RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-26 14:42:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
haproxy public development tree
11,913 Commits 15 Branches 371 Tags 53 MiB
C 98.1%
Shell 0.9%
Makefile 0.5%
Python 0.2%
Lua 0.1%
f1dccedcf6
Go to file
Willy Tarreau f1dccedcf6 BUG/MEDIUM: http_ana: make the detection of NTLM variants safer 
In issue #511 a problem was reported regarding NTLM and undesired session
sharing. This was caused by an attempt to limit the protection against
NTLM breakage to just NTLM and not properly working schemes in commit
fd9b68c48 ("BUG/MINOR: only mark connections private if NTLM is detected").

Unfortunately as reported in the issue above, the extent of possible
challenges for NTLM is a bit more complex than just the "NTLM" or
"Negotiate" words. There's also "Nego2" and these words can be followed
by a base64 value, which is not validated here. The list of possible
entries doesn't seem to be officially documented but can be reconstructed
from different public documents:

  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/7daaf621-94d9-4942-a70a-532e81ba293e
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/5c1d2bbc-e1d6-458f-9def-dd258c181310
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/9201ed70-d245-41ce-accd-e609637583bf
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-n2ht/02be79f3-e360-475f-b468-b96c878c70c7

This patch tries to fix all this on top of previous attempts by making
as private any connection that returns a www-authenticate header starting
with "Nego" or "NTLM". We don't need to be too strict, we really just
want to leave the connection shared if really sure it can be.

This must be backported to 1.8 but will require some adaptations. In
1.9 and 2.0 the check appears both for legacy and HTX. The simplest
thing to do is to look for "Negotiate" and fix all relevant places.
2020-05-07 19:41:12 +02:00
.github CI: run weekly OpenSSL "no-deprecated" builds 2020-04-21 10:27:41 +02:00
contrib MINOR: contrib: make the peers wireshark dissector a plugin 2020-04-26 11:29:05 +02:00
doc DOC: Be more explicit about configurable check ok/error/timeout status 2020-05-07 07:40:18 +02:00
ebtree CLEANUP: assorted typo fixes in the code and comments 2020-04-16 10:04:36 +02:00
examples CLEANUP: removed obsolete examples an move a few to better places 2019-06-15 21:25:06 +02:00
include CLEANUP: checks: sort and rename tcpcheck_expect_type types 2020-05-06 12:38:44 +02:00
reg-tests REGTESTS: make the http-check-send test require version 2.2 2020-05-07 18:42:22 +02:00
scripts CLEANUP: assorted typo fixes in the code and comments 2020-04-17 09:37:36 +02:00
src BUG/MEDIUM: http_ana: make the detection of NTLM variants safer 2020-05-07 19:41:12 +02:00
tests CLEANUP: assorted typo fixes in the code and comments 2020-04-16 10:04:36 +02:00
.cirrus.yml CI: cirrus-ci: remove reg-tests/checks/tcp-check-ssl.vtc on CentOS 6 2020-04-28 09:08:10 +02:00
.gitignore DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
.travis.yml CI: travis-ci: upgrade openssl to 1.1.1f 2020-04-07 07:26:21 +02:00
BRANCHES DOC: assorted typo fixes in the documentation 2020-03-09 14:45:58 +01:00
CHANGELOG [RELEASE] Released version 2.2-dev7 2020-05-05 21:49:10 +02:00
CONTRIBUTING DOC: assorted typo fixes in the documentation and Makefile 2020-03-06 10:49:55 +01:00
INSTALL BUILD: Makefile: add linux-musl to TARGET 2020-04-16 15:17:13 +02:00
LICENSE
MAINTAINERS DOC: wurfl: added point of contact in MAINTAINERS file 2019-04-23 11:00:23 +02:00
Makefile BUILD: Makefile: add linux-musl to TARGET 2020-04-16 15:17:13 +02:00
README DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
ROADMAP DOC: update the outdated ROADMAP file 2019-06-15 21:59:54 +02:00
SUBVERS
VERDATE [RELEASE] Released version 2.2-dev7 2020-05-05 21:49:10 +02:00
VERSION [RELEASE] Released version 2.2-dev7 2020-05-05 21:49:10 +02:00

README 

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)