Commit Graph

2577 Commits

William Lallemand
6bc00a97da MINOR: httpclient: allow to configure the timeout.connect
When using the httpclient, one could be bothered with it returning
after a very long time when failing. By default the httpclient has a
retries of 3 and a timeout connect of 5s, which can result in a pause of
20s upon failure.

This patch allows the user to configure the "timeout connect" of the
httpclient so it could reduce the time to return an error.

This patch helps fix part of issue #2269.

Could be backported in 2.7 if needed.
2023-09-05 16:42:27 +02:00
William Lallemand
c52948bd2c MINOR: httpclient: allow to configure the retries
When using the httpclient, one could be bothered with it returning after
a very long time when failing. By default the httpclient has a retries
of 3 and a timeout connect of 5s, which can result in a pause of 20s
upon failure.

This patch allows the user to configure the retries of the httpclient so
it could reduce the time to return an error.

This patch helps fix part of issue #2269.

Could be backported in 2.7 if needed.
2023-09-05 15:55:04 +02:00
William Lallemand
637306c86d DOC: configuration: update examples for req.ver
Update the documentation for the req.ver sample fetch.

Could be backported as far as 2.6.
2023-09-04 18:12:58 +02:00
Willy Tarreau
844a3bc25b MEDIUM: checks: implement a queue in order to limit concurrent checks
The progressive adoption of OpenSSL 3 and its abysmal handshake
performance has started to reveal situations where it simply isn't
possible anymore to successfully run health checks on many servers,
because between the moment all the checks are started and the moment
the handshake finally completes, the timeout has expired!

This also has consequences on production traffic which gets
significantly delayed as well, all that for lots of checks. While it's
possible to increase the check delays, it doesn't solve everything as
checks still take a huge amount of time to converge in such conditions.

Here we take a different approach by permitting enforcement of the maximum
concurrent checks per thread limitation and implementing an ordered
queue. Thanks to this, if a thread about to start a check has reached
its limit, it will add the check at the end of a queue and it will be
processed once another check is finished. This proves to be extremely
efficient, with all checks completing in a reasonable amount of time
and not being disturbed by the rest of the traffic from other checks.
They're just cycling slower, but at the speed the machine can handle.

One must understand however that if some complex checks perform multiple
exchanges, they will take a check slot for all the required duration.
This is why the limit is not enforced by default.

Tests on SSL show that a limit of 5-50 checks per thread on local
servers gives excellent results already, so that could be a good starting
point.
2023-09-01 14:00:04 +02:00
Willy Tarreau
cfc0bceeb5 MEDIUM: checks: search more aggressively for another thread on overload
When the current check is overloaded (more running checks than the
configured limit), we'll try more aggressively to find another thread.
Instead of just opportunistically looking for one half as loaded, now if
the current thread has more than 1% more active checks than another one,
or has more than a configured limit of concurrent running checks, it will
search for a more suitable thread among 3 other random ones in order to
migrate the check there. The number of migrations remains very low (~1%)
and the checks load very fair across all threads (~1% as well). The new
parameter is called tune.max-checks-per-thread.
2023-09-01 08:26:06 +02:00
Alexander Stephan
2cc53ecc8f MINOR: sample: Add common TLV types as constants for fc_pp_tlv
This patch adds common TLV types as specified in the PPv2 spec.
We will use the suffix of the type, e.g., PP2_TYPE_AUTHORITY becomes AUTHORITY.
2023-08-29 15:32:02 +02:00
Alexander Stephan
f773ef721c MEDIUM: sample: Add fetch for arbitrary TLVs
Based on the new, generic allocation infrastructure, a new sample
fetch fc_pp_tlv is introduced. It is an abstraction for existing
PPv2 TLV sample fetches. It takes any valid TLV ID as argument and
returns the value as a string, similar to fc_pp_authority and
fc_pp_unique_id.
2023-08-29 15:31:28 +02:00
Willy Tarreau
bd84387beb MEDIUM: capabilities: enable support for Linux capabilities
For a while there has been the constraint of having to run as root for
transparent proxying, and we're starting to see some cases where QUIC is
not running in socket-per-connection mode due to the missing capability
that would be needed to bind a privileged port. It's not realistic to
ask all QUIC users on port 443 to run as root, so instead let's provide
a basic support for capabilities at least on linux. The ones currently
supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The
mechanism was made OS-specific with a dedicated file because it really
is. It can be easily refined later for other OSes if needed.

A new keyword "setcaps" is added to the global section, to enumerate the
capabilities that must be kept when switching from root to non-root. This
is ignored in other situations though. HAProxy has to be built with
USE_LINUX_CAP=1 for this to be supported, which is enabled by default
for linux-glibc, linux-glibc-legacy and linux-musl.

