Commit Graph

45 Commits

Author SHA1 Message Date
Willy Tarreau
c22b57d37d [TESTS] test-fsm: 22 regression tests for state machines
22 regression tests for state machines are managed by the new
file tests/test-fsm.cfg. Check it, they are all documented
inside. Most of the bugs introduced during the FSM extraction
have been found with these tests.
2008-08-17 19:30:03 +02:00
Willy Tarreau
b6fb420c7e [MINOR] acl: add the "wait_end" acl verb
The new "wait_end" acl delays evaluation of the rule (and the next ones)
to the end of the analysis period. This is intented to be used with TCP
content analysis. A rule referencing such an ACL will not match until
the delay is over. An equivalent default ACL "WAIT_END" has been created.
2008-07-20 11:18:28 +02:00
Willy Tarreau
655e26af24 [MINOR] acl: add req_ssl_ver in TCP, to match an SSL version
This new keyword matches an dotted version mapped into an integer.
It permits to match an SSL message protocol version just as if it
was an integer, so that it is easy to map ranges, like this :

	acl obsolete_ssl  req_ssl_ver   lt 3
	acl correct_ssl   req_ssl_ver   3.0-3.1
	acl invalid_ssl   req_ssl_ver   gt 3.1

Both SSLv2 hello messages and SSLv3 messages are supported. The
test tries to be strict enough to avoid being easily fooled. In
particular, it waits for as many bytes as announced in the message
header if this header looks valid (bound to the buffer size).

The same decoder will be usable with minor changes to check the
response messages.
2008-07-16 10:30:06 +02:00
Willy Tarreau
b686644ad8 [MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.

For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".

Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.

It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.

Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.

A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).

Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.

The default behaviour is unchanged, and if no rule matches,
the request is accepted.

As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-16 10:29:07 +02:00
Willy Tarreau
11382813a1 [TESTS] added test-acl.cfg to test some ACL combinations
various rules constructions can be tested with this test case.
2008-07-09 16:18:21 +02:00
Willy Tarreau
28c41a4041 [MEDIUM] rework the wait queue mechanism
The wait queues now rely on 4 trees for past, present and future
timers. The computations are cleaner and more reliable. The
wake_expired_tasks function has become simpler. Also, a bug
previously introduced in task_queue() by the first introduction
of eb_trees has been fixed (the eb->key was never updated).
2008-06-29 17:00:59 +02:00
Willy Tarreau
b463dfb2de [MEDIUM] add support for conditional HTTP redirection
A new "redirect" keyword adds the ability to send an HTTP 301/302/303
redirection to either an absolute location or to a prefix followed by
the original URI. The redirection is conditionned by ACL rules, so it
becomes very easy to move parts of a site to another site using this.

This work was almost entirely done at Exceliance by Emeric Brun.

A test-case has been added in the tests/ directory.
2008-06-07 23:08:56 +02:00
Krzysztof Oledzki
cdeb9a2002 [TESTS] add a debug patch to help trigger the stats bug
About: [BUG] Flush buffers also where there are exactly 0 bytes left

I'm also attaching a debug patch that helps to trigger this bug.

Without the fix:
# echo -ne "GET /haproxy?stats;csv;norefresh HTTP/1.0\r\n\r\n"|nc 127.0.0.1
801|wc -c
16384

With the fix:
# echo -ne "GET /haproxy?stats;csv;norefresh HTTP/1.0\r\n\r\n"|nc 127.0.0.1
801|wc -c
33089

Best regards,

                                Krzysztof Oledzki
2008-04-21 07:31:52 +02:00
Willy Tarreau
a532324128 [TESTS] add new methods in ip-hash test file
added methods to provide a better hash with small input sets
2008-04-13 09:27:00 +02:00
Willy Tarreau
53cfa0e58d [TESTS] add a benchmark for integer hashing
If we want to support netmasks for IP address hashing,
we will need something better than a pure modulus, otherwise
people with even numbers of servers will get surprizes.

Bob Jenkins is known for his works on hashing, and his site
has a lot of very interesting researches and algorithms for
integer hashing. He also points to the work of Thomas Wang
who has similar findings.

