Commit Graph

11913 Commits

Author SHA1 Message Date
Willy Tarreau
f1dccedcf6 BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
In issue #511 a problem was reported regarding NTLM and undesired session
sharing. This was caused by an attempt to limit the protection against
NTLM breakage to just NTLM and not properly working schemes in commit
fd9b68c48 ("BUG/MINOR: only mark connections private if NTLM is detected").

Unfortunately as reported in the issue above, the extent of possible
challenges for NTLM is a bit more complex than just the "NTLM" or
"Negotiate" words. There's also "Nego2" and these words can be followed
by a base64 value, which is not validated here. The list of possible
entries doesn't seem to be officially documented but can be reconstructed
from different public documents:

  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/7daaf621-94d9-4942-a70a-532e81ba293e
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/5c1d2bbc-e1d6-458f-9def-dd258c181310
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/9201ed70-d245-41ce-accd-e609637583bf
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/02be79f3-e360-475f-b468-b96c878c70c7

This patch tries to fix all this on top of previous attempts by making
as private any connection that returns a www-authenticate header starting
with "Nego" or "NTLM". We don't need to be too strict, we really just
want to leave the connection shared if really sure it can be.

This must be backported to 1.8 but will require some adaptations. In
1.9 and 2.0 the check appears both for legacy and HTX. The simplest
thing to do is to look for "Negotiate" and fix all relevant places.
2020-05-07 19:41:12 +02:00
Willy Tarreau
49a1d28fcb BUG/MINOR: http-ana: fix NTLM response parsing again
Commit 9df188695f ("BUG/MEDIUM: http-ana: Handle NTLM messages correctly.")
tried to address an HTTP-reuse issue reported in github issue #511 by making
sure we properly detect extended NTLM responses, but made the match case-
sensitive while it's a token so it's case insensitive.

This should be backported to the same versions as the commit above.
2020-05-07 19:22:37 +02:00
Willy Tarreau
a0be8595c6 REGTESTS: make the http-check-send test require version 2.2
It causes failures when passing regtests on older releases.
2020-05-07 18:42:22 +02:00
Christopher Faulet
f82ea4ae4c BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
During use_backend and use-server post-parsing, if the log-format string used to
specify the backend or the server is just a single string, the log-format string
(a list, internally) is replaced by the string itself. Because the field is an
union, the list is not emptied according to the rules of art. The element, when
released, is not removed from the list. There is no bug, but it is clearly not
obvious and error prone.

This patch should fix #544. The fix for the use_backend post-parsing may be
backported to all stable releases. use-server is static in 2.1 and prior.
2020-05-07 15:59:35 +02:00
Adis Nezirovic
ad9f9ed3f4 BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
The issue can easily be reproduced with "stick on" statement

backend BE_NAME
    stick-table type ip size 1k
    stick on src

and calling dump() method on BE_NAME stick table from Lua

Before the fix, HAProxy would return 500 and log something like
the following:
  runtime error: attempt to index a string value from [C] method 'dump'

Where one would expect a Lua table like this:

{
    ["IP_ADDR"] = {
        ["server_id"] = 1,
        ["server_name"] = "srv1"
    }
}

This patch needs to backported to 1.9 and later releases.
2020-05-07 15:51:36 +02:00
Christopher Faulet
083eff3734 MINOR: checks: Make matching on HTTP headers for expect rules less obscure
A default statement in the switch testing the header name has been added to be
sure it is impossible to eval the value pattern on an uninitialized header
value. It should never happen of course. But this way, it is explicit.

And a comment has been added to make clear that ctx.value is always defined when
it is evaluated.

This patch fixes the issue #619.
2020-05-07 15:41:41 +02:00
Christopher Faulet
d888f0fc6e DOC: Be more explicit about configurable check ok/error/timeout status
It is possible to configure the check status on success, on error and on
timeout, for http-check and tcp-check expect rules. But the documentation relies
on internal names. These names are reported on the stats and are describe in the
management guide. But it is probably a good idea to be more explicit too in the
doc describing these options.
2020-05-07 07:40:18 +02:00
Christopher Faulet
574e7bd7f3 MINOR: checks: Support log-format string to set the body for HTTP send rules
For http-check send rules, it is now possible to use a log-format string to set
the request's body. the keyword "body-lf" should be used instead of "body". If the
string eval fails, no body is added.
2020-05-06 18:04:05 +02:00
Christopher Faulet
7c95f5f22b MINOR: checks: Support log-format string to set the URI for HTTP send rules
For http-check send rules, it is now possible to use a log-format string to set
the request URI. the keyword "uri-lf" should be used instead of "uri". If the
string eval fails, we fall back on the default uri "/".
2020-05-06 18:04:05 +02:00
William Lallemand
a655ba4a94 MINOR: mworker: replace ha_alert by ha_warning when exiting successfuly
Since commit bb86986 ("MINOR: init: report the haproxy version and
executable path once on errors") the master-worker displays its version
and path upon a successful exits of a current worker. Which is kind of
confusing upon a clean exits.