A good way to test this is to start haproxy with such a config:

    global
        uid 1000
        setcap cap_net_bind_service

    frontend test
        mode http
        timeout client 3s
        bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt

and run it under "sudo strace -e trace=bind,setuid", then connect
there from an H3 client. The bind() syscall must succeed despite the
user id having been switched.
2023-08-29 11:11:50 +02:00
Willy Tarreau
4d5f7d94b9 DOC: config: mention uid dependency on the tune.quic.socket-owner option
This option defaults to "connection" but is also dependent on the user
being allowed to bind the specified port. Since QUIC can easily run on
non-privileged ports, usually this is not a problem, but if bound to port
443 it will usually fail. Let's mention this.
2023-08-29 11:11:50 +02:00
Willy Tarreau
518349f08a [RELEASE] Released version 2.9-dev4
Released version 2.9-dev4 with the following main changes :
    - DEV: flags/show-sess-to-flags: properly decode fd.state
    - BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
    - BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
    - DOC: typo: fix sc-set-gpt references
    - SCRIPTS: git-show-backports: automatic ref and base detection with -m
    - REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3)
    - DOC: jwt: Add explicit list of supported algorithms
    - BUILD: Makefile: add the USE_QUIC option to make help
    - BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help
    - BUILD: Makefile: realigned USE_* options in make help
    - DEV: makefile: fix POSIX compatibility for "range" target
    - IMPORT: plock: also support inlining the int code
    - IMPORT: plock: always expose the inline version of the lock wait function
    - IMPORT: lorw: support inlining the wait call
    - MINOR: threads: inline the wait function for pthread_rwlock emulation
    - MINOR: atomic: make sure to always relax after a failed CAS
    - MINOR: pools: use EBO to wait for unlock during pool_flush()
    - BUILD/IMPORT: fix compilation with PLOCK_DISABLE_EBO=1
    - MINOR: quic+openssl_compat: Do not start without "limited-quic"
    - MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
    - BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind
    - BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code
    - MINOR: pattern: do not needlessly lookup the LRU cache for empty lists
    - IMPORT: xxhash: update xxHash to version 0.8.2
    - MINOR: proxy: simplify parsing 'backend/server'
    - MINOR: connection: centralize init/deinit of backend elements
    - MEDIUM: connection: implement passive reverse
    - MEDIUM: h2: reverse connection after SETTINGS reception
    - MINOR: server: define reverse-connect server
    - MINOR: backend: only allow reuse for reverse server
    - MINOR: tcp-act: parse 'tcp-request attach-srv' session rule
    - REGTESTS: provide a reverse-server test
    - MINOR: tcp-act: define optional arg name for attach-srv
    - MINOR: connection: use attach-srv name as SNI reuse parameter on reverse
    - REGTESTS: provide a reverse-server test with name argument
    - MINOR: proto: define dedicated protocol for active reverse connect
    - MINOR: connection: extend conn_reverse() for active reverse
    - MINOR: proto_reverse_connect: parse rev@ addresses for bind
    - MINOR: connection: prepare init code paths for active reverse
    - MEDIUM: proto_reverse_connect: bootstrap active reverse connection
    - MINOR: proto_reverse_connect: handle early error before reversal
    - MEDIUM: h2: implement active connection reversal
    - MEDIUM: h2: prevent stream opening before connection reverse completed
    - REGTESTS: write a full reverse regtest
    - BUG/MINOR: h2: fix reverse if no timeout defined
    - CI: fedora: fix "dnf" invocation syntax
    - BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
    - DOC: lua: fix Sphinx warning from core.get_var()
    - DOC: lua: fix core.register_action typo
    - BUG/MINOR: ssl_sock: fix possible memory leak on OOM
    - MEDIUM: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs)
    - MEDIUM: map/acl: Improve pat_ref_set_elt() efficiency (for "set-map", "add-acl" action perfs)
    - MEDIUM: map/acl: Accelerate several functions using pat_ref_elt struct ->head list
    - MEDIUM: map/acl: Replace map/acl spin lock by a read/write lock.
    - DOC: map/acl: Remove the comments about map/acl performance issue
    - DOC: Explanation of be_name and be_id fetches
    - MINOR: connection: simplify removal of idle conns from their trees
    - MINOR: server: move idle tree insert in a dedicated function
    - MAJOR: connection: purge idle conn by last usage
2023-08-25 17:57:22 +02:00
Sébastien Gross
f20f85f4d7 DOC: Explanation of be_name and be_id fetches
The be_name and be_id fetches contain data related to the current
backend and can be used in frontend responses. Yet, in cases where
no backend is used due to a local response or backend selection
failure, these fetches retain details of the current frontend.

This patch enhances the clarity of the values provided by these
fetches.

Signed-off-by: Sébastien Gross <sgross@haproxy.com>
2023-08-25 15:54:30 +02:00
Frédéric Lécaille
0a20be8915 DOC: map/acl: Remove the comments about map/acl performance issue
These commits have improved the performance of the "set-map" and "add-acl"
http rule actions:

   MINOR: map/acl: Improve pat_ref_set_elt() efficiency (for "set-map", "add-acl" actions perfs)
   MINOR: map/acl: Improve pat_ref_set() efficiency (for "set-map", "add-acl" action perfs)
2023-08-25 15:41:55 +02:00
Aurelien DARRAGON
7e9aea789f DOC: lua: fix core.register_action typo
"converter" was used in place of "action" as a result of a copy-paste
error probably.

Also, rephrasing the "actions" keyword explanation to prevent confusion
between action name (which is the name of new action about to be created)
and action facilities where we want to expose the new action.

This could be backported to every stable version.
2023-08-25 11:52:43 +02:00
Aurelien DARRAGON
190f09a6ce DOC: lua: fix Sphinx warning from core.get_var()
Since f034139bc0 ("MINOR: lua: Allow reading "proc." scoped vars from
LUA core."), a new Sphinx warning is emitted when generating the lua doc:

  "WARNING: Field list ends without a blank line; unexpected unindent."

This is due to a missing space after the line break continuation; the Sphinx
parser is very restrictive, unfortunately!

