upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-11 23:03:06 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
haproxy/src/cfgparse.c

4899 lines
153 KiB
C
Raw Permalink Normal View History

[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
* Configuration parser
*
[REORG] http: move the http-request rules to proto_http And also rename "req_acl_rule" "http_req_rule". At the beginning that was a bit confusing to me, especially the "req_acl" list which in fact holds what we call rules. After some digging, it appeared that some part of the code is 100% HTTP and not just related to authentication anymore, so let's move that part to HTTP and keep the auth-only code in auth.c.
2011-01-06 11:51:27 -05:00
* Copyright 2000-2011 Willy Tarreau <w@1wt.eu>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h _GNU_SOURCE used to be defined only when USE_LIBCRYPT was set. It's also needed for sched_setaffinity() to be exported. As a side effect, when USE_LIBCRYPT is not set, a warning is emitted, as Ilya found and reported in issue #1815. Let's just define _GNU_SOURCE regardless of USE_LIBCRYPT, and also explicitly add sched.h, as right now it appears to be inherited from one of the other includes. This should be backported to 2.4.
2022-08-07 10:55:07 -04:00
/* This is to have crypt() and sched_setaffinity() defined on Linux */
BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2014-08-29 14:20:02 -04:00
#define _GNU_SOURCE
BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h _GNU_SOURCE used to be defined only when USE_LIBCRYPT was set. It's also needed for sched_setaffinity() to be exported. As a side effect, when USE_LIBCRYPT is not set, a warning is emitted, as Ilya found and reported in issue #1815. Let's just define _GNU_SOURCE regardless of USE_LIBCRYPT, and also explicitly add sched.h, as right now it appears to be inherited from one of the other includes. This should be backported to 2.4.
2022-08-07 10:55:07 -04:00
#ifdef USE_LIBCRYPT
CLEANUP: build: rename some build macros to use the USE_* ones We still have quite a number of build macros which are mapped 1:1 to a USE_something setting in the makefile but which have a different name. This patch cleans this up by renaming them to use the USE_something one, allowing to clean up the makefile and make it more obvious when reading the code what build option needs to be added. The following renames were done : ENABLE_POLL -> USE_POLL ENABLE_EPOLL -> USE_EPOLL ENABLE_KQUEUE -> USE_KQUEUE ENABLE_EVPORTS -> USE_EVPORTS TPROXY -> USE_TPROXY NETFILTER -> USE_NETFILTER NEED_CRYPT_H -> USE_CRYPT_H CONFIG_HAP_CRYPT -> USE_LIBCRYPT CONFIG_HAP_NS -> DUSE_NS CONFIG_HAP_LINUX_SPLICE -> USE_LINUX_SPLICE CONFIG_HAP_LINUX_TPROXY -> USE_LINUX_TPROXY CONFIG_HAP_LINUX_VSYSCALL -> USE_LINUX_VSYSCALL
2019-05-22 13:24:06 -04:00
#ifdef USE_CRYPT_H
BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2014-08-29 14:20:02 -04:00
/* some platforms such as Solaris need this */
#include <crypt.h>
#endif
CLEANUP: build: rename some build macros to use the USE_* ones We still have quite a number of build macros which are mapped 1:1 to a USE_something setting in the makefile but which have a different name. This patch cleans this up by renaming them to use the USE_something one, allowing to clean up the makefile and make it more obvious when reading the code what build option needs to be added. The following renames were done : ENABLE_POLL -> USE_POLL ENABLE_EPOLL -> USE_EPOLL ENABLE_KQUEUE -> USE_KQUEUE ENABLE_EVPORTS -> USE_EVPORTS TPROXY -> USE_TPROXY NETFILTER -> USE_NETFILTER NEED_CRYPT_H -> USE_CRYPT_H CONFIG_HAP_CRYPT -> USE_LIBCRYPT CONFIG_HAP_NS -> DUSE_NS CONFIG_HAP_LINUX_SPLICE -> USE_LINUX_SPLICE CONFIG_HAP_LINUX_TPROXY -> USE_LINUX_TPROXY CONFIG_HAP_LINUX_VSYSCALL -> USE_LINUX_VSYSCALL
2019-05-22 13:24:06 -04:00
#endif /* USE_LIBCRYPT */
BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2014-08-29 14:20:02 -04:00
MEDIUM: cfgparse: detect numa and set affinity if needed On process startup, the CPU topology of the machine is inspected. If a multi-socket CPU machine is detected, automatically define the process affinity on the first node with active cpus. This is done to prevent an impact on the overall performance of the process in case the topology of the machine is unknown to the user. This step is not executed in the following condition : - a non-null nbthread statement is present - a restrictive 'cpu-map' statement is present - the process affinity is already restricted, for example via a taskset call For the record, benchmarks were executed on a machine with 2 CPUs Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz. In both clear and ssl scenario, the performance were sub-optimal without the automatic rebinding on a single node.
2021-03-26 13:20:47 -04:00
#include <dirent.h>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
[MEDIUM] add user/groupname support Patch from Marcus Rueckert for 1.2.17 : "I added the attached patch to haproxy. I don't have a static uid/gid for haproxy so i need to specify the username/groupname to run it as non root user."
2007-03-25 09:39:23 -04:00
#include <pwd.h>
#include <grp.h>
[BUILD] cfgparse requires errno.h on OpenBSD.
2007-03-25 18:18:40 -04:00
#include <errno.h>
BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h _GNU_SOURCE used to be defined only when USE_LIBCRYPT was set. It's also needed for sched_setaffinity() to be exported. As a side effect, when USE_LIBCRYPT is not set, a warning is emitted, as Ilya found and reported in issue #1815. Let's just define _GNU_SOURCE regardless of USE_LIBCRYPT, and also explicitly add sched.h, as right now it appears to be inherited from one of the other includes. This should be backported to 2.4.
2022-08-07 10:55:07 -04:00
#ifdef USE_CPU_AFFINITY
#include <sched.h>
#endif
[MEDIUM] errorfile: use a local file to feed error messages It is now possible to read error messages from local files, using the 'errorfile' keyword. Those files are read during parsing, so there's no I/O involved. They make it possible to return custom error messages with custom status and headers.
2007-06-10 18:29:26 -04:00
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
REORG: include: move acl.h to haproxy/acl.h{,-t}.h The files were moved almost as-is, just dropping arg-t and auth-t from acl-t but keeping arg-t in acl.h. It was useful to revisit the call places since a handful of files used to continue to include acl.h while they did not need it at all. Struct stream was only made a forward declaration since not otherwise needed.
2020-06-04 13:11:43 -04:00
#include <haproxy/acl.h>
MINOR: action: Use a generic function to check validity of an action rule list The check_action_rules() function is now used to check the validity of an action rule list. It is used from check_config_validity() function to check L5/6/7 rulesets.
2021-03-25 12:19:04 -04:00
#include <haproxy/action.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/api.h>
MINOR: config: make cfg_eval_condition() support predicates with arguments Now we can look up a list of known predicates and pre-parse their arguments. For now the list is empty. The code needed to be arranged with a common exit point to release all arguments because there's no default argument freeing function (it likely only used to exist in the deinit code). Since we only support simple arguments for now it's no big deal, only a 2-liner loop.
2021-05-06 09:49:04 -04:00
#include <haproxy/arg.h>
REORG: include: move auth.h to haproxy/auth{,-t}.h The STATS_DEFAULT_REALM and STATS_DEFAULT_URI were moved to defaults.h. It was required to include types/pattern.h and types/sample.h since they are mentioned in function prototypes. It would be wise to merge this with uri_auth.h later.
2020-06-04 04:36:03 -04:00
#include <haproxy/auth.h>
REORG: include: move backend.h to haproxy/backend{,-t}.h The files remained mostly unchanged since they were OK. However, half of the users didn't need to include them, and about as many actually needed to have it and used to find functions like srv_currently_usable() through a long chain that broke when moving the file.
2020-06-04 16:50:02 -04:00
#include <haproxy/backend.h>
REORG: include: move capture.h to haproxy/capture{,-t}.h The file was split into two since it contains a variable declaration.
2020-06-04 05:18:28 -04:00
#include <haproxy/capture.h>
REORG: config: move the condition preprocessing code to its own file The .if/.else/.endif and condition evaluation code is quite dirty and was dumped into cfgparse.c because it was easy. But it should be tidied quite a bit as it will need to evolve. Let's move all that to cfgcond.{c,h}.
2021-07-16 09:39:28 -04:00
#include <haproxy/cfgcond.h>
REORG: include: move cfgparse.h to haproxy/cfgparse.h There's no point splitting the file in two since only cfgparse uses the types defined there. A few call places were updated and cleaned up. All of them were in C files which register keywords. There is nothing left in common/ now so this directory must not be used anymore.
2020-06-04 18:00:29 -04:00
#include <haproxy/cfgparse.h>
REORG: include: move channel.h to haproxy/channel{,-t}.h The files were moved with no change. The callers were cleaned up a bit and a few of them had channel.h removed since not needed.
2020-06-04 15:07:02 -04:00
#include <haproxy/channel.h>
REORG: include: move checks.h to haproxy/check{,-t}.h All includes that were not absolutely necessary were removed because checks.h happens to very often be part of dependency loops. A warning was added about this in check-t.h. The fields, enums and structs were a bit tidied because it's particularly tedious to find anything there. It would make sense to split this in two or more files (at least extract tcp-checks). The file was renamed to the singular because it was one of the rare exceptions to have an "s" appended to its name compared to the struct name.
2020-06-04 12:21:56 -04:00
#include <haproxy/check.h>
REORG: include: move common/chunk.h to haproxy/chunk.h No change was necessary, it was already properly split.
2020-06-02 04:22:45 -04:00
#include <haproxy/chunk.h>
REORG: time: move time-keeping code and variables to clock.c There is currently a problem related to time keeping. We're mixing the functions to perform calculations with the os-dependent code needed to retrieve and adjust the local time. This patch extracts from time.{c,h} the parts that are solely dedicated to time keeping. These are the "now" or "before_poll" variables for example, as well as the various now_*() functions that make use of gettimeofday() and clock_gettime() to retrieve the current time. The "tv_*" functions moved there were also more appropriately renamed to "clock_*". Other parts used to compute stolen time are in other files, they will have to be picked next.
2021-10-08 03:33:24 -04:00
#include <haproxy/clock.h>
MEDIUM: counters: manage shared counters using dedicated helpers proxies, listeners and server shared counters are now managed via helpers added in one of the previous commits. When guid is not set (ie: when not yet assigned), shared counters pointer is allocated using calloc() (local memory) and a flag is set on the shared counters struct to know how to manipulate (and free it). Else if guid is set, then it means that the counters may be shared so while for now we don't actually use a shared memory location the API is ready for that. The way it works, for proxies and servers (for which guid is not known during creation), we first call counters_{fe,be}_shared_get with guid not set, which results in local pointer being retrieved (as if we just manually called calloc() to retrieve a pointer). Later (during postparsing) if guid is set we try to upgrade the pointer from local to shared. Lastly, since the memory location for some objects (proxies and servers counters) may change from creation to postparsing, let's update counters->last_change member directly under counters_{fe,be}_shared_get() so we don't miss it. No change of behavior is expected, this is only preparation work.
2025-05-07 17:42:04 -04:00
#include <haproxy/counters.h>
BUG/MINOR: cpuset: fix compilation on platform without cpu affinity The compilation is currently broken on platform without USE_CPU_AFFINITY set. An error has been reported by the cygwin build of the CI. This does not need to be backported. In file included from include/haproxy/global-t.h:27, from include/haproxy/global.h:26, from include/haproxy/fd.h:33, from src/ev_poll.c:22: include/haproxy/cpuset-t.h:32:3: error: #error "No cpuset support implemented on this platform" 32 | # error "No cpuset support implemented on this platform" | ^~~~~ include/haproxy/cpuset-t.h:37:2: error: unknown type name ‘CPUSET_REPR’ 37 | CPUSET_REPR cpuset; | ^~~~~~~~~~~ make: *** [Makefile:944: src/ev_poll.o] Error 1 make: *** Waiting for unfinished jobs.... In file included from include/haproxy/global-t.h:27, from include/haproxy/global.h:26, from include/haproxy/fd.h:33, from include/haproxy/connection.h:30, from include/haproxy/ssl_sock.h:27, from src/ssl_sample.c:30: include/haproxy/cpuset-t.h:32:3: error: #error "No cpuset support implemented on this platform" 32 | # error "No cpuset support implemented on this platform" | ^~~~~ include/haproxy/cpuset-t.h:37:2: error: unknown type name ‘CPUSET_REPR’ 37 | CPUSET_REPR cpuset; | ^~~~~~~~~~~ make: *** [Makefile:944: src/ssl_sample.o] Error 1
2021-04-23 10:58:08 -04:00
#ifdef USE_CPU_AFFINITY
MINOR: cfgparse: use hap_cpuset for parse_cpu_set Replace the unsigned long parameter by a hap_cpuset. This allows to address CPU with index greater than LONGBITS. This function is used to parse the 'cpu-map' statement. However at the moment, the result is casted back to a long to store it in the global structure. The next step is to replace ulong in in cpu_map in the global structure with hap_cpuset.
2021-04-14 10:16:03 -04:00
#include <haproxy/cpuset.h>
REORG: cpu-topo: move bound cpu detection from cpuset to cpu-topo The cpuset files are normally used only for cpu manipulations. It happens that the initial CPU binding detection was initially placed there since there was no better place, but in practice, being OS-specific, it should really be in cpu-topo. This simplifies cpuset which doesn't need to know about the OS anymore.
2025-01-22 11:17:59 -05:00
#include <haproxy/cpu_topo.h>
BUG/MINOR: cpuset: fix compilation on platform without cpu affinity The compilation is currently broken on platform without USE_CPU_AFFINITY set. An error has been reported by the cygwin build of the CI. This does not need to be backported. In file included from include/haproxy/global-t.h:27, from include/haproxy/global.h:26, from include/haproxy/fd.h:33, from src/ev_poll.c:22: include/haproxy/cpuset-t.h:32:3: error: #error "No cpuset support implemented on this platform" 32 | # error "No cpuset support implemented on this platform" | ^~~~~ include/haproxy/cpuset-t.h:37:2: error: unknown type name ‘CPUSET_REPR’ 37 | CPUSET_REPR cpuset; | ^~~~~~~~~~~ make: *** [Makefile:944: src/ev_poll.o] Error 1 make: *** Waiting for unfinished jobs.... In file included from include/haproxy/global-t.h:27, from include/haproxy/global.h:26, from include/haproxy/fd.h:33, from include/haproxy/connection.h:30, from include/haproxy/ssl_sock.h:27, from src/ssl_sample.c:30: include/haproxy/cpuset-t.h:32:3: error: #error "No cpuset support implemented on this platform" 32 | # error "No cpuset support implemented on this platform" | ^~~~~ include/haproxy/cpuset-t.h:37:2: error: unknown type name ‘CPUSET_REPR’ 37 | CPUSET_REPR cpuset; | ^~~~~~~~~~~ make: *** [Makefile:944: src/ssl_sample.o] Error 1
2021-04-23 10:58:08 -04:00
#endif
REORG: include: move connection.h to haproxy/connection{,-t}.h The type file is becoming a mess, half of it is for the proxy protocol, another good part describes conn_streams and mux ops, it would deserve being split again. At least it was reordered so that elements are easier to find, with the PP-stuff left at the end. The MAX_SEND_FD macro was moved to compat.h as it's said to be the value for Linux.
2020-06-04 12:02:10 -04:00
#include <haproxy/connection.h>
REORG: include: move base64.h, errors.h and hash.h from common to to haproxy/ These ones do not depend on any other file. One used to include haproxy/api.h but that was solely for stddef.h.
2020-05-27 10:10:29 -04:00
#include <haproxy/errors.h>
REORG: include: move filters.h to haproxy/filters{,-t}.h Just a minor change, moved the macro definitions upwards. A few caller files were updated since they didn't need to include it.
2020-06-04 15:29:29 -04:00
#include <haproxy/filters.h>
REORG: include: move frontend.h to haproxy/frontend.h There was no type file for this one, it only contains frontend_accept().
2020-06-04 05:23:07 -04:00
#include <haproxy/frontend.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/global.h>
REORG: include: move http_ana.h to haproxy/http_ana{,-t}.h It was moved without any change, however many callers didn't need it at all. This was a consequence of the split of proto_http.c into several parts that resulted in many locations to still reference it.
2020-06-04 15:21:03 -04:00
#include <haproxy/http_ana.h>
REORG: include: move http_rules.h to haproxy/http_rules.h There was no include file. This one still includes types/proxy.h.
2020-06-04 05:40:28 -04:00
#include <haproxy/http_rules.h>
REORG: include: move lb_chash.h to haproxy/lb_chash{,-t}.h Nothing fancy, includes were already OK. The proto didn't reference the type, this was fixed. Still references proxy.h and server.h from types/.
2020-06-04 08:34:27 -04:00
#include <haproxy/lb_chash.h>
REORG: include: move lb_fas.h to haproxy/lb_fas{,-t}.h Nothing fancy, includes were already OK. The proto didn't reference the type, this was fixed. Still references proxy.h and server.h from types/.
2020-06-04 08:37:38 -04:00
#include <haproxy/lb_fas.h>
REORG: include: move lb_fwlc.h to haproxy/lb_fwlc{,-t}.h Nothing fancy, includes were already OK. The proto didn't reference the type, this was fixed. Still references proxy.h and server.h from types/.
2020-06-04 08:41:04 -04:00
#include <haproxy/lb_fwlc.h>
REORG: include: move lb_fwrr.h to haproxy/lb_fwrr{,-t}.h Nothing fancy, includes were already OK. The proto didn't reference the type, this was fixed. Still references proxy.h and server.h from types/.
2020-06-04 08:45:03 -04:00
#include <haproxy/lb_fwrr.h>
REORG: include: move lb_map.h to haproxy/lb_map{,-t}.h Nothing was changed.
2020-06-04 14:22:59 -04:00
#include <haproxy/lb_map.h>
MINOR: lbprm: implement true "sticky" balance algo As previously mentioned in cd352c0db ("MINOR: log/balance: rename "log-sticky" to "sticky""), let's define a sticky algorithm that may be used from any protocol. Sticky algorithm sticks on the same server as long as it remains available. The documentation was updated accordingly.
2024-03-28 12:24:53 -04:00
#include <haproxy/lb_ss.h>
REORG: include: move listener.h to haproxy/listener{,-t}.h stdlib and list were missing from listener.h, otherwise it was OK.
2020-06-04 08:58:24 -04:00
#include <haproxy/listener.h>
REORG: include: move log.h to haproxy/log{,-t}.h The current state of the logging is a real mess. The main problem is that almost all files include log.h just in order to have access to the alert/warning functions like ha_alert() etc, and don't care about logs. But log.h also deals with real logging as well as log-format and depends on stream.h and various other things. As such it forces a few heavy files like stream.h to be loaded early and to hide missing dependencies depending where it's loaded. Among the missing ones is syslog.h which was often automatically included resulting in no less than 3 users missing it. Among 76 users, only 5 could be removed, and probably 70 don't need the full set of dependencies. A good approach would consist in splitting that file in 3 parts: - one for error output ("errors" ?). - one for log_format processing - and one for actual logging.
2020-06-04 16:01:04 -04:00
#include <haproxy/log.h>
BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring. The init of tcp sink, particularly for SSL, was done too early in the code, during parsing, and this can cause a crash specially if nbthread was not configured. This was detected by William using ASAN on a new regtest on log forward. This patch adds the 'struct proxy' created for a sink to a list and this list is now submitted to the same init code than the main proxies list or the log_forward's proxies list. Doing this, we are assured to use the right init sequence. It also removes the ini code for ssl from post section parsing. This patch should be backported as far as v2.2 Note: this fix uses 'goto' labels created by commit 'BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized' but this code didn't exist before v2.3 so this patch needs to be adapted for v2.2.
2022-09-13 10:16:30 -04:00
#include <haproxy/sink.h>
REORG: check: move the e-mail alerting code to mailers.c check.c is one of the largest file and contains too many things. The e-mail alerting code is stored there while nothing is in mailers.c. Let's move this code out. That's only 4% of the code but a good start. In order to do so, a few tcp-check functions had to be exported.
2020-06-05 05:40:38 -04:00
#include <haproxy/mailers.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/namespace.h>
MINOR: quic: transform pacing settings into a global option Pacing support was previously activated on each bind line individually, via an optional argument of quic-cc-algo keyword. Remove this optional argument and introduce a global setting to enable/disable pacing. Pacing activation is still flagged as experimental. One important change is that previously BBR usage automatically activated pacing support. This is not the case anymore, so users should now always explicitely activate pacing if BBR is selected. A new warning message will be displayed if this is not the case. Another consequence of this change is that now pacing_inter callback is always defined for every quic_cc_algo types. As such, QUIC MUX uses global.tune.options to determine if pacing is required. This should be backported up to 3.1, after a period of observation.
2025-01-30 08:50:19 -05:00
#include <haproxy/quic_cc-t.h>
MINOR: quic: define QUIC flag on listener Mark QUIC listeners with the flag LI_F_QUIC_LISTENER. It is set by the proto-quic layer on the add listener callback. This allows to override more clearly the accept callback on quic_session_accept.
2022-01-25 11:48:47 -05:00
#include <haproxy/quic_sock.h>
BUILD: quic: fix overflow in global tune A new global option was recently introduced to disable pacing. However, the value used (1<<31) caused issue with some compiler as options field used for storage is declared as int. Move pacing deactivation flag outside into the newly defined quic_tune to fix this. This should be backported up to 3.1 after a period of observation. Note that it relied on the previous patch which defined new quic_tune type.
2025-01-30 12:01:53 -05:00
#include <haproxy/quic_tune.h>
REORG: include: move obj_type.h to haproxy/obj_type{,-t}.h No change was necessary. It still includes lots of types/* files.
2020-06-04 05:29:21 -04:00
#include <haproxy/obj_type-t.h>
BUG/MINOR: cfgparse: make sure to include openssl-compat Commit 5003ac7fe ("MEDIUM: config: set useful ALPN defaults for HTTPS and QUIC") revealed a build dependency bug: if QUIC is not enabled, cfgparse doesn't have any dependency on the SSL stack, so the various ifdefs that try to check special conditions such as rejecting an H2 config with too small a bufsize, are silently ignored. This was detected because the default ALPN string was not set and caused the alpn regtest to fail without QUIC support. Adding openssl-compat to the list of includes seems to be sufficient to have what we need. It's unclear when this dependency was broken, it seems that even 2.2 didn't have an explicit dependency on anything SSL-related, though it could have been inherited through other files (as happens with QUIC here). It would be safe to backport it to all stable branches. The impact is very low anyway.
2023-04-19 04:41:55 -04:00
#include <haproxy/openssl-compat.h>
REORG: include: move peers.h to haproxy/peers{,-t}.h The cfg_peers external declaration was moved to the main file instead of the type one. A few types were still missing from the proto, causing warnings in the functions prototypes (proxy, stick_table).
2020-06-04 12:38:21 -04:00
#include <haproxy/peers-t.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/peers.h>
REORG: include: move common/memory.h to haproxy/pool.h Now the file is ready to be stored into its final destination. A few minor reorderings were performed to keep the file properly organized, making the various sections more visible (cache & lockless). In addition and to stay consistent, memory.c was renamed to pool.c.