This is due to the fact that that commit displays this upon a ha_alert()
which was used during the exit of the process.

Replace the ha_alert() by an ha_warning() if the process exit correctly
and was supposed to.

It still displays the message upon a SIGINT since the workers are
catching the signal.
2020-05-06 17:27:03 +02:00
Christopher Faulet
8d38f0affd REGTEST: checks: Adapt SSL error message reported when connection is rejected
Depending on the SSL library version, the reported error may differ when the
connection is rejected during the handshake. An empty handshke may be detected
or just an generic handshake error. So tcp-check-ssl.vtc has been adapted to
support both error messages.
2020-05-06 12:45:11 +02:00
Christopher Faulet
f98e626491 MINOR: checks/sample: Remove unnecessary tests on the sample session
A sample must always have a session defined. Otherwise, it is a bug. So it is
unnecessary to test if it is defined when called from a health checks context.

This patch fixes the issue #616.
2020-05-06 12:44:46 +02:00
Christopher Faulet
b5594265d2 MINOR: checks: Simplify matching on HTTP headers in HTTP expect rules
Extra parameters on http-check expect rules, for the header matching method, to
use log-format string or to match full header line have been removed. There is
now separate matching methods to match a full header line or to match each
comma-separated values. "http-check expect fhdr" must be used in the first case,
and "http-check expect hdr" in the second one. In addition, to match log-format
header name or value, "-lf" suffix must be added to "name" or "value"
keyword. For intance:

   http-check expect hdr name "set-cookie" value-lf -m beg "sessid=%[var(check.cookie)]"

Thanks to this changes, each parameter may only be interpreted in one way.
2020-05-06 12:42:36 +02:00
Christopher Faulet
b50b3e6d0a MINOR: checks: Use dedicated actions to send log-format strings in send rules
Following actions have been added to send log-format strings from a tcp-check
ruleset instead the log-format parameter:

  * tcp-check send-lf <fmt>
  * tcp-check send-binary-lf <fmt>

It is easier for tools generating configurations. Each action may only be
interpreted in one way.
2020-05-06 12:41:57 +02:00
Christopher Faulet
67a234583e CLEANUP: checks: sort and rename tcpcheck_expect_type types
The same naming format is used for all expect rules. And names are sorted to be
grouped by type.
2020-05-06 12:38:44 +02:00
Christopher Faulet
e596d184be MEDIUM: checks: Remove dedicated sample fetches and use response ones instead
All sample fetches in the scope "check." have been removed. Response sample
fetches must be used instead. It avoids keyword duplication. So, for instance,
res.hdr() must be now used instead of check.hdr().

To do so, following sample fetches have been added on the response :

