d65f413 MEDIUM: log: suffix the frontend's name with '~' when using SSL
Until now it was not possible to know from the logs whether the incoming
connection was made over SSL or not. In order to address this in the existing
log formats, a new log format %ft was introduced, to log the frontend's name
suffixed with its transport layer. The only transport layer in use right now
is '~' for SSL, so that existing log formats for non-SSL traffic are not
affected at all, and SSL log formats have the frontend's name suffixed with
'~'.

The TCP, HTTP and CLF log format now use %ft instead of %f. This does not
affect existing log formats which still make use of %f however.
2012-10-12 14:56:11 +02:00
Emeric Brun
fd33a26d75 DOC: Fix rename of options cafile and crlfile to ca-file and crl-file. 2012-10-12 12:06:04 +02:00
Emeric Brun
ef42d9219d MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers.
It now becomes possible to verify the server's certificate using the "verify"
directive. This one only supports "none" and "required", as it does not make
much sense to also support "optional" here.
2012-10-12 12:05:15 +02:00
Emeric Brun
f9c5c4701c MINOR: ssl: add statement 'no-tls-tickets' on server side. 2012-10-12 11:48:55 +02:00
Cyril Bonté
9c1eb1e8be DOC: ssl: surround keywords with quotes
In order to make external tools easily detect keywords in the documentation,
let's surround them by quotes as it is done for other keywords.
2012-10-09 22:52:49 +02:00
Cyril Bonté
0d44fc6472 DOC: ssl: remove prefer-server-ciphers documentation
Commit 3c4bc6e1 removed the prefer-server-ciphers statement.
Therefore, the statement should also be removed from the documentation.
2012-10-09 22:52:49 +02:00
Emeric Brun
8694b9a682 MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server
These options force the SSL lib to use the specified protocol when
connecting to a server. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 22:05:04 +02:00
Emeric Brun
2cb7ae5302 MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind.
These options force the SSL lib to use the specified protocol. They
are complentary to no-tlsv*/no-sslv3.
2012-10-05 22:02:42 +02:00
Emeric Brun
9b3009b440 MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
These ones were really not easy to read nor write, and become confusing
with the next ones to be added.
2012-10-05 21:47:42 +02:00
Emeric Brun
c8e8d12257 MINOR: ssl: add 'crt-base' and 'ca-base' global statements.
'crt-base' sets root directory used for relative certificates paths.
'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-05 21:46:52 +02:00
Willy Tarreau
1c862c5920 MEDIUM: tcp: enable TCP Fast Open on systems which support it
If TCP_FASTOPEN is defined, then the "tfo" option is supported on
"bind" lines to enable TCP Fast Open (linux >= 3.6).
2012-10-05 16:22:35 +02:00
bedis
4c75cca8ba MINOR: samples: update the url_param fetch to match parameters in the path
It now supports an optional delimiter to allow to look for the parameter before
the query string.
2012-10-05 15:17:23 +02:00
Willy Tarreau
6c16adc661 MEDIUM: checks: enable the PROXY protocol with health checks
When health checks are configured on a server which has the send-proxy
directive and no "port" nor "addr" settings, the health check connections
will automatically use the PROXY protocol. If "port" or "addr" are set,
the "check-send-proxy" directive may be used to force the protocol.
2012-10-05 00:33:14 +02:00
Willy Tarreau
763a95bfde MEDIUM: checks: add the "check-ssl" server option
This option forces health checks to be sent over SSL even if the
address or port are not the standard ones.
2012-10-05 00:33:14 +02:00
Willy Tarreau
f7bc57ca6e REORG: connection: rename the data layer the "transport layer"
While working on the changes required to make the health checks use the
new connections, it started to become obvious that some naming was not
logical at all in the connections. Specifically, it is not logical to
call the "data layer" the layer which is in charge for all the handshake
and which does not yet provide a data layer once established until a
session has allocated all the required buffers.

In fact, it's more a transport layer, which makes much more sense. The
transport layer offers a medium on which data can transit, and it offers
the functions to move these data when the upper layer requests this. And
it is the upper layer which iterates over the transport layer's functions
to move data which should be called the data layer.

The use case where it's obvious is with embryonic sessions : an incoming
SSL connection is accepted. Only the connection is allocated, not the
buffers nor stream interface, etc... The connection handles the SSL
handshake by itself. Once this handshake is complete, we can't use the
data functions because the buffers and stream interface are not there
yet. Hence we have to first call a specific function to complete the
session initialization, after which we'll be able to use the data
functions. This clearly proves that SSL here is only a transport layer
and that the stream interface constitutes the data layer.

