Commit Graph

17505 Commits

Author SHA1 Message Date
Christopher Faulet
ac57bb527a MINOR: applet: Prepare appctx to own the session on frontend side
Applets were moved at the same level than multiplexers. Thus, gradually,
applets code is changed to be less dependent from the stream. With this
commit, the frontend appctx are ready to own the session. It means a
frontend appctx will be responsible to release the session.
2022-05-17 16:13:21 +02:00
Christopher Faulet
ef5e1bb4cf CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
This function was renamed and moved in applet code. cs_applet_shut() does
not exist anymore. Its declaration must be removed.
2022-05-17 16:13:21 +02:00
Remi Tricot-Le Breton
9bf3a1f67e BUG/MINOR: ssl: Fix crash when no private key is found in pem
If no private key can be found in a bind line's certificate and
ssl-load-extra-files is set to none we end up trying to call
X509_check_private_key with a NULL key, which crashes.

This fix should be backported to all stable branches.
2022-05-17 15:51:41 +02:00
David Carlier
7198c700bc MINOR: tools: add get_exec_path implementation for solaris based systems.
We can use getexecname() which fetches AT_SUN_EXECNAME from the auxiliary
vectors.
2022-05-17 11:44:21 +02:00
David Carlier
135c1ec139 BUILD: fix build warning on solaris based systems with __maybe_unused.
__maybe_unused is already defined there.
2022-05-17 11:42:20 +02:00
Tim Duesterhus
9b6becb312 CLEANUP: Remove unused function hlua_get_top_error_string
This function has no prototype defined in a header and is not used in hlua.c
either, thus it can be safely removed. Found with -Wmissing-prototypes.
2022-05-17 11:40:33 +02:00
Tim Duesterhus
6eded62f6a CLEANUP: Add missing header to hlua_fcn.c
Found with -Wmissing-prototypes:

    src/hlua_fcn.c:53:5: fatal error: no previous prototype for function 'hlua_checkboolean' [-Wmissing-prototypes]
    int hlua_checkboolean(lua_State *L, int index)
        ^
    src/hlua_fcn.c:53:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
    int hlua_checkboolean(lua_State *L, int index)
    ^
    static
    1 error generated.
2022-05-17 11:40:33 +02:00
Tim Duesterhus
2a0688aa89 CLEANUP: Add missing header to ssl_utils.c
Found with -Wmissing-prototypes:

    src/ssl_utils.c:22:5: fatal error: no previous prototype for function 'cert_get_pkey_algo' [-Wmissing-prototypes]
    int cert_get_pkey_algo(X509 *crt, struct buffer *out)
        ^
    src/ssl_utils.c:22:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
    int cert_get_pkey_algo(X509 *crt, struct buffer *out)
    ^
    static
    1 error generated.
2022-05-17 11:40:33 +02:00
Remi Tricot-Le Breton
1746a388c5 MINOR: ssl: Add 'ssl-provider' global option
When HAProxy is linked to an OpenSSLv3 library, this option can be used
to load a provider during init. You can specify multiple ssl-provider
options, which will be loaded in the order they appear. This does not
prevent OpenSSL from parsing its own configuration file in which some
other providers might be specified.
A linked list of the providers loaded from the configuration file is
kept so that all those providers can be unloaded during cleanup. The
providers loaded directly by OpenSSL will be freed by OpenSSL.
2022-05-17 10:56:05 +02:00
Remi Tricot-Le Breton
e80976526c MINOR: ssl: Add 'ssl-propquery' global option
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
2022-05-17 10:56:05 +02:00
Remi Tricot-Le Breton
5194446b76 MEDIUM: ssl: Delay random generator initialization after config parsing
The random generator initialization needs to be performed before the
chroot but it is not needed before. If we want to add provider
configuration option to the configuration file, they need to be
processed before any call to a crypto-related OpenSSL function.
We can then delay the initialization until after the configuration file
is parsed and processed.
2022-05-17 10:55:59 +02:00
Christopher Faulet
18c13d3bd8 MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.

Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.

When this option is set, the policy must be specify:

  * preserve: It disables the filtering. It is the default mode for HTTP
              proxies with no FastCGI application configured.

  * delete: It removes request headers with a name containing a character
            outside the "[a-zA-Z0-9-]" charset. It is the default mode for
            HTTP backends with a configured FastCGI application.

  * reject: It rejects the request with a 403-Forbidden response if it
            contains a header name with a character outside the
            "[a-zA-Z0-9-]" charset.

The option is evaluated per-proxy and after http-request rules evaluation.