  * res.body, res.body_len and res.body_size
  * res.hdrs and res.hdrs_bin

Sample feches dealing with the response's body are only useful in the health
checks context. When called from a stream context, there is no warranty on the
body presence. There is no option to wait the response's body.
2020-05-06 12:37:43 +02:00
Christopher Faulet
af4dc4ccaa DOC: Fix req.body and co documentation to be accurate
Because the HTX is the only mode to represent HTTP data, "option
http-request-buffer" is no longer mandatory to have body data. Without this
option, there is no warranty on the body presence. So it is recommanded to use
it. But it is not a requirement. In addition, the note about chunked body is
removed because outdated.
2020-05-06 09:06:01 +02:00
Christopher Faulet
aaab0836d9 MEDIUM: checks: Add matching on log-format string for expect rules
It is now possible to use log-format string (or hexadecimal string for the
binary version) to match a content in tcp-check based expect rules. For
hexadecimal log-format string, the conversion in binary is performed after the
string evaluation, during health check execution. The pattern keywords to use
are "string-lf" for the log-format string and "binary-lf" for the hexadecimal
log-format string.
2020-05-06 08:31:29 +02:00
Christopher Faulet
0d6909b33b MINOR: checks: Improve report of unexpected errors for expect rules
TCP and HTTP expect rules may fail because of unexpected and internal
error. Mainly during log-format strings eval. The error report is improved by
this patch.
2020-05-06 07:49:38 +02:00
Willy Tarreau
fc0b8f39a6 [RELEASE] Released version 2.2-dev7
Released version 2.2-dev7 with the following main changes :
    - MINOR: version: Show uname output in display_version()
    - CI: run weekly OpenSSL "no-deprecated" builds
    - CLEANUP: log: fix comment of parse_logformat_string()
    - DOC: Improve documentation on http-request set-src
    - MINOR: ssl/cli: disallow SSL options for directory in 'add ssl crt-list'
    - MINOR: ssl/cli: restrain certificate path when inserting into a directory
    - MINOR: ssl: add ssl-skip-self-issued-ca global option
    - BUG/MINOR: ssl: default settings for ssl server options are not used
    - MINOR: config: add a global directive to set default SSL curves
    - BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
    - DOC: internals: update the SSL architecture schema
    - BUG/MINOR: tools: fix the i386 version of the div64_32 function
    - BUG/MINOR: mux-fcgi/trace: fix wrong set of trace flags in fcgi_strm_add_eom()
    - BUG/MINOR: http: make url_decode() optionally convert '+' to SP
    - DOC: option logasap does not depend on mode
    - MEDIUM: memory: make pool_gc() run under thread isolation
    - MINOR: contrib: make the peers wireshark dissector a plugin
    - BUG/MINOR: http-ana: Throw a 500 error if after-response ruleset fails on errors
    - BUG/MINOR: check: Update server address and port to execute an external check
    - MINOR: mini-clist: Add functions to iterate backward on a list
    - MINOR: checks: Add a way to send custom headers and payload during http chekcs
    - MINOR: server: respect warning and alert semantic
    - BUG/MINOR: checks: Respect the no-check-ssl option
    - BUG/MEDIUM: server/checks: Init server check during config validity check
    - CLEANUP: checks: Don't export anymore init_check and srv_check_healthcheck_port
    - BUG/MINOR: checks: chained expect will not properly wait for enough data
    - BUG/MINOR: checks: Forbid tcp-check lines in default section as documented
    - MINOR: checks: Use an enum to describe the tcp-check rule type
    - MINOR: checks: Simplify connection flag parsing in tcp-check connect
    - MEDIUM: checks: rewind to the first inverse expect rule of a chain on new data
    - MINOR: checks: simplify tcp expect config parser
    - MINOR: checks: add min-recv tcp-check expect option
    - MINOR: checks: add linger option to tcp connect
    - MINOR: checks: define a tcp expect type
    - MEDIUM: checks: rewrite tcp-check expect block
    - MINOR: checks: Stop xform buffers to null-terminated string for tcp-check rules
    - MINOR: checks: add rbinary expect match type
    - MINOR: checks: Simplify functions to get step id and comment
    - MEDIUM: checks: capture groups in expect regexes
    - MINOR: checks: Don't use a static tcp rule list head
    - MEDIUM: checks: Use a non-comment rule iterator to get next rule
    - MEDIUM: proxy/checks: Register a keyword to parse tcp-check rules
    - MINOR: checks: Set the tcp-check rule index during parsing
    - MINOR: checks: define tcp-check send type
    - MINOR: checks: define a tcp-check connect type
    - MEDIUM: checks: Add implicit tcp-check connect rule
    - MAJOR: checks: Refactor and simplify the tcp-check loop
    - MEDIUM: checks: Associate a session to each tcp-check healthcheck
    - MINOR: checks/vars: Add a check scope for variables
    - MEDIUM: checks: Parse custom action rules in tcp-checks
    - MINOR: checks: Add support to set-var and unset-var rules in tcp-checks
    - MINOR: checks: Add the sni option for tcp-check connect rules
    - MINOR: checks: Add the via-socks4 option for tcp-check connect rules
    - MINOR: checks: Add the alpn option for tcp-check connect rules
    - MINOR: ssl: Export a generic function to parse an alpn string
    - MINOR: checks: Add the default option for tcp-check connect rules
    - MINOR: checks: Add the addr option for tcp-check connect rule
