Commit Graph

4836 Commits

Author SHA1 Message Date
Thomas Holmes
f95aaf6af1 DOC: add build indications for 51Degrees to README. 2015-06-02 19:30:59 +02:00
Thomas Holmes
db04f19ca3 DOC: add 51Degrees notes to configuration.txt. 2015-06-02 19:30:58 +02:00
Thomas Holmes
4d441a759c MEDIUM: sample: add trie support to 51Degrees
Trie or pattern algorithm is used depending on what 51Degrees source
files are provided to MAKE.
2015-06-02 19:30:53 +02:00
Thomas Holmes
5ed33eed53 MEDIUM: deinit: add cleanup for 51Degrees to deinit 2015-06-02 14:00:25 +02:00
Thomas Holmes
951d44d24d MEDIUM: sample: add fiftyone_degrees converter.
It takes up to 5 string arguments that are to be 51Degrees property names.
It will then create a chunk with values detected based on the request header
supplied (this should be the User-Agent).
2015-06-02 14:00:25 +02:00
Thomas Holmes
6abded4f8d MINOR: init: add 51Degrees initialisation code
This creates a dataset using the file given in global._51d_data_file_path.
2015-06-02 14:00:25 +02:00
Thomas Holmes
0809f26869 MINOR: config: add 51Degrees config parsing. 2015-06-02 14:00:25 +02:00
Thomas Holmes
eef3f9fbd3 MINOR: global: add several 51Degrees members to global
These are :
  fiftyoneDegreesDataSet _51d_data_set
  char *_51d_data_file_path
  char _51d_property_seperator
  struct list _51d_property_names
2015-06-02 14:00:22 +02:00
Thomas Holmes
0ca65f8217 BUILD: add 51degrees options to makefile.
To build with 51Degrees set USE_51DEGREES=1. 51DEGREES_INC, 51DEGREES_LIB,
and 51DEGREES_SRC will need to be set to the 51Degrees pattern header and
C file.
2015-06-02 13:43:15 +02:00
Willy Tarreau
25eda1e182 CLEANUP: da: remove ifdef USE_DEVICEATLAS from da.c
This file is only built when the macro is defined, there's no point
having it ifdefed here.
2015-06-02 13:42:12 +02:00
Willy Tarreau
a397e76ac7 CLEANUP: adjust the envelope name in da.h to reflect the file name
Since the file is import/da.h, the define should be _IMPORT_DA_H,
nor MOBI_DA_DAC_HAPROXY_H.
2015-06-02 13:42:12 +02:00
Willy Tarreau
0d74f77ee7 CLEANUP: da: register the config keywords in da.c
No need to export the registration to haproxy.c, it can be done
locally.
2015-06-02 13:42:12 +02:00
Willy Tarreau
f63386ad27 CLEANUP: da: move the converter registration to da.c
There's no reason to put it into sample.c, it's better to register it
locally in da.c, it removes a number of ifdefs and exports.
2015-06-02 13:42:12 +02:00
Willy Tarreau
ba3dd2b7e0 CLEANUP: global: remove one ifdef USE_DEVICEATLAS
The include file already has the ifdef, let's remove it from the global
file.
2015-06-02 13:42:12 +02:00
Willy Tarreau
6bd42e7f41 BUG/MINOR: da: fix log-level comparison to emove annoying warning
When haproxy is run on the foreground with DeviceAtlas enabled, one
line of warning is seen for every test because the comparison is always
true even when loglevel is zero :

willy@wtap:haproxy$ ./haproxy  -db -f test-da.cfg
[WARNING] 151/150831 (25506) : deviceatlas : final memory image 7148029 bytes.
Deviceatlas module loaded.
[WARNING] 151/150832 (25506) : deviceatlas : .
[WARNING] 151/150833 (25506) : deviceatlas : .
[WARNING] 151/150833 (25506) : deviceatlas : .
^C