A similar change will be performed to rename app_cb => data, but the
two could not be in the same commit for obvious reasons.
2012-10-04 22:26:09 +02:00
Emeric Brun
90ad8727dd DOC: ssl: add 'no-tls-tickets' statement documentation.
Disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage.
2012-10-02 16:05:35 +02:00
Emeric Brun
f5da49392a DOC: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
This applies both to "bind" and "server" statements.
2012-10-02 08:34:38 +02:00
Emeric Brun
3603fbe0af DOC: ssl: add fetches and ACLs 'ssl_verify_crterr', 'ssl_verify_caerr', and 'ssl_verify_crterr_depth' 2012-10-02 08:34:37 +02:00
Emeric Brun
c68af8db6f DOC: ssl: add fetch and ACL 'ssl_verify_result' 2012-10-02 08:34:37 +02:00
Emeric Brun
b6dc934302 DOC: ssl: add 'ca-ignore-err' and 'crt-ignore-err' statements on 'bind' 2012-10-02 08:34:34 +02:00
Emeric Brun
b4354087ee DOC: ssl: add fetch and ACL 'client_cert' 2012-10-02 08:32:50 +02:00
Emeric Brun
1a073b4650 DOC: ssl: add 'verify', 'cafile' and 'crlfile' statements on 'bind' 2012-10-02 08:32:37 +02:00
Emeric Brun
7fb34422fe DOC: ssl: add 'ecdhe' statement on 'bind' 2012-10-02 08:03:35 +02:00
Emeric Brun
e032bfaa33 DOC: ssl: update 'crt' statement on 'bind' about Diffie-Hellman parameters loading 2012-10-02 08:02:08 +02:00
Willy Tarreau
82569f9158 MEDIUM: monitor: simplify handling of monitor-net and mode health
We were having several different behaviours with monitor-net and
"mode health" :
  - monitor-net on TCP connections was evaluated just after accept(),
    did not count a connection on the frontend and were not subject
    to tcp-request connection rules, and caused an immediate close().

  - monitor-net in HTTP mode was evaluated once the session was
    accepted (eg: on top of SSL), returned "HTTP/1.0 200 OK\r\n\r\n"
    over the connection's data layer and instanciated a session which
    was responsible for closing this connection. A connection AND a
    session were counted for the frontend ;

  - "mode health" with "option httpchk" would do exactly the same as
    monitor-net in HTTP mode ;

  - "mode health" without "option httpchk" would do the same as above
    except that "OK" was returned instead of "HTTP/1.0 200 OK\r\n\r\n".

None of them took care of cleaning the input buffer, sometimes resulting
in a TCP reset to be emitted after the last packet if a request was received
over the connection.

Given the inconsistencies and the complexity in keeping all these features
handled at the right position, we now slightly changed the way they are
handled :

  - all of them are handled just after the "tcp-request connection" rules,
    so that all of them may be blocked using such rules, offering more
    flexibility and consistency ;

  - no connection handshake is performed anymore for non-TCP modes

  - all of them send the response as raw data over the socket, there is no
    more difference between TCP and HTTP mode for example (these rules were
    never meant to be served over SSL connections and were never documented
    as able to do that).

  - any possible pending data on the incoming socket is drained before the
    response is sent, in order to avoid the risk of a reset.

  - none of them exactly did what was documented !

This results in more consistent, more flexible and more accurate handling of
monitor rules, with smaller and more robust code.
2012-09-28 00:01:22 +02:00
Willy Tarreau
3c7a79dbb1 MINOR: cli: allow to set frontend maxconn to zero
It is sometimes useful to completely disable accepting new connections
on a frontend during maintenance operations. By setting a frontend's
maxconn to zero, connections are not accepted anymore until the limit
is increased again.
2012-09-26 21:07:15 +02:00
Willy Tarreau
086fbf53b5 DOC: fix index to reference bind and server options
Last commit forgot to update the index.
2012-09-24 20:35:19 +02:00
Willy Tarreau
abb175f0e9 DOC: stats: refer to "bind" section for "stats socket" settings
They're all shared now, so let's have them described at one single
place.
2012-09-24 12:43:26 +02:00
Willy Tarreau
b6205fd092 DOC: move bind options to their own section
There are now too many bind options to still have them in the middle
of the keyword matrix, so let's move them with the server options in
section 5. No new option was documented yet at this point.
2012-09-24 12:27:33 +02:00
Guillaume Castagnino
aeff252dca DOC: duplicate ssl_sni section
I noticed that the ssl_sni section is duplicated in configuration. Here
is the (very) small fix.
2012-09-13 23:50:56 +02:00
Willy Tarreau
2e1dca8f52 MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
For instance :