    - MEDIUM: checks: Support expression to set the port
    - MEDIUM: checks: Support log-format strings for tcp-check send rules
    - MINOR: log: Don't depends on a stream to process samples in log-format string
    - MINOR: log: Don't systematically set LW_REQ when a sample expr is added
    - MEDIUM: checks: Add a shared list of tcp-check rules
    - MINOR: sample: add htonl converter
    - MINOR: sample: add cut_crlf converter
    - MINOR: sample: add ltrim converter
    - MINOR: sample: add rtrim converter
    - MINOR: checks: Use a name for the healthcheck status enum
    - MINOR: checks: Add option to tcp-check expect rules to customize error status
    - MINOR: checks: Merge tcp-check comment rules with the others at config parsing
    - MINOR: checks: Add a sample fetch to extract a block from the input check buffer
    - MEDIUM: checks: Add on-error/on-success option on tcp-check expect rules
    - MEDIUM: checks: Add status-code sample expression on tcp-check expect rules
    - MINOR: checks: Relax the default option for tcp-check connect rules
    - MEDIUM: checks: Add a list of vars to set before executing a tpc-check ruleset
    - MINOR: checks: Export the tcpcheck_eval_ret enum
    - MINOR: checks: Use dedicated function to handle onsuccess/onerror messages
    - MINOR: checks: Support custom functions to eval a tcp-check expect rules
    - MEDIUM: checks: Implement redis check using tcp-check rules
    - MEDIUM: checks: Implement ssl-hello check using tcp-check rules
    - MEDIUM: checks: Implement smtp check using tcp-check rules
    - MEDIUM: checks: Implement postgres check using tcp-check rules
    - MEDIUM: checks: Implement MySQL check using tcp-check rules
    - MEDIUM: checks: Implement LDAP check using tcp-check rules
    - MEDIUM: checks: Implement SPOP check using tcp-check rules
    - MINOR: server/checks: Move parsing of agent keywords in checks.c
    - MINOR: server/checks: Move parsing of server check keywords in checks.c
    - MEDIUM: checks: Implement agent check using tcp-check rules
    - REGTEST: Adapt regtests about checks to recent changes
    - MINOR: Produce tcp-check info message for pure tcp-check rules only
    - MINOR: checks: Add an option to set success status of tcp-check expect rules
    - MINOR: checks: Improve log message of tcp-checks on success
    - MINOR: proxy/checks: Move parsing of httpchk option in checks.c
    - MINOR: proxy/checks: Move parsing of tcp-check option in checks.c
    - MINOR: proxy/checks: Register a keyword to parse http-check rules
    - MINOR: proxy/checks: Move parsing of external-check option in checks.c
    - MINOR: proxy/checks: Register a keyword to parse external-check rules
    - MEDIUM: checks: Use a shared ruleset to store tcp-check rules
    - MINOR: checks: Use an indirect string to represent the expect matching string
    - MINOR: checks: Introduce flags to configure in tcp-check expect rules
    - MINOR: standard: Add my_memspn and my_memcspn
    - MINOR: checks: Add a reverse non-comment rule iterator to get last rule
    - MAJOR: checks: Implement HTTP check using tcp-check rules
    - MINOR: checks: Make resume conditions more explicit in tcpcheck_main()
    - MINOR: connection: Add macros to know if a conn or a cs uses an HTX mux
    - MEDIUM: checks: Refactor how data are received in tcpcheck_main()
    - MINOR: checks/obj_type: Add a new object type for checks
    - BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
    - MINOR: checks: Use the check as origin when a session is created
    - MINOR: checks: Add a mux proto to health-check and tcp-check connect rule
    - MINOR: connection: Add a function to install a mux for a health-check
    - MAJOR: checks: Use the best mux depending on the protocol for health checks
    - MEDIUM: checks: Implement default TCP check using tcp-check rules
    - MINOR: checks: Remove unused code about pure TCP checks
    - CLEANUP: checks: Reorg checks.c file to be more readable
    - REGTEST: Fix reg-tests about health-checks to adapt them to recent changes
    - MINOR: ist: Add a function to retrieve the ist pointer
    - MINOR: checks: Use ist API as far as possible
    - BUG/MEDIUM: checks: Be sure to subscribe for sends if outgoing data remains
    - MINOR: checks: Use a tree instead of a list to store tcp-check rulesets
    - BUG/MINOR: checks: Send the right amount of outgoing data for HTTP checks
    - REGTEST: Add scripts to test based tcp-check health-checks
    - Revert "MEDIUM: checks: capture groups in expect regexes"
    - DOC: Add documentation about comments for tcp-check and http-check directives
    - DOC: Fix the tcp-check and http-check directives layout
    - BUG/MEDIUM: checks: Use the mux protocol specified on the server line
    - MINOR: checks: Support mux protocol definition for tcp and http health checks
    - BUG/MINOR: mux-fcgi: Be sure to have a connection as session's origin to use it
    - MINOR: checks: Support list of status codes on http-check expect rules
    - BUG/MEDIUM: checks: Unsubscribe to mux events when a conn-stream is destroyed
    - REGTEST: Add a script to validate agent checks
    - BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
    - BUG/MEDIUM: checks: unsubscribe for events on the old conn-stream on connect
    - BUG/MINOR: checks: Only use ssl_sock_is_ssl() if compiled with SSL support
    - BUG/MINOR: checks/server: use_ssl member must be signed
    - BUG/MEDIUM: sessions: Always pass the mux context as argument to destroy a mux
