haproxy public development tree
Christopher Faulet 9d9d645409 BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
If a client error is reported on the request channel (CF_READ_ERROR) while a
session is tarpitted, no error is returned to the client. Concretely,
http_reply_and_close() function is not called. This function is responsible to
forward the error to the client. But not only. It is also responsible to abort
the request. Because this function is not called when a read error is reported
on the request channel, and because the tarpit analyzer is the last one, there
is nothing preventing a connection attempt on a server while it is totally
unexpected.

So, a useless connection on a backend server may be performed because of this
bug. If an HTTP load-balancing algorithm is used on the backend side, it leads
to a crash of HAProxy because the request was already erased.

If you have tarpit rules and if you use an HTTP load-balancing algorithm on your
backends, you must apply this patch. Otherwise a simple TCP reset on a tarpitted
connection will most likely crash your HAProxy. A safe workaround is to use a
silent-drop rule or a deny rule instead of a tarpit.

This bug also affects the legacy code. It is in fact a very old hidden bug. But
the refactoring of process_stream() in the 1.9 makes it visible. And,
unfortunately, with the HTX, it is easier to hit it because much processing has
been moved in lower layers, in the muxes.

It must be backported as far as 1.9. For the 2.0 and the 1.9, the legacy HTTP
code must also be patched the same way. For older versions, it may be backported
but the bug seems to not impact them.

Thanks to Olivier D <webmaster@ajeux.com> for having reported the bug and provided
all the info to analyze it.
2020-02-21 11:18:08 +01:00
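
An added example, not part of the commit or of the HAProxy tree: a small Python audit for the combination the commit message warns about, tarpit rules together with an HTTP-based `balance` algorithm, which also prints the silent-drop workaround for each rule found. The set of algorithms treated as HTTP-based (`uri`, `url_param`, `hdr()`), the sample configuration and the function names are assumptions made for this illustration.

```python
import re

# Assumption: algorithms treated as "HTTP load-balancing" (they read the request).
HTTP_BALANCE = re.compile(r"^balance\s+(uri|url_param|hdr\()", re.I)
# "http-request tarpit" plus the legacy reqtarpit/reqitarpit keywords.
TARPIT = re.compile(r"^(http-request\s+tarpit|reqi?tarpit)\b", re.I)
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

# Constructed sample configuration (documentation-range addresses).
SAMPLE_CFG = """\
defaults
    mode http
    timeout tarpit 10s

frontend fe_web
    bind :80
    acl abuser src 198.51.100.0/24
    http-request tarpit if abuser
    default_backend be_app

backend be_app
    balance uri
    server s1 192.0.2.10:8080
"""

def audit(cfg_text):
    """Return (tarpit_rules, http_balanced, at_risk); rules are (line, section, text)."""
    section, tarpits, balanced = "?", [], []
    for n, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive comment strip, ignores quoting
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}".strip()
        elif TARPIT.match(line):
            tarpits.append((n, section, line))
        elif HTTP_BALANCE.match(line):
            balanced.append((n, section, line))
    return tarpits, balanced, bool(tarpits and balanced)

def suggest(rule):
    """Rewrite an 'http-request tarpit' rule as the silent-drop workaround."""
    return re.sub(r"\btarpit\b(\s+deny_status\s+\d+)?", "silent-drop", rule, count=1)

if __name__ == "__main__":
    tarpits, balanced, at_risk = audit(SAMPLE_CFG)
    print("at risk until patched:", at_risk)
    for n, section, line in tarpits:
        print(f"  line {n} [{section}]: {line}  ->  {suggest(line)}")
```

The check is deliberately coarse: it flags any configuration that contains both kinds of directive and does not follow `use_backend` or `default_backend` routing.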
.github BUILD: enable ERR=1 in github cygwin builds 2020-02-15 16:32:38 +01:00
contrib CONTRIB: debug: also support reading values from stdin 2020-02-06 18:30:07 +01:00
doc MINOR: http-ana: Match on the path if the monitor-uri starts by a / 2020-02-18 16:29:29 +01:00
ebtree BUILD: ebtree: make eb_is_empty() and eb_is_dup() take a const 2019-10-02 15:24:19 +02:00
examples CLEANUP: removed obsolete examples an move a few to better places 2019-06-15 21:25:06 +02:00
include MINOR: http-htx: Add a function to retrieve the headers size of an HTX message 2020-02-18 11:19:57 +01:00
reg-tests MINOR: http-ana: Match on the path if the monitor-uri starts by a / 2020-02-18 16:29:29 +01:00
scripts SCRIPTS: announce-release: use mutt -H instead of -i to include the draft 2020-02-15 15:24:28 +01:00
src BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered 2020-02-21 11:18:08 +01:00
tests TESTS: Add a stress-test for mt_lists. 2019-09-23 18:16:08 +02:00
.cirrus.yml BUILD: cirrus-ci: add ERR=1 to freebsd builds 2020-02-11 10:03:06 +01:00
.gitignore DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
.travis.yml BUILD: travis-ci: harden builds, add ERR=1 (warning ought to be errors) 2020-02-12 15:42:44 +01:00
BRANCHES DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
CHANGELOG [RELEASE] Released version 2.2-dev2 2020-02-07 04:12:19 +01:00
CONTRIBUTING DOC: improve the wording in CONTRIBUTING about how to document a bug fix 2019-07-26 15:46:21 +02:00
INSTALL MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs 2020-02-12 15:37:13 +01:00
LICENSE
MAINTAINERS
Makefile MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs 2020-02-12 15:37:13 +01:00
README DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
ROADMAP DOC: update the outdated ROADMAP file 2019-06-15 21:59:54 +02:00
SUBVERS
VERDATE [RELEASE] Released version 2.2-dev2 2020-02-07 04:12:19 +01:00
VERSION [RELEASE] Released version 2.2-dev2 2020-02-07 04:12:19 +01:00

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for:

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)