2020-06-02 03:38:52 -04:00
#include <haproxy/pool.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/protocol.h>
REORG: include: move proxy.h to haproxy/proxy{,-t}.h This one is particularly difficult to split because it provides all the functions used to manipulate a proxy state and to retrieve names or IDs for error reporting, and as such, it was included in 73 files (down to 68 after cleanup). It would deserve a small cleanup though the cut points are not obvious at the moment given the number of structs involved in the struct proxy itself.
2020-06-04 16:29:18 -04:00
#include <haproxy/proxy.h>
MEDIUM: resolvers/dns: split dns.c into dns.c and resolvers.c This patch splits current dns.c into two files: The first dns.c contains code related to DNS message exchange over UDP and in future other TCP. We try to remove depencies to resolving to make it usable by other stuff as DNS load balancing. The new resolvers.c inherit of the code specific to the actual resolvers. Note: It was really difficult to obtain a clean diff dur to the amount of moved code. Note2: Counters and stuff related to stats is not cleany separated because currently counters for both layers are merged and hard to separate for now.
2021-02-12 13:42:55 -05:00
#include <haproxy/resolvers.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/sample.h>
#include <haproxy/server.h>
REORG: include: move session.h to haproxy/session{,-t}.h Almost no change was needed beyond a little bit of reordering of the types file and adjustments to use session-t instead of session at a few places.
2020-06-04 12:58:52 -04:00
#include <haproxy/session.h>
REORG: include: move stats.h to haproxy/stats{,-t}.h Just some minor reordering, and the usual cleanup of call places for those which didn't need it. We don't include the whole tools.h into stats-t anymore but just tools-t.h.
2020-06-04 13:58:55 -04:00
#include <haproxy/stats-t.h>
REORG: include: move stick_table.h to haproxy/stick_table{,-t}.h The stktable_types[] array declaration was moved to the main file as it had nothing to do in the types. A few declarations were reordered in the types file so that defines were before the structs. Thread-t was added since there are a few __decl_thread(). The loss of peers.h revealed that cfgparse-listen needed it.
2020-06-04 12:46:44 -04:00
#include <haproxy/stick_table.h>
REORG: include: move stream.h to haproxy/stream{,-t}.h This one was not easy because it was embarking many includes with it, which other files would automatically find. At least global.h, arg.h and tools.h were identified. 93 total locations were identified, 8 additional includes had to be added. In the rare files where it was possible to finalize the sorting of includes by adjusting only one or two extra lines, it was done. But all files would need to be rechecked and cleaned up now. It was the last set of files in types/ and proto/ and these directories must not be reused anymore.
2020-06-04 17:46:14 -04:00
#include <haproxy/stream.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/task.h>
REORG: include: move tcp_rules.h to haproxy/tcp_rules.h There's no type file on this one which is pretty simple.
2020-06-04 11:42:48 -04:00
#include <haproxy/tcp_rules.h>
MINOR: check: allocate default check ruleset for every backends Allocate default tcp ruleset for every backend without explicit rules defined, even if no server in the backend use check. This change is required to implement checks for dynamic servers. This allocation is done on check_config_validity. It must absolutely be called before check_proxy_tcpcheck (called via post proxy check) which allocate the implicit tcp connect rule.
2021-07-23 09:46:46 -04:00
#include <haproxy/tcpcheck.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/thread.h>
#include <haproxy/tools.h>
MEDIUM: uri_auth: implement clean uri_auth cleaning proxy auth_uri struct was manually cleaned up during deinit, but the logic behind was kind of akward because it was required to find out which ones were shared or not. Instead, let's switch to a proper refcount mechanism and free the auth_uri struct directly in proxy_free_common().
2024-11-13 13:54:32 -05:00
#include <haproxy/uri_auth.h>
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
/* Used to chain configuration sections definitions. This list
* stores struct cfg_section
*/
struct list sections = LIST_HEAD_INIT(sections);
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
struct list postparsers = LIST_HEAD_INIT(postparsers);
MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket If the configuration file contains a 'unix-bind prefix' directive, and if we use the -S option and specify a UNIX socket path, the path of the socket will be prepended with the value of the unix-bind prefix. For instance, if we have 'unix-bind prefix /tmp/sockets/' and we use '-S /tmp/master-socket' on the command line, we will get this error: Starting proxy MASTER: cannot bind UNIX socket (No such file or directory) [/tmp/sockets/tmp/master-socket] So this patch adds an exception, and will ignore the unix-bind prefix for the master CLI socket. This patch can be backported as far as 1.9.
2021-03-16 10:12:17 -04:00
extern struct proxy *mworker_proxy;
REORG: cfgparse: extract curproxy as a global variable This extracts curproxy from cfg_parse_listen so that it can be referenced by keywords that need the context of the proxy they are being used within.
2023-07-27 11:09:14 -04:00
/* curproxy is only valid during parsing and will be NULL afterwards. */
BUILD: cfgparse: keep a single "curproxy" Surprisingly, commit 00e00fb42 ("REORG: cfgparse: extract curproxy as a global variable") caused a build breakage on the CI but not on two developers' machines. It looks like it's dependent on the linker version used. What happens is that flt_spoe.c already has a curproxy struct which already is a copy of the one passed by the parser because it also needed it to be exported, so they now conflict. Let's just drop this unused copy.
2023-08-01 05:18:00 -04:00
struct proxy *curproxy = NULL;
REORG: cfgparse: extract curproxy as a global variable This extracts curproxy from cfg_parse_listen so that it can be referenced by keywords that need the context of the proxy they are being used within.
2023-07-27 11:09:14 -04:00
REORG: config: extract the proxy parser into cfgparse-listen.c This was the largest function of the whole file, taking a rough second to build alone. Let's move it to a distinct file along with a few dependencies. Doing so saved about 2 seconds on the total build time.
2018-11-11 09:40:36 -05:00
char *cursection = NULL;
MEDIUM: config: don't enforce a low frontend maxconn value anymore Historically the default frontend's maxconn used to be quite low (2000), which was sufficient two decades ago but often proved to be a problem when users had purposely set the global maxconn value but forgot to set the frontend's. There is no point in keeping this arbitrary limit for frontends : when the global maxconn is lower, it's already too high and when the global maxconn is much higher, it becomes a limiting factor which causes trouble in production. This commit allows the value to be set to zero, which becomes the new default value, to mean it's not directly limited, or in fact it's set to the global maxconn. Since this operation used to be performed before computing a possibly automatic global maxconn based on memory limits, the calculation of the maxconn value and its propagation to the backends' fullconn has now moved to a dedicated function, proxy_adjust_all_maxconn(), which is called once the global maxconn is stabilized. This comes with two benefits : 1) a configuration missing "maxconn" in the defaults section will not limit itself to a magically hardcoded value but will scale up to the global maxconn ; 2) when the global maxconn is not set and memory limits are used instead, the frontends' maxconn automatically adapts, and the backends' fullconn as well.
2019-02-27 11:25:52 -05:00
int cfg_maxpconn = 0; /* # of simultaneous connections per proxy (-N) */
[CLEANUP] config: catch and report some possibly wrong rule ordering There are some configurations in which redirect rules are declared after use_backend rules. We can also find "block" rules after any of these ones. The processing sequence is : - block - redirect - use_backend So as of now we try to detect wrong ordering to warn the user about a possibly undesired behaviour.
2009-03-15 10:23:16 -04:00
int cfg_maxconn = 0; /* # of simultaneous connections, (-n) */
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
char *cfg_scope = NULL; /* the current scope during the configuration parsing */
MINOR: cfgparse: Always check the section position In diag mode, the section position is checked and a warning is emitted if a global section is defined after any non-global one. Now, this check is always performed. But the warning is still only emitted in diag mode. In addition, the result of this check is now stored in a global variable, to be used from anywhere. The aim of this patch is to be able to restrict usage of some global directives to the very first global sections. It will be useful to avoid undefined behaviors. Indeed, some config parts may depend on global settings and it is a problem if these settings are changed after.
2022-11-18 09:46:06 -05:00
int non_global_section_parsed = 0;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
/* how to handle default paths */
static enum default_path_mode {
DEFAULT_PATH_CURRENT = 0, /* "current": paths are relative to CWD (this is the default) */
DEFAULT_PATH_CONFIG, /* "config": paths are relative to config file */
DEFAULT_PATH_PARENT, /* "parent": paths are relative to config file's ".." */
DEFAULT_PATH_ORIGIN, /* "origin": paths are relative to default_path_origin */
} default_path_mode;
BUG/MEIDUM: startup: return to initial cwd only after check_config_validity() In check_config_validity() we evaluate some sample fetch expressions (log-format, server rules, etc). These expressions may use external files like maps. If some particular 'default-path' was set in the global section before, it's no longer applied to resolve file pathes in check_config_validity(). parse_cfg() at the end of config parsing switches back to the initial cwd. This fixes the issue #2886. This patch should be backported in all stable versions since 2.4.0, including 2.4.0.
2025-03-04 05:04:01 -05:00
char initial_cwd[PATH_MAX];
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
static char current_cwd[PATH_MAX];
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
/* List head of all known configuration keywords */
REORG: config: extract the global section parser into cfgparse-global The config parser is the largest file to build and its build dominates the total project's build time. Let's start to split it into multiple smaller pieces by extracting the "global" section parser into a new file called "cfgparse-global.c". This removes 1/4th of the file's build time.
2018-11-11 09:19:52 -05:00
struct cfg_kw_list cfg_keywords = {
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
.list = LIST_HEAD_INIT(cfg_keywords.list)
};
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
* converts <str> to a list of listeners which are dynamically allocated.
* The format is "{addr|'*'}:port[-end][,{addr|'*'}:port[-end]]*", where :
* - <addr> can be empty or "*" to indicate INADDR_ANY ;
* - <port> is a numerical port from 1 to 65535 ;
* - <end> indicates to use the range from <port> to <end> instead (inclusive).
* This can be repeated as many times as necessary, separated by a coma.
MINOR: config: make str2listener() use memprintf() to report errors. This will make it possible to use the function for other listening sockets.
2012-09-20 14:01:39 -04:00
* Function returns 1 for success or 0 if error. In case of errors, if <err> is
* not NULL, it must be a valid pointer to either NULL or a freeable area that
* will be replaced with an error message.
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
*/
MINOR: config: make str2listener() use memprintf() to report errors. This will make it possible to use the function for other listening sockets.
2012-09-20 14:01:39 -04:00
int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf, const char *file, int line, char **err)
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
{
MINOR: listener: pass the chosen protocol to create_listeners() The function will need to use more than just a family, let's pass it the selected protocol. The caller will then be able to do all the fancy stuff required to pick the best protocol.
2020-09-16 11:58:55 -04:00
struct protocol *proto;
[MINOR] cfgparse: better report wrong listening addresses and make use of str2sa_range It's always been a mess to debug wrong listening addresses because the parsing function does not indicate the file and line number. Now it does. Since the code was almost a duplicate of str2sa_range, it now makes use of it and has been sensibly reduced.
2011-03-04 09:43:13 -05:00
char *next, *dupstr;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
int port, end;
next = dupstr = strdup(str);
[MEDIUM] Collect & provide separate statistics for sockets, v2 This patch allows to collect & provide separate statistics for each socket. It can be very useful if you would like to distinguish between traffic generate by local and remote users or between different types of remote clients (peerings, domestic, foreign). Currently no "Session rate" is supported, but adding it should be possible if we found it useful.
2009-10-04 09:43:17 -04:00
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
while (next && *next) {
MINOR: listeners: new function create_listeners This function is used to create a series of listeners for a specific address and a port range. It automatically calls the matching protocol handlers to add them to the relevant lists. This way cfgparse doesn't need to manipulate listeners anymore. As an added bonus, the memory allocation is checked.
2017-09-15 02:10:44 -04:00
struct sockaddr_storage *ss2;
MAJOR: listener: support inheriting a listening fd from the parent Using the address syntax "fd@<num>", a listener may inherit a file descriptor that the caller process has already bound and passed as this number. The fd's socket family is detected using getsockname(), and the usual initialization is performed through the existing code for that family, but the socket creation is skipped. Whether the parent has performed the listen() call or not is not important as this is detected. For UNIX sockets, we immediately clear the path after preparing a socket so that we never remove it in case an abort would happen due to a late error during startup.
2013-03-10 18:51:38 -04:00
int fd = -1;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
str = next;
/* 1) look for the end of the first address */
[BUG] Fix listen & more of 2 couples <ip>:<port> Fix "listen www-mutualise 80.248.x.y1:80,80.248.x.y2:80,80.248.x.y3:80": [ALERT] 309/161509 (15450) : Invalid server address: '80.248.x.y1:80,80.248.x.y2' [ALERT] 309/161509 (15450) : Error reading configuration file : /etc/haproxy/haproxy.cfg Bug reported by Laurent Dolosor.
2009-01-27 10:57:08 -05:00
if ((next = strchr(str, ',')) != NULL) {
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
*next++ = 0;
}
MINOR: tools: make str2sa_range() directly return type hints str2sa_range() already allows the caller to provide <proto> in order to get a pointer on the protocol matching with the string input thanks to 5fc9328a ("MINOR: tools: make str2sa_range() directly return the protocol") However, as stated into the commit message, there is a trick: "we can fail to return a protocol in case the caller accepts an fqdn for use later. This is what servers do and in this case it is valid to return no protocol" In this case, we're unable to return protocol because the protocol lookup depends on both the [proto type + xprt type] and the [family type] to be known. While family type might not be directly resolved when fqdn is involved (because family type might be discovered using DNS queries), proto type and xprt type are already known. As such, the caller might be interested in knowing those address related hints even if the address family type is not yet resolved and thus the matching protocol cannot be looked up. Thus in this patch we add the optional net_addr_type (custom type) argument to str2sa_range to enable the caller to check the protocol type and transport type when the function succeeds.
2023-11-09 05:19:24 -05:00
ss2 = str2sa_range(str, NULL, &port, &end, &fd, &proto, NULL, err,
MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket If the configuration file contains a 'unix-bind prefix' directive, and if we use the -S option and specify a UNIX socket path, the path of the socket will be prepended with the value of the unix-bind prefix. For instance, if we have 'unix-bind prefix /tmp/sockets/' and we use '-S /tmp/master-socket' on the command line, we will get this error: Starting proxy MASTER: cannot bind UNIX socket (No such file or directory) [/tmp/sockets/tmp/master-socket] So this patch adds an exception, and will ignore the unix-bind prefix for the master CLI socket. This patch can be backported as far as 1.9.
2021-03-16 10:12:17 -04:00
(curproxy == global.cli_fe || curproxy == mworker_proxy) ? NULL : global.unix_bind.prefix,
MINOR: tools: extend str2sa_range to add an alt parameter Add a new parameter "alt" that will store wether this configuration use an alternate protocol. This alt pointer will contain a value that can be transparently passed to protocol_lookup to obtain an appropriate protocol structure. This change is needed to allow for example the servers to know if it need to use an alternate protocol or not.
2024-08-26 05:50:24 -04:00
NULL, NULL, PA_O_RESOLVE | PA_O_PORT_OK | PA_O_PORT_MAND | PA_O_PORT_RANGE |
MEDIUM: config: make str2listener() not accept datagram sockets anymore str2listener() was temporarily hacked to support datagram sockets for the log-forward listeners. This has has an undesirable side effect that "bind udp@1.2.3.4:5555" was silently accepted as TCP for a bind line. We don't need this hack anymore since the only user (log-forward) now relies on str2receiver(). Now such an address will properly be rejected.
2020-09-16 10:28:08 -04:00
PA_O_SOCKET_FD | PA_O_STREAM | PA_O_XPRT);
MEDIUM: config: use a single str2sa_range() call to parse bind addresses str2listener() now doesn't check the address syntax, it only relies on str2sa_range() to retrieve the address and family.
2013-03-06 09:45:03 -05:00
if (!ss2)
goto fail;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MINOR: rhttp: large renaming to use rhttp prefix Previous commit renames 'proto_reverse_connect' module to 'proto_rhttp'. This commits follows this by replacing various custom prefix by 'rhttp_' to make the code uniform. Note that 'reverse_' prefix was kept in connection module. This is because if a new reversable protocol not based on HTTP is implemented, it may be necessary to reused the same connection function which are protocol agnostic.
2023-11-21 05:10:34 -05:00
if (ss2->ss_family == AF_CUST_RHTTP_SRV) {
MINOR: cfgparse: forbid mixing reverse and standard listeners Reverse HTTP listeners are very specific and share only a very limited subset of keywords with other listeners. As such, it is probable meaningless to mix standard and reverse addresses on the same bind line. This patch emits a fatal error during configuration parsing if this is the case.
2023-10-19 06:05:31 -04:00
/* Check if a previous non reverse HTTP present is
* already defined. If DGRAM or STREAM is set, this
* indicates that we are currently parsing the second
* or more address.
*/
if (bind_conf->options & (BC_O_USE_SOCK_DGRAM|BC_O_USE_SOCK_STREAM) &&
!(bind_conf->options & BC_O_REVERSE_HTTP)) {
memprintf(err, "Cannot mix reverse HTTP bind with others.\n");
goto fail;
}
MINOR: rhttp: large renaming to use rhttp prefix Previous commit renames 'proto_reverse_connect' module to 'proto_rhttp'. This commits follows this by replacing various custom prefix by 'rhttp_' to make the code uniform. Note that 'reverse_' prefix was kept in connection module. This is because if a new reversable protocol not based on HTTP is implemented, it may be necessary to reused the same connection function which are protocol agnostic.
2023-11-21 05:10:34 -05:00
bind_conf->rhttp_srvname = strdup(str + strlen("rhttp@"));
if (!bind_conf->rhttp_srvname) {
MINOR: cfgparse: forbid mixing reverse and standard listeners Reverse HTTP listeners are very specific and share only a very limited subset of keywords with other listeners. As such, it is probable meaningless to mix standard and reverse addresses on the same bind line. This patch emits a fatal error during configuration parsing if this is the case.
2023-10-19 06:05:31 -04:00
memprintf(err, "Cannot allocate reverse HTTP bind.\n");
goto fail;
}
bind_conf->options |= BC_O_REVERSE_HTTP;
}
else if (bind_conf->options & BC_O_REVERSE_HTTP) {
/* Standard address mixed with a previous reverse HTTP one. */
memprintf(err, "Cannot mix reverse HTTP bind with others.\n");
goto fail;
}
MEDIUM: config: use a single str2sa_range() call to parse bind addresses str2listener() now doesn't check the address syntax, it only relies on str2sa_range() to retrieve the address and family.
2013-03-06 09:45:03 -05:00
/* OK the address looks correct */
CLEANUP: listener: store stream vs dgram at the bind_conf level Let's collect the set of xprt-level and sock-level dgram/stream protocols seen on a bind line and store that in the bind_conf itself while they're being parsed. This will make it much easier to detect incompatibilities later than the current approch which consists in scanning all listeners in post-parsing.
2022-05-20 10:15:01 -04:00
if (proto->proto_type == PROTO_TYPE_DGRAM)
bind_conf->options |= BC_O_USE_SOCK_DGRAM;
else
bind_conf->options |= BC_O_USE_SOCK_STREAM;
if (proto->xprt_type == PROTO_TYPE_DGRAM)
bind_conf->options |= BC_O_USE_XPRT_DGRAM;
else
bind_conf->options |= BC_O_USE_XPRT_STREAM;
MINOR: listener: Add QUIC info to listeners and receivers. This patch adds a quic_transport_params struct to bind_conf struct used for the listeners. This is to store the QUIC transport parameters for the listeners. Also initializes them when calling str2listener(). Before str2sa_range() it's too early to figure we're going to speak QUIC, and after it's too late as listeners are already created. So it seems that doing it in str2listener() when the protocol is discovered is the best place. Also adds two ebtrees to the underlying receivers to store the connection by connections IDs (one for the original connection IDs, and another one for the definitive connection IDs which really identify the connections. However it doesn't seem normal that it is stored in the receiver nor the listener. There should be a private context in the listener so that protocols can store internal information. This element should in fact be the listener handle. Something still feels wrong, and probably we'll have to make QUIC and SSL co-exist: a proof of this is that there's some explicit code in bind_parse_ssl() to prevent the "ssl" keyword from replacing the xprt.
2020-11-23 08:23:21 -05:00
MINOR: listener: pass the chosen protocol to create_listeners() The function will need to use more than just a family, let's pass it the selected protocol. The caller will then be able to do all the fancy stuff required to pick the best protocol.
2020-09-16 11:58:55 -04:00
if (!create_listeners(bind_conf, ss2, port, end, fd, proto, err)) {
MINOR: listeners: new function create_listeners This function is used to create a series of listeners for a specific address and a port range. It automatically calls the matching protocol handlers to add them to the relevant lists. This way cfgparse doesn't need to manipulate listeners anymore. As an added bonus, the memory allocation is checked.
2017-09-15 02:10:44 -04:00
memprintf(err, "%s for address '%s'.\n", *err, str);
goto fail;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
} /* end while(next) */
free(dupstr);
[MEDIUM] Collect & provide separate statistics for sockets, v2 This patch allows to collect & provide separate statistics for each socket. It can be very useful if you would like to distinguish between traffic generate by local and remote users or between different types of remote clients (peerings, domestic, foreign). Currently no "Session rate" is supported, but adding it should be possible if we found it useful.
2009-10-04 09:43:17 -04:00
return 1;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
fail:
free(dupstr);
[MEDIUM] Collect & provide separate statistics for sockets, v2 This patch allows to collect & provide separate statistics for each socket. It can be very useful if you would like to distinguish between traffic generate by local and remote users or between different types of remote clients (peerings, domestic, foreign). Currently no "Session rate" is supported, but adding it should be possible if we found it useful.
2009-10-04 09:43:17 -04:00
return 0;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
MINOR: cfgparse: add str2receiver() to parse dgram receivers This is at least temporary, as the migration at once is way too difficuly. For now it still creates listeners but only allows DGRAM sockets. This aims at easing the split between listeners and receivers.
2020-09-16 09:13:04 -04:00
/*
* converts <str> to a list of datagram-oriented listeners which are dynamically
* allocated.
* The format is "{addr|'*'}:port[-end][,{addr|'*'}:port[-end]]*", where :
* - <addr> can be empty or "*" to indicate INADDR_ANY ;
* - <port> is a numerical port from 1 to 65535 ;
* - <end> indicates to use the range from <port> to <end> instead (inclusive).
* This can be repeated as many times as necessary, separated by a coma.
* Function returns 1 for success or 0 if error. In case of errors, if <err> is
* not NULL, it must be a valid pointer to either NULL or a freeable area that
* will be replaced with an error message.
*/
int str2receiver(char *str, struct proxy *curproxy, struct bind_conf *bind_conf, const char *file, int line, char **err)
{
MINOR: listener: pass the chosen protocol to create_listeners() The function will need to use more than just a family, let's pass it the selected protocol. The caller will then be able to do all the fancy stuff required to pick the best protocol.
2020-09-16 11:58:55 -04:00
struct protocol *proto;
MINOR: cfgparse: add str2receiver() to parse dgram receivers This is at least temporary, as the migration at once is way too difficuly. For now it still creates listeners but only allows DGRAM sockets. This aims at easing the split between listeners and receivers.