    - BUG/MEDIUM: checks: Destroy the conn-stream before the session
    - BUG/MINOR: checks: Fix PostgreSQL regex on the authentication packet
    - CI: cirrus-ci: remove reg-tests/checks/tcp-check-ssl.vtc on CentOS 6
    - MINOR: checks: Support HTTP/2 version (without '.0') for http-check send rules
    - MINOR: checks: Use ver keyword to specify the HTTP version for http checks
    - BUG/MINOR: checks: Remove wrong variable redeclaration
    - BUG/MINOR: checks: Properly handle truncated mysql server messages
    - CLEANUP: checks: Remove unused code when ldap server message is parsed
    - MINOR: checks: Make the use of the check's server more explicit on connect
    - BUG/MINOR: checks: Avoid incompatible cast when a binary string is parsed
    - BUG/MINOR: checks: Remove bad call to free() when an expect rule is parsed
    - BUG/MINOR: checks: Don't lose warning on proxy capability
    - MINOR: log: Add "Tu" timer
    - BUG/MINOR: checks: Set the output buffer length before calling parse_binary()
    - BUG/MEDIUM: mux-h1: make sure we always have a timeout on front connections
    - REGTEST: ssl: test the client certificate authentication
    - DOC: give a more accurate description of what check does
    - BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
    - BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
    - BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam
    - BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam
    - CLEANUP: http: add a few comments on certain functions' assumptions about streams
    - BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
    - MINOR: http-htx: Export functions to update message authority and host
    - MINOR: checks: Don't support multiple host header for http-check send rule
    - MINOR: checks: Skip some headers for http-check send rules
    - MINOR: checks: Keep the Host header and the request uri synchronized
    - CLEANUP: checks: Fix checks includes
    - DOC: Fix send rules in the http-check connect example
    - DOC: Add more info about request formatting in http-check send description
    - REGTEST: http-rules: Require PCRE or PCRE2 option to run map_redirect script
    - REGTEST: ssl: remove curl from the "add ssl crt-list" test
    - REGTEST: ssl: improve the "set ssl cert" test
    - CLEANUP: ssl: silence a build warning when threads are disabled
    - BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
    - MINOR: threads: export the POSIX thread ID in panic dumps
    - BUG/MINOR: debug: properly use long long instead of long for the thread ID
    - BUG/MEDIUM: shctx: really check the lock's value while waiting
    - BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
    - MINOR: stream: report the list of active filters on stream crashes
    - BUG/MEDIUM: mux-fcgi: Return from detach if server don't keep the connection
    - BUG/MEDIUM: mux_fcgi: Free the FCGI connection at the end of fcgi_release()
    - BUG/MEDIUM: mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach()
    - BUG/MEDIUM: connections: force connections cleanup on server changes
    - BUG/MEDIUM: h1: Don't compare host and authority if only h1 headers are parsed
    - BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
    - CLEANUP: connections: align function declaration
    - BUG/MINOR: sample: Set the correct type when a binary is converted to a string
    - MEDIUM: checks/http-fetch: Support htx prefetch from a check for HTTP samples
    - DOC: Document the log-format parameter for tcp-check send/send-binary rules
    - MINOR: checks: Add support of payload-based sample fetches
    - MINOR: checks: Add support of be_id, be_name, srv_id and srv_name sample fetches
    - MINOR: checks: Add support of server side ssl sample fetches
    - MINOR: checks: Add support of HTTP response sample fetches
    - MINOR: http-htx: Support different methods to look for header names
    - MINOR: checks: Set by default expect rule status to UNKNOWN during parsing
    - BUG/MINOR: checks: Support multiple HTTP expect rules
    - REGTEST: checks: Fix sync condition for agent-check
    - MEDIUM: checks: Support matching on headers for http-check expect rules
    - MINOR: lua: allow changing port with set_addr
    - BUG/MINOR: da: Fix HTX message prefetch
    - BUG/MINOR: wurfl: Fix HTX message prefetch
    - BUG/MINOR: 51d: Fix HTX message prefetch
    - MINOR: ist: add istadv() function
    - MINOR: ist: add istissame() function
    - MINOR: istbuf: add ist2buf() function
    - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
    - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
    - DOC: update intro.txt for 2.2
    - DOC: intro: add a contacts section
2020-05-05 21:49:10 +02:00
Willy Tarreau
6562623f41 DOC: intro: add a contacts section
This indicates where to find help and where to report bugs.
2020-05-05 18:08:07 +02:00
Willy Tarreau
ec8962cb5a DOC: update intro.txt for 2.2
A number of things have changed since last update, for example caching
and fastcgi were not mentioned.
2020-05-05 17:39:16 +02:00
Willy Tarreau
a4d9ee3d1c BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
Just like in previous patch, it happens that HA_ATOMIC_UPDATE_MIN() and
HA_ATOMIC_UPDATE_MAX() would evaluate the (val) argument up to 3 times.
However this time it affects both thread and non-thread versions. It's
strange because the copy was properly performed for the (new) argument
in order to avoid this. Anyway it was done for the "val" one as well.