This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
2022-05-16 16:00:26 +02:00
Amaury Denoyelle
f46393ac44 MINOR: ncbuf: fix warnings for testing build
Using -Wall reveals several warning when building ncbuf testing API. One
of them was about the signedness mismatch. The other one was with an
incorrect print format.
2022-05-16 11:32:33 +02:00
Amaury Denoyelle
48fbad45e2 BUG/MEDIUM: ncbuf: fix null buffer usage
ncbuf public API functions were not ready to deal with a NCBUF_NULL as
parameter. Strenghten these functions by handling it properly.

Most of the functions will consider the buffer as empty and silently
returns. The only exception is ncb_init(buf) which cannot be called
with a NCBUF_NULL. This seems legitimate to consider this as a bug and
not silently failed in this case.
2022-05-16 11:28:41 +02:00
Ilya Shipitsin
94cd779a4f CI: determine actual LibreSSL version dynamically
this change introduce "LIBRESSL_VERSION=latest" semantic, which scans
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ and detects latest release.

LIBRESSL_VERSION=2.9.2 is removed from the matrix.
2022-05-14 17:30:15 +02:00
Willy Tarreau
370332572b [RELEASE] Released version 2.6-dev10
Released version 2.6-dev10 with the following main changes :
    - MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
    - MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
    - BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
    - MINOR: compiler: add a new macro to set an attribute on an enum when possible
    - BUILD: stats: conditionally mark obsolete stats states as deprecated
    - BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
    - BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
    - BUILD: listener: shut report of possible null-deref in listener_accept()
    - BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
    - DOC: install: update gcc version requirements
    - BUILD: makefile: add -Wfatal-errors to the default flags
    - BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
    - BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
    - BUG/MINOR: mux-h2: mark the stream as open before processing it not after
    - MINOR: mux-h2: report a trace event when failing to create a new stream
    - DOC: configuration: add the httpclient keywords to the global keywords index
    - MINOR: quic: Add a debug counter for sendto() errors
    - BUG/MINOR: quic: Dropped peer transport parameters
    - BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
    - MINOR: quic: Congestion controller event trace fix (loss)
    - MINOR: quic: Add correct ack delay values to ACK frames
    - MINOR: config: Add "cluster-secret" new global keyword
    - MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
    - MINOR: quic: new_quic_cid() code moving
    - MINOR: quic: Initialize stateless reset tokens with HKDF secrets
    - MINOR: qc_new_conn() rework for stateless reset
    - MINOR: quic: Stateless reset token copy to transport parameters
    - MINOR: quic: Send stateless reset tokens
    - MINOR: quic: Short packets always embed a trailing AEAD TAG
    - CLEANUP: quic: wrong use of eb*entry() macro
    - CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
    - CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
    - MINOR: ncbuf: define non-contiguous buffer
    - MINOR: ncbuf: complete API and define block interal abstraction
    - MINOR: ncbuf: optimize storage for the last gap
    - MINOR: ncbuf: implement insertion
    - MINOR: ncbuf: define various insertion modes
    - MINOR: ncbuf: implement advance
    - MINOR: ncbuf: write unit tests
    - BUG/MEDIUM: lua: fix argument handling in data removal functions
    - DOC/MINOR: fix typos in the lua-api document
    - BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
    - MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
    - CLEANUP: mux-h1: Fix comments and error messages for global options
    - MINOR: conn_stream: make cs_set_error() work on the endpoint instead
    - CLEANUP: mux-h1: always take the endp from the h1s not the cs
    - CLEANUP: mux-h2: always take the endp from the h2s not the cs
    - CLEANUP: mux-pt: always take the endp from the context not the cs
    - CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
    - CLEANUP: mux-quic: always take the endp from the qcs not the cs
    - CLEANUP: applet: use the appctx's endp instead of cs->endp
    - MINOR: conn_stream: add a pointer back to the cs from the endpoint
    - MINOR: mux-h1: remove the now unneeded h1s->cs
    - MINOR: mux-h2: make sure any h2s always has an endpoint
    - MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
    - MINOR: mux-fcgi: make sure any stream always has an endpoint
    - MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
    - MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
    - MINOR: mux-pt: remove the now unneeded conn_stream from the context
    - CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
    - MINOR: applet: replace cs_applet_shut() with appctx_shut()
    - MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
    - CLEANUP: applet: remove the unneeded appctx->owner
    - CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
    - MINOR: ext-check: indicate the transport and protocol of a server
    - BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
    - MINOR: tools: improve error message accuracy in str2sa_range
    - MINOR: config: make sure never to mix dgram and stream protocols on a bind line
    - BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
    - MINOR: xprt_quic: adjust flow-control according to bufsize
    - MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
    - MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
    - CLEANUP: mux-quic: remove unused fields for Rx
    - CLEANUP: quic: remove unused quic_rx_strm_frm
2022-05-14 16:05:50 +02:00
Amaury Denoyelle
45fce8fcb5 CLEANUP: quic: remove unused quic_rx_strm_frm
quic_rx_strm_frm type was used to buffered STREAM frames received out of
order. Now the MUX is able to deal directly with these frames and
buffered it inside its ncbuf.
2022-05-13 17:29:52 +02:00
Amaury Denoyelle
00f87bbaa3 CLEANUP: mux-quic: remove unused fields for Rx
Rx has been simplified since the conversion of buffer to a ncbuf. The
old buffer can now be removed. The frms tree is also removed. It was
used previously to stored out-of-order received STREAM frames. Now the
MUX is able to buffer them directly into the ncbuf.
2022-05-13 17:29:52 +02:00
Amaury Denoyelle
3db98e9d13 MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
This commit is the equivalent for uni-streams of previous commit
  MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams

All unidirectional streams data is now handle in MUX Rx ncbuf. The
obsolete buffer is not unused and will be cleared in the following
patches.
2022-05-13 17:29:49 +02:00
Amaury Denoyelle
1290f1ebfb MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
Add a ncbuf for data reception on qcs. Thanks to this, the MUX is able
to buffered all received frame directly into the buffer. Flow control
parameters will be used to ensure there is never an overflow.

This change will simplify Rx path with the future deletion of acked
frames tree previously used for frames out of order.
2022-05-13 17:28:46 +02:00
Amaury Denoyelle
06749f3d6f MINOR: xprt_quic: adjust flow-control according to bufsize
Redefine the initial local flow-control to enforce by us. Use bufsize as
the maximum offset allowed to be received.

This change is part of an adjustement on the Rx path. Mux buffer will be
converted to a ncbuf. Flow-control parameters must ensure that we never
receive a frame larger than the buffer. With this, all received frames
will be stored in the MUX buffer.
2022-05-13 17:22:19 +02:00
Amaury Denoyelle
b5ca943ff9 BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
Coverity reports that data block generated by ncb_blk_first() has
sz_data field uninitialized. This has no real impact as it has no sense
for data block. Set to 0 to hide the warning.

This should fix github issue #1695.
2022-05-13 17:06:24 +02:00
Willy Tarreau
26f221bd55 MINOR: config: make sure never to mix dgram and stream protocols on a bind line
It is absolutely not possible to use the same "bind" line to listen to
both quic and tcp for example, because no single transport layer would
fit both modes and we'll need the type to choose one then to choose a
mux. Let's make sure this does not happen. This may be relaxed in the
future if we manage to instantiate transport layers on the fly, but the
SSL vs quic part might be tricky to handle.
2022-05-13 17:00:09 +02:00
Willy Tarreau
8d31ab0438 MINOR: tools: improve error message accuracy in str2sa_range
The error message when mixing stream and dgram protocols in an
address speaks about sockets while it ought to speak about addresses,
let's fix this as in some contexts it can be a bit confusing.
2022-05-13 16:50:00 +02:00
Willy Tarreau
df94313e0e BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
Fred & Amaury found that I messed up with qc_detach() in commit 4201ab791
("CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint"),
causing a segv in this case with endp->cs == NULL being passed to
__cs_mux(). It obviously ought to have been endp->target like in other
muxes.

No backport needed.
2022-05-13 16:34:40 +02:00
Willy Tarreau
973cf90714 MINOR: ext-check: indicate the transport and protocol of a server
Valerio Pachera explained [1] that external checks would benefit from
having a variable indicating if SSL is being used or not on the server
being checked, and the discussion derived to also indicating the protocol
in use.

This patch adds two environment variables for external checks:
  - HAPROXY_SERVER_SSL: equals "0" when SSL is not used, "1" when it is
  - HAPROXY_SERVER_PROTO: contains one of the following words to describe
    the protocol used with this server:
      - "cli": the haproxy CLI. Normally not seen
      - "syslog": this is a syslog TCP server
      - "peers": this is a peers TCP server
      - "h1": this is an HTTP/1.x server
      - "h2": this is an HTTP/2 server
      - "tcp": this is any other TCP server

The patch is very simple, and may be backported to recent versions if
needed. This closes github issue #1692.