2020-09-16 09:13:04 -04:00
char *next, *dupstr;
int port, end;
next = dupstr = strdup(str);
while (next && *next) {
struct sockaddr_storage *ss2;
int fd = -1;
str = next;
/* 1) look for the end of the first address */
if ((next = strchr(str, ',')) != NULL) {
*next++ = 0;
}
MINOR: tools: make str2sa_range() directly return type hints str2sa_range() already allows the caller to provide <proto> in order to get a pointer on the protocol matching with the string input thanks to 5fc9328a ("MINOR: tools: make str2sa_range() directly return the protocol") However, as stated into the commit message, there is a trick: "we can fail to return a protocol in case the caller accepts an fqdn for use later. This is what servers do and in this case it is valid to return no protocol" In this case, we're unable to return protocol because the protocol lookup depends on both the [proto type + xprt type] and the [family type] to be known. While family type might not be directly resolved when fqdn is involved (because family type might be discovered using DNS queries), proto type and xprt type are already known. As such, the caller might be interested in knowing those address related hints even if the address family type is not yet resolved and thus the matching protocol cannot be looked up. Thus in this patch we add the optional net_addr_type (custom type) argument to str2sa_range to enable the caller to check the protocol type and transport type when the function succeeds.
2023-11-09 05:19:24 -05:00
ss2 = str2sa_range(str, NULL, &port, &end, &fd, &proto, NULL, err,
CLEANUP: cli: rename the last few "stats_" to "cli_" There were still a very small list of functions, variables and fields called "stats_" while they were really purely CLI-centric. There's the frontend called "stats_fe" in the global section, which instantiates a "cli_applet" called "<CLI>" so it was renamed "cli_fe". The "alloc_stats_fe" function cas renamed to "cli_alloc_fe" which also better matches the naming convention of all cli-specific functions. Finally the "stats_permission_denied_msg" used to return an error on the CLI was renamed "cli_permission_denied_msg". Now there's no more "stats_something" that designates the CLI.
2021-03-13 05:00:33 -05:00
curproxy == global.cli_fe ? NULL : global.unix_bind.prefix,
MINOR: tools: extend str2sa_range to add an alt parameter Add a new parameter "alt" that will store wether this configuration use an alternate protocol. This alt pointer will contain a value that can be transparently passed to protocol_lookup to obtain an appropriate protocol structure. This change is needed to allow for example the servers to know if it need to use an alternate protocol or not.
2024-08-26 05:50:24 -04:00
NULL, NULL, PA_O_RESOLVE | PA_O_PORT_OK | PA_O_PORT_MAND | PA_O_PORT_RANGE |
MINOR: cfgparse: add str2receiver() to parse dgram receivers This is at least temporary, as the migration at once is way too difficuly. For now it still creates listeners but only allows DGRAM sockets. This aims at easing the split between listeners and receivers.
2020-09-16 09:13:04 -04:00
PA_O_SOCKET_FD | PA_O_DGRAM | PA_O_XPRT);
if (!ss2)
goto fail;
/* OK the address looks correct */
MINOR: listener: pass the chosen protocol to create_listeners() The function will need to use more than just a family, let's pass it the selected protocol. The caller will then be able to do all the fancy stuff required to pick the best protocol.
2020-09-16 11:58:55 -04:00
if (!create_listeners(bind_conf, ss2, port, end, fd, proto, err)) {
MINOR: cfgparse: add str2receiver() to parse dgram receivers This is at least temporary, as the migration at once is way too difficuly. For now it still creates listeners but only allows DGRAM sockets. This aims at easing the split between listeners and receivers.
2020-09-16 09:13:04 -04:00
memprintf(err, "%s for address '%s'.\n", *err, str);
goto fail;
}
} /* end while(next) */
free(dupstr);
return 1;
fail:
free(dupstr);
return 0;
}
REORG: config: uninline warnifnotcap() and failifnotcap() These ones are used by virtually every config parser. Not only they provide no benefit in being inlined, but they imply a very deep dependency starting at proxy.h, which results for example in task.c including openssl. Let's move these two functions to cfgparse.c.
2021-05-08 13:58:37 -04:00
/*
* Sends a warning if proxy <proxy> does not have at least one of the
* capabilities in <cap>. An optional <hint> may be added at the end
* of the warning to help the user. Returns 1 if a warning was emitted
* or 0 if the condition is valid.
*/
int warnifnotcap(struct proxy *proxy, int cap, const char *file, int line, const char *arg, const char *hint)
{
char *msg;
switch (cap) {
case PR_CAP_BE: msg = "no backend"; break;
case PR_CAP_FE: msg = "no frontend"; break;
case PR_CAP_BE|PR_CAP_FE: msg = "neither frontend nor backend"; break;
default: msg = "not enough"; break;
}
if (!(proxy->cap & cap)) {
ha_warning("parsing [%s:%d] : '%s' ignored because %s '%s' has %s capability.%s\n",
file, line, arg, proxy_type_str(proxy), proxy->id, msg, hint ? hint : "");
return 1;
}
return 0;
}
/*
* Sends an alert if proxy <proxy> does not have at least one of the
* capabilities in <cap>. An optional <hint> may be added at the end
* of the alert to help the user. Returns 1 if an alert was emitted
* or 0 if the condition is valid.
*/
int failifnotcap(struct proxy *proxy, int cap, const char *file, int line, const char *arg, const char *hint)
{
char *msg;
switch (cap) {
case PR_CAP_BE: msg = "no backend"; break;
case PR_CAP_FE: msg = "no frontend"; break;
case PR_CAP_BE|PR_CAP_FE: msg = "neither frontend nor backend"; break;
default: msg = "not enough"; break;
}
if (!(proxy->cap & cap)) {
ha_alert("parsing [%s:%d] : '%s' not allowed because %s '%s' has %s capability.%s\n",
file, line, arg, proxy_type_str(proxy), proxy->id, msg, hint ? hint : "");
return 1;
}
return 0;
}
MINOR: cfgparse: add two new functions to check arguments count We already had alertif_too_many_args{,_idx}(), but these ones are specifically designed for use in cfgparse. Outside of it we're trying to avoid calling Alert() all the time so we need an equivalent using a pointer to an error message. These new functions called too_many_args{,_idx)() do exactly this. They don't take the file name nor the line number which they have no use for but instead they take an optional pointer to an error message and the pointer to the error code is optional as well. With (NULL, NULL) they'll simply check the validity and return a verdict. They are quite convenient for use in isolated keyword parsers. These two new functions as well as the previous ones have all been exported.
2016-12-21 16:41:44 -05:00
/*
* Report an error in <msg> when there are too many arguments. This version is
* intended to be used by keyword parsers so that the message will be included
* into the general error message. The index is the current keyword in args.
* Return 0 if the number of argument is correct, otherwise build a message and
* return 1. Fill err_code with an ERR_ALERT and an ERR_FATAL if not null. The
* message may also be null, it will simply not be produced (useful to check only).
* <msg> and <err_code> are only affected on error.
*/
int too_many_args_idx(int maxarg, int index, char **args, char **msg, int *err_code)
{
int i;
if (!*args[index + maxarg + 1])
return 0;
if (msg) {
*msg = NULL;
memprintf(msg, "%s", args[0]);
for (i = 1; i <= index; i++)
memprintf(msg, "%s %s", *msg, args[i]);
memprintf(msg, "'%s' cannot handle unexpected argument '%s'.", *msg, args[index + maxarg + 1]);
}
if (err_code)
*err_code |= ERR_ALERT | ERR_FATAL;
return 1;
}
/*
* same as too_many_args_idx with a 0 index
*/
int too_many_args(int maxarg, char **args, char **msg, int *err_code)
{
return too_many_args_idx(maxarg, 0, args, msg, err_code);
}
MEDIUM: cfgparse: check section maximum number of arguments This patch checks the number of arguments of the keywords: 'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and 'userlist' The 'global' section does not take any arguments. Proxy sections does not support bind address as argument anymore. Those sections supports only an <id> argument. The 'defaults' section didn't had any check on its arguments. It takes an optional <name> argument. 'peers' section takes a <peersect> argument. 'userlist' section takes a <listname> argument.
2015-04-28 10:55:23 -04:00
/*
* Report a fatal Alert when there is too much arguments
* The index is the current keyword in args
* Return 0 if the number of argument is correct, otherwise emit an alert and return 1
* Fill err_code with an ERR_ALERT and an ERR_FATAL
*/
int alertif_too_many_args_idx(int maxarg, int index, const char *file, int linenum, char **args, int *err_code)
{
char *kw = NULL;
int i;
if (!*args[index + maxarg + 1])
return 0;
memprintf(&kw, "%s", args[0]);
for (i = 1; i <= index; i++) {
memprintf(&kw, "%s %s", kw, args[i]);
}
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s' cannot handle unexpected argument '%s'.\n", file, linenum, kw, args[index + maxarg + 1]);
MEDIUM: cfgparse: check section maximum number of arguments This patch checks the number of arguments of the keywords: 'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and 'userlist' The 'global' section does not take any arguments. Proxy sections does not support bind address as argument anymore. Those sections supports only an <id> argument. The 'defaults' section didn't had any check on its arguments. It takes an optional <name> argument. 'peers' section takes a <peersect> argument. 'userlist' section takes a <listname> argument.
2015-04-28 10:55:23 -04:00
free(kw);
*err_code |= ERR_ALERT | ERR_FATAL;
return 1;
}
/*
* same as alertif_too_many_args_idx with a 0 index
*/
int alertif_too_many_args(int maxarg, const char *file, int linenum, char **args, int *err_code)
{
return alertif_too_many_args_idx(maxarg, 0, file, linenum, args, err_code);
}
[MINOR] improve reporting of misplaced acl/reqxxx rules Now we can detect improper ordering of "block", "reqxxx", "reqadd", "redirect" and "use_backend", and warn the user accordingly.
2009-03-31 04:49:21 -04:00
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
/* Report it if a request ACL condition uses some keywords that are incompatible
* with the place where the ACL is used. It returns either 0 or ERR_WARN so that
* its result can be or'ed with err_code. Note that <cond> may be NULL and then
* will be ignored.
[CLEANUP] config: use warnif_cond_requires_resp() to check for bad ACLs Factor out some repetitive copy-pasted code to check for request ACLs validity.
2010-01-28 11:59:39 -05:00
*/
REORG: config: extract the proxy parser into cfgparse-listen.c This was the largest function of the whole file, taking a rough second to build alone. Let's move it to a distinct file along with a few dependencies. Doing so saved about 2 seconds on the total build time.
2018-11-11 09:40:36 -05:00
int warnif_cond_conflicts(const struct acl_cond *cond, unsigned int where, const char *file, int line)
[CLEANUP] config: use warnif_cond_requires_resp() to check for bad ACLs Factor out some repetitive copy-pasted code to check for request ACLs validity.
2010-01-28 11:59:39 -05:00
{
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
const struct acl *acl;
MEDIUM: acl: have a pointer to the keyword name in acl_expr The acl_expr struct used to hold a pointer to the ACL keyword. But since we now have all the relevant pointers, we don't need that anymore, we just need the pointer to the keyword as a string in order to return warnings and error messages. So let's change this in order to remove the dependency on the acl_keyword struct from acl_expr. During this change, acl_cond_kw_conflicts() used to return a pointer to an ACL keyword but had to be changed to return a const char* for the same reason.
2013-03-31 16:59:32 -04:00
const char *kw;
[CLEANUP] config: use warnif_cond_requires_resp() to check for bad ACLs Factor out some repetitive copy-pasted code to check for request ACLs validity.
2010-01-28 11:59:39 -05:00
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
if (!cond)
[CLEANUP] config: use warnif_cond_requires_resp() to check for bad ACLs Factor out some repetitive copy-pasted code to check for request ACLs validity.
2010-01-28 11:59:39 -05:00
return 0;
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
acl = acl_cond_conflicts(cond, where);
if (acl) {
if (acl->name && *acl->name)
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d] : acl '%s' will never match because it only involves keywords that are incompatible with '%s'\n",
file, line, acl->name, sample_ckp_names(where));
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
else
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d] : anonymous acl will never match because it uses keyword '%s' which is incompatible with '%s'\n",
file, line, LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw, sample_ckp_names(where));
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
return ERR_WARN;
}
if (!acl_cond_kw_conflicts(cond, where, &acl, &kw))
[MEDIUM] http: add support for conditional response header rewriting Just as for the req* rules, we can now condition rsp* rules with ACLs. ACLs match on response, so volatile request information cannot be used. A warning is emitted if a configuration contains such an anomaly.
2010-01-31 09:43:27 -05:00
return 0;
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
if (acl->name && *acl->name)
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d] : acl '%s' involves keywords '%s' which is incompatible with '%s'\n",
file, line, acl->name, kw, sample_ckp_names(where));
MAJOR: acl: convert all ACL requires to SMP use+val instead of ->requires The ACLs now use the fetch's ->use and ->val to decide upon compatibility between the place where they are used and where the information are fetched. The code is capable of reporting warnings about very fine incompatibilities between certain fetches and an exact usage location, so it is expected that some new warnings will be emitted on some existing configurations. Two degrees of detection are provided : - detecting ACLs that never match - detecting keywords that are ignored All tests show that this seems to work well, though bugs are still possible.
2013-03-25 03:12:18 -04:00
else
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d] : anonymous acl involves keyword '%s' which is incompatible with '%s'\n",
file, line, kw, sample_ckp_names(where));
[MEDIUM] http: add support for conditional response header rewriting Just as for the req* rules, we can now condition rsp* rules with ACLs. ACLs match on response, so volatile request information cannot be used. A warning is emitted if a configuration contains such an anomaly.
2010-01-31 09:43:27 -05:00
return ERR_WARN;
}
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
/* Report it if an ACL uses a L6 sample fetch from an HTTP proxy. It returns
* either 0 or ERR_WARN so that its result can be or'ed with err_code. Note that
* <cond> may be NULL and then will be ignored.
*/
int warnif_tcp_http_cond(const struct proxy *px, const struct acl_cond *cond)
{
if (!cond || px->mode != PR_MODE_HTTP)
return 0;
if (cond->use & (SMP_USE_L6REQ|SMP_USE_L6RES)) {
ha_warning("Proxy '%s': L6 sample fetches ignored on HTTP proxies (declared at %s:%d).\n",
px->id, cond->file, cond->line);
return ERR_WARN;
}
return 0;
}
MINOR: cfgparse: add cfg_find_best_match() to suggest an existing word Instead of just reporting "unknown keyword", let's provide a function which will look through a list of registered keywords for a similar-looking word to the one that wasn't matched. This will help callers suggest correct spelling. Also, given that a large part of the config parser still relies on a long chain of strcmp(), we'll need to be able to pass extra candidates. Thus the function supports an optional extra list for this purpose.
2021-03-12 03:08:04 -05:00
/* try to find in <list> the word that looks closest to <word> by counting
* transitions between letters, digits and other characters. Will return the
* best matching word if found, otherwise NULL. An optional array of extra
* words to compare may be passed in <extra>, but it must then be terminated
* by a NULL entry. If unused it may be NULL.
*/
const char *cfg_find_best_match(const char *word, const struct list *list, int section, const char **extra)
{
uint8_t word_sig[1024]; // 0..25=letter, 26=digit, 27=other, 28=begin, 29=end
uint8_t list_sig[1024];
const struct cfg_kw_list *kwl;
int index;
const char *best_ptr = NULL;
int dist, best_dist = INT_MAX;
make_word_fingerprint(word_sig, word);
list_for_each_entry(kwl, list, list) {
for (index = 0; kwl->kw[index].kw != NULL; index++) {
if (kwl->kw[index].section != section)
continue;
make_word_fingerprint(list_sig, kwl->kw[index].kw);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_ptr = kwl->kw[index].kw;
}
}
}
while (extra && *extra) {
make_word_fingerprint(list_sig, *extra);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_ptr = *extra;
}
extra++;
}
if (best_dist > 2 * strlen(word) || (best_ptr && best_dist > 2 * strlen(best_ptr)))
best_ptr = NULL;
return best_ptr;
}
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
/* Parse a string representing a process number or a set of processes. It must
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
* be "all", "odd", "even", a number between 1 and <max> or a range with
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
* two such numbers delimited by a dash ('-'). On success, it returns
* 0. otherwise it returns 1 with an error message in <err>.
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
*
* Note: this function can also be used to parse a thread number or a set of
* threads.
*/
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
int parse_process_number(const char *arg, unsigned long *proc, int max, int *autoinc, char **err)
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
{
MINOR: config: Add auto-increment feature for cpu-map The prefix "auto:" can be added before the process set to let HAProxy automatically bind a process to a CPU by incrementing process and CPU sets. To be valid, both sets must have the same size. No matter the declaration order of the CPU sets, it will be bound from the lower to the higher bound. Examples: # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1 # and so on. cpu-map auto:1-4 0-3 cpu-map auto:1-4 0-1 2-3 cpu-map auto:1-4 3 2 1 0 # bind each process to exaclty one CPU using all/odd/even keyword cpu-map auto:all 0-63 cpu-map auto:even 0-31 cpu-map auto:odd 32-63 # invalid cpu-map because process and CPU sets have different sizes. cpu-map auto:1-4 0 # invalid cpu-map auto:1 0-3 # invalid
2017-11-22 09:01:51 -05:00
if (autoinc) {
*autoinc = 0;
if (strncmp(arg, "auto:", 5) == 0) {
arg += 5;
*autoinc = 1;
}
}
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
if (strcmp(arg, "all") == 0)
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
*proc |= ~0UL;
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
else if (strcmp(arg, "odd") == 0)
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
*proc |= ~0UL/3UL; /* 0x555....555 */
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
else if (strcmp(arg, "even") == 0)
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
*proc |= (~0UL/3UL) << 1; /* 0xAAA...AAA */
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
else {
BUG/MINOR: config: Reinforce validity check when a process number is parsed Now, in the function parse_process_number(), when a process number or a set of processes is parsed, an error is triggered if an invalid character is found. It means following syntaxes are not forbidden and will emit an alert during the HAProxy startup: 1a 1/2 1-2-3 This bug was reported on Github. See issue #36. This patch may be backported to 1.9 and 1.8.
2019-02-07 10:29:41 -05:00
const char *p, *dash = NULL;
MINOR: config: Support a range to specify processes in "cpu-map" parameter Now, you can define processes concerned by a cpu-map line using a range. For instance, the following line binds the first 32 processes on CPUs 0 to 3: cpu-map 1-32 0-3
2017-11-22 04:24:40 -05:00
unsigned int low, high;
BUG/MINOR: config: Reinforce validity check when a process number is parsed Now, in the function parse_process_number(), when a process number or a set of processes is parsed, an error is triggered if an invalid character is found. It means following syntaxes are not forbidden and will emit an alert during the HAProxy startup: 1a 1/2 1-2-3 This bug was reported on Github. See issue #36. This patch may be backported to 1.9 and 1.8.
2019-02-07 10:29:41 -05:00
for (p = arg; *p; p++) {
if (*p == '-' && !dash)
dash = p;
BUILD: general: always pass unsigned chars to is* functions The isalnum(), isalpha(), isdigit() etc functions from ctype.h are supposed to take an int in argument which must either reflect an unsigned char or EOF. In practice on some platforms they're implemented as macros referencing an array, and when passed a char, they either cause a warning "array subscript has type 'char'" when lucky, or cause random segfaults when unlucky. It's quite unconvenient by the way since none of them may return true for negative values. The recent introduction of cygwin to the list of regularly tested build platforms revealed a lot of breakage there due to the same issues again. So this patch addresses the problem all over the code at once. It adds unsigned char casts to every valid use case, and also drops the unneeded double cast to int that was sometimes added on top of it. It may be backported by dropping irrelevant changes if that helps better support uncommon platforms. It's unlikely to fix bugs on platforms which would already not emit any warning though.
2020-02-25 02:16:33 -05:00
else if (!isdigit((unsigned char)*p)) {
BUG/MINOR: config: Reinforce validity check when a process number is parsed Now, in the function parse_process_number(), when a process number or a set of processes is parsed, an error is triggered if an invalid character is found. It means following syntaxes are not forbidden and will emit an alert during the HAProxy startup: 1a 1/2 1-2-3 This bug was reported on Github. See issue #36. This patch may be backported to 1.9 and 1.8.
2019-02-07 10:29:41 -05:00
memprintf(err, "'%s' is not a valid number/range.", arg);
return -1;
}
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
}
MINOR: config: Support a range to specify processes in "cpu-map" parameter Now, you can define processes concerned by a cpu-map line using a range. For instance, the following line binds the first 32 processes on CPUs 0 to 3: cpu-map 1-32 0-3
2017-11-22 04:24:40 -05:00
low = high = str2uic(arg);
BUG/MINOR: config: Reinforce validity check when a process number is parsed Now, in the function parse_process_number(), when a process number or a set of processes is parsed, an error is triggered if an invalid character is found. It means following syntaxes are not forbidden and will emit an alert during the HAProxy startup: 1a 1/2 1-2-3 This bug was reported on Github. See issue #36. This patch may be backported to 1.9 and 1.8.
2019-02-07 10:29:41 -05:00
if (dash)
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
high = ((!*(dash+1)) ? max : str2uic(dash + 1));
MINOR: config: Support partial ranges in cpu-map directive Now, processa and CPU ranges can be partially defined. The higher bound can be omitted. In such case, it is replaced by the corresponding maximum value, 32 or 64 depending on the machine's word size. By extension, It is also true for the "bind-process" directive and "process" parameter on a "bind" or a "stats socket" line.
2017-11-22 10:38:49 -05:00
MINOR: config: Support a range to specify processes in "cpu-map" parameter Now, you can define processes concerned by a cpu-map line using a range. For instance, the following line binds the first 32 processes on CPUs 0 to 3: cpu-map 1-32 0-3
2017-11-22 04:24:40 -05:00
if (high < low) {
unsigned int swap = low;
low = high;
high = swap;
}
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
if (low < 1 || low > max || high > max) {
MINOR: config: Add the threads support in cpu-map directive Now, it is possible to bind CPU at the thread level instead of the process level by defining a thread set in "cpu-map" directives. Thus, its format is now: cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>... where <process-set> and <thread-set> must follow the format: all | odd | even | number[-[number]] Having a process range and a thread range in same time with the "auto:" prefix is not supported. Only one range is supported, the other one must be a fixed number. But it is allowed when there is no "auto:" prefix. Because it is possible to define a mapping for a process and another for a thread on this process, threads will be bound on the intersection of their mapping and the one of the process on which they are attached. If the intersection is null, no specific binding will be set for the threads.
2017-11-22 10:50:41 -05:00
memprintf(err, "'%s' is not a valid number/range."
" It supports numbers from 1 to %d.\n",
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
arg, max);
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
return 1;
}
MINOR: config: Support a range to specify processes in "cpu-map" parameter Now, you can define processes concerned by a cpu-map line using a range. For instance, the following line binds the first 32 processes on CPUs 0 to 3: cpu-map 1-32 0-3
2017-11-22 04:24:40 -05:00
for (;low <= high; low++)
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
*proc |= 1UL << (low-1);
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
}
MINOR: cfgparse: make the process/thread parser support a maximum value It was hard-wired to LONGBITS, let's make it configurable depending on the context (threads, processes).
2019-01-26 07:25:14 -05:00
*proc &= ~0UL >> (LONGBITS - max);
MINOR: config: Support a range to specify processes in "cpu-map" parameter Now, you can define processes concerned by a cpu-map line using a range. For instance, the following line binds the first 32 processes on CPUs 0 to 3: cpu-map 1-32 0-3
2017-11-22 04:24:40 -05:00
MINOR: config: Slightly change how parse_process_number works Now, this function returns a status code to indicate a success (0) or a failure (1) and the error message in set in <err> parameter. And the result of the parsing is set in <proc> parameter.