A quick code inspection showed that this currently has no effect as
these macros are fairly limited in usage.

It would be best to backport this for long-term stability (till 1.8)
but it will not fix an existing bug.
2020-05-05 16:18:52 +02:00
Willy Tarreau
d66345d6b0 BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
When threads are disabled, HA_ATOMIC_CAS() becomes a simple compound
expression. However this expression presents a problem, which is that
its arguments are evaluated multiple times, once for the comparison
and once again for the assignement. This presents a risk of performing
some side-effect operations twice in the non-threaded case (e.g. in
case of auto-increment or function return).

The macro was rewritten using local copies for arguments like the
other macros do.

Fortunately a complete inspection of the code indicates that this case
currently never happens. It was however responsible for the strict-aliasing
warning emitted when building fd.c without threads but with 64-bit CAS.

This may be backported as far as 1.8 though it will not fix any existing
bug and is more of a long-term safety measure in case a future fix would
depend on this behavior.
2020-05-05 16:05:45 +02:00
Baptiste Assmann
0e9d87bf06 MINOR: istbuf: add ist2buf() function
Purpose of this function is to build a <struct buffer> from a <struct
ist>.
2020-05-05 15:28:59 +02:00
Baptiste Assmann
de80201460 MINOR: ist: add istissame() function
The istissame() function takes 2 ist and compare their <.ptr> and <.len>
values respectively. It returns non-zero if they are the same.
2020-05-05 15:28:59 +02:00
Baptiste Assmann
9ef1967af7 MINOR: ist: add istadv() function
The purpose of istadv() function is to move forward <.ptr> by <nb>
characters. It is very useful when parsing a payload.
2020-05-05 15:28:59 +02:00
Christopher Faulet
f11b1fb87f BUG/MINOR: 51d: Fix HTX message prefetch
An additional argument has been added to smp_prefetch_htx() function in the
commit 778f5ed47 ("MEDIUM: checks/http-fetch: Support htx prefetch from a check
for HTTP samples"). But forgot to update call in 51d module.

No need to backport.
2020-05-05 11:53:43 +02:00
Christopher Faulet
b565e72dfb BUG/MINOR: wurfl: Fix HTX message prefetch
An additional argument has been added to smp_prefetch_htx() function in the
commit 778f5ed47 ("MEDIUM: checks/http-fetch: Support htx prefetch from a check
for HTTP samples"). But forgot to update call in wurfl module.

No need to backport.
2020-05-05 11:52:13 +02:00
Christopher Faulet
d1185cc496 BUG/MINOR: da: Fix HTX message prefetch
An additional argument has been added to smp_prefetch_htx() function in the
commit 778f5ed47 ("MEDIUM: checks/http-fetch: Support htx prefetch from a check
for HTTP samples"). But forgot to update call in da module.

No need to backport.
2020-05-05 11:50:14 +02:00
Joseph C. Sible
49bbf528e4 MINOR: lua: allow changing port with set_addr
Add an optional port parameter, which can be either a number or a
string (to support '+' and '-' for port mapping).

This fixes issue #586.
2020-05-05 11:24:39 +02:00
Christopher Faulet
3970819a55 MEDIUM: checks: Support matching on headers for http-check expect rules
It is now possible to add http-check expect rules matching HTTP header names and
values. Here is the format of these rules:

  http-check expect header name [ -m <meth> ] <name> [log-format] \
                           [ value [ -m <meth> ] <value> [log-format] [full] ]

the name pattern (name ...) is mandatory but the value pattern (value ...) is
optionnal. If not specified, only the header presence is verified. <meth> is the
matching method, applied on the header name or the header value. Supported
matching methods are:

  * "str" (exact match)
  * "beg" (prefix match)
  * "end" (suffix match)
  * "sub" (substring match)
  * "reg" (regex match)

If not specified, exact matching method is used. If the "log-format" option is
used, the pattern (<name> or <value>) is evaluated as a log-format string. This
option cannot be used with the regex matching method. Finally, by default, the
header value is considered as comma-separated list. Each part may be tested. The
"full" option may be used to test the full header line. Note that matchings are
case insensitive on the header names.
2020-05-05 11:19:27 +02:00
Christopher Faulet
cb436f0c29 REGTEST: checks: Fix sync condition for agent-check
agent-check.vtc script fails time to time because the 2nd cli command is sent to
early. Waiting for the connection close in the s1 server should be enough to be
sure the server state is updated.
2020-05-05 11:07:00 +02:00
Christopher Faulet
1a200d6bd5 BUG/MINOR: checks: Support multiple HTTP expect rules
For an http-check ruleset, it should be allowed to set a chain of expect
rules. But an error is triggered during the post-parsing because of a wrong
test, inherited from the evaluation mode before the refactoring.

No need to backport.
2020-05-05 11:07:00 +02:00
Christopher Faulet
1941bab52c MINOR: checks: Set by default expect rule status to UNKNOWN during parsing
The status (ok, error and timeout) of an TCP or HTTP expect rule are set to
HCHK_STATUS_UNKNOWN by default, when not specified, during the configuration
parsing. This does not change the default status used for a terminal expect rule
(ok=L7OK, err=L7RSP and tout=L7TOUT). But this way, it is possible to know if a
specific status was forced by config or not.
2020-05-05 11:07:00 +02:00
Christopher Faulet
8dd33e13a5 MINOR: http-htx: Support different methods to look for header names
It is now possible to use different matching methods to look for header names in
an HTTP message:

 * The exact match. It is the default method. http_find_header() uses this
   method. http_find_str_header() is an alias.

 * The prefix match. It evals the header names starting by a prefix.
   http_find_pfx_header() must be called to use this method.