Suppressing the warning and fixing the html output at the same time by
adding the missing space.
2023-08-25 11:52:43 +02:00
Amaury Denoyelle
0747e493a0 MINOR: proto_reverse_connect: parse rev@ addresses for bind
Implement parsing for "rev@" addresses on bind line. On config parsing,
server name is stored on the bind_conf.

Several new callbacks are defined on reverse_connect protocol to
complete parsing. listen callback is used to retrieve the server
instance from the bind_conf server name. If found, the server instance
is stored on the receiver. Checks are implemented to ensure HTTP/2
protocol only is used by the server.
2023-08-24 17:02:37 +02:00
Amaury Denoyelle
0b3758e18f MINOR: tcp-act: define optional arg name for attach-srv
Add an optional argument 'name' for attach-srv rule. This contains an
expression which will be used as an identifier inside the server idle
pool after reversal. To match this connection for a future transfer
through the server, the SNI server parameter must match this name. If no
name is defined, match will only occur with an empty SNI value.

For the moment, only the parsing step is implemented. An extra check is
added to ensure that the reverse server uses SSL with a SNI. Indeed, if
name is defined but the server does not use an SNI, connections will never
be selected on reuse after reversal due to a hash mismatch.
2023-08-24 15:28:38 +02:00
Amaury Denoyelle
58cb76d7e1 MINOR: tcp-act: parse 'tcp-request attach-srv' session rule
Create a new tcp-request session rule 'attach-srv'.

The parsing handler is used to extract the server targeted with the
notation 'backend/server'. The server instance is stored in the act_rule
instance under the new union variant 'attach_srv'.

Extra checks are implemented in parsing to ensure attach-srv is only
used for a proxy in HTTP mode and with listeners/servers with no explicit
protocol reference or HTTP/2 only.

The action handler itself is really simple. It assigns the stored server
instance to the 'reverse' member of the connection instance. It will be
used in a future patch to implement passive reverse-connect.
2023-08-24 15:02:32 +02:00
Amaury Denoyelle
e6223a3188 MINOR: server: define reverse-connect server
Implement reverse-connect server. This server type cannot instantiate
its own connection on transfer. Instead, it can only reuse connection
from its idle pool. These connections will be populated using the future
'tcp-request session attach-srv' rule.