The program here tests their algorithms in order to find one
well suited for IP address hashing.
2008-04-12 22:28:32 +02:00
Willy Tarreau
73290cc74f [TESTS] add a test case for port mapping 2008-04-12 11:19:04 +02:00
Willy Tarreau
51406233bb [MAJOR] implementation of the "leastconn" load balancing algorithm
The new "leastconn" LB algorithm selects the server which has the
least established or pending connections. The weights are considered,
so that a server with a weight of 20 will get twice as many connections
as the server with a weight of 10.

The algorithm respects the minconn/maxconn settings, as well as the
slowstart since it is a dynamic algorithm. It also correctly supports
backup servers (one and all).

It is generally suited for protocols with long sessions (such as remote
terminals and databases), as it will ensure that upon restart, a server
with no connection will take all new ones until its load is balanced
with others.

A test configuration has been added in order to ease regression testing.
2008-03-10 22:04:30 +01:00
Willy Tarreau
8b2f55aec4 [TESTS] add test-pollers.cfg to easily report pollers in use 2008-02-16 20:02:48 +01:00
Willy Tarreau
21d2af3e9f Revert "[BUILD] backend.c and checks.c did not build without tproxy !"
This reverts commit 3c3c0122f8.
This commit was buggy as it also removed previous tproxy changes !
2008-02-14 20:25:24 +01:00
Willy Tarreau
3c3c0122f8 [BUILD] backend.c and checks.c did not build without tproxy !
missing #ifdefs.
2008-02-13 22:22:56 +01:00
Willy Tarreau
ac172b27fa [TESTS] add a test case for the server redirection mechanism 2008-02-13 00:57:06 +01:00
Willy Tarreau
036fae0ec9 [MEDIUM] introduce "timeout http-request" in frontends
In order to offer DoS protection, it may be required to lower the maximum
accepted time to receive a complete HTTP request without affecting the client
timeout. This helps protecting against established connections on which
nothing is sent. The client timeout cannot offer a good protection against
this abuse because it is an inactivity timeout, which means that if the
attacker sends one character every now and then, the timeout will not
trigger. With the HTTP request timeout, no matter what speed the client
types, the request will be aborted if it does not complete in time.
2008-01-06 13:24:40 +01:00
Willy Tarreau
c73ce2b111 [MINOR] add support for the "backlog" parameter
Add the "backlog" parameter to frontends, to give hints to
the system about the approximate listen backlog desired size.

In order to protect against SYN flood attacks, one solution is
to increase the system's SYN backlog size. Depending on the
system, sometimes it is just tunable via a system parameter,
sometimes it is not adjustable at all, and sometimes the system
relies on hints given by the application at the time of the
listen() syscall. By default, HAProxy passes the frontend's
maxconn value to the listen() syscall. On systems which can
make use of this value, it can sometimes be useful to be able
to specify a different value, hence this backlog parameter.
2008-01-06 10:55:10 +01:00
Willy Tarreau
e219db7a46 [MEDIUM] introduce the "timeout" keyword
A new "timeout" keyword replaces old "{con|cli|srv}timeout", and
provides the ability to independantly set the following timeouts :

  - client
  - tarpit
  - queue
  - connect
  - server
  - appsession

Additionally, the "clitimeout", "contimeout" and "srvtimeout" values
are supported but deprecated. No warning is emitted yet when they are
used since the option is very new.

Other timeouts should follow soon now.
2007-12-03 01:30:13 +01:00
Willy Tarreau
b3f32f5f8a [MEDIUM] add support for time units in the configuration
It is not always handy to manipulate large values exprimed
in milliseconds for timeouts. Also, some values are entered
in seconds (such as the stats refresh interval). This patch
adds support for time units. It knows about 'us', 'ms', 's',
'm', 'h', and 'd'. It automatically converts each value into
the caller's expected unit. Unit-less values are still passed
unchanged.

The unit must be passed as a suffix to the number. For instance:

     clitimeout 15m

If any character is not understood, an error is returned.
2007-12-02 22:15:14 +01:00
Willy Tarreau
2e74c3f202 [MEDIUM] restrict the set of allowed characters for identifiers
In order to avoid issues in the future, we want to restrict
the set of allowed characters for identifiers. Starting from
now, only A-Z, a-z, 0-9, '-', '_', '.' and ':' will be allowed
for a proxy, a server or an ACL name.