Don't emit a warning when loglevel is null.
2015-06-02 13:42:12 +02:00
David Carlier
b5efa0149f DOC: README: explain how to build with DeviceAtlas
This diff is related to the additional documentation in
order to build the DeviceAtlas module and in addition with
an example of a basic configuration.
2015-06-02 13:42:11 +02:00
David Carlier
a03fb1433d BUILD: Makefile: add options to build with DeviceAtlas
This diff updates the Makefile to compile conditionally via
some new sets of flags, USE_DEVICEATLAS to enable the module
and the couple DEVICEATLAS_INC/DEVICEATLAS_LIB which needs to
point to the API root folder in order to compile the API and
the module.
2015-06-02 13:42:11 +02:00
David Carlier
4a02641a86 MEDIUM: init: DeviceAtlas initialization
This diff initialises few DeviceAtlas struct fields member with
their inherent default values.
Furthermore, the specific DeviceAtlas configuration keywords are
registered and the module is initialised and all necessary
resources are freed during the deinit phase.
2015-06-02 13:24:50 +02:00
David Carlier
4542b10ae1 MEDIUM: sample: add the da-csv converter
This diff declares the deviceatlas module and can accept up to 5
property names for the API lookup.

[wt: this should probably be moved to its own file using the keyword
      registration mechanism]
2015-06-02 13:24:50 +02:00
David Carlier
88d13cbf4d MEDIUM: global: add the DeviceAtlas required elements to struct global
This diff is the raw C struct definition of all DeviceAtlas module
data needed added to the main global struct haproxy configuration.
The three first members are needed for both init and deinit phases
as some dynamic memory allocations are done.
The useragentid serves to hold during the whole lifecycle of the
module the User-Agent HTTP Header identifier from the DeviceAtlas
data during the init process.
2015-06-02 13:24:49 +02:00
David Carlier
8167f30661 MEDIUM: config: add DeviceAtlas global keywords
This diff is for the DeviceAtlas convertor.

This patch adds the following converters :
  deviceatlas-json-file
  deviceatlas-log-level
  deviceatlas-property-separator

First, the configuration keywords handling (only the log
level configuration part does not end the haproxy process
if it is wrongly set, it fallbacks to the default level).
Furthermore, init, deinit phases and the API lookup phase,
the da_haproxy function which is fed by the input provided
and set all necessary properties chosen via the configuration
to the output, separated by the separator.
2015-06-02 13:24:44 +02:00
Remi Gacogne
d3a341a96f MEDIUM: ssl: replace standards DH groups with custom ones
It is likely that powerful adversaries have been pre-computing the
standardized DH groups, because being widely used have made them
valuable targets. While users are advised to generate their own
DH parameters, replace the ones we ship by values been randomly
generated for this product only.

[wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated
 ones as recommended by Rémi]
2015-05-31 22:41:28 +02:00
Remi Gacogne
47783ef05b MEDIUM: ssl: add the possibility to use a global DH parameters file
This patch adds the ssl-dh-param-file global setting. It sets the
default DH parameters that will be used during the SSL/TLS handshake when
ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
which do not explicitely define theirs.
2015-05-31 22:02:00 +02:00
Thierry FOURNIER
79318d79ba MINOR: lua: Lua tcp action are not final action
Actually, the registered lua actions with "tcp-request lua" and
"tcp-response lua" are final actions. This patch change the action
type type and permit to continue the evaluation of tcp-* processing
after the evaluation of the lua actions.
2015-05-29 17:49:50 +02:00
Thierry FOURNIER
561a0f989d MINOR: tcp: add custom actions that can continue tcp-(request|response) processing
Actually, the tcp-request and tcp-response custom ation are always final
actions. This patch create a new type of action that can permit to
continue the evaluation of tcp-request and tcp-response processing.
2015-05-29 17:49:48 +02:00
Emeric Brun
b3971ab062 MAJOR: peers: peers protocol version 2.0
This patch does'nt add any new feature: the functional behavior
is the same than version 1.0.

Technical differences:

In this version all updates on different stick tables are
multiplexed on the same tcp session. There is only one established
tcp session per peer whereas in first version there was one established
tcp session per peer and per stick table.

Messages format was reviewed to be more evolutive and to support
further types of data exchange such as SSL sessions or other sticktable's
data types (currently only the sticktable's server id is supported).
2015-05-29 15:50:33 +02:00
Willy Tarreau
b8cdf52da0 BUG/MEDIUM: http: fix body processing for the stats applet
Commit 9fbe18e ("MEDIUM: http: add a new option http-buffer-request")
introduced a regression due to a misplaced check causing the admin
mode of the HTTP stats not to work anymore.