A reverse-connect has no address. Instead, it uses a new custom server
notation with '@' character prefix. For the moment, only '@reverse' is
defined. An extra check is implemented to ensure the server is used in an
HTTP proxy.
2023-08-24 14:49:03 +02:00
Remi Tricot-Le Breton
672203c26b DOC: jwt: Add explicit list of supported algorithms
Add explicit list of algorithms supported by the jwt_verify converter.
2023-08-16 11:53:42 +02:00
Johannes Naab
d5590ef633 DOC: typo: fix sc-set-gpt references
Only sc-inc-gpc and sc-set-gpt do exist. The mix-up sc-inc-gpt crept in
in 71d189219 (DOC: config: Rework and uniformize how TCP/HTTP rules are
documented, 2021-10-14) and got copied in a92480462 (MINOR: http-rules:
Add missing actions in http-after-response ruleset, 2023-01-05).
2023-08-14 09:04:45 +02:00
Willy Tarreau
75028bcba6 [RELEASE] Released version 2.9-dev3
Released version 2.9-dev3 with the following main changes :
    - BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX
    - BUG/MEDIUM: h3: Properly report a C-L header was found to the HTX start-line
    - MINOR: sample: add pid sample
    - MINOR: sample: implement act_conn sample fetch
    - MINOR: sample: accept_date / request_date return %Ts / %tr timestamp values
    - MEDIUM: sample: implement us and ms variant of utime and ltime
    - BUG/MINOR: sample: check alloc_trash_chunk() in conv_time_common()
    - DOC: configuration: describe Td in Timing events
    - MINOR: sample: implement the T* timer tags from the log-format as fetches
    - DOC: configuration: add sample fetches for timing events
    - BUG/MINOR: quic: Possible crash when acknowledging Initial v2 packets
    - MINOR: quic: Export QUIC traces code from quic_conn.c
    - MINOR: quic: Export QUIC CLI code from quic_conn.c
    - MINOR: quic: Move TLS related code to quic_tls.c
    - MINOR: quic: Add new "QUIC over SSL" C module.
    - MINOR: quic: Add a new quic_ack.c C module for QUIC acknowledgements
    - CLEANUP: quic: Defined but no more used function (quic_get_tls_enc_levels())
    - MINOR: quic: Split QUIC connection code into three parts
    - CLEANUP: quic: quic_conn struct cleanup
    - MINOR: quic: Move the QUIC frame pool to its proper location
    - BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full
    - BUG/MEDIUM: h3: Be sure to handle fin bit on the last DATA frame
    - DOC: configuration: rework the custom log format table
    - BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels
    - CLEANUP: acl: remove cache_idx from acl struct
    - REORG: cfgparse: extract curproxy as a global variable
    - MINOR: acl: add acl() sample fetch
    - BUILD: cfgparse: keep a single "curproxy"
    - BUG/MEDIUM: bwlim: Reset analyse expiration date when the channel analyse ends
    - MEDIUM: stream: Reset response analyse expiration date if there is no analyzer
    - BUG/MINOR: htx/mux-h1: Properly handle bodyless responses when splicing is used
    - BUG/MEDIUM: quic: consume contig space on requeue datagram
    - BUG/MINOR: http-client: Don't forget to commit changes on HTX message
    - CLEANUP: stconn: Move comment about sedesc fields on the field line
    - REGTESTS: http: Create a dedicated script to test spliced bodyless responses
    - REGTESTS: Test SPLICE feature is enabled to execute script about splicing
    - BUG/MINOR: quic: reappend rxbuf buffer on fake dgram alloc error
    - BUILD: quic: fix wrong potential NULL dereference
    - MINOR: h3: abort request if not completed before full response
    - BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement
    - CLEANUP: quic: Remove quic_path_room().
    - MINOR: quic: Amplification limit handling sanitization.
    - MINOR: quic: Move some counters from [rt]x quic_conn anonymous struct
    - MEDIUM: quic: Send CONNECTION_CLOSE packets from a dedicated buffer.
    - MINOR: quic: Use a pool for the connection ID tree.
    - MEDIUM: quic: Allow the quic_conn memory to be asap released.
    - MINOR: quic: Release asap quic_conn memory (application level)
    - MINOR: quic: Release asap quic_conn memory from ->close() xprt callback.
    - MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"
    - REORG: http: move has_forbidden_char() from h2.c to http.h
    - BUG/MAJOR: h3: reject header values containing invalid chars
    - MINOR: mux-h2/traces: also suggest invalid header upon parsing error
    - MINOR: ist: add new function ist_find_range() to find a character range
    - MINOR: http: add new function http_path_has_forbidden_char()
    - MINOR: h2: pass accept-invalid-http-request down the request parser
    - REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
    - BUG/MINOR: h1: do not accept '#' as part of the URI component
    - BUG/MINOR: h2: reject more chars from the :path pseudo header
    - BUG/MINOR: h3: reject more chars from the :path pseudo header
    - REGTESTS: http-rules: verify that we block '#' by default for normalize-uri
    - DOC: clarify the handling of URL fragments in requests
    - BUG/MAJOR: http: reject any empty content-length header value
    - BUG/MINOR: http: skip leading zeroes in content-length values
    - BUG/MEDIUM: mux-h1: fix incorrect state checking in h1_process_mux()
    - BUG/MEDIUM: mux-h1: do not forget EOH even when no header is sent
    - BUILD: mux-h1: shut a build warning on clang from previous commit
    - DEV: makefile: add a new "range" target to iteratively build all commits
    - CI: do not use "groupinstall" for Fedora Rawhide builds
    - CI: get rid of travis-ci wrapper for Coverity scan
    - BUG/MINOR: quic: mux started when releasing quic_conn
    - BUG/MINOR: quic: Possible crash in quic_cc_conn_io_cb() traces.
    - MINOR: quic: Add a trace for QUIC conn fd ready for receive
    - BUG/MINOR: quic: Possible crash when issuing "show fd/sess" CLI commands
    - BUG/MINOR: quic: Missing tasklet (quic_cc_conn_io_cb) memory release (leak)
    - BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing
    - BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
    - MINOR: hlua: add hlua_stream_ctx_prepare helper function
    - BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread
    - MAJOR: threads/plock: update the embedded library again
    - MINOR: stick-table: move the task_queue() call outside of the lock
    - MINOR: stick-table: move the task_wakeup() call outside of the lock
    - MEDIUM: stick-table: change the ref_cnt atomically
    - MINOR: stick-table: better organize the struct stktable
    - MEDIUM: peers: update ->commitupdate out of the lock using a CAS
    - MEDIUM: peers: drop then re-acquire the wrlock in peer_send_teachmsgs()
    - MEDIUM: peers: only read-lock peer_send_teachmsgs()
    - MEDIUM: stick-table: use a distinct lock for the updates tree
    - MEDIUM: stick-table: touch updates under an upgradable read lock
    - MEDIUM: peers: drop the stick-table lock before entering peer_send_teachmsgs()
    - MINOR: stick-table: move the update lock into its own cache line
    - CLEANUP: stick-table: slightly reorder the stktable struct
    - BUILD: defaults: use __WORDSIZE not LONGBITS for MAX_THREADS_PER_GROUP
    - MINOR: tools: make ptr_hash() support 0-bit outputs
    - MINOR: tools: improve ptr hash distribution on 64 bits
    - OPTIM: tools: improve hash distribution using a better prime seed
    - OPTIM: pools: use exponential back-off on shared pool allocation/release
    - OPTIM: pools: make pool_get_from_os() / pool_put_to_os() not update ->allocated
    - MINOR: pools: introduce the use of multiple buckets
    - MEDIUM: pools: spread the allocated counter over a few buckets
    - MEDIUM: pools: move the used counter over a few buckets
    - MEDIUM: pools: move the needed_avg counter over a few buckets
    - MINOR: pools: move the failed allocation counter over a few buckets
    - MAJOR: pools: move the shared pool's free_list over multiple buckets
    - MINOR: pools: make pool_evict_last_items() use pool_put_to_os_no_dec()
    - BUILD: pools: fix build error on clang with inline vs forceinline
2023-08-12 19:59:27 +02:00
Willy Tarreau
7ab4949ef1 DOC: clarify the handling of URL fragments in requests
We indicate in path/pathq/url that they may contain '#' if the frontend
is configured with "option accept-invalid-http-request", and that option
mentions the fragment as well.
2023-08-08 19:56:41 +02:00
Patrick Hemmer
7fccccccea MINOR: acl: add acl() sample fetch
This provides a sample fetch which returns the evaluation result
of the conjunction of named ACLs.
2023-08-01 10:49:06 +02:00
William Lallemand
d52da4ef70 DOC: configuration: rework the custom log format table
Rework the custom log format table to add sample fetch alternatives.