   redirect scheme https if !{ is_ssl }
2012-09-12 08:43:15 +02:00
Willy Tarreau
16216828fc [RELEASE] Released version 1.5-dev12
Released version 1.5-dev12 with the following main changes :
    - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
    - MEDIUM: ssl: add support for prefer-server-ciphers option
    - MINOR: IPv6 support for transparent proxy
    - MINOR: protocol: add SSL context to listeners if USE_OPENSSL is defined
    - MINOR: server: add SSL context to servers if USE_OPENSSL is defined
    - MEDIUM: connection: add a new handshake flag for SSL (CO_FL_SSL_WAIT_HS).
    - MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer
    - MEDIUM: config: add the 'ssl' keyword on 'bind' lines
    - MEDIUM: config: add support for the 'ssl' option on 'server' lines
    - MEDIUM: ssl: protect against client-initiated renegociation
    - BUILD: add optional support for SSL via the USE_OPENSSL flag
    - MEDIUM: ssl: add shared memory session cache implementation.
    - MEDIUM: ssl: replace OpenSSL's session cache with the shared cache
    - MINOR: ssl add global setting tune.sslcachesize to set SSL session cache size.
    - MEDIUM: ssl: add support for SNI and wildcard certificates
    - DOC: Typos cleanup
    - DOC: fix name for "option independant-streams"
    - DOC: specify the default value for maxconn in the context of a proxy
    - BUG/MINOR: to_log erased with unique-id-format
    - LICENSE: add licence exception for OpenSSL
    - BUG/MAJOR: cookie prefix doesn't support cookie-less servers
    - BUILD: add an AIX 5.2 (and later) target.
    - MEDIUM: fd/si: move peeraddr from struct fdinfo to struct connection
    - MINOR: halog: use the more recent dual-mode fgets2 implementation
    - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches
    - CLEANUP: halog: make clean should also remove .o files
    - OPTIM: halog: make use of memchr() on platforms which provide a fast one
    - OPTIM: halog: improve cold-cache behaviour when loading a file
    - BUG/MINOR: ACL implicit arguments must be created with unresolved flag
    - MINOR: replace acl_fetch_{path,url}* with smp_fetch_*
    - MEDIUM: pattern: add the "base" sample fetch method
    - OPTIM: i386: make use of kernel-mode-linux when available
    - BUG/MINOR: tarpit: fix condition to return the HTTP 500 message
    - BUG/MINOR: polling: some events were not set in various pollers
    - MINOR: http: add the urlp_val ACL match
    - BUG: stktable: tcp_src_to_stktable_key() must return NULL on invalid families
    - MINOR: stats/cli: add plans to support more stick-table actions
    - MEDIUM: stats/cli: add support for "set table key" to enter values
    - REORG/MEDIUM: fd: remove FD_STCLOSE from struct fdtab
    - REORG/MEDIUM: fd: remove checks for FD_STERROR in ev_sepoll
    - REORG/MEDIUM: fd: get rid of FD_STLISTEN
    - REORG/MINOR: connection: move declaration to its own include file
    - REORG/MINOR: checks: put a struct connection into the server
    - MINOR: connection: add flags to the connection struct
    - MAJOR: get rid of fdtab[].state and use connection->flags instead
    - MINOR: fd: add a new I/O handler to fdtab
    - MEDIUM: polling: prepare to call the iocb() function when defined.
    - MEDIUM: checks: make use of fdtab->iocb instead of cb[]
    - MEDIUM: protocols: use the generic I/O callback for accept callbacks
    - MINOR: connection: add a handler for fd-based connections
    - MAJOR: connection: replace direct I/O callbacks with the connection callback
    - MINOR: fd: make fdtab->owner a connection and not a stream_interface anymore
    - MEDIUM: connection: remove the FD_POLL_* flags only once
    - MEDIUM: connection: extract the send_proxy callback from proto_tcp
    - MAJOR: tcp: remove the specific I/O callbacks for TCP connection probes
    - CLEANUP: remove the now unused fdtab direct I/O callbacks
    - MAJOR: remove the stream interface and task management code from sock_*
    - MEDIUM: stream_interface: pass connection instead of fd in sock_ops
    - MEDIUM: stream_interface: centralize the SI_FL_ERR management
    - MAJOR: connection: add a new CO_FL_CONNECTED flag
    - MINOR: rearrange tcp_connect_probe() and fix wrong return codes
    - MAJOR: connection: call data layer handshakes from the handler
    - MEDIUM: fd: remove the EV_FD_COND_* primitives
    - MINOR: sock_raw: move calls to si_data_close upper
    - REORG: connection: replace si_data_close() with conn_data_close()
    - MEDIUM: sock_raw: introduce a read0 callback that is different from shutr
    - MAJOR: stream_int: use a common stream_int_shut*() functions regardless of the data layer
    - MAJOR: fd: replace all EV_FD_* macros with new fd_*_* inline calls
    - MEDIUM: fd: add fd_poll_{recv,send} for use when explicit polling is required
    - MEDIUM: connection: add definitions for dual polling mechanisms
    - MEDIUM: connection: make use of the new polling functions
    - MAJOR: make use of conn_{data|sock}_{poll|stop|want}* in connection handlers
    - MEDIUM: checks: don't use FD_WAIT_* anymore
    - MINOR: fd: get rid of FD_WAIT_*
    - MEDIUM: stream_interface: offer a generic function for connection updates
    - MEDIUM: stream-interface: offer a generic chk_rcv function for connections
    - MEDIUM: stream-interface: add a snd_buf() callback to sock_ops
    - MEDIUM: stream-interface: provide a generic stream_int_chk_snd_conn() function
    - MEDIUM: stream-interface: provide a generic si_conn_send_cb callback