2017-11-22 05:21:58 -05:00
return 0;
MINOR: threads: Add thread-map config parameter in the global section By default, no affinity is set for threads. To bind threads on CPU, you must define a "thread-map" in the global section. The format is the same than the "cpu-map" parameter, with a small difference. The process number must be defined, with the same format than cpu-map ("all", "even", "odd" or a number between 1 and 31/63). A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific bind will be set for the thread.
2017-10-16 09:49:32 -04:00
}
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
/* Allocate and initialize the frontend of a "peers" section found in
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
* file <file> at line <linenum> with <id> as ID.
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
* Return 0 if succeeded, -1 if not.
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
* Note that this function may be called from "default-server"
* or "peer" lines.
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
*/
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
static int init_peers_frontend(const char *file, int linenum,
const char *id, struct peers *peers)
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
{
struct proxy *p;
MEDIUM: tree-wide: avoid manually initializing proxies In this patch we try to use the proxy API init functions as much as possible to avoid code redundancy and prevent proxy initialization errors. As such, we prefer using alloc_new_proxy() and setup_new_proxy() instead of manually allocating the proxy pointer and performing the base init ourselves.
2025-04-09 15:57:39 -04:00
char *errmsg = NULL;
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
if (peers->peers_fe) {
p = peers->peers_fe;
goto out;
}
MINOR: cfgparse: Simplication. Make init_peers_frontend() be callable without having to check if there is something to do or not. May be backported to 1.5 and newer.
2019-01-11 05:47:12 -05:00
MEDIUM: tree-wide: avoid manually initializing proxies In this patch we try to use the proxy API init functions as much as possible to avoid code redundancy and prevent proxy initialization errors. As such, we prefer using alloc_new_proxy() and setup_new_proxy() instead of manually allocating the proxy pointer and performing the base init ourselves.
2025-04-09 15:57:39 -04:00
p = alloc_new_proxy(NULL, PR_CAP_FE | PR_CAP_BE, &errmsg);
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
if (!p) {
MEDIUM: tree-wide: avoid manually initializing proxies In this patch we try to use the proxy API init functions as much as possible to avoid code redundancy and prevent proxy initialization errors. As such, we prefer using alloc_new_proxy() and setup_new_proxy() instead of manually allocating the proxy pointer and performing the base init ourselves.
2025-04-09 15:57:39 -04:00
ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
ha_free(&errmsg);
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
return -1;
}
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
peers_setup_frontend(p);
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
p->parent = peers;
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
/* Finally store this frontend. */
peers->peers_fe = p;
out:
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
if (id && !p->id)
p->id = strdup(id);
MINOR: proxy: use the global file names for conf->file Proxy file names are assigned a bit everywhere (resolvers, peers, cli, logs, proxy). All these elements were enumerated and now use copy_file_name(). The only ha_free() call was turned to drop_file_name(). As a bonus side effect, a 300k backend config saved 14 MB of RAM.
2024-09-19 09:35:11 -04:00
drop_file_name(&p->conf.file);
p->conf.args.file = p->conf.file = copy_file_name(file);
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
if (linenum != -1)
p->conf.args.line = p->conf.line = linenum;
MINOR: cfgparse: Extract some code to be re-used. Create init_peers_frontend() function to allocate and initialize the frontend of "peers" sections (->peers_fe) so that to reuse it later. May be backported to 1.5 and newer.
2019-01-11 05:07:15 -05:00
return 0;
}
[MEDIUM] config: factor out the parsing of 20 req*/rsp* keywords A new function was added to take care of the common code between all those keywords. This has saved 8 kB of object code and about 500 lines of source code. This has also permitted to spot and fix minor bugs (allocated args that were never used). The code could be factored even more but that would make it a bit more complex which is not interesting at this stage. Various tests have been performed, and the warnings and errors are still correctly reported and everything seems to work as expected.
2010-01-28 13:33:49 -05:00
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
/* Only change ->file, ->line and ->arg struct bind_conf member values
* if already present.
*/
static struct bind_conf *bind_conf_uniq_alloc(struct proxy *p,
const char *file, int line,
const char *arg, struct xprt_ops *xprt)
{
struct bind_conf *bind_conf;
if (!LIST_ISEMPTY(&p->conf.bind)) {
bind_conf = LIST_ELEM((&p->conf.bind)->n, typeof(bind_conf), by_fe);
BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections If multiple "bind" lines were present on the "peers" section, multiple listeners were added to a list but the code mistakenly initialize the first member and this first listener was re-configured instead of the newly created one. The last one remains uninitialized causing a null dereference a soon a connection is received. In addition, the 'peers' sections and protocol are not currently designed to handle multiple listeners. This patch check if there is already a listener configured on the 'peers' section when we want to create a new one. This is rising an error if a listener is already present showing the file and line in the error message. To keep the file and line number of the previous listener available for the error message, the 'bind_conf_uniq_alloc' function was modified to keep the file/line data the struct 'bind_conf' was firstly allocated (previously it was updated each time the 'bind_conf' was reused). This patch should be backported until version 2.0
2022-05-25 04:12:07 -04:00
/*
* We keep bind_conf->file and bind_conf->line unchanged
* to make them available for error messages
*/
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
if (arg) {
free(bind_conf->arg);
bind_conf->arg = strdup(arg);
}
}
else {
bind_conf = bind_conf_alloc(p, file, line, arg, xprt);
}
return bind_conf;
}
/*
* Allocate a new struct peer parsed at line <linenum> in file <file>
* to be added to <peers>.
* Returns the new allocated structure if succeeded, NULL if not.
*/
static struct peer *cfg_peers_add_peer(struct peers *peers,
const char *file, int linenum,
const char *id, int local)
{
struct peer *p;
p = calloc(1, sizeof *p);
if (!p) {
ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum);
return NULL;
}
/* the peers are linked backwards first */
peers->count++;
MINOR: peers: Add a ref to peers section in the peer structure This change is required to handle asynchrone init of the appctx. It is now possible to directly get the peers section associated to a peer.
2022-05-12 08:47:52 -04:00
p->peers = peers;
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
p->next = peers->remote;
peers->remote = p;
p->conf.file = strdup(file);
p->conf.line = linenum;
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
p->last_change = ns_to_sec(now_ns);
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
HA_SPIN_INIT(&p->lock);
if (id)
p->id = strdup(id);
if (local) {
p->local = 1;
peers->local = p;
}
return p;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
CLEANUP: cfgparse: remove reference to 'ruleset' section The 'ruleset' section was never implemented. This patch remove references and tests about this keyword.
2015-04-14 10:35:22 -04:00
* Parse a line in a <listen>, <frontend> or <backend> section.
[MINOR] config: improve error reporting in listen sections Try not to immediately exit on non-fatal errors while parsing a listen section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument.
2009-07-23 07:19:11 -04:00
* Returns the error code, 0 if OK, or any combination of :
* - ERR_ABORT: must abort ASAP
* - ERR_FATAL: we can continue parsing but not start the service
* - ERR_WARN: a warning has been emitted
* - ERR_ALERT: an alert has been emitted
* Only the two first ones can stop processing, the two others are just
* indicators.
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
*/
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
{
static struct peers *curpeers = NULL;
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
static struct sockaddr_storage *bind_addr = NULL;
MINOR: peers: Support for peer shards Add "shards" new keyword for "peers" section to configure the number of peer shards attached to such secions. This impact all the stick-tables attached to the section. Add "shard" new "server" parameter to configure the peers which participate to all the stick-tables contents distribution. Each peer receive the stick-tables updates only for keys with this shard value as distribution hash. The "shard" value is stored in ->shard new server struct member. cfg_parse_peers() which is the function which is called to parse all the lines of a "peers" section is modified to parse the "shards" parameter stored in ->nb_shards new peers struct member. Add srv_parse_shard() new callback into server.c to pare the "shard" parameter. Implement stksess_getkey_hash() to compute the distribution hash for a stick-table key as the 64-bits xxhash of the key concatenated to the stick-table name. This function is called by stksess_setkey_shard(), itself called by the already implemented function which create a new stick-table key (stksess_new()). Add ->idlen new stktable struct member to store the stick-table name length to not have to compute it each time a stick-table key hash is computed.
2022-10-17 08:58:19 -04:00
static int nb_shards = 0;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
struct peer *newpeer = NULL;
const char *err;
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
struct bind_conf *bind_conf;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
int err_code = 0;
CLEANUP: config: do not use multiple errmsg at once Several of the parsing functions made use of multiple errmsg/err_msg variables which had to be freed, while there is already one in each function that is freed upon exit. Adapt the code to use the existing variable exclusively.
2013-03-10 14:44:48 -04:00
char *errmsg = NULL;
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
static int bind_line, peer_line;
if (strcmp(args[0], "bind") == 0 || strcmp(args[0], "default-bind") == 0) {
int cur_arg;
struct bind_conf *bind_conf;
MINOR: config: use the new bind_parse_args_list() to parse a "bind" line This now makes sure that both the peers' "bind" line and the regular one will use the exact same parser with the exact same behavior. Note that the parser applies after the address and that it could be factored further, since the peers one still does quite a bit of duplicated work.
2022-05-20 09:44:17 -04:00
int ret;
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
cur_arg = 1;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
if (init_peers_frontend(file, linenum, NULL, curpeers) != 0) {
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
bind_conf = bind_conf_uniq_alloc(curpeers->peers_fe, file, linenum,
BUG/MINOR: peers/config: always fill the bind_conf's argument Some generic frontend errors mention the bind_conf by its name as "bind '%s'", but if this is used on peers "bind" lines it shows "(null)" because the argument is set to NULL in the call to bind_conf_uniq_alloc() instead of passing the argument. Fortunately that's trivial to fix. This may be backported to older versions.
2022-07-05 09:54:09 -04:00
args[1], xprt_get(XPRT_RAW));
BUG/MINOR: peers: fix possible NULL dereferences at config parsing Patch 49f6f4b ("BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections") introduced possible NULL dereferences when parsing the peers configuration. Fix the issue by checking the return value of bind_conf_uniq_alloc(). This patch should be backported as far as 2.0.
2022-07-06 08:30:23 -04:00
if (!bind_conf) {
ha_alert("parsing [%s:%d] : '%s %s' : cannot allocate memory.\n", file, linenum, args[0], args[1]);
err_code |= ERR_FATAL;
goto out;
}
MINOR: listener: move maxaccept from listener to bind_conf Like for previous values, maxaccept is really per-bind_conf, so let's move it there. Some frontends (peers, log) set it to 1 so the assignment was slightly moved.
2023-01-12 12:52:23 -05:00
bind_conf->maxaccept = 1;
MINOR: listener: move the ->accept callback to the bind_conf The accept callback directly derives from the upper layer, generally it's session_accept_fd(). As such it's also defined per bind line so it makes sense to move it there.
2023-01-12 13:10:17 -05:00
bind_conf->accept = session_accept_fd;
MINOR: listener: move LI_O_UNLIMITED and LI_O_NOSTOP to bind_conf These two flags are entirely for internal use and are even per proxy in practice since they're used for peers and CLI to indicate (for the first one) that the listener(s) are not subject to connection limits, and for the second that the listener(s) should not be stopped on soft-stop. No need to keep them in the listeners, let's move them to the bind_conf under names BC_O_UNLIMITED and BC_O_NOSTOP.
2023-01-12 13:58:42 -05:00
bind_conf->options |= BC_O_UNLIMITED; /* don't make the peers subject to global limits */
MINOR: listener: move maxaccept from listener to bind_conf Like for previous values, maxaccept is really per-bind_conf, so let's move it there. Some frontends (peers, log) set it to 1 so the assignment was slightly moved.
2023-01-12 12:52:23 -05:00
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
if (*args[0] == 'b') {
struct listener *l;
if (peer_line) {
ha_alert("parsing [%s:%d] : mixing \"peer\" and \"bind\" line is forbidden\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections If multiple "bind" lines were present on the "peers" section, multiple listeners were added to a list but the code mistakenly initialize the first member and this first listener was re-configured instead of the newly created one. The last one remains uninitialized causing a null dereference a soon a connection is received. In addition, the 'peers' sections and protocol are not currently designed to handle multiple listeners. This patch check if there is already a listener configured on the 'peers' section when we want to create a new one. This is rising an error if a listener is already present showing the file and line in the error message. To keep the file and line number of the previous listener available for the error message, the 'bind_conf_uniq_alloc' function was modified to keep the file/line data the struct 'bind_conf' was firstly allocated (previously it was updated each time the 'bind_conf' was reused). This patch should be backported until version 2.0
2022-05-25 04:12:07 -04:00
if (!LIST_ISEMPTY(&bind_conf->listeners)) {
ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
err_code |= ERR_FATAL;
}
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
if (!str2listener(args[1], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
if (errmsg && *errmsg) {
indent_msg(&errmsg, 2);
ha_alert("parsing [%s:%d] : '%s %s' : %s\n", file, linenum, args[0], args[1], errmsg);
}
else
ha_alert("parsing [%s:%d] : '%s %s' : error encountered while parsing listening address %s.\n",
BUG/MINOR: peers: fix error reporting of "bind" lines In case the str2listener() parser reports a generic error with no message when parsing the argument of a "bind" statement in a "peers" section, the reported error indicates an invalid address on the empty arg. This has existed since 2.0 with commit 355b2033e ("MINOR: cfgparse: SSL/TLS binding in "peers" sections."), so this must be backported till 2.0.
2022-05-20 09:19:48 -04:00
file, linenum, args[0], args[1], args[1]);
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
err_code |= ERR_FATAL;
goto out;
}
MINOR: listener: move LI_O_UNLIMITED and LI_O_NOSTOP to bind_conf These two flags are entirely for internal use and are even per proxy in practice since they're used for peers and CLI to indicate (for the first one) that the listener(s) are not subject to connection limits, and for the second that the listener(s) should not be stopped on soft-stop. No need to keep them in the listeners, let's move them to the bind_conf under names BC_O_UNLIMITED and BC_O_NOSTOP.
2023-01-12 13:58:42 -05:00
BUG/MINOR: peers: Improve detection of config errors in peers sections There are several misuses in peers sections that are not detected during the configuration parsing and that could lead to undefined behaviors or crashes. First, only one listener is expected for a peers section. If several bind lines or local peer definitions are used, an error is triggered. However, if multiple addresses are set on the same bind line, there is no error while only the last listener is properly configured. On the 2.8, there is no crash but side effects are hardly predictable. On older version, HAProxy crashes if an unconfigured listener is used. Then, there is no check on remote peers name. It is unexpected to have same name for several remote peers. There is now a test, performed during the post-parsing, to verify all remote peer names are unique. Finally, server parsing options for the peers sections are changed to be sure a port is always defined, and not a port range or a port offset. This patch fixes the issue #2066. It could be backported to all stable versions.
2023-06-02 08:10:36 -04:00
/* Only one listener supported. Compare first listener
* against the last one. It must be the same one.
*/
if (bind_conf->listeners.n != bind_conf->listeners.p) {
ha_alert("parsing [%s:%d] : Only one listener per \"peers\" section is authorized. Multiple listening addresses or port range are not supported.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section The previous fix: BUG/MEDIUM: peers: fix segfault using multiple bind on peers Prevents to declare multiple listeners on a peers sections but if peers protocol is extended to support this we could raise the bug again. Indeed, after allocating a new listener and adding it to a list the code mistakenly re-configure the first element of the list instead of the new added one, and the last one remains finally uninitialized. The previous fix assure there is no more than one listener in this list but this could be changed in futur. This patch patch assures we configure and initialize the newly added listener instead of the first one in the list. This patch could be backported until version 2.0 to complete BUG/MEDIUM: peers: fix segfault using multiple bind on peers
2022-05-25 04:25:45 -04:00
/*
* Newly allocated listener is at the end of the list
*/
l = LIST_ELEM(bind_conf->listeners.p, typeof(l), by_bind);
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
bind_addr = &l->rx.addr;
MINOR: listener: move LI_O_UNLIMITED and LI_O_NOSTOP to bind_conf These two flags are entirely for internal use and are even per proxy in practice since they're used for peers and CLI to indicate (for the first one) that the listener(s) are not subject to connection limits, and for the second that the listener(s) should not be stopped on soft-stop. No need to keep them in the listeners, let's move them to the bind_conf under names BC_O_UNLIMITED and BC_O_NOSTOP.
2023-01-12 13:58:42 -05:00
BUG/MINOR: config: don't over-count the global maxsock value global.maxsock used to be augmented by the frontend's maxconn value for each frontend listener, which is absurd when there are many listeners in a frontend because the frontend's maxconn fixes an upper limit to how many connections will be accepted on all of its listeners anyway. What is needed instead is to add one to count the listening socket. In addition, the CLI's and peers' value was incremented twice, the first time when creating the listener and the second time in the main init code. Let's now make sure we only increment global.maxsock by the required amount of sockets. This means not adding maxconn for each listener, and relying on the global values when they are correct.
2019-02-27 10:25:28 -05:00
global.maxsock++; /* for the listening socket */
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
bind_line = 1;
if (cfg_peers->local) {
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
/* Local peer already defined using "server" line has no
* address yet, we should update its server's addr:port
* settings
*/
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
newpeer = cfg_peers->local;
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
BUG_ON(!newpeer->srv);
newpeer->srv->addr = *bind_addr;
newpeer->srv->svc_port = get_host_port(bind_addr);
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
}
else {
/* This peer is local.
* Note that we do not set the peer ID. This latter is initialized
* when parsing "peer" or "server" line.
*/
newpeer = cfg_peers_add_peer(curpeers, file, linenum, NULL, 1);
if (!newpeer) {
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
}
cur_arg++;
}
MINOR: config: use the new bind_parse_args_list() to parse a "bind" line This now makes sure that both the peers' "bind" line and the regular one will use the exact same parser with the exact same behavior. Note that the parser applies after the address and that it could be factored further, since the peers one still does quite a bit of duplicated work.
2022-05-20 09:44:17 -04:00
ret = bind_parse_args_list(bind_conf, args, cur_arg, cursection, file, linenum);
err_code |= ret;
if (ret != 0)
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
goto out;
}
else if (strcmp(args[0], "default-server") == 0) {
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
if (init_peers_frontend(file, -1, NULL, curpeers) != 0) {
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
REORG: server: use flags for parse_server Modify the API of parse_server function. Use flags to describe the type of the parsed server instead of discrete arguments. These flags can be used to specify if a server/default-server/server-template is parsed. Additional parameters are also specified (parsing of the address required, resolve of a name must be done immediately). It is now unneeded to use strcmp on args[0] in parse_server. Also, the calls to parse_server are more explicit thanks to the flags.
2021-03-08 10:36:46 -05:00
err_code |= parse_server(file, linenum, args, curpeers->peers_fe, NULL,
SRV_PARSE_DEFAULT_SERVER|SRV_PARSE_IN_PEER_SECTION|SRV_PARSE_INITIAL_RESOLVE);
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
}
MINOR: peers: Add "log" directive to "peers" section. This patch is easy to review: let's call parse_logsrv() function to parse "log" directive as this is already for other sections for proxies. This enable us to log incoming TCP connections for the listeners for "peers" sections. Update the documentation for "peers" section.
2019-11-05 03:57:45 -05:00
else if (strcmp(args[0], "log") == 0) {
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
if (init_peers_frontend(file, linenum, NULL, curpeers) != 0) {
MINOR: peers: Add "log" directive to "peers" section. This patch is easy to review: let's call parse_logsrv() function to parse "log" directive as this is already for other sections for proxies. This enable us to log incoming TCP connections for the listeners for "peers" sections. Update the documentation for "peers" section.
2019-11-05 03:57:45 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
MEDIUM: tree-wide: logsrv struct becomes logger When 'log' directive was implemented, the internal representation was named 'struct logsrv', because the 'log' directive would directly point to the log target, which used to be a (UDP) log server exclusively at that time, hence the name. But things have become more complex, since today 'log' directive can point to ring targets (implicit, or named) for example. Indeed, a 'log' directive does no longer reference the "final" server to which the log will be sent, but instead it describes which log API and parameters to use for transporting the log messages to the proper log destination. So now the term 'logsrv' is rather confusing and prevents us from introducing a new level of abstraction because they would be mixed with logsrv. So in order to better designate this 'log' directive, and make it more generic, we chose the word 'logger' which now replaces logsrv everywhere it was used in the code (including related comments). This is internal rewording, so no functional change should be expected on user-side.
2023-09-11 09:06:53 -04:00
if (!parse_logger(args, &curpeers->peers_fe->loggers, (kwm == KWM_NO), file, linenum, &errmsg)) {
MINOR: peers: Add "log" directive to "peers" section. This patch is easy to review: let's call parse_logsrv() function to parse "log" directive as this is already for other sections for proxies. This enable us to log incoming TCP connections for the listeners for "peers" sections. Update the documentation for "peers" section.
2019-11-05 03:57:45 -05:00
ha_alert("parsing [%s:%d] : %s : %s\n", file, linenum, args[0], errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
else if (strcmp(args[0], "peers") == 0) { /* new peers section */
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
/* Initialize these static variables when entering a new "peers" section*/
bind_line = peer_line = 0;
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
bind_addr = NULL;
MINOR: config: report missing peers section name Right now we report "invalid character ''" which is a bit confusing, better make a special case of the missing name.
2013-03-05 05:31:55 -05:00
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : missing name for peers section.\n", file, linenum);
BUG/MEDIUM: config: immediately abort if peers section has no name Cyril Bonté reported that despite commit 0dbbf317 which attempted to fix the crash when a peers section has no name, we still get a segfault after the error message when parsing the peers. The reason is that the returned error code is ERR_FATAL and not ERR_ABORT, so the parsing continues while the section was not initialized. This is 1.5-specific, no backport is needed.
2014-02-16 02:20:13 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
MINOR: config: report missing peers section name Right now we report "invalid character ''" which is a bit confusing, better make a special case of the missing name.
2013-03-05 05:31:55 -05:00
goto out;
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers When "peers" keyword is followed by more than one argument and it's the first "peers" section in the config, cfg_parse_peers() detects it and exits with "ERR_ALERT|ERR_FATAL" err_code. So, upper layer parser, parse_cfg(), continues and parses the next keyword "peer" and then he tries to check the global cfg_peers, which should contain "my_cluster". The global cfg_peers is still NULL, because after alerting a user in alertif_too_many_args, cfg_parse_peers() exited. peers my_cluster __some_wrong_data__ peer haproxy1 1.1.1.1 1000 In order to fix this, let's add ERR_ABORT, if "peers" keyword is followed by more than one argument. Like this parse_cfg() will stops immediately and terminates haproxy with "too many args for peers my_cluster..." alert message. It's more reliable, than add checks "if (cfg_peers !=NULL)" in "peer" subparser, as we may have many "peers" sections. peers my_another_cluster peer haproxy1 1.1.1.2 1000 peers my_cluster __some_wrong_data__ peer haproxy1 1.1.1.1 1000 In addition, for the example above, parse_cfg() will parse all configuration until the end and only then terminates haproxy with the alert "too many args...". Peer haproxy1 will be wrongly associated with my_another_cluster. This fixes the issue #2872. This should be backported in all stable versions.
