mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-02-01 19:13:36 +00:00
25bcdb1d95
As stated in issue #2565, checks on the request target during H1 message parsing are not good enough. Invalid paths, not starting by a slash are in fact parsed as authorities. The same error is repeated at the sample fetch level. This last point is annoying because routing rules may be fooled. It is also an issue when the URI or the Host header are updated. Because the error is repeated at different places, it must be fixed. We cannot be lax by arguing it is the server's job to accept or reject invalid request targets. With this patch, we strengthen the checks performed on the request target during H1 parsing. Idea is to reject invalid requests at this step to be sure it is safe to manipulate the path or the authority at other places. So now, the asterisk-form is only allowed for OPTIONS and OTHER methods. This last point was added to not reject the H2 preface. In addition, we take care to have only one asterisk and nothing more. For the CONNECT method, we take care to have a valid authority-form. All other form are rejected. The authority-form is now only supported for CONNECT method. No specific check is performed on the origin-form (except for the CONNECT method). For the absolute-form, we take care to have a scheme and a valid authority. These checks are not perfect but should be good enough to properly identify each part of the request target for a relative small cost. But, it is a breaking change. Some requests are now be rejected while they was not on older versions. However, nowadays, it is most probably not an issue. If it turns out it's really an issue for legitimate use-cases, an option would be to supports these kinds of requests when the "accept-invalid-http-request" option is set, with the consequence of seeing some sample fetches having an unexpected behavior. This patch should fix the issue #2665. It MUST NOT be backported. First because it is a breaking change. And then because by avoiding backporting it, it remains possible to relax the parsing with the "accept-invalid-http-request" option. |
||
|---|---|---|
| .. | ||
| balance | ||
| cache | ||
| checks | ||
| compression | ||
| connection | ||
| contrib | ||
| converter | ||
| filters | ||
| http-capture | ||
| http-cookies | ||
| http-errorfiles | ||
| http-messaging | ||
| http-rules | ||
| http-set-timeout | ||
| jwt | ||
| log | ||
| lua | ||
| mailers | ||
| mcli | ||
| peers | ||
| pki | ||
| sample_fetches | ||
| seamless-reload | ||
| server | ||
| spoe | ||
| ssl | ||
| startup | ||
| stats | ||
| stick-table | ||
| stickiness | ||
| stream | ||
| tcp-rules | ||
| webstats | ||
| README | ||
* Regression testing for HAProxy with VTest *
This little README file is about how to compile and run vtest test case files (VTC files)
to test HAProxy for any regression.
To do so, you will have to compile vtest program sources which depends on
Varnish cache application sources. vtest, formerly varnishtest, is a very useful
program which has been developed to test Varnish cache application. vtest has been
modified in collaboration with Varnish cache conceptor Poul-Henning Kamp to support
HAProxy in addition to Varnish cache.
See also: doc/regression-testing.txt
* vtest compilation *
$ git clone https://github.com/vtest/VTest
$ cd VTest
$ make vtest
Then vtest program may be found at the root directory of vtest sources directory.
The Varnish cache manuals are located in 'man' directory of Varnish cache sources
directory. You will have to have a look at varnishtest(7) and vtc(7) manuals to
use vtest.
Some information may also be found in doc/regression-testing.txt in HAProxy
sources.
Note that VTC files for Varnish cache may be found in bin/varnishtest/tests directory
of Varnish cache sources directory which may be found here:
https://github.com/varnishcache/varnish-cache
* vtest execution *
You must set HAPROXY_PROGRAM environment variable to give the location
of the HAProxy program to test to vtest:
$ HAPROXY_PROGRAM=<my haproxy program> vtest ...
The HAProxy VTC files found in HAProxy sources may be run with the reg-tests
Makefile target. You must set the VTEST_PROGRAM environment variable to
give the location of the vtest program which has been previously compiled.
$ VTEST_PROGRAM=<my vtest program> make reg-tests
"reg-tests" Makefile target run scripts/run-regtest.sh script.
To get more information about this script run it with --help option.
Note that vtest is run with -t10 and -l option. -l option is to keep
keep vtest temporary directory in case of failed test cases. core files
may be found in this directory (if enabled by ulimit).
* vtest patches for HAProxy VTC files *
When producing a patch to add a VTC regression testing file to reg-tests directory,
please follow these simple rules:
- If your VTC file needs others files, if possible, use the same basename as that
of the VTC file,
- Put these files in a directory with the same name as the code area concerned
by the bug ('peers', 'lua', 'acl' etc).
Please note that most tests use a common set of timeouts defined by the
environment variable HAPROXY_TEST_TIMEOUT. As much as possible, for regular I/O
(i.e. not errors), please try to reuse that setting so that the value may
easily be adjusted when running in some particularly slow environments, or be
shortened to fail faster on developers' machines.