    - MEDIUM: stream-interface: provide a generic stream_sock_read0() function
    - REORG/MAJOR: use "struct channel" instead of "struct buffer"
    - REORG/MAJOR: extract "struct buffer" from "struct channel"
    - MINOR: connection: provide conn_{data|sock}_{read0|shutw} functions
    - REORG: sock_raw: rename the files raw_sock*
    - MAJOR: raw_sock: extract raw_sock_to_buf() from raw_sock_read()
    - MAJOR: raw_sock: temporarily disable splicing
    - MINOR: stream-interface: add an rcv_buf callback to sock_ops
    - REORG: stream-interface: move sock_raw_read() to si_conn_recv_cb()
    - MAJOR: connection: split the send call into connection and stream interface
    - MAJOR: stream-interface: restore splicing mechanism
    - MAJOR: stream-interface: make conn_notify_si() more robust
    - MEDIUM: proxy-proto: don't use buffer flags in conn_si_send_proxy()
    - MAJOR: stream-interface: don't commit polling changes in every callback
    - MAJOR: stream-interface: fix splice not to call chk_snd by itself
    - MEDIUM: stream-interface: don't remove WAIT_DATA when a handshake is in progress
    - CLEANUP: connection: split sock_ops into data_ops, app_cp and si_ops
    - REORG: buffers: split buffers into chunk,buffer,channel
    - MAJOR: channel: remove the BF_OUT_EMPTY flag
    - REORG: buffer: move buffer_flush, b_adv and b_rew to buffer.h
    - MINOR: channel: rename bi_full to channel_full as it checks the whole channel
    - MINOR: buffer: provide a new buffer_full() function
    - MAJOR: channel: stop relying on BF_FULL to take action
    - MAJOR: channel: remove the BF_FULL flag
    - REORG: channel: move buffer_{replace,insert_line}* to buffer.{c,h}
    - CLEANUP: channel: usr CF_/CHN_ prefixes instead of BF_/BUF_
    - CLEANUP: channel: use "channel" instead of "buffer" in function names
    - REORG: connection: move the target pointer from si to connection
    - MAJOR: connection: move the addr field from the stream_interface
    - MEDIUM: stream_interface: remove CAP_SPLTCP/CAP_SPLICE flags
    - MEDIUM: proto_tcp: remove any dependence on stream_interface
    - MINOR: tcp: replace tcp_src_to_stktable_key with addr_to_stktable_key
    - MEDIUM: connection: add an ->init function to data layer
    - MAJOR: session: introduce embryonic sessions
    - MAJOR: connection: make the PROXY decoder a handshake handler
    - CLEANUP: frontend: remove the old proxy protocol decoder
    - MAJOR: connection: rearrange the polling flags.
    - MEDIUM: connection: only call tcp_connect_probe when nothing was attempted yet
    - MEDIUM: connection: complete the polling cleanups
    - MEDIUM: connection: avoid calling handshakes when polling is required
    - MAJOR: stream_interface: continue to update data polling flags during handshakes
    - CLEANUP: fd: remove fdtab->flags
    - CLEANUP: fdtab: flatten the struct and merge the spec struct with the rest
    - CLEANUP: includes: fix includes for a number of users of fd.h
    - MINOR: ssl: disable TCP quick-ack by default on SSL listeners
    - MEDIUM: config: add a "ciphers" keyword to set SSL cipher suites
    - MEDIUM: config: add "nosslv3" and "notlsv1" on bind and server lines
    - BUG: ssl: mark the connection as waiting for an SSL connection during the handshake
    - BUILD: http: rename error_message http_error_message to fix conflicts on RHEL
    - BUILD: ssl: fix shctx build on RHEL with futex
    - BUILD: include sys/socket.h to fix build failure on FreeBSD
    - BUILD: fix build error without SSL (ssl_cert)
    - BUILD: ssl: use MAP_ANON instead of MAP_ANONYMOUS
    - BUG/MEDIUM: workaround an eglibc bug which truncates the pidfiles when nbproc > 1
    - MEDIUM: config: support per-listener backlog and maxconn
    - MINOR: session: do not send an HTTP/500 error on SSL sockets
    - MEDIUM: config: implement maxsslconn in the global section
    - BUG: tcp: close socket fd upon connect error
    - MEDIUM: connection: improve error handling around the data layer
    - MINOR: config: make the tasks "nice" value configurable on "bind" lines.
    - BUILD: shut a gcc warning introduced by commit 269ab31
    - MEDIUM: config: centralize handling of SSL config per bind line
    - BUILD: makefile: report USE_OPENSSL status in build options
    - BUILD: report openssl build settings in haproxy -vv
    - MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_*
    - DOC: add a special acknowledgement for the stud project
    - DOC: add missing SSL options for servers and listeners
    - BUILD: automatically add -lcrypto for SSL
    - DOC: add some info about openssl build in the README
2012-09-10 09:46:55 +02:00
Willy Tarreau
a0ee1d05f3 DOC: add missing SSL options for servers and listeners 2012-09-10 09:44:59 +02:00
Willy Tarreau
7875d0967f MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_*
This allows SNI presence and value to be checked on incoming SSL connections.
It is usable both for ACLs and stick tables.
2012-09-10 09:27:02 +02:00
Willy Tarreau
50acaaae5e MINOR: config: make the tasks "nice" value configurable on "bind" lines.
This is very convenient to reduce SSL processing priority compared to
other traffic. This applies to CPU usage only, but has a direct impact
on latency under congestion.
2012-09-06 14:28:58 +02:00
Willy Tarreau
403edff4b8 MEDIUM: config: implement maxsslconn in the global section
SSL connections take a huge amount of memory, and unfortunately openssl
does not check malloc() returns and easily segfaults when too many
connections are used.