2025-02-20 09:00:38 -05:00
if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
err_code |= ERR_ABORT;
MEDIUM: cfgparse: check section maximum number of arguments This patch checks the number of arguments of the keywords: 'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and 'userlist' The 'global' section does not take any arguments. Proxy sections does not support bind address as argument anymore. Those sections supports only an <id> argument. The 'defaults' section didn't had any check on its arguments. It takes an optional <name> argument. 'peers' section takes a <peersect> argument. 'userlist' section takes a <listname> argument.
2015-04-28 10:55:23 -04:00
goto out;
BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers When "peers" keyword is followed by more than one argument and it's the first "peers" section in the config, cfg_parse_peers() detects it and exits with "ERR_ALERT|ERR_FATAL" err_code. So, upper layer parser, parse_cfg(), continues and parses the next keyword "peer" and then he tries to check the global cfg_peers, which should contain "my_cluster". The global cfg_peers is still NULL, because after alerting a user in alertif_too_many_args, cfg_parse_peers() exited. peers my_cluster __some_wrong_data__ peer haproxy1 1.1.1.1 1000 In order to fix this, let's add ERR_ABORT, if "peers" keyword is followed by more than one argument. Like this parse_cfg() will stops immediately and terminates haproxy with "too many args for peers my_cluster..." alert message. It's more reliable, than add checks "if (cfg_peers !=NULL)" in "peer" subparser, as we may have many "peers" sections. peers my_another_cluster peer haproxy1 1.1.1.2 1000 peers my_cluster __some_wrong_data__ peer haproxy1 1.1.1.1 1000 In addition, for the example above, parse_cfg() will parse all configuration until the end and only then terminates haproxy with the alert "too many args...". Peer haproxy1 will be wrongly associated with my_another_cluster. This fixes the issue #2872. This should be backported in all stable versions.
2025-02-20 09:00:38 -05:00
}
MEDIUM: cfgparse: check section maximum number of arguments This patch checks the number of arguments of the keywords: 'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and 'userlist' The 'global' section does not take any arguments. Proxy sections does not support bind address as argument anymore. Those sections supports only an <id> argument. The 'defaults' section didn't had any check on its arguments. It takes an optional <name> argument. 'peers' section takes a <peersect> argument. 'userlist' section takes a <listname> argument.
2015-04-28 10:55:23 -04:00
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
err = invalid_char(args[1]);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : character '%c' is not permitted in '%s' name '%s'.\n",
file, linenum, *err, args[0], args[1]);
BUG/MEDIUM: config: immediately abort if peers section has no name Cyril Bonté reported that despite commit 0dbbf317 which attempted to fix the crash when a peers section has no name, we still get a segfault after the error message when parsing the peers. The reason is that the returned error code is ERR_FATAL and not ERR_ABORT, so the parsing continues while the section was not initialized. This is 1.5-specific, no backport is needed.
2014-02-16 02:20:13 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
MINOR: config: report missing peers section name Right now we report "invalid character ''" which is a bit confusing, better make a special case of the missing name.
2013-03-05 05:31:55 -05:00
goto out;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
}
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
for (curpeers = cfg_peers; curpeers != NULL; curpeers = curpeers->next) {
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
/*
* If there are two proxies with the same name only following
* combinations are allowed:
*/
if (strcmp(curpeers->id, args[1]) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: peers section '%s' has the same name as another peers section declared at %s:%d.\n",
file, linenum, args[1], curpeers->conf.file, curpeers->conf.line);
MEDIUM: config: reject invalid config with name duplicates Since 1.4 we used to emit a warning when two frontends or two backends had the same name. In 1.5 we added the same warning for two peers sections. In 1.6 we added the same warning for two mailers sections. It's about time to reject such invalid configurations, the impact they have on the code complexity is huge and it is becoming a real obstacle to some improvements such as restoring servers check status across reloads. Now these errors are reported as fatal errors and will need to be fixed. Anyway, till now there was no guarantee that what was written was working as expected since the behaviour is not defined (eg: use_backend with a name used by two backends leads to undefined behaviour). Example of output : [ALERT] 145/104759 (31564) : Parsing [prx.cfg:12]: mailers section 'm' has the same name as another mailers section declared at prx.cfg:10. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:16]: peers section 'p' has the same name as another peers section declared at prx.cfg:14. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:21]: frontend 'f' has the same name as another frontend declared at prx.cfg:18. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:27]: backend 'b' has the same name as another backend declared at prx.cfg:24. [ALERT] 145/104759 (31564) : Error(s) found in configuration file : prx.cfg [ALERT] 145/104759 (31564) : Fatal errors found in configuration.
2015-05-26 04:35:50 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
}
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
if ((curpeers = calloc(1, sizeof(*curpeers))) == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum);
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
curpeers->next = cfg_peers;
cfg_peers = curpeers;
BUG/MINOR: config: use a copy of the file name in proxy configurations Each proxy contains a reference to the original config file and line number where it was declared. The pointer used is just a reference to the one passed to the function instead of being duplicated. The effect is that it is not valid anymore at the end of the parsing and that all proxies will be enumerated as coming from the same file on some late configuration errors. This may happen for exmaple when reporting SSL certificate issues. By copying using strdup(), we avoid this issue. 1.4 has the same issue, though no report of the proxy file name is done out of the config section. Anyway a backport is recommended to ease post-mortem analysis.
2012-10-04 02:01:43 -04:00
curpeers->conf.file = strdup(file);
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
curpeers->conf.line = linenum;
MEDIUM: clock: replace timeval "now" with integer "now_ns" This puts an end to the occasional confusion between the "now" date that is internal, monotonic and not synchronized with the system's date, and "date" which is the system's date and not necessarily monotonic. Variable "now" was removed and replaced with a 64-bit integer "now_ns" which is a counter of nanoseconds. It wraps every 585 years, so if all goes well (i.e. if humanity does not need haproxy anymore in 500 years), it will just never wrap. This implies that now_ns is never nul and that the zero value can reliably be used as "not set yet" for a timestamp if needed. This will also simplify date checks where it becomes possible again to do "date1<date2". All occurrences of "tv_to_ns(&now)" were simply replaced by "now_ns". Due to the intricacies between now, global_now and now_offset, all 3 had to be turned to nanoseconds at once. It's not a problem since all of them were solely used in 3 functions in clock.c, but they make the patch look bigger than it really is. The clock_update_local_date() and clock_update_global_date() functions are now much simpler as there's no need anymore to perform conversions nor to round the timeval up or down. The wrapping continues to happen by presetting the internal offset in the short future so that the 32-bit now_ms continues to wrap 20 seconds after boot. The start_time used to calculate uptime can still be turned to nanoseconds now. One interrogation concerns global_now_ms which is used only for the freq counters. It's unclear whether there's more value in using two variables that need to be synchronized sequentially like today or to just use global_now_ns divided by 1 million. Both approaches will work equally well on modern systems, the difference might come from smaller ones. Better not change anyhting for now. One benefit of the new approach is that we now have an internal date with a resolution of the nanosecond and the precision of the microsecond, which can be useful to extend some measurements given that timestamps also have this resolution.
2023-04-28 03:16:15 -04:00
curpeers->last_change = ns_to_sec(now_ns);
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
curpeers->id = strdup(args[1]);
CLEANUP: peers: don't use the PR_ST* states to mark enabled/disabled The enabled/disabled config options were stored into a "state" field that is an integer but contained only PR_STNEW or PR_STSTOPPED, which is a bit confusing, and causes a dependency with proxies. This was renamed to "disabled" and is used as a boolean. The field was also moved to the end of the struct to stop creating a hole and fill another one.
2020-09-24 02:48:08 -04:00
curpeers->disabled = 0;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
}
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
else if (strcmp(args[0], "peer") == 0 ||
strcmp(args[0], "server") == 0) { /* peer or server definition */
BUG/MINOR: cfgparse/peers: fix inconsistent check for missing peer server In the "peers" section parser, right after parse_server() is called, we used to check whether the curpeers->peers_fe->srv pointer was set or not to know if parse_server() successfuly added a server to the peers proxy, server that we can then associate to the new peer. However the check is wrong, as curpeers->peers_fe->srv points to the last added server, if a server was successfully added before the failing one, we cannot detect that the last parse_server() didn't add a server. This is known to cause bug with bad "peer"/"server" statements. To fix the issue, we save a pointer on the last known curpeers->peers_fe->srv before parse_server() is called, and we then compare the save with the pointer after parse_server(), if the value didn't change, then parse_server() didn't add a server. This makes the check consistent in all situations. It should be backported to all stable versions.
2025-03-06 03:05:23 -05:00
struct server *prev_srv;
BUG/MEDIUM: peers: Peer addresses parsing broken. This bug was introduced by 355b203 commit which prevented the peer addresses to be parsed for the local peer of a "peers" section. When adding "parse_addr" boolean parameter to parse_server(), this commit missed the case where the syntax with "peer" keyword should still be supported in addition to the new syntax with "server"+"bind" keyword. May be backported as fas as 1.5.
2019-01-31 00:48:16 -05:00
int local_peer, peer;
REORG: server: use flags for parse_server Modify the API of parse_server function. Use flags to describe the type of the parsed server instead of discrete arguments. These flags can be used to specify if a server/default-server/server-template is parsed. Additional parameters are also specified (parsing of the address required, resolve of a name must be done immediately). It is now unneeded to use strcmp on args[0] in parse_server. Also, the calls to parse_server are more explicit thanks to the flags.
2021-03-08 10:36:46 -05:00
int parse_addr = 0;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
BUG/MEDIUM: peers: Peer addresses parsing broken. This bug was introduced by 355b203 commit which prevented the peer addresses to be parsed for the local peer of a "peers" section. When adding "parse_addr" boolean parameter to parse_server(), this commit missed the case where the syntax with "peer" keyword should still be supported in addition to the new syntax with "server"+"bind" keyword. May be backported as fas as 1.5.
2019-01-31 00:48:16 -05:00
peer = *args[0] == 'p';
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
local_peer = strcmp(args[1], localpeer) == 0;
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
/* The local peer may have already partially been parsed on a "bind" line. */
if (*args[0] == 'p') {
if (bind_line) {
ha_alert("parsing [%s:%d] : mixing \"peer\" and \"bind\" line is forbidden\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
peer_line = 1;
}
if (cfg_peers->local && !cfg_peers->local->id && local_peer) {
/* The local peer has already been initialized on a "bind" line.
* Let's use it and store its ID.
*/
newpeer = cfg_peers->local;
newpeer->id = strdup(localpeer);
}
else {
if (local_peer && cfg_peers->local) {
ha_alert("parsing [%s:%d] : '%s %s' : local peer name already referenced at %s:%d. %s\n",
file, linenum, args[0], args[1],
curpeers->peers_fe->conf.file, curpeers->peers_fe->conf.line, cfg_peers->local->id);
err_code |= ERR_FATAL;
goto out;
}
newpeer = cfg_peers_add_peer(curpeers, file, linenum, args[1], local_peer);
if (!newpeer) {
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
/* Line number and peer ID are updated only if this peer is the local one. */
if (init_peers_frontend(file,
newpeer->local ? linenum: -1,
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
newpeer->local ? newpeer->id : NULL,
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
curpeers) != 0) {
MINOR: cfgparse: Make "peer" lines be parsed as "server" lines. With this patch "default-server" lines are supported in "peers" sections to setup the default settings of peers which are from now setup when parsing both "peer" and "server" lines. May be backported to 1.5 and newer.
2018-04-26 04:06:41 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
MEDIUM: config: use str2sa_range() to parse peers addresses Similarly to previous changes, use str2sa_range() so that we can detect invalid addresses or port configurations in peers.
2013-02-20 13:20:59 -05:00
goto out;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
}
MEDIUM: config: use str2sa_range() to parse peers addresses Similarly to previous changes, use str2sa_range() so that we can detect invalid addresses or port configurations in peers.
2013-02-20 13:20:59 -05:00
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
/* This initializes curpeer->peers->peers_fe->srv.
* The server address is parsed only if we are parsing a "peer" line,
* or if we are parsing a "server" line and the current peer is not the local one.
*/
REORG: server: use flags for parse_server Modify the API of parse_server function. Use flags to describe the type of the parsed server instead of discrete arguments. These flags can be used to specify if a server/default-server/server-template is parsed. Additional parameters are also specified (parsing of the address required, resolve of a name must be done immediately). It is now unneeded to use strcmp on args[0] in parse_server. Also, the calls to parse_server are more explicit thanks to the flags.
2021-03-08 10:36:46 -05:00
parse_addr = (peer || !local_peer) ? SRV_PARSE_PARSE_ADDR : 0;
BUG/MINOR: cfgparse/peers: fix inconsistent check for missing peer server In the "peers" section parser, right after parse_server() is called, we used to check whether the curpeers->peers_fe->srv pointer was set or not to know if parse_server() successfuly added a server to the peers proxy, server that we can then associate to the new peer. However the check is wrong, as curpeers->peers_fe->srv points to the last added server, if a server was successfully added before the failing one, we cannot detect that the last parse_server() didn't add a server. This is known to cause bug with bad "peer"/"server" statements. To fix the issue, we save a pointer on the last known curpeers->peers_fe->srv before parse_server() is called, and we then compare the save with the pointer after parse_server(), if the value didn't change, then parse_server() didn't add a server. This makes the check consistent in all situations. It should be backported to all stable versions.
2025-03-06 03:05:23 -05:00
prev_srv = curpeers->peers_fe->srv;
REORG: server: use flags for parse_server Modify the API of parse_server function. Use flags to describe the type of the parsed server instead of discrete arguments. These flags can be used to specify if a server/default-server/server-template is parsed. Additional parameters are also specified (parsing of the address required, resolve of a name must be done immediately). It is now unneeded to use strcmp on args[0] in parse_server. Also, the calls to parse_server are more explicit thanks to the flags.
2021-03-08 10:36:46 -05:00
err_code |= parse_server(file, linenum, args, curpeers->peers_fe, NULL,
SRV_PARSE_IN_PEER_SECTION|parse_addr|SRV_PARSE_INITIAL_RESOLVE);
BUG/MINOR: cfgparse/peers: fix inconsistent check for missing peer server In the "peers" section parser, right after parse_server() is called, we used to check whether the curpeers->peers_fe->srv pointer was set or not to know if parse_server() successfuly added a server to the peers proxy, server that we can then associate to the new peer. However the check is wrong, as curpeers->peers_fe->srv points to the last added server, if a server was successfully added before the failing one, we cannot detect that the last parse_server() didn't add a server. This is known to cause bug with bad "peer"/"server" statements. To fix the issue, we save a pointer on the last known curpeers->peers_fe->srv before parse_server() is called, and we then compare the save with the pointer after parse_server(), if the value didn't change, then parse_server() didn't add a server. This makes the check consistent in all situations. It should be backported to all stable versions.
2025-03-06 03:05:23 -05:00
if (curpeers->peers_fe->srv == prev_srv) {
/* parse_server didn't add a server:
* Remove the newly allocated peer.
*/
BUG/MINOR: cfgparse/peers: properly handle ignored local peer case In 8ba10fea6 ("BUG/MINOR: peers: Incomplete peers sections should be validated."), some checks were relaxed in parse_server(), and extra logic was added in the peers section parser in an attempt to properly ignore incomplete "server" or "peer" statement under peers section. This was done in response to GH #565, the main intent was that haproxy should already complain about incomplete peers section (ie: missing localpeer). However, 8ba10fea69 explicitly skipped the peer cleanup upon missing srv association for local peers. This is wrong because later haproxy code always assumes that peer->srv is valid. Indeed, we got reports that the (invalid) config below would cause segmentation fault on all stable versions: global localpeer 01JM0TEPAREK01FQQ439DDZXD8 peers my-table peer 01JM0TEPAREK01FQQ439DDZXD8 listen dummy bind localhost:8080 To fix the issue, instead of by-passing some cleanup for the local peer, handle this case specifically by doing the regular peer cleanup and reset some fields set on the curpeers and curpeers proxy because of the invalid local peer (do as if the peer was not declared). It should still comply with requirements from #565. This patch should be backported to all stable versions.
2025-03-06 03:29:05 -05:00
struct peer *p;
MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines Invalid (incomplete) "server" or "peer" lines under peers section are now properly ignored. For completeness, in this patch we add some reports so that the user knows that incomplete lines were ignored. For an incomplete server line, since it is tolerated (see GH #565), we only emit a diag warning. For an incomplete peer line, we report a real warning, as it is not expected to have a peer line without an address:port specified. Also, 'newpeer == curpeers->local' check could be simplified since we already have the 'local_peer' variable which tells us that the parsed line refers to a local peer.
2025-03-07 03:30:47 -05:00
/* while it is tolerated to have a "server" line without address, it isn't
* the case for a "peer" line
*/
if (peer) {
ha_warning("parsing [%s:%d] : '%s %s' : ignoring invalid peer definition (missing address:port)\n",
file, linenum, args[0], args[1]);
err_code |= ERR_WARN;
}
else {
ha_diag_warning("parsing [%s:%d] : '%s %s' : ignoring server (not a local peer, valid address:port is expected)\n",
file, linenum, args[0], args[1]);
}
BUG/MINOR: cfgparse/peers: properly handle ignored local peer case In 8ba10fea6 ("BUG/MINOR: peers: Incomplete peers sections should be validated."), some checks were relaxed in parse_server(), and extra logic was added in the peers section parser in an attempt to properly ignore incomplete "server" or "peer" statement under peers section. This was done in response to GH #565, the main intent was that haproxy should already complain about incomplete peers section (ie: missing localpeer). However, 8ba10fea69 explicitly skipped the peer cleanup upon missing srv association for local peers. This is wrong because later haproxy code always assumes that peer->srv is valid. Indeed, we got reports that the (invalid) config below would cause segmentation fault on all stable versions: global localpeer 01JM0TEPAREK01FQQ439DDZXD8 peers my-table peer 01JM0TEPAREK01FQQ439DDZXD8 listen dummy bind localhost:8080 To fix the issue, instead of by-passing some cleanup for the local peer, handle this case specifically by doing the regular peer cleanup and reset some fields set on the curpeers and curpeers proxy because of the invalid local peer (do as if the peer was not declared). It should still comply with requirements from #565. This patch should be backported to all stable versions.
2025-03-06 03:29:05 -05:00
p = curpeers->remote;
curpeers->remote = curpeers->remote->next;
free(p->id);
free(p);
MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines Invalid (incomplete) "server" or "peer" lines under peers section are now properly ignored. For completeness, in this patch we add some reports so that the user knows that incomplete lines were ignored. For an incomplete server line, since it is tolerated (see GH #565), we only emit a diag warning. For an incomplete peer line, we report a real warning, as it is not expected to have a peer line without an address:port specified. Also, 'newpeer == curpeers->local' check could be simplified since we already have the 'local_peer' variable which tells us that the parsed line refers to a local peer.
2025-03-07 03:30:47 -05:00
if (local_peer) {
/* we only get there with incomplete "peer"
* line for local peer (missing address):
*
* reset curpeers and curpeers fields
BUG/MINOR: cfgparse/peers: properly handle ignored local peer case In 8ba10fea6 ("BUG/MINOR: peers: Incomplete peers sections should be validated."), some checks were relaxed in parse_server(), and extra logic was added in the peers section parser in an attempt to properly ignore incomplete "server" or "peer" statement under peers section. This was done in response to GH #565, the main intent was that haproxy should already complain about incomplete peers section (ie: missing localpeer). However, 8ba10fea69 explicitly skipped the peer cleanup upon missing srv association for local peers. This is wrong because later haproxy code always assumes that peer->srv is valid. Indeed, we got reports that the (invalid) config below would cause segmentation fault on all stable versions: global localpeer 01JM0TEPAREK01FQQ439DDZXD8 peers my-table peer 01JM0TEPAREK01FQQ439DDZXD8 listen dummy bind localhost:8080 To fix the issue, instead of by-passing some cleanup for the local peer, handle this case specifically by doing the regular peer cleanup and reset some fields set on the curpeers and curpeers proxy because of the invalid local peer (do as if the peer was not declared). It should still comply with requirements from #565. This patch should be backported to all stable versions.
2025-03-06 03:29:05 -05:00
* that are local peer related
*/
curpeers->local = NULL;
ha_free(&curpeers->peers_fe->id);
BUG/MINOR: peers: Incomplete peers sections should be validated. Before supporting "server" line in "peers" section, such sections without any local peer were removed from the configuration to get it validated. This patch fixes the issue where a "server" line without address and port which is a remote peer without address and port makes the configuration parsing fail. When encoutering such cases we now ignore such lines remove them from the configuration. Thank you to Jérôme Magnin for having reported this bug. Must be backported to 2.1 and 2.0.
2020-04-03 03:43:47 -04:00
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
goto out;
BUG/MINOR: peers: Incomplete peers sections should be validated. Before supporting "server" line in "peers" section, such sections without any local peer were removed from the configuration to get it validated. This patch fixes the issue where a "server" line without address and port which is a remote peer without address and port makes the configuration parsing fail. When encoutering such cases we now ignore such lines remove them from the configuration. Thank you to Jérôme Magnin for having reported this bug. Must be backported to 2.1 and 2.0.
2020-04-03 03:43:47 -04:00
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
BUG/MEDIUM: peers: fix localpeer regression with 'bind+server' config style A dumb mistake was made in f6ae25858 ("MINOR: peers: rely on srv->addr and remove peer->addr"). I completely overlooked the part where the bind address settings are used as implicit server's address settings when the peers are declared using the new bind+server config style (which is the new recommended method to declare peers as it follows the same logic as the one used in other proxy sections). As such, the peers synchro fails to work between previous and new process (localpeer mechanism) upon reload when declaring peers with way: global localpeer local peers mypeers bind 127.0.0.1:10001 server local And one has to use the 'old' config style to make it work: global localpeer local peers mypeers peer local 127.0.0.1:10001 -- To fix the issue, let's explicitly set the server's addr:port according to the bind's address settings (only the first listener is considered) when local peer was declared using the 'bind+server' method. No backport needed.
2024-04-17 12:43:25 -04:00
if (!parse_addr && bind_addr) {
/* local peer declared using "server": has name but no
* address: we use the known "bind" line addr settings
* as implicit server's addr and port.
*/
curpeers->peers_fe->srv->addr = *bind_addr;
curpeers->peers_fe->srv->svc_port = get_host_port(bind_addr);
}
MINOR: peers: Support for peer shards Add "shards" new keyword for "peers" section to configure the number of peer shards attached to such secions. This impact all the stick-tables attached to the section. Add "shard" new "server" parameter to configure the peers which participate to all the stick-tables contents distribution. Each peer receive the stick-tables updates only for keys with this shard value as distribution hash. The "shard" value is stored in ->shard new server struct member. cfg_parse_peers() which is the function which is called to parse all the lines of a "peers" section is modified to parse the "shards" parameter stored in ->nb_shards new peers struct member. Add srv_parse_shard() new callback into server.c to pare the "shard" parameter. Implement stksess_getkey_hash() to compute the distribution hash for a stick-table key as the 64-bits xxhash of the key concatenated to the stick-table name. This function is called by stksess_setkey_shard(), itself called by the already implemented function which create a new stick-table key (stksess_new()). Add ->idlen new stktable struct member to store the stick-table name length to not have to compute it each time a stick-table key hash is computed.