This patch tried to ensure that when we need a request body for the
stats applet, and we have already waited for this body, we don't wait
for it again, but the condition was applied too early causing a
disabling of the entire processing the body, and based on the wrong
HTTP state (MSG_BODY) resulting in the test never matching.

Thanks to Chad Lavoie for reporting the problem.

This bug is 1.6-only, no backport is needed.
2015-05-29 01:12:38 +02:00
William Lallemand
df1425ad45 MEDIUM: cfgparse: check max arguments in the proxies sections
Add checks on the maximum number of arguments in proxies sections.
2015-05-28 18:43:03 +02:00
William Lallemand
1a748aed07 MEDIUM: cfgparse: max arguments check in the global section
Most of the keywords in the global section does not check the maximum
number of arguments. This leds sometines to unused and wrong arguments
in the configuration file. This patch add a maximum argument test in
many keywords of this section.
2015-05-28 18:43:03 +02:00
William Lallemand
6e62fb6405 MEDIUM: cfgparse: check section maximum number of arguments
This patch checks the number of arguments of the keywords:
'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and
'userlist'

The 'global' section does not take any arguments.

Proxy sections does not support bind address as argument anymore.  Those
sections supports only an <id> argument.

The 'defaults' section didn't had any check on its arguments. It takes
an optional <name> argument.

'peers' section takes a <peersect> argument.

'userlist' section takes a <listname> argument.
2015-05-28 18:43:03 +02:00
William Lallemand
5109719e77 CLEANUP: cfgparse: remove reference to 'ruleset' section
The 'ruleset' section was never implemented. This patch remove
references and tests about this keyword.
2015-05-28 18:43:03 +02:00
William Lallemand
4ac9f54612 BUG/MEDIUM: cfgparse: segfault when userlist is misused
If the 'userlist' keyword parsing returns an error and no userlist were
previously created. The parsing of 'user' and 'group' leads to NULL
derefence.

The userlist pointer is now tested to prevent this issue.
2015-05-28 18:43:03 +02:00
William Lallemand
77063bc0c6 BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
The error message was displaying the wrong argument when 'option
httplog' took a wrong argument.
2015-05-28 18:43:03 +02:00
Remi Gacogne
d3a23c3eb8 MINOR: ssl: add a destructor to free allocated SSL ressources
Using valgrind or another memory leak tracking tool is easier
when the memory internally allocated by OpenSSL is cleanly released
at shutdown.
2015-05-28 18:03:29 +02:00
Remi Gacogne
4f902b8832 BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
Hervé Commowick reported that the logic used to avoid complaining about
ssl-default-dh-param not being set when static DH params are present
in the certificate file was clearly wrong when more than one sni_ctx
is used.
This patch stores whether static DH params are being used for each
SSL_CTX individually, and does not overwrite the value of
tune.ssl.default-dh-param.
2015-05-28 18:03:27 +02:00
Thierry FOURNIER
be1ccaea92 MEDIUM: stats: escape some strings in the CSV dump
Some strings which must be dumped in the CSV output can contain one of
the following chars : <,>, <">, or CR/LF. This patch escapes these
strings if the case is encountered.
2015-05-28 17:49:50 +02:00
Thierry FOURNIER
ddea626de4 MINOR: common: escape CSV strings
This function checks a string for using it in a CSV output format. If
the string contains one of the following four char <">, <,>, CR or LF,
the string is encapsulated between <"> and the <"> are escaped by a <"">
sequence.

The rounding by <"> is optionnal. It can be canceled, forced or the
function choose automatically the right way.
2015-05-28 17:47:19 +02:00
Willy Tarreau
2de8a50918 MEDIUM: http: no need to close the request on redirect if data was parsed
There are two reasons for not keeping the client connection alive upon a
redirect :
  - save the client from uploading all data
  - avoid keeping a connection alive if the redirect goes to another domain

The first case should consider an exception when all the data from the
client have been read already. This specifically happens on response
redirects after a POST to a server. This is an easy situation to detect.