Split the timestamps and the timers from the rest of the tags.
2023-07-28 14:29:08 +02:00
William Lallemand
454c372b60 DOC: configuration: add sample fetches for timing events
Add the alternatives sample fetches for timing events.
2023-07-26 17:45:33 +02:00
William Lallemand
38975c0164 DOC: configuration: describe Td in Timing events
Describe the Td timer in the timing events section.

Must be backported in every stable branches.
2023-07-25 14:58:35 +02:00
William Lallemand
5e63e1636a MEDIUM: sample: implement us and ms variant of utime and ltime
Implement 4 new fetches:

- ms_ltime
- ms_utime

- us_ltime
- us_utime

Which are the same as ltime and utime but with milliseconds and
microseconds input.

The converters also support the %N conversion specifier like in date(1).

Unfortunately since %N is not supported by strftime, the format string
is parsed twice, once manually to replace %N, and once by strftime.
2023-07-24 17:12:29 +02:00
William Lallemand
739c4e5b1e MINOR: sample: accept_date / request_date return %Ts / %tr timestamp values
Implement %[accept_date] which returns the same as %Ts log-format tag.
Implement %[request_date] which is a timestamp for %tr.

accept_date and request_date take a facultative unit argument which can
be 's', 'ms' or 'us'.

The goal is to be able to convert these 2 timestamps to HAProxy date
format like it's done with %T, %tr, %trg etc.
2023-07-24 17:12:29 +02:00
William Lallemand
2a46bfe239 MINOR: sample: implement act_conn sample fetch
Implement the act_conn sample fetch which is the same as %ac (actconn)
in the log-format.
2023-07-24 17:12:29 +02:00
William Lallemand
ac87815be9 MINOR: sample: add pid sample
Implement the pid sample fetch.
2023-07-24 17:12:29 +02:00
Willy Tarreau
80cef0c02d [RELEASE] Released version 2.9-dev2
Released version 2.9-dev2 with the following main changes :
    - BUG/MINOR: quic: Possible leak when allocating an encryption level
    - BUG/MINOR: quic: Missing QUIC connection path member initialization
    - BUILD: quic: Compilation fixes for some gcc warnings with -O1
    - DOC: ssl: Fix typo in 'ocsp-update' option
    - DOC: ssl: Add ocsp-update troubleshooting clues and emphasize on crt-list only aspect
    - BUG/MINOR: tcp_sample: bc_{dst,src} return IP not INT
    - MEDIUM: acl/sample: unify sample conv parsing in a single function
    - MINOR: sample: introduce c_pseudo() conv function
    - MEDIUM: sample: add missing ADDR=>? compatibility matrix entries
    - MINOR: sample: fix ipmask sample definition
    - MEDIUM: tree-wide: fetches that may return IPV4+IPV6 now return ADDR
    - MEDIUM: sample: introduce 'same' output type
    - BUG/MINOR: quic: Possible crash in "show quic" dumping packet number spaces
    - BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overridden by a s-maxage
    - BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()
    - BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239()
    - BUG/MINOR: sink: missing sft free in sink_deinit()
    - BUG/MINOR: ring: size warning incorrectly reported as fatal error
    - BUG/MINOR: ring: maxlen warning reported as alert
    - BUG/MINOR: log: LF upsets maxlen for UDP targets
    - MINOR: sink/api: pass explicit maxlen parameter to sink_write()
    - BUG/MEDIUM: log: improper use of logsrv->maxlen for buffer targets
    - BUG/MINOR: log: fix missing name error message in cfg_parse_log_forward()
    - BUG/MINOR: log: fix multiple error paths in cfg_parse_log_forward()
    - BUG/MINOR: log: free errmsg on error in cfg_parse_log_forward()
    - BUG/MINOR: sink: invalid sft free in sink_deinit()
    - BUG/MINOR: sink: fix errors handling in cfg_post_parse_ring()
    - BUG/MINOR: server: set rid default value in new_server()
    - MINOR: hlua_fcn/mailers: handle timeout mail from mailers section
    - BUG/MINOR: sink/log: properly deinit srv in sink_new_from_logsrv()
    - EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script
    - BUG/MINOR: hlua_fcn/queue: use atomic load to fetch queue size
    - BUG/MINOR: config: Remove final '\n' in error messages
    - BUG/MINOR: config: Lenient port configuration parsing
    - BUG/MEDIUM: quic: token IV was not computed using a strong secret
    - BUG/MINOR: quic: retry token remove one useless intermediate expand
    - BUG/MEDIUM: quic: missing check of dcid for init pkt including a token
    - BUG/MEDIUM: quic: timestamp shared in token was using internal time clock
    - CLEANUP: quic: remove useless parameter 'key' from quic_packet_encrypt
    - BUG/MINOR: hlua: hlua_yieldk ctx argument should support pointers
    - BUG/MEDIUM: hlua_fcn/queue: bad pop_wait sequencing
    - DOC: config: Fix fc_src description to state the source address is returned
    - BUG/MINOR: sample: Fix wrong overflow detection in add/sub conveters
    - BUG/MINOR: http: Return the right reason for 302
    - MEDIUM: ssl: new sample fetch method to get curve name
    - CI: add naming convention documentation
    - CI: explicitly highlight VTest result section if there's something
    - BUG/MINOR: quic: Unchecked encryption levels availability
    - BUILD: quic: fix warning during compilation using gcc-6.5
    - BUG/MINOR: hlua: add check for lua_newstate
    - BUG/MINOR: h1-htx: Return the right reason for 302 FCGI responses
    - MINOR: lua: Allow reading "proc." scoped vars from LUA core.
    - MINOR: cpuset: add cpu_map_configured() to know if a cpu-map was found
    - BUG/MINOR: config: do not detect NUMA topology when cpu-map is configured
    - BUG/MINOR: cpuset: remove the bogus "proc" from the cpu_map struct
    - BUG/MINOR: init: set process' affinity even in foreground
    - CLEANUP: cpuset: remove the unused proc_t1 field in cpu_map
    - CLEANUP: config: make parse_cpu_set() return documented values
    - BUG/MINOR: server: Don't warn on server resolution failure with init-addr none
    - MINOR: peers: add peers keyword registration
    - MINOR: quic: Stop storing the TX encoded transport parameters
    - MINOR: quic: Dynamic allocation for negotiated Initial TLS cipher context.
    - MINOR: quic: Release asap the negotiated Initial TLS context.
    - MINOR: quic: Add traces to qc_may_build_pkt()
    - MEDIUM: quic: Packet building rework.
    - CLEANUP: quic: Remove a useless TLS related variable from quic_conn_io_cb().
    - MEDIUM: quic: Handshake I/O handler rework.
    - MINOR: quic: Add traces for qc_frm_free()
    - MINOR: quic: add trace about pktns packet/frames releasing
    - BUG/MINOR: quic: Missing parentheses around PTO probe variable.
    - MINOR: quic: Ping from Initial pktns before reaching anti-amplification limit
    - BUG/MINOR: server-state: Ignore empty files
    - BUG/MINOR: server-state: Avoid warning on 'file not found'
    - BUG/MEDIUM: listener: Acquire proxy's lock in relax_listener() if necessary
    - MINOR: quic: QUIC openssl wrapper implementation
    - MINOR: quic: Include QUIC openssl wrapper header from TLS stacks compatibility header
    - MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT
    - MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method()
    - MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled()
    - MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper
    - MINOR: quic: Export some KDF functions (QUIC-TLS)
    - MINOR: quic: Make ->set_encryption_secrets() be callable two times
    - MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper
    - MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog()
    - MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct
    - MINOR: quic: Useless call to SSL_CTX_set_quic_method()
    - MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper.
    - MINOR: quic: Missing encoded transport parameters for QUIC OpenSSL wrapper
    - MINOR: quic: Add "limited-quic" new tuning setting
    - DOC: quic: Add "limited-quic" new tuning setting
    - DOC: install: Document how to build a limited support for QUIC
2023-07-21 20:29:42 +02:00
Frédéric Lécaille
91410302e9 DOC: quic: Add "limited-quic" new tuning setting
Document "limited-quic" new tuning setting which must be used to
enable the QUIC listener bindings when haproxy is compiled against
a TLS/SSL stack without QUIC support.
2023-07-21 19:19:27 +02:00
Daan van Gorkum
f034139bc0 MINOR: lua: Allow reading "proc." scoped vars from LUA core.
This adds the "core.get_var()" method, allowing the reading
of "proc." scoped variables outside of TXN or HTTP/TCPApplet.