A test file has been added to check the restriction.
2007-12-02 18:45:09 +01:00
Willy Tarreau
b698f0f4a2 [CLEANUP] fwrr: ensure that we never overflow in placements
Now we can compute the max place depending on the number of servers,
maximum weight and weight scale. The formula has been stored as a
comment so that it's easy to choose between smooth weight ramp up
and high number of servers. The default scale has been set to 16,
which permits 4000 servers with a granularity of 6% in the worst
case (weight=1).
2007-12-02 11:01:23 +01:00
Willy Tarreau
4689ae6e79 [TESTS] add a test file for disable-on-404 2007-11-30 15:23:38 +01:00
Willy Tarreau
980b7d35c6 [TESTS] merge test-fwrr.cfg to validate dynamic weights 2007-11-28 14:23:32 +01:00
Willy Tarreau
18baa9d646 [TESTS] include filltab25.c to experiment on FWRR for dynamic weights
This is the 25th version of this test program. Merge it to ensure it
does not get lost.
2007-11-28 14:23:29 +01:00
Willy Tarreau
a7e76142a1 [MEDIUM] make default_backend work in TCP mode too
The default_backend did not work in TCP mode since there was no
header state to assign the backend. This causes much trouble when
configs are created by copy-paste.

The solution was to fix the way the backend is assigned upon accept().
A wrong contimeout assignment was fixed too.
2007-11-03 14:28:39 +01:00
Willy Tarreau
0173280bfa [MEDIUM] introduce the "url_param" balance method
Some applications do not have a strict persistence requirement, yet
it is still desirable for performance considerations, due to local
caches on the servers. For some reasons, there are some applications
which cannot rely on cookies, and for which the last resort is to use
a parameter passed in the URL.

The new 'url_param' balance method is there to solve this issue. It
accepts a parameter name which is looked up from the URL and which
is then hashed to select a server. If the parameter is not found,
then the round robin algorithm is used in order to provide a normal
load balancing across the servers for the first requests. It would
have been possible to use a source IP hash instead, but since such
applications are generally buried behind multiple levels of
reverse-proxies, it would not provide a good balance.

The doc has been updated, and two regression testing configurations
have been added.
2007-11-01 23:05:09 +01:00
Willy Tarreau
23085b6df8 [TESTS] add a simple test for the status page 2007-10-25 20:17:40 +02:00
Willy Tarreau
fe94460d53 [BUG] fix calls to localtime()
localtime() was called with pointers to tv_sec, which is time_t on
some platforms and long on others. A problem was encountered on
Sparc64 under OpenBSD where tv_sec is long (64 bits) and time_t is
32 bits. Since this architecture is big-endian, it exhibited the
bug because localtime() always worked with the high part of the
value which is always zero. This problem was identified and debugged
by Thierry Fournier.

The correct solution is to pass the date by value and not by pointer,
through an intermediate function. The use of localtime_r() instead of
localtime() also made it possible to get rid of the first call to
localtime() since it does not need to allocate memory anymore.
2007-10-25 10:34:16 +02:00
Willy Tarreau
d1eb3f0919 [TESTS] added a file to check that "retries" works. 2007-10-15 09:32:21 +02:00
Willy Tarreau
51041c737c [MAJOR] remove files distributed under an obscure license
src/chtbl.c, src/hashpjw.c and src/list.c are distributed under
an obscure license. While Aleks and I believe that this license
is OK for haproxy, other people think it is not compatible with
the GPL.

Whether it is or not is not the problem. The fact that it rises
a doubt is sufficient for this problem to be addressed. Arnaud
Cornet rewrote the unclear parts with clean GPLv2 and LGPL code.
The hash algorithm has changed too and the code has been slightly
simplified in the process. A lot of care has been taken in order
to respect the original API as much as possible, including the
LGPL for the exportable parts.