2022-10-17 08:58:19 -04:00
if (nb_shards && curpeers->peers_fe->srv->shard > nb_shards) {
ha_warning("parsing [%s:%d] : '%s %s' : %d peer shard greater value than %d shards value is ignored.\n",
file, linenum, args[0], args[1], curpeers->peers_fe->srv->shard, nb_shards);
curpeers->peers_fe->srv->shard = 0;
err_code |= ERR_WARN;
}
BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check Some server keywords are currently silently ignored in the peers section, which is not good because it wastes time on user-side, trying to make something work while it cannot by design. With this patch we at least report a few of them (the most common ones), which are init_addr, resolvers, check, agent-check. Others might follow. This may be backported to 2.5 to encourage some cleaning of bogus configs.
2022-05-31 03:42:44 -04:00
if (curpeers->peers_fe->srv->init_addr_methods || curpeers->peers_fe->srv->resolvers_id ||
curpeers->peers_fe->srv->do_check || curpeers->peers_fe->srv->do_agent) {
ha_warning("parsing [%s:%d] : '%s %s' : init_addr, resolvers, check and agent are ignored for peers.\n", file, linenum, args[0], args[1]);
err_code |= ERR_WARN;
}
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_SPIN_INIT(&newpeer->lock);
REORG/MEDIUM: replace stream interface protocol functions by a proto pointer The stream interface now makes use of the socket protocol pointer instead of the direct functions.
2012-05-07 12:12:14 -04:00
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
newpeer->srv = curpeers->peers_fe->srv;
if (!newpeer->local)
CLEANUP: cfgparse: Return asap from cfg_parse_peers(). Avoid useless code indentation. May be backported to 1.5 and newer.
2018-04-25 09:13:38 -04:00
goto out;
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
/* The lines above are reserved to "peer" lines. */
if (*args[0] == 's')
MINOR: cfgparse: Useless frontend initialization in "peers" sections. Use ->local "peers" struct member to flag a "peers" section frontend has being initialized. This is to be able to initialize the frontend of "peers" sections on lines different from "peer" lines. May be backported to 1.5 and newer.
2018-04-25 09:32:18 -04:00
goto out;
CLEANUP: cfgparse: Code reindentation. May help the series of patches to be reviewed. May be backported to 1.5 and newer.
2019-01-11 05:27:16 -05:00
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
bind_conf = bind_conf_uniq_alloc(curpeers->peers_fe, file, linenum, args[2], xprt_get(XPRT_RAW));
BUG/MINOR: peers: fix possible NULL dereferences at config parsing Patch 49f6f4b ("BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections") introduced possible NULL dereferences when parsing the peers configuration. Fix the issue by checking the return value of bind_conf_uniq_alloc(). This patch should be backported as far as 2.0.
2022-07-06 08:30:23 -04:00
if (!bind_conf) {
ha_alert("parsing [%s:%d] : '%s %s' : Cannot allocate memory.\n", file, linenum, args[0], args[1]);
err_code |= ERR_FATAL;
goto out;
}
CLEANUP: cfgparse: Code reindentation. May help the series of patches to be reviewed. May be backported to 1.5 and newer.
2019-01-11 05:27:16 -05:00
MINOR: listener: move maxaccept from listener to bind_conf Like for previous values, maxaccept is really per-bind_conf, so let's move it there. Some frontends (peers, log) set it to 1 so the assignment was slightly moved.
2023-01-12 12:52:23 -05:00
bind_conf->maxaccept = 1;
MINOR: listener: move the ->accept callback to the bind_conf The accept callback directly derives from the upper layer, generally it's session_accept_fd(). As such it's also defined per bind line so it makes sense to move it there.
2023-01-12 13:10:17 -05:00
bind_conf->accept = session_accept_fd;
MINOR: listener: move LI_O_UNLIMITED and LI_O_NOSTOP to bind_conf These two flags are entirely for internal use and are even per proxy in practice since they're used for peers and CLI to indicate (for the first one) that the listener(s) are not subject to connection limits, and for the second that the listener(s) should not be stopped on soft-stop. No need to keep them in the listeners, let's move them to the bind_conf under names BC_O_UNLIMITED and BC_O_NOSTOP.
2023-01-12 13:58:42 -05:00
bind_conf->options |= BC_O_UNLIMITED; /* don't make the peers subject to global limits */
MINOR: listener: move maxaccept from listener to bind_conf Like for previous values, maxaccept is really per-bind_conf, so let's move it there. Some frontends (peers, log) set it to 1 so the assignment was slightly moved.
2023-01-12 12:52:23 -05:00
BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections If multiple "bind" lines were present on the "peers" section, multiple listeners were added to a list but the code mistakenly initialize the first member and this first listener was re-configured instead of the newly created one. The last one remains uninitialized causing a null dereference a soon a connection is received. In addition, the 'peers' sections and protocol are not currently designed to handle multiple listeners. This patch check if there is already a listener configured on the 'peers' section when we want to create a new one. This is rising an error if a listener is already present showing the file and line in the error message. To keep the file and line number of the previous listener available for the error message, the 'bind_conf_uniq_alloc' function was modified to keep the file/line data the struct 'bind_conf' was firstly allocated (previously it was updated each time the 'bind_conf' was reused). This patch should be backported until version 2.0
2022-05-25 04:12:07 -04:00
if (!LIST_ISEMPTY(&bind_conf->listeners)) {
ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
err_code |= ERR_FATAL;
}
MINOR: cfgparse: Rework peers frontend init. Even if not already the case, we suppose that the frontend "peers" section may have been already initialized outside of "peer" line, we seperate their initializations from their binding initializations. May be backported to 1.5 and newer.
2019-01-11 05:43:53 -05:00
if (!str2listener(args[2], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
if (errmsg && *errmsg) {
indent_msg(&errmsg, 2);
ha_alert("parsing [%s:%d] : '%s %s' : %s\n", file, linenum, args[0], args[1], errmsg);
CLEANUP: cfgparse: Code reindentation. May help the series of patches to be reviewed. May be backported to 1.5 and newer.
2019-01-11 05:27:16 -05:00
}
MINOR: cfgparse: Rework peers frontend init. Even if not already the case, we suppose that the frontend "peers" section may have been already initialized outside of "peer" line, we seperate their initializations from their binding initializations. May be backported to 1.5 and newer.
2019-01-11 05:43:53 -05:00
else
ha_alert("parsing [%s:%d] : '%s %s' : error encountered while parsing listening address %s.\n",
file, linenum, args[0], args[1], args[2]);
err_code |= ERR_FATAL;
goto out;
}
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
BUG/MINOR: config: don't over-count the global maxsock value global.maxsock used to be augmented by the frontend's maxconn value for each frontend listener, which is absurd when there are many listeners in a frontend because the frontend's maxconn fixes an upper limit to how many connections will be accepted on all of its listeners anyway. What is needed instead is to add one to count the listening socket. In addition, the CLI's and peers' value was incremented twice, the first time when creating the listener and the second time in the main init code. Let's now make sure we only increment global.maxsock by the required amount of sockets. This means not adding maxconn for each listener, and relying on the global values when they are correct.
2019-02-27 10:25:28 -05:00
global.maxsock++; /* for the listening socket */
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
}
MINOR: peers: Support for peer shards Add "shards" new keyword for "peers" section to configure the number of peer shards attached to such secions. This impact all the stick-tables attached to the section. Add "shard" new "server" parameter to configure the peers which participate to all the stick-tables contents distribution. Each peer receive the stick-tables updates only for keys with this shard value as distribution hash. The "shard" value is stored in ->shard new server struct member. cfg_parse_peers() which is the function which is called to parse all the lines of a "peers" section is modified to parse the "shards" parameter stored in ->nb_shards new peers struct member. Add srv_parse_shard() new callback into server.c to pare the "shard" parameter. Implement stksess_getkey_hash() to compute the distribution hash for a stick-table key as the 64-bits xxhash of the key concatenated to the stick-table name. This function is called by stksess_setkey_shard(), itself called by the already implemented function which create a new stick-table key (stksess_new()). Add ->idlen new stktable struct member to store the stick-table name length to not have to compute it each time a stick-table key hash is computed.
2022-10-17 08:58:19 -04:00
else if (strcmp(args[0], "shards") == 0) {
char *endptr;
if (!*args[1]) {
ha_alert("parsing [%s:%d] : '%s' : missing value\n", file, linenum, args[0]);
err_code |= ERR_FATAL;
goto out;
}
curpeers->nb_shards = strtol(args[1], &endptr, 10);
if (*endptr != '\0') {
ha_alert("parsing [%s:%d] : '%s' : expects an integer argument, found '%s'\n",
file, linenum, args[0], args[1]);
err_code |= ERR_FATAL;
goto out;
}
if (!curpeers->nb_shards) {
ha_alert("parsing [%s:%d] : '%s' : expects a strictly positive integer argument\n",
file, linenum, args[0]);
err_code |= ERR_FATAL;
goto out;
}
nb_shards = curpeers->nb_shards;
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(args[0], "table") == 0) {
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
struct stktable *t, *other;
char *id;
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
size_t prefix_len;
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
/* Line number and peer ID are updated only if this peer is the local one. */
Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" This reverts commit 356866accefd16458f0e3c335d1b784e24e86d2d. It seems that an undocumented expectation of peers is based on the peers proxy name to determine if the local peer is fully configured or not. Thus because of the commit above, we are no longer able to detect incomplete peers sections. On side effect of this bug is a segfault when HAProxy is stopped/reloaded if we try to perform a local resync on a mis-configured local peer. So waiting for a better solution, the patch is reverted. This patch must be backported as far as 2.5.
2022-07-25 09:10:44 -04:00
if (init_peers_frontend(file, -1, NULL, curpeers) != 0) {
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
/* Build the stick-table name, concatenating the "peers" section name
* followed by a '/' character and the table name argument.
*/
chunk_reset(&trash);
MINOR: peers: Do not emit global stick-table names. This commit "MINOR: stick-table: Add prefixes to stick-table names" prepended the "peers" section name to stick-table names declared in such "peers" sections followed by a '/' character. This is not this name which must be sent over the network to avoid collisions with stick-table name declared as backends. As the '/' character is forbidden as first character of a backend name, we prefix the stick-table names declared in peers sections only with a '/' character. With such declarations: peers mypeers table t1 backend t1 stick-table ... peers mypeers at peer protocol level, "t1" declared as stick-table in "mypeers" section is different of "t1" stick-table declared as backend. In src/peers.c, only two modifications were required: use ->nid stktable struct member in place of ->id in peer_prepare_switchmsg() to prepare the stick-table definition messages. Same thing in peer_treat_definemsg() to treat a stick-table definition messages.
2019-03-20 10:09:45 -04:00
if (!chunk_strcpy(&trash, curpeers->id)) {
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
ha_alert("parsing [%s:%d]: '%s %s' : stick-table name too long.\n",
file, linenum, args[0], args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
prefix_len = trash.data;
MINOR: peers: Do not emit global stick-table names. This commit "MINOR: stick-table: Add prefixes to stick-table names" prepended the "peers" section name to stick-table names declared in such "peers" sections followed by a '/' character. This is not this name which must be sent over the network to avoid collisions with stick-table name declared as backends. As the '/' character is forbidden as first character of a backend name, we prefix the stick-table names declared in peers sections only with a '/' character. With such declarations: peers mypeers table t1 backend t1 stick-table ... peers mypeers at peer protocol level, "t1" declared as stick-table in "mypeers" section is different of "t1" stick-table declared as backend. In src/peers.c, only two modifications were required: use ->nid stktable struct member in place of ->id in peer_prepare_switchmsg() to prepare the stick-table definition messages. Same thing in peer_treat_definemsg() to treat a stick-table definition messages.
2019-03-20 10:09:45 -04:00
if (!chunk_memcat(&trash, "/", 1) || !chunk_strcat(&trash, args[1])) {
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
ha_alert("parsing [%s:%d]: '%s %s' : stick-table name too long.\n",
file, linenum, args[0], args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
t = calloc(1, sizeof *t);
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
id = strdup(trash.area);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
if (!t || !id) {
ha_alert("parsing [%s:%d]: '%s %s' : memory allocation failed\n",
file, linenum, args[0], args[1]);
BUG/MINOR: Fix memory leaks cfg_parse_peers When memory allocation fails in cfg_parse_peers or when an error occurs while parsing a stick-table, the temporary table and its id must be freed. This fixes github issue #854. It should be backported as far as 2.0.
2020-09-18 05:55:17 -04:00
free(t);
free(id);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
BUG/MINOR: config: fix stick table duplicate name check When a stick-table is defined within a peers section, the name is prefixed with the peers section name. However when checking for duplicate table names, the check was using the table name without the prefix, and would thus never match. Must be backported as far as 2.6.
2023-06-26 14:14:47 -04:00
other = stktable_find_by_name(trash.area);
if (other) {
ha_alert("parsing [%s:%d] : stick-table name '%s' conflicts with table declared in %s '%s' at %s:%d.\n",
file, linenum, args[1],
other->proxy ? proxy_cap_str(other->proxy->cap) : "peers",
other->proxy ? other->id : other->peers.p->id,
other->conf.file, other->conf.line);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
MINOR: stick-table: Add prefixes to stick-table names. With this patch we add a prefix to stick-table names declared in "peers" sections concatenating the "peers" section name followed by a '/' character with the stick-table name. Consequently, "peers" sections have their own namespace for their stick-tables. Obviously, these stick-table names are not the ones which should be sent over the network. So these configurations must be compatible and should make A and B peers communicate with peers protocol: # haproxy A config, old way stick-table declerations peers mypeers peer A ... peer B ... backend t1 stick-table type string size 10m store gpc0 peers mypeers # haproxy B config, new way stick-table declerations peers mypeers peer A ... peer B ... table t1 type string size store gpc0 10m This "network" name is stored in ->nid new field of stktable struct. The "local" stktable-name is still stored in ->id.
2019-03-20 10:06:55 -04:00
err_code |= parse_stick_table(file, linenum, args, t, id, id + prefix_len, curpeers);
BUG/MINOR: Fix memory leaks cfg_parse_peers When memory allocation fails in cfg_parse_peers or when an error occurs while parsing a stick-table, the temporary table and its id must be freed. This fixes github issue #854. It should be backported as far as 2.0.
2020-09-18 05:55:17 -04:00
if (err_code & ERR_FATAL) {
free(t);
free(id);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
goto out;
BUG/MINOR: Fix memory leaks cfg_parse_peers When memory allocation fails in cfg_parse_peers or when an error occurs while parsing a stick-table, the temporary table and its id must be freed. This fixes github issue #854. It should be backported as far as 2.0.
2020-09-18 05:55:17 -04:00
}
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
stktable_store_name(t);
t->next = stktables_list;
stktables_list = t;
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(args[0], "disabled") == 0) { /* disables this peers section */
MINOR: proxy: Introduce proxy flags to replace disabled bitfield This change is required to support TCP/HTTP rules in defaults sections. The 'disabled' bitfield in the proxy structure, used to know if a proxy is disabled or stopped, is replaced a generic bitfield named 'flags'. PR_DISABLED and PR_STOPPED flags are renamed to PR_FL_DISABLED and PR_FL_STOPPED respectively. In addition, everywhere there is a test to know if a proxy is disabled or stopped, there is now a bitwise AND operation on PR_FL_DISABLED and/or PR_FL_STOPPED flags.
2021-10-06 08:24:19 -04:00
curpeers->disabled |= PR_FL_DISABLED;
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(args[0], "enabled") == 0) { /* enables this peers section (used to revert a disabled default) */
CLEANUP: peers: don't use the PR_ST* states to mark enabled/disabled The enabled/disabled config options were stored into a "state" field that is an integer but contained only PR_STNEW or PR_STSTOPPED, which is a bit confusing, and causes a dependency with proxies. This was renamed to "disabled" and is used as a boolean. The field was also moved to the end of the struct to stop creating a hole and fill another one.
2020-09-24 02:48:08 -04:00
curpeers->disabled = 0;
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
else if (*args[0] != 0) {
MINOR: peers: add peers keyword registration This adds support for registering keywords in the 'peers' section.
2023-06-26 14:43:48 -04:00
struct peers_kw_list *pkwl;
int index;
int rc = -1;
list_for_each_entry(pkwl, &peers_keywords.list, list) {
for (index = 0; pkwl->kw[index].kw != NULL; index++) {
if (strcmp(pkwl->kw[index].kw, args[0]) == 0) {
rc = pkwl->kw[index].parse(args, curpeers, file, linenum, &errmsg);
if (rc < 0) {
ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
else if (rc > 0) {
ha_warning("parsing [%s:%d] : %s\n", file, linenum, errmsg);
err_code |= ERR_WARN;
goto out;
}
goto out;
}
}
}
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : unknown keyword '%s' in '%s' section\n", file, linenum, args[0], cursection);
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
out:
CLEANUP: config: do not use multiple errmsg at once Several of the parsing functions made use of multiple errmsg/err_msg variables which had to be freed, while there is already one in each function that is freed upon exit. Adapt the code to use the existing variable exclusively.
2013-03-10 14:44:48 -04:00
free(errmsg);
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
return err_code;
}
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
/*
CLEANUP: cfgparse: remove reference to 'ruleset' section The 'ruleset' section was never implemented. This patch remove references and tests about this keyword.
2015-04-14 10:35:22 -04:00
* Parse a line in a <listen>, <frontend> or <backend> section.
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
* Returns the error code, 0 if OK, or any combination of :
* - ERR_ABORT: must abort ASAP
* - ERR_FATAL: we can continue parsing but not start the service
* - ERR_WARN: a warning has been emitted
* - ERR_ALERT: an alert has been emitted
* Only the two first ones can stop processing, the two others are just
* indicators.
*/
int cfg_parse_mailers(const char *file, int linenum, char **args, int kwm)
{
static struct mailers *curmailers = NULL;
struct mailer *newmailer = NULL;
const char *err;
int err_code = 0;
char *errmsg = NULL;
if (strcmp(args[0], "mailers") == 0) { /* new mailers section */
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : missing name for mailers section.\n", file, linenum);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
err = invalid_char(args[1]);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : character '%c' is not permitted in '%s' name '%s'.\n",
file, linenum, *err, args[0], args[1]);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
for (curmailers = mailers; curmailers != NULL; curmailers = curmailers->next) {
/*
* If there are two proxies with the same name only following
* combinations are allowed:
*/
if (strcmp(curmailers->id, args[1]) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: mailers section '%s' has the same name as another mailers section declared at %s:%d.\n",
file, linenum, args[1], curmailers->conf.file, curmailers->conf.line);
MEDIUM: config: reject invalid config with name duplicates Since 1.4 we used to emit a warning when two frontends or two backends had the same name. In 1.5 we added the same warning for two peers sections. In 1.6 we added the same warning for two mailers sections. It's about time to reject such invalid configurations, the impact they have on the code complexity is huge and it is becoming a real obstacle to some improvements such as restoring servers check status across reloads. Now these errors are reported as fatal errors and will need to be fixed. Anyway, till now there was no guarantee that what was written was working as expected since the behaviour is not defined (eg: use_backend with a name used by two backends leads to undefined behaviour). Example of output : [ALERT] 145/104759 (31564) : Parsing [prx.cfg:12]: mailers section 'm' has the same name as another mailers section declared at prx.cfg:10. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:16]: peers section 'p' has the same name as another peers section declared at prx.cfg:14. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:21]: frontend 'f' has the same name as another frontend declared at prx.cfg:18. [ALERT] 145/104759 (31564) : Parsing [prx.cfg:27]: backend 'b' has the same name as another backend declared at prx.cfg:24. [ALERT] 145/104759 (31564) : Error(s) found in configuration file : prx.cfg [ALERT] 145/104759 (31564) : Fatal errors found in configuration.
2015-05-26 04:35:50 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
}
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
if ((curmailers = calloc(1, sizeof(*curmailers))) == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
curmailers->next = mailers;
mailers = curmailers;
curmailers->conf.file = strdup(file);
curmailers->conf.line = linenum;
curmailers->id = strdup(args[1]);
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
curmailers->timeout.mail = DEF_MAILALERTTIME;/* XXX: Would like to Skip to the next alert, if any, ASAP.
* But need enough time so that timeouts don't occur
* during tcp procssing. For now just us an arbitrary default. */
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
}
else if (strcmp(args[0], "mailer") == 0) { /* mailer definition */
struct sockaddr_storage *sk;
int port1, port2;
struct protocol *proto;
if (!*args[2]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s' expects <name> and <addr>[:<port>] as arguments.\n",
file, linenum, args[0]);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
err = invalid_char(args[1]);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : character '%c' is not permitted in server name '%s'.\n",
file, linenum, *err, args[1]);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
if ((newmailer = calloc(1, sizeof(*newmailer))) == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : out of memory.\n", file, linenum);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
/* the mailers are linked backwards first */
curmailers->count++;
newmailer->next = curmailers->mailer_list;
curmailers->mailer_list = newmailer;
newmailer->mailers = curmailers;
newmailer->conf.file = strdup(file);
newmailer->conf.line = linenum;
newmailer->id = strdup(args[1]);
MINOR: tools: make str2sa_range() directly return type hints str2sa_range() already allows the caller to provide <proto> in order to get a pointer on the protocol matching with the string input thanks to 5fc9328a ("MINOR: tools: make str2sa_range() directly return the protocol") However, as stated into the commit message, there is a trick: "we can fail to return a protocol in case the caller accepts an fqdn for use later. This is what servers do and in this case it is valid to return no protocol" In this case, we're unable to return protocol because the protocol lookup depends on both the [proto type + xprt type] and the [family type] to be known. While family type might not be directly resolved when fqdn is involved (because family type might be discovered using DNS queries), proto type and xprt type are already known. As such, the caller might be interested in knowing those address related hints even if the address family type is not yet resolved and thus the matching protocol cannot be looked up. Thus in this patch we add the optional net_addr_type (custom type) argument to str2sa_range to enable the caller to check the protocol type and transport type when the function succeeds.
2023-11-09 05:19:24 -05:00
sk = str2sa_range(args[2], NULL, &port1, &port2, NULL, &proto, NULL,
MINOR: tools: extend str2sa_range to add an alt parameter Add a new parameter "alt" that will store wether this configuration use an alternate protocol. This alt pointer will contain a value that can be transparently passed to protocol_lookup to obtain an appropriate protocol structure. This change is needed to allow for example the servers to know if it need to use an alternate protocol or not.
2024-08-26 05:50:24 -04:00
&errmsg, NULL, NULL, NULL,
MEDIUM: tools: make str2sa_range() check that the protocol has ->connect() Most callers of str2sa_range() need the protocol only to check that it provides a ->connect() method. It used to be used to verify that it's a stream protocol, but it might be a bit early to get rid of it. Let's keep the test for now but move it to str2sa_range() when the new flag PA_O_CONNECT is present. This way almost all call places could be cleaned from this. There's a strange test in the server address parsing code that rechecks the family from the socket which seems to be a duplicate of the previously removed tests. It will have to be rechecked.
2020-09-16 13:17:08 -04:00
PA_O_RESOLVE | PA_O_PORT_OK | PA_O_PORT_MAND | PA_O_STREAM | PA_O_XPRT | PA_O_CONNECT);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
if (!sk) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s %s' : %s\n", file, linenum, args[0], args[1], errmsg);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
MEDIUM: tools: make str2sa_range() check that the protocol has ->connect() Most callers of str2sa_range() need the protocol only to check that it provides a ->connect() method. It used to be used to verify that it's a stream protocol, but it might be a bit early to get rid of it. Let's keep the test for now but move it to str2sa_range() when the new flag PA_O_CONNECT is present. This way almost all call places could be cleaned from this. There's a strange test in the server address parsing code that rechecks the family from the socket which seems to be a duplicate of the previously removed tests. It will have to be rechecked.