Fixes: #2212
Signed-off-by: Daan van Gorkum <djvg@djvg.net>
2023-07-20 10:55:28 +02:00
Mariam John
00b7b49a46 MEDIUM: ssl: new sample fetch method to get curve name
Adds a new sample fetch method to get the curve name used in the
key agreement to enable better observability. In OpenSSLv3, the function
`SSL_get_negotiated_group` returns the NID of the curve and from the NID,
we get the curve name by passing the NID to OBJ_nid2sn. This was not
available in v1.1.1. SSL_get_curve_name(), which returns the curve name
directly, was merged into OpenSSL master branch last week but will be available
only in its next release.
2023-07-17 15:45:41 +02:00
Christopher Faulet
46e5876035 DOC: config: Fix fc_src description to state the source address is returned
A typo in the "fc_src" description was fixed. This sample returns the
original source IP address and not the destination one.

This patch should be backported as far as 2.6.
2023-07-17 11:11:39 +02:00
Aurelien DARRAGON
b58bd9794f MINOR: hlua_fcn/mailers: handle timeout mail from mailers section
As the example/lua/mailers.lua script does its best to mimic the c-mailer
implementation, it should support the "timeout mail" directive as well.

This could be backported in 2.8.
2023-07-10 18:28:08 +02:00
Remi Tricot-Le Breton
a9b1a4edd9 DOC: ssl: Add ocsp-update troubleshooting clues and emphasize on crt-list only aspect
The current limitation of the 'ocsp-update' option and the fact that it
can only be used in crt-lists was puzzling for some people so the doc
was amended to emphasize this specificity. A configuration extract was
added as well.
A few troubleshooting clues were added as well.

Must be backported in 2.8.
2023-07-03 16:04:09 +02:00
Remi Tricot-Le Breton
8352f00261 DOC: ssl: Fix typo in 'ocsp-update' option
This patch fixes a misalignment in the 'ocsp-update' option description
and it splits the example log lines for readability.