The new code has not been thoroughly tested but it looks OK now.
2007-09-09 21:56:53 +02:00
Willy Tarreau
ab28b8b9fd [TESTS] added a new hash algorithm
added "wt_hash" which shows only 60 collisions in 575k values, which
sets it between hashword() and djbx33(). It's also between both in
terms of performance, but the most important part is that its variable
length rotation mechanism should make it really harder to predict and
attack than the other ones.
2007-09-09 21:13:47 +02:00
Willy Tarreau
ca769dc631 [TESTS] provide a test configuration file for stats and checks
A file with 1000 servers and a stats interface has been added.
2007-09-09 21:09:28 +02:00
Willy Tarreau
ab3e1d313c [MEDIUM] optimize I/O by detecting system starvation
Compare the results of recv/send with the parameter passed and
detect whether the system has no free buffer space for send()
or has no data anymore for recv(). This dramatically reduces
the number of syscalls (by about 23%).
2007-06-03 16:05:39 +02:00
Willy Tarreau
ae5f7dadef [TESTS] updates to hash experimentations
Aleksandar Lazic has collected many hashing algorithms and put them
in one file to ease benchmarking. Some algos look promising, some
of them have been checked further with uri_hash. Some results on
various systems/hardware are stored in hash_results.txt.
2007-05-13 11:40:04 +02:00
Willy Tarreau
119680bc5e [TESTS] test_pools: added support for dlmalloc() 2007-05-12 16:14:55 +02:00
Willy Tarreau
ad99d29a00 [TESTS] added test_pools from Aleksandar Lazic
This simple test performs memory allocations using pools and
mallocs and returns the average number of allocations per second.
2007-05-12 15:51:02 +02:00
Willy Tarreau
58ef70227a [TESTS] added a trivial program to benchmark hash algos
The uri_hash.c program makes it very easy to benchmark the
distribution of hash algos. Pass it one word per line, and
it will show the distribution per server for 1 to 10 servers.
2007-05-08 23:22:43 +02:00
Willy Tarreau
1da7a77031 [TESTS] added two new test configurations
- one for basic features
- one for httpterm
2006-07-29 16:47:12 +02:00
willy tarreau
1a3442daee * added the 'source' load-balancing algorithm which uses the source IP(v4|v6) 2006-03-25 20:33:17 +01:00
willy tarreau
b8d29e4361 * some regression test files for active/backup conditions. 2006-03-25 20:33:14 +01:00
willy tarreau
9970d5cf80 * fixed odd addresses in tests/defaults.cfg 2006-01-08 01:51:58 +01:00
willy tarreau
eedaa9f220 * released 1.1.23
* fixed a stupid bug introduced in 1.1.22 which caused second and subsequent
  'default' sections to keep previous parameters, and not initialize logs
  correctly.
* fixed a second stupid bug introduced in 1.1.22 which caused configurations
  relying on 'dispatch' mode to segfault at the first connection.
* 'option httpchk' now supports method, HTTP version and a few headers.
* now, 'option httpchk', 'cookie' and 'capture' can be specified in
  'defaults' section
* a fresh new english documentation
* large Makefile cleanup for increased portability
* new build script 'build.cfg' for Formilux-0.1.8
* new startup script 'init.haproxy.flx0' for Formilux-0.1.8
2005-12-17 14:08:03 +01:00
willy tarreau
a41a8b4ee6 * released 1.1.22
* 'listen' now supports optionnal address:port-range lists
* 'bind' introduced to add new listen addresses
* fixed a bug which caused a session to be kept established on a server till
  it timed out if the client closed during the DATA phase.
* the port part of each server address can now be empty to make the proxy
  connect to the server on the same port it was connected to, be an absolute
  unsigned number to reflect a single port (as in older versions), or an
  explicitly signed number (+N/-N) to indicate that this offset must be
  applied to the port the proxy was connected to, when connecting to the
  server.
* the 'port' server option allows the user to specify a different
  health-check port than the service one. It is mandatory when only relative
  ports have been specified and check is required. By default, the checks are
  sent to the service port.
* new 'defaults' section which is rather similar to 'listen' except that all
  values are only used as default values for future 'listen' sections, until
  a new 'defaults' resets them. At the moment, server options, regexes,
  cookie names and captures cannot be set in the 'defaults' section.
* Makefile now optimizes for Ultrasparc by default on Solaris/Sparc
* large documentation updates and fixes
* new 'tests' directory with some debug files
2005-12-17 14:02:24 +01:00
willy tarreau
0f7af91265 * initial commit of version 1.0.0 2005-12-17 12:21:26 +01:00