2020-09-16 13:17:08 -04:00
if (proto->sock_prot != IPPROTO_TCP) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s %s' : TCP not supported for this address family.\n",
file, linenum, args[0], args[1]);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
newmailer->addr = *sk;
newmailer->proto = proto;
CLEANUP: connection: remove all direct references to raw_sock and ssl_sock Now we exclusively use xprt_get(XPRT_RAW) instead of &raw_sock or xprt_get(XPRT_SSL) for &ssl_sock. This removes a bunch of #ifdef and include spread over a number of location including backend, cfgparse, checks, cli, hlua, log, server and session.
2016-12-22 14:44:00 -05:00
newmailer->xprt = xprt_get(XPRT_RAW);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
newmailer->sock_init_arg = NULL;
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
}
else if (strcmp(args[0], "timeout") == 0) {
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s' expects 'mail' and <time> as arguments.\n",
file, linenum, args[0]);
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
else if (strcmp(args[1], "mail") == 0) {
const char *res;
unsigned int timeout_mail;
if (!*args[2]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s %s' expects <time> as argument.\n",
file, linenum, args[0], args[1]);
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
res = parse_time_err(args[2], &timeout_mail, TIME_UNIT_MS);
MEDIUM: tools: improve time format error detection As reported in GH issue #109 and in discourse issue https://discourse.haproxy.org/t/haproxy-returns-408-or-504-error-when-timeout-client-value-is-every-25d the time parser doesn't error on overflows nor underflows. This is a recurring problem which additionally has the bad taste of taking a long time before hitting the user. This patch makes parse_time_err() return special error codes for overflows and underflows, and adds the control in the call places to report suitable errors depending on the requested unit. In practice, underflows are almost never returned as the parsing function takes care of rounding values up, so this might possibly happen on 64-bit overflows returning exactly zero after rounding though. It is not really possible to cut the patch into pieces as it changes the function's API, hence all callers. Tests were run on about every relevant part (cookie maxlife/maxidle, server inter, stats timeout, timeout*, cli's set timeout command, tcp-request/response inspect-delay).
2019-06-07 13:00:37 -04:00
if (res == PARSE_TIME_OVER) {
ha_alert("parsing [%s:%d]: timer overflow in argument <%s> to <%s %s>, maximum value is 2147483647 ms (~24.8 days).\n",
file, linenum, args[2], args[0], args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
else if (res == PARSE_TIME_UNDER) {
ha_alert("parsing [%s:%d]: timer underflow in argument <%s> to <%s %s>, minimum non-null value is 1 ms.\n",
file, linenum, args[2], args[0], args[1]);
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
MEDIUM: tools: improve time format error detection As reported in GH issue #109 and in discourse issue https://discourse.haproxy.org/t/haproxy-returns-408-or-504-error-when-timeout-client-value-is-every-25d the time parser doesn't error on overflows nor underflows. This is a recurring problem which additionally has the bad taste of taking a long time before hitting the user. This patch makes parse_time_err() return special error codes for overflows and underflows, and adds the control in the call places to report suitable errors depending on the requested unit. In practice, underflows are almost never returned as the parsing function takes care of rounding values up, so this might possibly happen on 64-bit overflows returning exactly zero after rounding though. It is not really possible to cut the patch into pieces as it changes the function's API, hence all callers. Tests were run on about every relevant part (cookie maxlife/maxidle, server inter, stats timeout, timeout*, cli's set timeout command, tcp-request/response inspect-delay).
2019-06-07 13:00:37 -04:00
else if (res) {
ha_alert("parsing [%s:%d]: unexpected character '%c' in argument to <%s %s>.\n",
file, linenum, *res, args[0], args[1]);
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
curmailers->timeout.mail = timeout_mail;
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : '%s' expects 'mail' and <time> as arguments got '%s'.\n",
MINOR: mailers: make it possible to configure the connection timeout This patch introduces a configurable connection timeout for mailers with a new "timeout mail <time>" directive. Acked-by: Simon Horman <horms@verge.net.au>
2016-02-13 09:33:40 -05:00
file, linenum, args[0], args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
else if (*args[0] != 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : unknown keyword '%s' in '%s' section\n", file, linenum, args[0], cursection);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
out:
free(errmsg);
return err_code;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
int
cfg_parse_netns(const char *file, int linenum, char **args, int kwm)
{
CLEANUP: build: rename some build macros to use the USE_* ones We still have quite a number of build macros which are mapped 1:1 to a USE_something setting in the makefile but which have a different name. This patch cleans this up by renaming them to use the USE_something one, allowing to clean up the makefile and make it more obvious when reading the code what build option needs to be added. The following renames were done : ENABLE_POLL -> USE_POLL ENABLE_EPOLL -> USE_EPOLL ENABLE_KQUEUE -> USE_KQUEUE ENABLE_EVPORTS -> USE_EVPORTS TPROXY -> USE_TPROXY NETFILTER -> USE_NETFILTER NEED_CRYPT_H -> USE_CRYPT_H CONFIG_HAP_CRYPT -> USE_LIBCRYPT CONFIG_HAP_NS -> DUSE_NS CONFIG_HAP_LINUX_SPLICE -> USE_LINUX_SPLICE CONFIG_HAP_LINUX_TPROXY -> USE_LINUX_TPROXY CONFIG_HAP_LINUX_VSYSCALL -> USE_LINUX_VSYSCALL
2019-05-22 13:24:06 -04:00
#ifdef USE_NS
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
const char *err;
const char *item = args[0];
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(item, "namespace_list") == 0) {
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
return 0;
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(item, "namespace") == 0) {
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
size_t idx = 1;
const char *current;
while (*(current = args[idx++])) {
err = invalid_char(current);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: character '%c' is not permitted in '%s' name '%s'.\n",
file, linenum, *err, item, current);
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
return ERR_ALERT | ERR_FATAL;
}
if (netns_store_lookup(current, strlen(current))) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: Namespace '%s' is already added.\n",
file, linenum, current);
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
return ERR_ALERT | ERR_FATAL;
}
if (!netns_store_insert(current)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: Cannot open namespace '%s'.\n",
file, linenum, current);
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
return ERR_ALERT | ERR_FATAL;
}
}
}
return 0;
#else
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: namespace support is not compiled in.",
file, linenum);
MAJOR: namespace: add Linux network namespace support This patch makes it possible to create binds and servers in separate namespaces. This can be used to proxy between multiple completely independent virtual networks (with possibly overlapping IP addresses) and a non-namespace-aware proxy implementation that supports the proxy protocol (v2). The setup is something like this: net1 on VLAN 1 (namespace 1) -\ net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0) net3 on VLAN 3 (namespace 3) -/ The proxy is configured to make server connections through haproxy and sending the expected source/target addresses to haproxy using the proxy protocol. The network namespace setup on the haproxy node is something like this: = 8< = $ cat setup.sh ip netns add 1 ip link add link eth1 type vlan id 1 ip link set eth1.1 netns 1 ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1 ip netns exec 1 ip link set eth1.$id up ... = 8< = = 8< = $ cat haproxy.cfg frontend clients bind 127.0.0.1:50022 namespace 1 transparent default_backend scb backend server mode tcp server server1 192.168.122.4:2222 namespace 2 send-proxy-v2 = 8< = A bind line creates the listener in the specified namespace, and connections originating from that listener also have their network namespace set to that of the listener. A server line either forces the connection to be made in a specified namespace or may use the namespace from the client-side connection if that was set. For more documentation please read the documentation included in the patch itself. Signed-off-by: KOVACS Tamas <ktamas@balabit.com> Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-17 09:11:45 -05:00
return ERR_ALERT | ERR_FATAL;
#endif
}
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
int
cfg_parse_users(const char *file, int linenum, char **args, int kwm)
{
int err_code = 0;
const char *err;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[0], "userlist") == 0) { /* new userlist */
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
struct userlist *newul;
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: '%s' expects <name> as arguments.\n",
file, linenum, args[0]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
MEDIUM: cfgparse: check section maximum number of arguments This patch checks the number of arguments of the keywords: 'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and 'userlist' The 'global' section does not take any arguments. Proxy sections does not support bind address as argument anymore. Those sections supports only an <id> argument. The 'defaults' section didn't had any check on its arguments. It takes an optional <name> argument. 'peers' section takes a <peersect> argument. 'userlist' section takes a <listname> argument.
2015-04-28 10:55:23 -04:00
if (alertif_too_many_args(1, file, linenum, args, &err_code))
goto out;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err = invalid_char(args[1]);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: character '%c' is not permitted in '%s' name '%s'.\n",
file, linenum, *err, args[0], args[1]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
for (newul = userlist; newul; newul = newul->next)
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(newul->name, args[1]) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d]: ignoring duplicated userlist '%s'.\n",
file, linenum, args[1]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_WARN;
goto out;
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
newul = calloc(1, sizeof(*newul));
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
if (!newul) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
newul->name = strdup(args[1]);
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
if (!newul->name) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
BUG/MINOR: cfgparse: couple of small memory leaks. During the config parse in some code paths, there is some forgotten pointers freeing, and as often, during errors handlings.
2016-04-08 05:35:26 -04:00
free(newul);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
goto out;
}
newul->next = userlist;
userlist = newul;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
} else if (strcmp(args[0], "group") == 0) { /* new group */
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
int cur_arg;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
const char *err;
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
struct auth_groups *ag;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: '%s' expects <name> as arguments.\n",
file, linenum, args[0]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
err = invalid_char(args[1]);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: character '%c' is not permitted in '%s' name '%s'.\n",
file, linenum, *err, args[0], args[1]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
BUG/MEDIUM: cfgparse: segfault when userlist is misused If the 'userlist' keyword parsing returns an error and no userlist were previously created. The parsing of 'user' and 'group' leads to NULL derefence. The userlist pointer is now tested to prevent this issue.
2015-05-28 12:03:51 -04:00
if (!userlist)
goto out;
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
for (ag = userlist->groups; ag; ag = ag->next)
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(ag->name, args[1]) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d]: ignoring duplicated group '%s' in userlist '%s'.\n",
file, linenum, args[1], userlist->name);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT;
goto out;
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
ag = calloc(1, sizeof(*ag));
if (!ag) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
ag->name = strdup(args[1]);
MINOR: cfgparse: few memory leaks fixes. Some minor memory leak during the config parsing.
2016-08-22 18:27:42 -04:00
if (!ag->name) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
MINOR: cfgparse: few memory leaks fixes. Some minor memory leak during the config parsing.
2016-08-22 18:27:42 -04:00
free(ag);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
goto out;
}
cur_arg = 2;
while (*args[cur_arg]) {
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[cur_arg], "users") == 0) {
BUG/MINOR: config/userlist: Support one 'users' option for 'group' directive When a group is defined in a userlist section, only one 'users' option is expected. But it was not tested. Thus it was possible to set several options leading to a memory leak. It is now tested, and it is not allowed to redefine the users option. It was reported by Coverity in #2841: CID 1587771. This patch could be backported to all stable versions.
2025-02-06 10:21:20 -05:00
if (ag->groupusers) {
ha_alert("parsing [%s:%d]: 'users' option already defined in '%s' name '%s'.\n",
file, linenum, args[0], args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
free(ag->groupusers);
free(ag->name);
free(ag);
goto out;
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
ag->groupusers = strdup(args[cur_arg + 1]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
cur_arg += 2;
continue;
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: '%s' only supports 'users' option.\n",
file, linenum, args[0]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
MINOR: cfgparse: few memory leaks fixes. Some minor memory leak during the config parsing.
2016-08-22 18:27:42 -04:00
free(ag->groupusers);
free(ag->name);
free(ag);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
goto out;
}
}
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
ag->next = userlist->groups;
userlist->groups = ag;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
} else if (strcmp(args[0], "user") == 0) { /* new user */
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
struct auth_users *newuser;
int cur_arg;
if (!*args[1]) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: '%s' expects <name> as arguments.\n",
file, linenum, args[0]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
BUG/MEDIUM: cfgparse: segfault when userlist is misused If the 'userlist' keyword parsing returns an error and no userlist were previously created. The parsing of 'user' and 'group' leads to NULL derefence. The userlist pointer is now tested to prevent this issue.
2015-05-28 12:03:51 -04:00
if (!userlist)
goto out;
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
for (newuser = userlist->users; newuser; newuser = newuser->next)
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(newuser->user, args[1]) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d]: ignoring duplicated user '%s' in userlist '%s'.\n",
file, linenum, args[1], userlist->name);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT;
goto out;
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
newuser = calloc(1, sizeof(*newuser));
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
if (!newuser) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
newuser->user = strdup(args[1]);
newuser->next = userlist->users;
userlist->users = newuser;
cur_arg = 2;
while (*args[cur_arg]) {
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[cur_arg], "password") == 0) {
CLEANUP: build: rename some build macros to use the USE_* ones We still have quite a number of build macros which are mapped 1:1 to a USE_something setting in the makefile but which have a different name. This patch cleans this up by renaming them to use the USE_something one, allowing to clean up the makefile and make it more obvious when reading the code what build option needs to be added. The following renames were done : ENABLE_POLL -> USE_POLL ENABLE_EPOLL -> USE_EPOLL ENABLE_KQUEUE -> USE_KQUEUE ENABLE_EVPORTS -> USE_EVPORTS TPROXY -> USE_TPROXY NETFILTER -> USE_NETFILTER NEED_CRYPT_H -> USE_CRYPT_H CONFIG_HAP_CRYPT -> USE_LIBCRYPT CONFIG_HAP_NS -> DUSE_NS CONFIG_HAP_LINUX_SPLICE -> USE_LINUX_SPLICE CONFIG_HAP_LINUX_TPROXY -> USE_LINUX_TPROXY CONFIG_HAP_LINUX_VSYSCALL -> USE_LINUX_VSYSCALL
2019-05-22 13:24:06 -04:00
#ifdef USE_LIBCRYPT
BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2014-08-29 14:20:02 -04:00
if (!crypt("", args[cur_arg + 1])) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: the encrypted password used for user '%s' is not supported by crypt(3).\n",
file, linenum, newuser->user);
BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2014-08-29 14:20:02 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
#else
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("parsing [%s:%d]: no crypt(3) support compiled, encrypted passwords will not work.\n",
file, linenum);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT;
#endif
newuser->pass = strdup(args[cur_arg + 1]);
cur_arg += 2;
continue;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
} else if (strcmp(args[cur_arg], "insecure-password") == 0) {
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
newuser->pass = strdup(args[cur_arg + 1]);
newuser->flags |= AU_O_INSECURE;
cur_arg += 2;
continue;
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
} else if (strcmp(args[cur_arg], "groups") == 0) {
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
newuser->u.groups_names = strdup(args[cur_arg + 1]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
cur_arg += 2;
continue;
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: '%s' only supports 'password', 'insecure-password' and 'groups' options.\n",
file, linenum, args[0]);
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: unknown keyword '%s' in '%s' section\n", file, linenum, args[0], "users");
[MINOR] generic auth support with groups and encrypted passwords Add generic authentication & authorization support. Groups are implemented as bitmaps so the count is limited to sizeof(int)*8 == 32. Encrypted passwords are supported with libcrypt and crypt(3), so it is possible to use any method supported by your system. For example modern Linux/glibc instalations support MD5/SHA-256/SHA-512 and of course classic, DES-based encryption.
2010-01-29 11:50:44 -05:00
err_code |= ERR_ALERT | ERR_FATAL;
}
out:
return err_code;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
int
cfg_parse_scope(const char *file, int linenum, char *line)
{
char *beg, *end, *scope = NULL;
int err_code = 0;
const char *err;
beg = line + 1;
end = strchr(beg, ']');
/* Detect end of scope declaration */
if (!end || end == beg) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : empty scope name is forbidden.\n",
file, linenum);
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
/* Get scope name and check its validity */
scope = my_strndup(beg, end-beg);
err = invalid_char(scope);
if (err) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : character '%c' is not permitted in a scope name.\n",
file, linenum, *err);
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
/* Be sure to have a scope declaration alone on its line */
line = end+1;
while (isspace((unsigned char)*line))
line++;
if (*line && *line != '#' && *line != '\n' && *line != '\r') {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d] : character '%c' is not permitted after scope declaration.\n",
file, linenum, *line);
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
/* We have a valid scope declaration, save it */
free(cfg_scope);
cfg_scope = scope;
scope = NULL;
out:
free(scope);
return err_code;
}
MINOR: config: Enable tracking of up to MAX_SESS_STKCTR stick counters. This patch really adds support for up to MAX_SESS_STKCTR stick counters.
2018-01-29 06:05:07 -05:00
int
cfg_parse_track_sc_num(unsigned int *track_sc_num,
const char *arg, const char *end, char **errmsg)
{
const char *p;
unsigned int num;
p = arg;
num = read_uint64(&arg, end);
if (arg != end) {
memprintf(errmsg, "Wrong track-sc number '%s'", p);
return -1;
}
MEDIUM: stick-table: set the track-sc limit at boottime via tune.stick-counters The number of stick-counter entries usable by track-sc rules is currently set at build time. There is no good value for this since the vast majority of users don't need any, most need only a few and rare users need more. Adding more counters for everyone increases memory and CPU usages for no reason. This patch moves the per-session and per-stream arrays to a pool of a size defined at boot time. This way it becomes possible to set the number of entries at boot time via a new global setting "tune.stick-counters" that sets the limit for the whole process. When not set, the MAX_SESS_STR_CTR value still applies, or 3 if not set, as before. It is also possible to lower the value to 0 to save a bit of memory if not used at all. Note that a few low-level sample-fetch functions had to be protected due to the ability to use sample-fetches in the global section to set some variables.
2023-01-06 10:09:58 -05:00
if (num >= global.tune.nb_stk_ctr) {
if (!global.tune.nb_stk_ctr)
memprintf(errmsg, "%u track-sc number not usable, stick-counters "
"are disabled by tune.stick-counters", num);
else
memprintf(errmsg, "%u track-sc number exceeding "
"%d (tune.stick-counters-1) value", num, global.tune.nb_stk_ctr - 1);
MINOR: config: Enable tracking of up to MAX_SESS_STKCTR stick counters. This patch really adds support for up to MAX_SESS_STKCTR stick counters.
2018-01-29 06:05:07 -05:00
return -1;
}
*track_sc_num = num;
return 0;
}
MINOR: config: diag if global section after non-global Detect if a global section is present after another section and reports a diagnostic about it.
2021-03-31 05:43:47 -04:00
/*
* Detect a global section after a non-global one and output a diagnostic
* warning.
*/
MINOR: cfgparse: Always check the section position In diag mode, the section position is checked and a warning is emitted if a global section is defined after any non-global one. Now, this check is always performed. But the warning is still only emitted in diag mode. In addition, the result of this check is now stored in a global variable, to be used from anywhere. The aim of this patch is to be able to restrict usage of some global directives to the very first global sections. It will be useful to avoid undefined behaviors. Indeed, some config parts may depend on global settings and it is a problem if these settings are changed after.
2022-11-18 09:46:06 -05:00
static void check_section_position(char *section_name, const char *file, int linenum)
MINOR: config: diag if global section after non-global Detect if a global section is present after another section and reports a diagnostic about it.
2021-03-31 05:43:47 -04:00
{
CLEANUP: Apply strcmp.cocci This fixes the use of the various *cmp functions to use != 0 or == 0.
2021-10-16 11:48:15 -04:00
if (strcmp(section_name, "global") == 0) {
MINOR: cfgparse: Always check the section position In diag mode, the section position is checked and a warning is emitted if a global section is defined after any non-global one. Now, this check is always performed. But the warning is still only emitted in diag mode. In addition, the result of this check is now stored in a global variable, to be used from anywhere. The aim of this patch is to be able to restrict usage of some global directives to the very first global sections. It will be useful to avoid undefined behaviors. Indeed, some config parts may depend on global settings and it is a problem if these settings are changed after.
2022-11-18 09:46:06 -05:00
if ((global.mode & MODE_DIAG) && non_global_section_parsed == 1)
MINOR: config: diag if global section after non-global Detect if a global section is present after another section and reports a diagnostic about it.
2021-03-31 05:43:47 -04:00
_ha_diag_warning("parsing [%s:%d] : global section detected after a non-global one, the prevalence of their statements is unspecified\n", file, linenum);
}
MINOR: cfgparse: Always check the section position In diag mode, the section position is checked and a warning is emitted if a global section is defined after any non-global one. Now, this check is always performed. But the warning is still only emitted in diag mode. In addition, the result of this check is now stored in a global variable, to be used from anywhere. The aim of this patch is to be able to restrict usage of some global directives to the very first global sections. It will be useful to avoid undefined behaviors. Indeed, some config parts may depend on global settings and it is a problem if these settings are changed after.
2022-11-18 09:46:06 -05:00
else if (non_global_section_parsed == 0) {
non_global_section_parsed = 1;
MINOR: config: diag if global section after non-global Detect if a global section is present after another section and reports a diagnostic about it.
2021-03-31 05:43:47 -04:00
}
}
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
/* apply the current default_path setting for config file <file>, and
* optionally replace the current path to <origin> if not NULL while the
* default-path mode is set to "origin". Errors are returned into an
* allocated string passed to <err> if it's not NULL. Returns 0 on failure
* or non-zero on success.
*/
static int cfg_apply_default_path(const char *file, const char *origin, char **err)
{
const char *beg, *end;
/* make path start at <beg> and end before <end>, and switch it to ""
* if no slash was passed.
*/
beg = file;
end = strrchr(beg, '/');
if (!end)
end = beg;
if (!*initial_cwd) {
if (getcwd(initial_cwd, sizeof(initial_cwd)) == NULL) {
if (err)
memprintf(err, "Impossible to retrieve startup directory name: %s", strerror(errno));
return 0;
}
}
else if (chdir(initial_cwd) == -1) {
if (err)
memprintf(err, "Impossible to get back to initial directory '%s': %s", initial_cwd, strerror(errno));
return 0;
}
/* OK now we're (back) to initial_cwd */
switch (default_path_mode) {
case DEFAULT_PATH_CURRENT:
/* current_cwd never set, nothing to do */
return 1;
case DEFAULT_PATH_ORIGIN:
/* current_cwd set in the config */
if (origin &&
snprintf(current_cwd, sizeof(current_cwd), "%s", origin) > sizeof(current_cwd)) {
if (err)
memprintf(err, "Absolute path too long: '%s'", origin);
return 0;
}
break;
case DEFAULT_PATH_CONFIG:
if (end - beg >= sizeof(current_cwd)) {
if (err)
memprintf(err, "Config file path too long, cannot use for relative paths: '%s'", file);
return 0;
}
memcpy(current_cwd, beg, end - beg);
current_cwd[end - beg] = 0;
break;
case DEFAULT_PATH_PARENT:
if (end - beg + 3 >= sizeof(current_cwd)) {
if (err)
memprintf(err, "Config file path too long, cannot use for relative paths: '%s'", file);
return 0;
}
memcpy(current_cwd, beg, end - beg);
if (end > beg)
memcpy(current_cwd + (end - beg), "/..\0", 4);
else
memcpy(current_cwd + (end - beg), "..\0", 3);
break;
}
if (*current_cwd && chdir(current_cwd) == -1) {
if (err)
memprintf(err, "Impossible to get back to directory '%s': %s", initial_cwd, strerror(errno));
return 0;
}
return 1;
}
/* parses a global "default-path" directive. */
static int cfg_parse_global_def_path(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int ret = -1;
/* "current", "config", "parent", "origin <path>" */
if (strcmp(args[1], "current") == 0)
default_path_mode = DEFAULT_PATH_CURRENT;
else if (strcmp(args[1], "config") == 0)
default_path_mode = DEFAULT_PATH_CONFIG;
else if (strcmp(args[1], "parent") == 0)
default_path_mode = DEFAULT_PATH_PARENT;
else if (strcmp(args[1], "origin") == 0)
default_path_mode = DEFAULT_PATH_ORIGIN;
else {
memprintf(err, "%s default-path mode '%s' for '%s', supported modes include 'current', 'config', 'parent', and 'origin'.", *args[1] ? "unsupported" : "missing", args[1], args[0]);
goto end;
}
if (default_path_mode == DEFAULT_PATH_ORIGIN) {
if (!*args[2]) {
memprintf(err, "'%s %s' expects a directory as an argument.", args[0], args[1]);
goto end;
}
if (!cfg_apply_default_path(file, args[2], err)) {
memprintf(err, "couldn't set '%s' to origin '%s': %s.", args[0], args[2], *err);
goto end;
}
}
else if (!cfg_apply_default_path(file, NULL, err)) {
memprintf(err, "couldn't set '%s' to '%s': %s.", args[0], args[1], *err);
goto end;
}
/* note that once applied, the path is immediately updated */
ret = 0;
end:
return ret;
}
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
/* append a copy of string <filename>, ptr to some allocated memory at the at
* the end of the list <li>.