Must be backported in 2.8.
2023-07-03 16:03:52 +02:00
Willy Tarreau
fdc57c4021 [RELEASE] Released version 2.9-dev1
Released version 2.9-dev1 with the following main changes :
    - BUG/MINOR: stats: Fix Lua's `get_stats` function
    - MINOR: stats: protect against future stats fields omissions
    - BUG/MINOR: stream: do not use client-fin/server-fin with HTX
    - BUG/MINOR: quic: Possible crash when SSL session init fails
    - CONTRIB: Add vi file extensions to .gitignore
    - BUG/MINOR: spoe: Only skip sending new frame after a receive attempt
    - BUG/MINOR: peers: Improve detection of config errors in peers sections
    - REG-TESTS: stickiness: Delay haproxys start to properly resolve variables
    - DOC: quic: fix misspelled tune.quic.socket-owner
    - DOC: config: fix jwt_verify() example using var()
    - DOC: config: fix rfc7239 converter examples (again)
    - BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line
    - BUG/MINOR: proxy: add missing interface bind free in free_proxy
    - BUG/MINOR: proxy/server: free default-server on deinit
    - BUG/MEDIUM: hlua: Use front SC to detect EOI in HTTP applets' receive functions
    - BUG/MINOR: ssl: log message non thread safe in SSL Handshake failure
    - BUG/MINOR: quic: Wrong encryption level flags checking
    - BUG/MINOR: quic: Address inversion in "show quic full"
    - BUG/MINOR: server: inherit from netns in srv_settings_cpy()
    - BUG/MINOR: namespace: missing free in netns_sig_stop()
    - BUG/MINOR: quic: Missing initialization (packet number space probing)
    - BUG/MINOR: quic: Possible crash in quic_conn_prx_cntrs_update()
    - BUG/MINOR: quic: Possible endless loop in quic_lstnr_dghdlr()
    - MINOR: quic: Remove pool_zalloc() from qc_new_conn()
    - MINOR: quic: Remove pool_zalloc() from qc_conn_alloc_ssl_ctx()
    - MINOR: quic: Remove pool_zalloc() from quic_dgram_parse()
    - BUG/MINOR: quic: Missing transport parameters initializations
    - BUG/MEDIUM: mworker: increase maxsock with each new worker
    - BUG/MINOR: quic: ticks comparison without ticks API use
    - BUG/MINOR: quic: Missing TLS secret context initialization
    - DOC: Add tune.h2.be.* and tune.h2.fe.* options to table of contents
    - DOC: Add tune.h2.max-frame-size option to table of contents
    - DOC: Attempt to fix dconv parsing error for tune.h2.fe.initial-window-size
    - REGTESTS: h1_host_normalization : Add a barrier to not mix up log messages
    - MEDIUM: mux-h1: Split h1_process_mux() to make code more readable
    - REORG: mux-h1: Rename functions to emit chunk size/crlf in the output buffer
    - MINOR: mux-h1: Add function to append the chunk size to the output buffer
    - MINOR: mux-h1: Add function to prepend the chunk crlf to the output buffer
    - MEDIUM: filters/htx: Don't rely on HTX extra field if payload is filtered
    - MEDIUM: mux-h1: Add splicing support for chunked messages
    - REGTESTS: Add a script to test the kernel splicing with chunked messages
    - CLEANUP: mux-h1: Remove useless __maybe_unused statement
    - BUG/MINOR: http_ext: fix if-none regression in forwardfor option
    - REGTEST: add an extra testcase for ifnone-forwardfor
    - BUG/MINOR: mworker: leak of a socketpair during startup failure
    - BUG/MINOR: quic: Prevent deadlock with CID tree lock
    - MEDIUM: ssl: handle the SSL_ERROR_ZERO_RETURN during the handshake
    - BUG/MINOR: ssl: SSL_ERROR_ZERO_RETURN returns CO_ER_SSL_EMPTY
    - BUILD: mux-h1: silence a harmless fallthrough warning
    - BUG/MEDIUM: quic: error checking buffer large enough to receive the retry tag
    - MINOR: ssl: allow to change the server signature algorithm on server lines
    - MINOR: ssl: allow to change the client-sigalgs on server lines
    - BUG/MINOR: config: fix stick table duplicate name check
    - BUG/MINOR: quic: Missing random bits in Retry packet header
    - BUG/MINOR: quic: Wrong Retry packet version field endianness
    - BUG/MINOR: quic: Wrong endianness for version field in Retry token
    - IMPORT: slz: implement a synchronous flush() operation
    - MINOR: compression/slz: add support for a pure flush of pending bytes
    - MINOR: quic: Move QUIC TLS encryption level related code (quic_conn_enc_level_init())
    - MINOR: quic: Move QUIC encryption level structure definition
    - MINOR: quic: Implement a packet number space identification function
    - MINOR: quic: Move packet number space related functions
    - MEDIUM: quic: Dynamic allocations of packet number spaces
    - CLEANUP: quic: Remove qc_list_all_rx_pkts() defined but not used
    - MINOR: quic: Add a pool for the QUIC TLS encryption levels
    - MEDIUM: quic: Dynamic allocations of QUIC TLS encryption levels
    - MINOR: quic: Reduce the maximum length of TLS secrets
    - CLEANUP: quic: Remove two useless pools a low QUIC connection level
    - MEDIUM: quic: Handle the RX in one pass
    - MINOR: quic: Remove call to qc_rm_hp_pkts() from I/O callback
    - CLEANUP: quic: Remove server specific about Initial packet number space
    - MEDIUM: quic: Release encryption levels and packet number spaces asap
    - CLEANUP: quic: Remove a useless test about discarded pktns (qc_handle_crypto_frm())
    - MINOR: quic: Move the packet number space status at quic_conn level
    - MINOR: quic: Drop packet with type for discarded packet number space.
    - BUILD: quic: Add a DISGUISE() to please some compiler to qc_prep_hpkts() 1st parameter
    - BUILD: debug: avoid a build warning related to epoll_wait() in debug code
2023-07-02 11:13:42 +02:00
William Lallemand
593c895eed MINOR: ssl: allow to change the client-sigalgs on server lines
This patch introduces the "client-sigalgs" keyword for the server line,
which allows configuring the list of server signature algorithms
negotiated during the handshake. Also available as
"ssl-default-server-client-sigalgs" in the global section.
2023-06-29 14:11:46 +02:00
William Lallemand
717f0ad995 MINOR: ssl: allow to change the server signature algorithm on server lines
This patch introduces the "sigalgs" keyword for the server line, which
allows configuring the list of server signature algorithms negotiated
during the handshake. Also available as "ssl-default-server-sigalgs" in
the global section.
2023-06-29 13:40:18 +02:00
Tim Duesterhus
bd88998678 DOC: Attempt to fix dconv parsing error for tune.h2.fe.initial-window-size
It appears that dconv dislikes the "see also" part being on the same line as
the regular paragraph. The beginning of the line does not show up in the
rendered version.