The only solution against this is to provide a global maxsslconn setting
to reject SSL connections above the limit in order to avoid reaching
unsafe limits.
2012-09-06 12:10:43 +02:00
Willy Tarreau
32368ceba4 MEDIUM: config: support per-listener backlog and maxconn
With SSL, connections are much more expensive, so it is important to be
able to limit concurrent connections per listener in order to limit the
memory usage.
2012-09-06 11:10:55 +02:00
Jamie Gloudon
801a0a353a DOC: fix name for "option independant-streams"
The correct spelling is "independent", not "independant". This patch
fixes the doc and the configuration parser to accept the correct form.
The config parser still allows the old naming for backwards compatibility.
2012-09-02 21:51:07 +02:00
Jamie Gloudon
aaa21008a7 DOC: Typos cleanup
I came across a couple of typos in configuration.txt and made this patch.
Also, there is an inconsistency between using the word analys/ze in
configuration.txt as well. However, I did not provide a patch for that.

-- Jamie Gloudon

[wt: won't fix the us/uk language mistakes, they'll always exist anyway]
2012-09-02 21:51:07 +02:00
Willy Tarreau
654694e189 MEDIUM: stats/cli: add support for "set table key" to enter values
This is used to enter values for stick tables. The most likely usage
is to set gpc0 for a specific IP address in order to block traffic
for abusers without having to reload. Since all data types are
supported, other usages are possible (eg: replace a users's assigned
server).
2012-09-02 21:51:07 +02:00
Willy Tarreau
a9fddca778 MINOR: http: add the urlp_val ACL match
It's derived from other urlp_* matches, but there was no way to check for
an integer value and it seems like it's significantly used.
2012-07-31 07:55:32 +02:00
Willy Tarreau
a7ad50cdb1 MEDIUM: pattern: add the "base" sample fetch method
This one returns the concatenation of the first Host header entry with
the path. It can make content-switching rules easier, help with fighting
DDoS on certain URLs and improve shared caches efficiency.
2012-07-26 19:08:38 +02:00