 * The suffix match. It evals the header names ending by a suffix.
   http_find_sfx_header() must be called to use this method.

 * The substring match. It evals the header names containing a string.
   http_find_sub_header() must be called to use this method.

 * The regex match. It evals the header names matching a regular expression.
   http_match_header() must be called to use this method.
2020-05-05 11:07:00 +02:00
Christopher Faulet
16032ab44a MINOR: checks: Add support of HTTP response sample fetches
HTPP sample fetches acting on the response can now be called from any sample
expression or log-format string in a tcp-check based ruleset. To avoid any
ambiguities, all these sample fetches are in the check scope, for instance
check.hdr() or check.cook().
2020-05-05 11:06:43 +02:00
Christopher Faulet
d92ea7f5e7 MINOR: checks: Add support of server side ssl sample fetches
SSL sample fetches acting on the server connection can now be called from any
sample expression or log-format string in a tcp-check based ruleset. ssl_bc and
ssl_bc_* sample fetches are concerned.
2020-05-05 11:06:43 +02:00
Christopher Faulet
d1b4464b69 MINOR: checks: Add support of be_id, be_name, srv_id and srv_name sample fetches
It is now possible to call be_id, be_name, srv_id and srv_name sample fetches
from any sample expression or log-format string in a tcp-check based ruleset.
2020-05-05 11:06:43 +02:00
Christopher Faulet
78f371e498 MINOR: checks: Add support of payload-based sample fetches
It is now possible to call check.payload(), check.payload_lv() and check.len()
sample fetches from any sample expression or log-format string in a tcp-check
based ruleset. In fact, check.payload() was already added. But instead of having
a specific function to handle this sample fetch, we use the same than
req.payload().

These sample fetches act on the check input buffer, containing data received for
the server. So it should be part of or after an expect rule, but before any send
rule. Because the input buffer is cleared at this stage.
2020-05-05 11:06:43 +02:00
Christopher Faulet
16fff67e2e DOC: Document the log-format parameter for tcp-check send/send-binary rules
The documentation was not updated when the parameter was added.
2020-05-05 11:06:43 +02:00
Christopher Faulet
778f5ed478 MEDIUM: checks/http-fetch: Support htx prefetch from a check for HTTP samples
Some HTTP sample fetches will be accessible from the context of a http-check
health check. Thus, the prefetch function responsible to return the HTX message
has been update to handle a check, in addition to a channel. Both cannot be used
at the same time. So there is no ambiguity.
2020-05-05 11:06:43 +02:00
Christopher Faulet
472ad51ede BUG/MINOR: sample: Set the correct type when a binary is converted to a string
A binary sample data can be converted, implicitly or not, to a string by cutting
the buffer on the first null byte.

I guess this patch should be backported to all stable versions.
2020-05-05 11:06:43 +02:00
William Dauchy
707ad328ef CLEANUP: connections: align function declaration
srv_cleanup_connections() is supposed to be static, so mark it as so.
This patch should be backported where commit 6318d33ce6
("BUG/MEDIUM: connections: force connections cleanup on server changes")
will be backported, that is to say v1.9 to v2.1.

Fixes: 6318d33ce6 ("BUG/MEDIUM: connections: force connections cleanup
on server changes")
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2020-05-04 19:26:19 +02:00
Dragan Dosen
f35d69e7fc BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
After we call SSL_SESSION_get_id(), the length of the id in bytes is
stored in "len", which was never checked. This could cause unexpected
behavior when using the "ssl_fc_session_id" or "ssl_bc_session_id"
fetchers (eg. the result can be an empty value).

The issue was introduced with commit 105599c ("BUG/MEDIUM: ssl: fix
several bad pointer aliases in a few sample fetch functions").

This patch must be backported to 2.1, 2.0, and 1.9.
2020-05-04 13:51:24 +02:00
Christopher Faulet
7032a3fd0a BUG/MEDIUM: h1: Don't compare host and authority if only h1 headers are parsed
When only request headers are parsed, the host header should not be compared to
the request authority because no start-line was parsed. Thus there is no
authority.

Till now this bug was hidden because this parsing mode was only used for the
response in the FCGI multiplexer. Since the HTTP checks refactoring, the request
headers may now also be parsed without the start-line.