[1] https://www.mail-archive.com/haproxy@formilux.org/msg42233.html
2022-05-13 16:06:29 +02:00
Willy Tarreau
6796a06278 CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
The two functions became exact copies since there's no more special case
for the appctx owner. Let's merge them into a single one, that simplifies
the code.
2022-05-13 14:28:48 +02:00
Willy Tarreau
0698c80a58 CLEANUP: applet: remove the unneeded appctx->owner
This one is the pointer to the conn_stream which is always in the
endpoint that is always present in the appctx, thus it's not needed.
This patch removes it and replaces it with appctx_cs() instead. A
few occurences that were using __cs_strm(appctx->owner) were moved
directly to appctx_strm() which does the equivalent.
2022-05-13 14:28:48 +02:00
Willy Tarreau
c1b8d77805 MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
It's very common to have to access a stream or a conn_stream from the
appctx, let's add trivial accessors for that.
2022-05-13 14:28:48 +02:00
Willy Tarreau
1c3ead45a4 MINOR: applet: replace cs_applet_shut() with appctx_shut()
The former takes a conn_stream still attached to a valid appctx,
which also complicates the termination of the applet. Instead, let's
pass the appctx which already points to the endpoint, this allows us
to properly detach the conn_stream before the call, which is cleaner
and safer.
2022-05-13 14:28:48 +02:00
Willy Tarreau
4201ab791d CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
The mux ->detach() function currently takes a conn_stream. This causes
an awkward situation where the caller cs_detach_endp() has to partially
mark it as released but not completely so that ->detach() finds its
endpoint and context, and it cannot be done later since it's possible
that ->detach() deletes the endpoint. As such the endpoint link between
the conn_stream and the mux's stream is in a transient situation while
we'd like it to be clean so that the mux's ->detach() code can call any
regular function it wants that knows the regular semantics of the
relation between the CS and the endpoint.

A better approach consists in slightly modifying the detach() API to
better match the reality, which is that the endpoint is detached but
still alive and that it's the only part the function is interested in.