It could later be improved to cover the cases where option
http-buffer-request is used.
2015-05-28 17:45:43 +02:00
Willy Tarreau
51d861a44f MEDIUM: http: implement http-response redirect rules
Sometimes it's problematic not to have "http-response redirect" rules,
for example to perform a browser-based redirect based on certain server
conditions (eg: match of a header).

This patch adds "http-response redirect location <fmt>" which gives
enough flexibility for most imaginable operations. The connection to
the server is closed when this is performed so that we don't risk to
forward any pending data from the server.

Any pending response data are trimmed so that we don't risk to
forward anything pending to the client. It's harmless to also do that
for requests so we don't need to consider the direction.
2015-05-28 17:45:43 +02:00
Willy Tarreau
be4653b6d4 MINOR: http: prepare support for parsing redirect actions on responses
In order to support http-response redirect, the parsing needs to be
adapted a little bit to only support the "location" type, and to
adjust the log-format parser so that it knows the direction of the
sample fetch calls.
2015-05-28 17:43:11 +02:00
Willy Tarreau
b329a312e3 CLEANUP: http: explicitly reference request in http_apply_redirect_rules()
This function was made to perform a redirect on requests only, it was
using a message or txn->req in an inconsistent way and did not consider
the possibility that it could be used for the other direction. Let's
clean it up to have both a request and a response messages.
2015-05-28 17:42:16 +02:00
Thierry FOURNIER
e80fadaaca MEDIUM: capture: adds http-response capture
This patch adds a http response capture keyword with the same behavior
as the previous patch called "MEDIUM: capture: Allow capture with slot
identifier".
2015-05-28 13:51:00 +02:00
Thierry FOURNIER
cdb67cad01 MINOR: http: add array of generic pointers in http_res_rules
This patch adds an array of generic pointers in the http_res_rules
struct. It is used later by the "response capture" functions.
2015-05-28 13:50:29 +02:00
Thierry FOURNIER
82bf70dff4 MEDIUM: capture: Allow capture with slot identifier
This patch modifies the current http-request capture function
and adds a new keyword "id" that permits to identify a capture slot.
If the identified doesn't exists, the action fails silently.

Note that this patch removs an unused list initilisation, which seems
to be inherited from a copy/paste. It's harmless and does not need to
be backported.

   LIST_INIT((struct list *)&rule->arg.act.p[0]);
2015-05-28 13:50:29 +02:00
Thierry FOURNIER
35ab27561e MINOR: capture: add two "capture" converters
This patch adds "capture-req" and "capture-res". These two converters
capture their entry in the allocated slot given in argument and pass
the input on the output.
2015-05-28 13:50:29 +02:00
Thierry FOURNIER
a0a1b75560 MINOR: proxy: custom capture declaration
This patch adds a new keyword called "declare". This keyword
allow to declare some capture slots in requests and response.
It is useful for sharing capture between frontend and backends.
2015-05-28 13:50:28 +02:00
Willy Tarreau
eb3e34854d MEDIUM: proxy: add a new proxy_find_best_match() function
This function tries to spot a proxy by its name, ID and type, and
in case some elements don't match, it tries to determine which ones
could be ignored and reports which ones were ignored so that the
caller can decide whether or not it wants to pick this proxy. This
will be used for maintaining the status across reloads where the
config might have changed a bit.
2015-05-27 16:51:28 +02:00
Willy Tarreau
0d1fdf7df5 MINOR: proxy: add a flag to memorize that the proxy's ID was forced
This will be used to know if proxy's ID should be considered when names
mismatch upon check status reload.
2015-05-27 16:51:28 +02:00
Willy Tarreau
3c56a7d94f MINOR: proxy: add a new function proxy_find_by_id()
It does the same as the other one except that it only focuses on the
numeric ID and the capabilities. It's used by proxy_find_by_name()
for numeric names.
2015-05-27 16:49:44 +02:00
Willy Tarreau
98d0485a90 MAJOR: config: remove the deprecated reqsetbe / reqisetbe actions
These ones were already obsoleted in 1.4, marked for removal in 1.5,
and not documented anymore. They used to emit warnings, and do still
require quite some code to stay in place. Let's remove them now.
2015-05-26 12:18:29 +02:00