This patch fixes the issue #610. It must be backported to 2.1.
2020-05-04 09:27:01 +02:00
William Dauchy
6318d33ce6 BUG/MEDIUM: connections: force connections cleanup on server changes
I've been trying to understand a change of behaviour between v2.2dev5 and
v2.2dev6. Indeed our probe is regularly testing to add and remove
servers on a given backend such as:

 # echo "show servers state be_foo" | sudo socat stdio /var/lib/haproxy/stats
 113 be_foo 1 srv0 10.236.139.34 2 0 1 1 263 15 3 4 6 0 0 0 - 31255 -
 113 be_foo 2 srv1 0.0.0.0 0 1 256 256 0 15 3 0 14 0 0 0 - 0 -

 -> curl on the corresponding frontend: reply from server:31255

 # echo "set server be_foo/srv1 addr 10.236.139.34 port 31257" | sudo socat stdio /var/lib/haproxy/stats
 IP changed from '0.0.0.0' to '10.236.139.34', port changed from '0' to '31257' by 'stats socket command'
 # echo "set server be_foo/srv1 weight 256" | sudo socat stdio /var/lib/haproxy/stats
 # echo "set server be_foo/srv1 check-port 8500" | sudo socat stdio /var/lib/haproxy/stats
 health check port updated.
 # echo "set server be_foo/srv1 state ready" | sudo socat stdio /var/lib/haproxy/stats
 # echo "show servers state be_foo" | sudo socat stdio /var/lib/haproxy/stats
 113 be_foo 1 srv0 10.236.139.34 2 0 1 1 105 15 3 4 6 0 0 0 - 31255 -
 113 be_foo 2 srv1 10.236.139.34 2 0 256 256 2319 15 3 2 6 0 0 0 - 31257 -

 -> curl on the corresponding frontend: reply for server:31257
 (notice the difference of weight)

 # echo "set server be_foo/srv1 state maint" | sudo socat stdio /var/lib/haproxy/stats
 # echo "set server be_foo/srv1 addr 0.0.0.0 port 0" | sudo socat stdio /var/lib/haproxy/stats
 IP changed from '10.236.139.34' to '0.0.0.0', port changed from '31257' to '0' by 'stats socket command'
 # echo "show servers state be_foo" | sudo socat stdio /var/lib/haproxy/stats
 113 be_foo 1 srv0 10.236.139.34 2 0 1 1 263 15 3 4 6 0 0 0 - 31255 -
 113 be_foo 2 srv1 0.0.0.0 0 1 256 256 0 15 3 0 14 0 0 0 - 0 -

 -> curl on the corresponding frontend: reply from server:31255

 # echo "set server be_foo/srv1 addr 10.236.139.34 port 31256" | sudo socat stdio /var/lib/haproxy/stats
 IP changed from '0.0.0.0' to '10.236.139.34', port changed from '0' to '31256' by 'stats socket command'
 # echo "set server be_foo/srv1 weight 256" | sudo socat stdio /var/lib/haproxy/stats
 # echo "set server be_foo/srv1 check-port 8500" | sudo socat stdio /var/lib/haproxy/stats
 health check port updated.
 # echo "set server be_foo/srv1 state ready" | sudo socat stdio /var/lib/haproxy/stats
 # echo "show servers state be_foo" | sudo socat stdio /var/lib/haproxy/stats
 113 be_foo 1 srv0 10.236.139.34 2 0 1 1 105 15 3 4 6 0 0 0 - 31255 -
 113 be_foo 2 srv1 10.236.139.34 2 0 256 256 2319 15 3 2 6 0 0 0 - 31256 -

 -> curl on the corresponding frontend: reply from server:31257 (!)

Here we indeed would expect to get an anver from server:31256. The issue
is highly linked to the usage of `pool-purge-delay`, with a value which
is higher than the duration of the test, 10s in our case.

a git bisect between dev5 and dev6 seems to show commit
079cb9af22 ("MEDIUM: connections: Revamp the way idle connections are killed")
being the origin of this new behaviour.

So if I understand the later correctly, it seems that it was more a
matter of chance that we did not saw the issue earlier.

My patch proposes to force clean idle connections in the two following
cases:
- we set a (still running) server to maintenance
- we change the ip/port of a server

This commit should be backported to 2.1, 2.0, and 1.9.

Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2020-05-02 22:24:36 +02:00
Christopher Faulet
9bcd973a81 BUG/MEDIUM: mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach()
When a stream is detached from its connection, we try to move the connection in
an idle list to keep it opened, the session one or the server one. But it must
only be done if there is no connection error and if we want to keep it
open. This last statement is true if FCGI_CF_KEEP_CONN flag is set. But the test
is inverted at the stage.

This patch must be backported to 2.1.
2020-05-02 09:37:03 +02:00
Christopher Faulet
8694f25040 BUG/MEDIUM: mux_fcgi: Free the FCGI connection at the end of fcgi_release()
fcgi_release() function is responsible to release a FCGI connection. But the
release of the connection itself is missing.

This patch must be backported to 2.1.
2020-05-02 09:37:03 +02:00
Christopher Faulet
66cd57ef5a BUG/MEDIUM: mux-fcgi: Return from detach if server don't keep the connection
When the last stream is detached from a FCGI connection, if the server don't add
the connection in its idle list, the connection is destroyed. Thus it is
important to exist immediately from the detach function. A return statement is
missing here.

This bug was introduced in the commit 2444aa5b6 ("MEDIUM: sessions: Don't be
responsible for connections anymore.").

It is a 2.2-dev bug. No need to backport.
2020-05-02 09:37:03 +02:00