Attempt to fix this by inserting an additional newline which is consistent with
other options.
2023-06-20 11:52:47 +02:00
Tim Duesterhus
6a8638ff53 DOC: Add tune.h2.max-frame-size option to table of contents
This option was introduced in a24b35ca18, which
is 2.0+. It should be backported as far as it easily applies.
2023-06-20 11:51:55 +02:00
Tim Duesterhus
6b40cce10a DOC: Add tune.h2.be.* and tune.h2.fe.* options to table of contents
These new options were introduced in commits
9d7abda787 and
ca1027c22f, both of which are in HAProxy 2.8+.
This patch should be backported there.
2023-06-20 11:51:49 +02:00
Aurelien DARRAGON
1bdd490f9f DOC: config: fix rfc7239 converter examples (again)
Complementary fix to ac456ab ("DOC: config: fix rfc7239 converter examples")
since somehow I managed to overlook one example.

This needs to be backported in 2.8 with ac456ab.
2023-06-06 15:15:17 +02:00
Aurelien DARRAGON
b1d94e84e8 DOC: config: fix jwt_verify() example using var()
To prevent bogus matches, var() does not default to string type anymore
since 44c5ff6 ("MEDIUM: vars: make the var() sample fetch function really
return type ANY").

Thanks to the above fix, haproxy now returns an error if var() is used
within an ACL or IF condition and the matching type is not explicitly
set.

However, the documentation was not updated to reflect this change.

This partially fixes GH #2087 and must be backported up to 2.6.
2023-06-06 15:15:17 +02:00
Artur Pydo
a475448161 DOC: quic: fix misspelled tune.quic.socket-owner
Commit 511ddd5 introduced tune.quic.socket-owner parameter related to
QUIC socket behaviour. However it was misspelled in configuration.txt in
'bind' section as tune.quic.conn-owner.
2023-06-06 14:49:40 +02:00
Willy Tarreau
cb6a35fdc1 [RELEASE] Released version 2.9-dev0
Released version 2.9-dev0 with the following main changes :
    - MINOR: version: mention that it's development again
2023-05-31 16:29:19 +02:00
Willy Tarreau
fdd8154ed3 [RELEASE] Released version 2.8.0
Released version 2.8.0 with the following main changes :
    - MINOR: compression: Improve the way Vary header is added
    - BUILD: makefile: search for SSL_INC/wolfssl before SSL_INC
    - MINOR: init: pre-allocate kernel data structures on init
    - DOC: install: add details about WolfSSL
    - BUG/MINOR: ssl_sock: add check for ha_meth
    - BUG/MINOR: thread: add a check for pthread_create
    - BUILD: init: print rlim_cur as regular integer
    - DOC: install: specify the minimum openssl version recommended
    - CLEANUP: mux-quic: remove unneeded fields in qcc
    - MINOR: mux-quic: remove nb_streams from qcc
    - MINOR: quic: fix stats naming for flow control BLOCKED frames
    - BUG/MEDIUM: mux-quic: only set EOI on FIN
    - BUG/MEDIUM: threads: fix a tiny race in thread_isolate()
    - DOC: config: fix rfc7239 converter examples
    - DOC: quic: remove experimental status for QUIC
    - CLEANUP: mux-quic: rename functions for mux_ops
    - CLEANUP: mux-quic: rename internal functions
    - BUG/MINOR: mux-h2: refresh the idle_timer when the mux is empty
    - DOC: config: Fix bind/server/peer documentation in the peers section
    - BUILD: Makefile: use -pthread not -lpthread when threads are enabled
    - CLEANUP: doc: remove 21 totally obsolete docs
    - DOC: install: mention the common strict-aliasing warning on older compilers
    - DOC: install: clarify a few points on the wolfSSL build method
    - MINOR: quic: Add QUIC connection statistical counters values to "show quic"
    - EXAMPLES: update the basic-config-edge file for 2.8
    - MINOR: quic/cli: clarify the "show quic" help message
    - MINOR: version: mention that it's LTS now.
2023-05-31 16:24:38 +02:00
Willy Tarreau
6ccc8625b4 MINOR: quic/cli: clarify the "show quic" help message
Make it clear what is expected in the "<format>" field on the help line.
This should be backported to 2.7.
2023-05-31 16:15:24 +02:00