As such, this patch modifies the function to take an endpoint there,
and by analogy (or simplicity) does the same for ->attach(), even
though it looks less important there since we're always attaching an
endpoint to a conn_stream anyway. It is possible that in the future
the API could evolve to use more endpoints that provide a bit more
flexibility in the API, but at this point we don't need to go further.
2022-05-13 14:28:48 +02:00
Willy Tarreau
cfbfc3f091 MINOR: mux-pt: remove the now unneeded conn_stream from the context
Since we always have a valid endpoint we can safely use it to access
the conn_stream and stop using ctx->cs. That's one less pointer to
care about.
2022-05-13 14:28:48 +02:00
Willy Tarreau
01c2a4a86f MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
Since we always have a valid endpoint we can safely use it to access
the conn_stream and stop using qcs->cs. That's one less pointer to
care about.
2022-05-13 14:28:48 +02:00
Willy Tarreau
b57669e6a4 MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
Since we always have a valid endpoint we can safely use it to access
the conn_stream and stop using fstrm->cs. That's one less pointer to
care about.
2022-05-13 14:28:48 +02:00
Willy Tarreau
c84610c2ac MINOR: mux-fcgi: make sure any stream always has an endpoint
The principle that each mux stream should have an endpoint is not
guaranteed for closed streams that map to the dummy static streams.
Let's have a dummy endpoint for use with such streams. It only has
the DETACHED flag and a NULL conn_stream, and is referenced by all
the closed streams so that we can afford not to test strm->endp when
trying to access the flags or the CS.
2022-05-13 14:28:48 +02:00
Willy Tarreau
cd6bb1a5e5 MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
Since we always have a valid endpoint we can safely use it to access
the conn_stream and stop using h2s->cs. That's one less pointer to
care about.
2022-05-13 14:28:48 +02:00
Willy Tarreau
b22b5f02af MINOR: mux-h2: make sure any h2s always has an endpoint
The principle that each mux stream should have an endpoint is not
guaranteed for closed streams that map to the dummy static streams.
Let's have a dummy endpoint for use with such streams. It only has
the DETACHED flag and a NULL conn_stream, and is referenced by all
the closed streams so that we can afford not to test h2s->endp when
trying to access the flags or the CS.
2022-05-13 14:28:48 +02:00
Willy Tarreau
56d5a819d7 MINOR: mux-h1: remove the now unneeded h1s->cs
There is always an endpoint link in a stream, and this endpoint link
contains a pointer to the conn_stream it's attached to, so the one in
the h1 stream is always duplicate now. Let's always use endp->cs
instead and get rid of it.
2022-05-13 14:28:48 +02:00
Willy Tarreau
efb4618c6e MINOR: conn_stream: add a pointer back to the cs from the endpoint
Muxes and applets need to have both a pointer to the endpoint and to the
conn_stream. It would seem more natural that they only have a pointer to
the endpoint (that is always there) and that this one has an optional
pointer to the conn_stream. This would reduce the number of elements to
manipulate in lower level code. In addition, the conn_stream is not much
used from the lower layers (wake and exceptional events mostly).
2022-05-13 14:28:48 +02:00
Willy Tarreau
66435e5f63 CLEANUP: applet: use the appctx's endp instead of cs->endp
The few applets that set CS_EP_EOI or CS_EP_ERROR used to set it on the
endpoint retrieved from the conn_stream while it's already available on
the appctx itself. Better use the appctx one to limit the unneeded
interactions between the two sides.
2022-05-13 14:28:46 +02:00
Willy Tarreau
15b0721ca5 CLEANUP: mux-quic: always take the endp from the qcs not the cs
At a few places the endpoint pointer was retrieved from the conn_stream
while it's safer and more long-term proof to take it from the qcs. Let's
just do that.
2022-05-13 14:27:57 +02:00
Willy Tarreau
7d299c284b CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
At a few places the endpoint pointer was retrieved from the conn_stream
while it's safer and more long-term proof to take it from the fstrm.
Let's just do that.
2022-05-13 14:27:57 +02:00
Willy Tarreau
7a2705f921 CLEANUP: mux-pt: always take the endp from the context not the cs
At a few places the endpoint pointer was retrieved from the conn_stream
while it's safer and more long-term proof to take it from the context.
Let's just do that.
2022-05-13 14:27:57 +02:00
Willy Tarreau
aff21f9a96 CLEANUP: mux-h2: always take the endp from the h2s not the cs
At a few places the endpoint pointer was retrieved from the conn_stream
while it's safer and more long-term proof to take it from the h2s. Let's
just do that.
2022-05-13 14:27:57 +02:00
Willy Tarreau
61533d3486 CLEANUP: mux-h1: always take the endp from the h1s not the cs
At a few places the endpoint pointer was retrieved from the conn_stream
while it's safer and more long-term proof to take it from the h1s. Let's
just do that.
2022-05-13 14:27:57 +02:00
Willy Tarreau
386346f5eb MINOR: conn_stream: make cs_set_error() work on the endpoint instead
Wherever we need to report an error, we have an even easier access to
the endpoint than the conn_stream. Let's first adjust the API to use
the endpoint and rename the function accordingly to cs_ep_set_error().
2022-05-13 14:27:57 +02:00
Christopher Faulet
b112b1d02a CLEANUP: mux-h1: Fix comments and error messages for global options
Wrong name was used in comments and error messages for
"h1-header-case-adjust" and "h1-headers-case-adjust-file" global options.
2022-05-13 12:04:24 +02:00
Christopher Faulet
0f9c0f5801 MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
Since the 2.5, for security reason, HTTP/1.0 GET/HEAD/DELETE requests with a
payload are rejected (See e136bd12a "MEDIUM: mux-h1: Reject HTTP/1.0
GET/HEAD/DELETE requests with a payload" for details). However it may be an
issue for old clients.

To avoid any compatibility issue with such clients,
"h1-accept-payload-with-any-method" global option was added. It must only be
set if there is a good reason to do so because it may lead to a request
smuggling attack on some servers or intermediaries.

This patch should solve the issue #1691. it may be backported to 2.5.
2022-05-13 12:04:24 +02:00
William Lallemand
ae053b30da BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
In wdt_handler(), does not try to trigger the watchdog if the
prev_cpu_time wasn't initialized.

This prevents an unexpected trigger of the watchdog when it wasn't
initialized yet. This case could happen in the master just after loading
the configuration. This would show a trace where the <diff> value is equal
to the <now> value in the trace, and the <poll> value would be 0.

For example:

    Thread 1 is about to kill the process.
    *>Thread 1 : id=0x0 act=1 glob=1 wq=0 rq=0 tl=0 tlsz=0 rqsz=0
                  stuck=1 prof=0 harmless=0 wantrdv=0
                  cpu_ns: poll=0 now=6005541706 diff=6005541706
                  curr_task=0

Thanks to Christian Ruppert for repporting the problem.

Could be backported in every stable versions.
2022-05-13 11:28:08 +02:00
Boyang Li
60cfe8b823 DOC/MINOR: fix typos in the lua-api document
Fixes a few typos in the Lua API document.
2022-05-13 08:40:08 +02:00