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
* On failure : return 0 and <err> filled with an error message.
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
* The caller is responsible for freeing the <err> and <filename> copy
* memory area using free().
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
*/
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
int list_append_cfgfile(struct list *li, const char *filename, char **err)
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
{
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
struct cfgfile *entry = NULL;
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
entry = calloc(1, sizeof(*entry));
if (!entry) {
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
memprintf(err, "out of memory");
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
goto fail_entry;
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
}
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
entry->filename = strdup(filename);
if (!entry->filename) {
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
memprintf(err, "out of memory");
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
goto fail_entry_name;
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
}
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
LIST_APPEND(li, &entry->list);
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
return 1;
MINOR: startup: adapt list_append_word to use cfgfile list_append_word() helper was used before only to chain configuration file names in a list. As now we start to use cfgfile structure which represents entire file in memory and its metadata, let's adapt this helper to use this structure and let's rename it to list_append_cfgfile(). Adapt functions, which process configuration files and directories to use cfgfile structure and list_append_cfgfile() instead of wordlist.
2024-08-07 12:20:43 -04:00
fail_entry_name:
free(entry->filename);
fail_entry:
free(entry);
REORG: tools: move list_append_word to cfgparse Let's move list_append_word to cfgparse.c as it is used only to fill cfg_cfgfiles list with configuration file names.
2024-08-07 12:12:48 -04:00
return 0;
}
MINOR: cfgparse: add load_cfg_in_mem Add load_cfg_in_mem() helper, which allows to store the content of a given file in memory.
2024-08-05 04:03:39 -04:00
/* loads the content of the given file in memory. On success, returns the number
* of bytes successfully stored at *cfg_content until EOF. On error, emits
* alerts, performs needed clean-up routines and returns -1.
*/
ssize_t load_cfg_in_mem(char *filename, char **cfg_content)
{
size_t bytes_to_read = LINESIZE;
size_t chunk_size = 0;
size_t read_bytes = 0;
MINOR: cfgparse: load_cfg_in_mem: take in account file size Let's take in account the given file size, when its reported via stat. It's very convenient for large configuration files, as this allows to perform only the one memory allocation call for precisely needeed file size. This also allows to perform only the one call to fread(). We need to provide to fread() file_stat.st_size + 1 to be able to grab EOF. Like this it sets feof(f)=1 flag and this allows to exit from the loop immediately, just after fread call. If /dev/stdin or /dev/null is provided as a file, we continue to read the configuration chunk by chunk, stat doesn't report the size.
2024-08-07 10:31:25 -04:00
struct stat file_stat;
MINOR: cfgparse: add load_cfg_in_mem Add load_cfg_in_mem() helper, which allows to store the content of a given file in memory.
2024-08-05 04:03:39 -04:00
char *new_area;
size_t ret = 0;
FILE *f;
MINOR: cfgparse: load_cfg_in_mem: take in account file size Let's take in account the given file size, when its reported via stat. It's very convenient for large configuration files, as this allows to perform only the one memory allocation call for precisely needeed file size. This also allows to perform only the one call to fread(). We need to provide to fread() file_stat.st_size + 1 to be able to grab EOF. Like this it sets feof(f)=1 flag and this allows to exit from the loop immediately, just after fread call. If /dev/stdin or /dev/null is provided as a file, we continue to read the configuration chunk by chunk, stat doesn't report the size.
2024-08-07 10:31:25 -04:00
/* let's try to obtain the size, if regular file */
if (stat(filename, &file_stat) != 0) {
ha_alert("stat() failed for configuration file %s : %s\n",
filename, strerror(errno));
return -1;
}
MINOR: cfgparse: load_cfg_in_mem: fix null ptr dereference reported by coverity This helps to optimize a bit load_cfg_in_mem() and fixes the potential null ptr dereference in fread() call. If (read_bytes + bytes_to_read) equals to initial chunk_size (zero), realloc is never called, *cfg_content keeps its NULL value. So, let's assure that initial number of bytes to read (read_bytes + bytes_to_read) is stricly positive, when we enter into loop at the first time.
2024-08-08 10:34:54 -04:00
if (file_stat.st_size > chunk_size)
bytes_to_read = file_stat.st_size;
MINOR: cfgparse: load_cfg_in_mem: take in account file size Let's take in account the given file size, when its reported via stat. It's very convenient for large configuration files, as this allows to perform only the one memory allocation call for precisely needeed file size. This also allows to perform only the one call to fread(). We need to provide to fread() file_stat.st_size + 1 to be able to grab EOF. Like this it sets feof(f)=1 flag and this allows to exit from the loop immediately, just after fread call. If /dev/stdin or /dev/null is provided as a file, we continue to read the configuration chunk by chunk, stat doesn't report the size.
2024-08-07 10:31:25 -04:00
MINOR: cfgparse: add load_cfg_in_mem Add load_cfg_in_mem() helper, which allows to store the content of a given file in memory.
2024-08-05 04:03:39 -04:00
if ((f = fopen(filename,"r")) == NULL) {
ha_alert("Could not open configuration file %s : %s\n",
filename, strerror(errno));
return -1;
}
*cfg_content = NULL;
while (1) {
MINOR: cfgparse: limit file size loaded via /dev/stdin load_cfg_in_mem() can continuously reallocate memory in order to load an extremely large input from /dev/stdin, until it fails with ENOMEM, which means that process has consumed all available RAM. In case of containers and virtualized environments it's not very good. So, in order to prevent this, let's introduce MAX_CFG_SIZE as 10MB, which will limit the size of input supplied via /dev/stdin.
2024-08-20 04:04:03 -04:00
if (!file_stat.st_size && ((read_bytes + bytes_to_read) > MAX_CFG_SIZE)) {
ha_alert("Loading %s: input is too large %ldMB, limited to %dMB. Exiting.\n",
filename, (long)(read_bytes + bytes_to_read)/(1024*1024),
MAX_CFG_SIZE/(1024*1024));
goto free_mem;
}
MINOR: cfgparse: add load_cfg_in_mem Add load_cfg_in_mem() helper, which allows to store the content of a given file in memory.
2024-08-05 04:03:39 -04:00
if (read_bytes + bytes_to_read > chunk_size) {
chunk_size = (read_bytes + bytes_to_read) * 2;
new_area = realloc(*cfg_content, chunk_size);
if (new_area == NULL) {
ha_alert("Loading %s: file too long, cannot allocate memory.\n",
filename);
goto free_mem;
}
*cfg_content = new_area;
}
bytes_to_read = chunk_size - read_bytes;
ret = fread(*cfg_content + read_bytes, sizeof(char), bytes_to_read, f);
read_bytes += ret;
if (!ret || feof(f) || ferror(f))
break;
}
fclose(f);
return read_bytes;
free_mem:
ha_free(cfg_content);
fclose(f);
return -1;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
MEDIUM: startup: load and parse configs from memory Let's call load_cfg_in_ram() helper for each configuration file to load it's content in some area in memory. Adapt readcfgfile() parser function respectively. In order to limit changes in its scope we give as an argument a cfgfile structure, already filled in init_args() and in load_cfg_in_ram() with file metadata and content. Parser function (readcfgfile()) uses now fgets_from_mem() instead of standard fgets from libc implementations. SPOE filter parses its own configuration file, pointed by 'config' keyword in the configuration already loaded in memory. So, let's allocate and fill for this a supplementary cfgfile structure, which is not referenced in cfg_cfgfiles list. This structure and the memory with content of SPOE filter configuration are freed immediately in parse_spoe_flt(), when readcfgfile() returns. HAProxy OpenTracing filter also uses its own configuration file. So, let's follow the same logic as we do for SPOE filter.
2024-08-07 10:53:50 -04:00
* This function parses the configuration file given in the argument.
* Returns the error code, 0 if OK, -1 if we are run out of memory,
CLEANUP: cfgparse: de-uglify early file error handling in readcfgfile() In readcfgfile() when malloc() fails to allocate a buffer for the config line, it currently says "parsing[<file>]: out of memory" while the error is unrelated to the config file and may make one think it has to do with the file's size. The second test (fopen() returning error) needs to release the previously allocated line. Both directly return -1 which is not even documented as a valid error code for the function. Let's simply make sure that the few variables freed at the end are properly preset, and jump there upon error, after having displayed a meaningful error message. Now at least we can get this: $ ./haproxy -f /dev/kmem [NOTICE] 116/191904 (23233) : haproxy version is 2.4-dev17-c3808c-13 [NOTICE] 116/191904 (23233) : path to executable is ./haproxy [ALERT] 116/191904 (23233) : Could not open configuration file /dev/kmem : Permission denied
2021-04-27 12:30:28 -04:00
* or any combination of :
[MINOR] config: improve error reporting in global section Try not to immediately exit on non-fatal errors while parsing the global section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument. Some other errors such as unresolved server names also don't make the parser exit too early.
2009-07-20 03:30:05 -04:00
* - ERR_ABORT: must abort ASAP
* - ERR_FATAL: we can continue parsing but not start the service
* - ERR_WARN: a warning has been emitted
* - ERR_ALERT: an alert has been emitted
* Only the two first ones can stop processing, the two others are just
* indicators.
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
*/
MINOR: startup: rename readcfgfile in parse_cfg As readcfgfile no longer opens configuration files and reads them with fgets, but performs only the parsing of provided data, let's rename it to parse_cfg by analogy with read_cfg in haproxy.c.
2024-08-05 04:04:03 -04:00
int parse_cfg(const struct cfgfile *cfg)
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
{
CLEANUP: cfgparse: de-uglify early file error handling in readcfgfile() In readcfgfile() when malloc() fails to allocate a buffer for the config line, it currently says "parsing[<file>]: out of memory" while the error is unrelated to the config file and may make one think it has to do with the file's size. The second test (fopen() returning error) needs to release the previously allocated line. Both directly return -1 which is not even documented as a valid error code for the function. Let's simply make sure that the few variables freed at the end are properly preset, and jump there upon error, after having displayed a meaningful error message. Now at least we can get this: $ ./haproxy -f /dev/kmem [NOTICE] 116/191904 (23233) : haproxy version is 2.4-dev17-c3808c-13 [NOTICE] 116/191904 (23233) : path to executable is ./haproxy [ALERT] 116/191904 (23233) : Could not open configuration file /dev/kmem : Permission denied
2021-04-27 12:30:28 -04:00
char *thisline = NULL;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
int linesize = LINESIZE;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
int linenum = 0;
[MINOR] config: improve error reporting in global section Try not to immediately exit on non-fatal errors while parsing the global section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument. Some other errors such as unresolved server names also don't make the parser exit too early.
2009-07-20 03:30:05 -04:00
int err_code = 0;
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
struct cfg_section *cs = NULL, *pcs = NULL;
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
struct cfg_section *ics;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
int readbytes = 0;
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
char *outline = NULL;
size_t outlen = 0;
size_t outlinesize = 0;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
int fatal = 0;
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
int missing_lf = -1;
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
int nested_cond_lvl = 0;
enum nested_cond_state nested_conds[MAXNESTEDCONDS];
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
char *errmsg = NULL;
MEDIUM: startup: load and parse configs from memory Let's call load_cfg_in_ram() helper for each configuration file to load it's content in some area in memory. Adapt readcfgfile() parser function respectively. In order to limit changes in its scope we give as an argument a cfgfile structure, already filled in init_args() and in load_cfg_in_ram() with file metadata and content. Parser function (readcfgfile()) uses now fgets_from_mem() instead of standard fgets from libc implementations. SPOE filter parses its own configuration file, pointed by 'config' keyword in the configuration already loaded in memory. So, let's allocate and fill for this a supplementary cfgfile structure, which is not referenced in cfg_cfgfiles list. This structure and the memory with content of SPOE filter configuration are freed immediately in parse_spoe_flt(), when readcfgfile() returns. HAProxy OpenTracing filter also uses its own configuration file. So, let's follow the same logic as we do for SPOE filter.
2024-08-07 10:53:50 -04:00
const char *cur_position = cfg->content;
char *file = cfg->filename;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
MINOR: config: keep up-to-date current file/line/section in the global struct Let's add a few fields to the global struct to store information about the current file being processed, the current line number and the current section. This will be used to retrieve them using special variables.
2021-05-06 04:04:45 -04:00
global.cfg_curr_line = 0;
global.cfg_curr_file = file;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) {
CLEANUP: cfgparse: de-uglify early file error handling in readcfgfile() In readcfgfile() when malloc() fails to allocate a buffer for the config line, it currently says "parsing[<file>]: out of memory" while the error is unrelated to the config file and may make one think it has to do with the file's size. The second test (fopen() returning error) needs to release the previously allocated line. Both directly return -1 which is not even documented as a valid error code for the function. Let's simply make sure that the few variables freed at the end are properly preset, and jump there upon error, after having displayed a meaningful error message. Now at least we can get this: $ ./haproxy -f /dev/kmem [NOTICE] 116/191904 (23233) : haproxy version is 2.4-dev17-c3808c-13 [NOTICE] 116/191904 (23233) : path to executable is ./haproxy [ALERT] 116/191904 (23233) : Could not open configuration file /dev/kmem : Permission denied
2021-04-27 12:30:28 -04:00
ha_alert("Out of memory trying to allocate a buffer for a configuration line.\n");
err_code = -1;
goto err;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
}
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
/* change to the new dir if required */
if (!cfg_apply_default_path(file, NULL, &errmsg)) {
ha_alert("parsing [%s:%d]: failed to apply default-path: %s.\n", file, linenum, errmsg);
free(errmsg);
err_code = -1;
goto err;
}
MEDIUM: cfgparse: expand environment variables Environment variables were expandables only in adresses. Now there are expandables everywhere in the configuration file within double quotes. This patch breaks compatibility with the previous behavior of environment variables in adresses, you must enclose adresses with double quotes to make it work.
2015-05-12 08:27:13 -04:00
next_line:
MEDIUM: startup: load and parse configs from memory Let's call load_cfg_in_ram() helper for each configuration file to load it's content in some area in memory. Adapt readcfgfile() parser function respectively. In order to limit changes in its scope we give as an argument a cfgfile structure, already filled in init_args() and in load_cfg_in_ram() with file metadata and content. Parser function (readcfgfile()) uses now fgets_from_mem() instead of standard fgets from libc implementations. SPOE filter parses its own configuration file, pointed by 'config' keyword in the configuration already loaded in memory. So, let's allocate and fill for this a supplementary cfgfile structure, which is not referenced in cfg_cfgfiles list. This structure and the memory with content of SPOE filter configuration are freed immediately in parse_spoe_flt(), when readcfgfile() returns. HAProxy OpenTracing filter also uses its own configuration file. So, let's follow the same logic as we do for SPOE filter.
2024-08-07 10:53:50 -04:00
while (fgets_from_mem(thisline + readbytes, linesize - readbytes,
&cur_position, cfg->content + cfg->size)) {
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
int arg, kwm = KWM_STD;
[MEDIUM] Handle long lines properly Currently, there is a hidden line length limit in the haproxy, set to 256-1 chars. With large acls (for example many hdr(host) matches) it may be not enough and which is even worse, error message may be totally confusing as everything above this limit is treated as a next line: echo -ne "frontend aqq 1.2.3.4:80\nmode http\nacl e hdr(host) -i X X X X X X X www.xx.example.com stats\n"| sed s/X/www.some-host-name.example.com/g > ha.cfg && haproxy -c -f ./ha.cfg [WARNING] 300/163906 (11342) : parsing [./ha.cfg:4] : 'stats' ignored because frontend 'aqq' has no backend capability. Recently I hit simmilar problem and it took me a while to find why requests for "stats" are not handled properly. This patch: - makes the limit configurable (LINESIZE) - increases default line length limit from 256 to 2048 - increases MAX_LINE_ARGS from 40 to 64 - fixes hidden assignment in fgets() - moves arg/end/args/line inside the loop, making code auditing easier - adds a check that shows error if the limit is reached - changes "*line++ = 0;" to "*line++ = '\0';" (cosmetics) With this patch, when LINESIZE is defined to 256, above example produces: [ALERT] 300/164724 (27364) : parsing [/tmp/ha.cfg:3]: line too long, limit: 255. [ALERT] 300/164724 (27364) : Error reading configuration file : /tmp/ha.cfg
2007-10-31 19:33:12 -04:00
char *end;
char *args[MAX_LINE_ARGS + 1];
char *line = thisline;
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
if (missing_lf != -1) {
MEDIUM: cfgparse: Emit hard error on truncated lines As announced within the emitted log message this is going to become a hard error in 2.3. It's 2.3 time now, let's do this. see 2fd5bdb439da29f15381aeb57c51327ba57674fc
2020-08-18 16:00:04 -04:00
ha_alert("parsing [%s:%d]: Stray NUL character at position %d.\n",
file, linenum, (missing_lf + 1));
err_code |= ERR_ALERT | ERR_FATAL;
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
missing_lf = -1;
MEDIUM: cfgparse: Emit hard error on truncated lines As announced within the emitted log message this is going to become a hard error in 2.3. It's 2.3 time now, let's do this. see 2fd5bdb439da29f15381aeb57c51327ba57674fc
2020-08-18 16:00:04 -04:00
break;
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
linenum++;
MINOR: config: keep up-to-date current file/line/section in the global struct Let's add a few fields to the global struct to store information about the current file being processed, the current line number and the current section. This will be used to retrieve them using special variables.
2021-05-06 04:04:45 -04:00
global.cfg_curr_line = linenum;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
if (fatal >= 50) {
ha_alert("parsing [%s:%d]: too many fatal errors (%d), stopping now.\n", file, linenum, fatal);
break;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
end = line + strlen(line);
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
if (end-line == linesize-1 && *(end-1) != '\n') {
[MEDIUM] Handle long lines properly Currently, there is a hidden line length limit in the haproxy, set to 256-1 chars. With large acls (for example many hdr(host) matches) it may be not enough and which is even worse, error message may be totally confusing as everything above this limit is treated as a next line: echo -ne "frontend aqq 1.2.3.4:80\nmode http\nacl e hdr(host) -i X X X X X X X www.xx.example.com stats\n"| sed s/X/www.some-host-name.example.com/g > ha.cfg && haproxy -c -f ./ha.cfg [WARNING] 300/163906 (11342) : parsing [./ha.cfg:4] : 'stats' ignored because frontend 'aqq' has no backend capability. Recently I hit simmilar problem and it took me a while to find why requests for "stats" are not handled properly. This patch: - makes the limit configurable (LINESIZE) - increases default line length limit from 256 to 2048 - increases MAX_LINE_ARGS from 40 to 64 - fixes hidden assignment in fgets() - moves arg/end/args/line inside the loop, making code auditing easier - adds a check that shows error if the limit is reached - changes "*line++ = 0;" to "*line++ = '\0';" (cosmetics) With this patch, when LINESIZE is defined to 256, above example produces: [ALERT] 300/164724 (27364) : parsing [/tmp/ha.cfg:3]: line too long, limit: 255. [ALERT] 300/164724 (27364) : Error reading configuration file : /tmp/ha.cfg
2007-10-31 19:33:12 -04:00
/* Check if we reached the limit and the last char is not \n.
* Watch out for the last line without the terminating '\n'!
*/
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
char *newline;
int newlinesize = linesize * 2;
newline = realloc(thisline, sizeof(*thisline) * newlinesize);
if (newline == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
file, linenum);
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
BUG/MINOR: cfgparse: don't increment linenum on incomplete lines When fgets() returns an incomplete line we must not increment linenum otherwise line numbers become incorrect. This may happen when parsing files with extremely long lines which require a realloc(). The bug has been present since unbounded line length was supported, so the fix should be backported to older branches.
2020-06-25 03:37:54 -04:00
linenum--;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
continue;
}
readbytes = linesize - 1;
linesize = newlinesize;
thisline = newline;
BUG/MINOR: cfgparse: don't increment linenum on incomplete lines When fgets() returns an incomplete line we must not increment linenum otherwise line numbers become incorrect. This may happen when parsing files with extremely long lines which require a realloc(). The bug has been present since unbounded line length was supported, so the fix should be backported to older branches.
2020-06-25 03:37:54 -04:00
linenum--;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
continue;
[MEDIUM] Handle long lines properly Currently, there is a hidden line length limit in the haproxy, set to 256-1 chars. With large acls (for example many hdr(host) matches) it may be not enough and which is even worse, error message may be totally confusing as everything above this limit is treated as a next line: echo -ne "frontend aqq 1.2.3.4:80\nmode http\nacl e hdr(host) -i X X X X X X X www.xx.example.com stats\n"| sed s/X/www.some-host-name.example.com/g > ha.cfg && haproxy -c -f ./ha.cfg [WARNING] 300/163906 (11342) : parsing [./ha.cfg:4] : 'stats' ignored because frontend 'aqq' has no backend capability. Recently I hit simmilar problem and it took me a while to find why requests for "stats" are not handled properly. This patch: - makes the limit configurable (LINESIZE) - increases default line length limit from 256 to 2048 - increases MAX_LINE_ARGS from 40 to 64 - fixes hidden assignment in fgets() - moves arg/end/args/line inside the loop, making code auditing easier - adds a check that shows error if the limit is reached - changes "*line++ = 0;" to "*line++ = '\0';" (cosmetics) With this patch, when LINESIZE is defined to 256, above example produces: [ALERT] 300/164724 (27364) : parsing [/tmp/ha.cfg:3]: line too long, limit: 255. [ALERT] 300/164724 (27364) : Error reading configuration file : /tmp/ha.cfg
2007-10-31 19:33:12 -04:00
}
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
readbytes = 0;
BUG/MINOR: cfgparse: correctly deal with empty lines Issue 23653 in oss-fuzz reports a heap overflow bug which is in fact a bug introduced by commit 9e1758efb ("BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines") to address oss-fuzz issue 22689, which was only partially fixed by commit 70f58997f ("BUG/MINOR: cfgparse: Support configurations without newline at EOF"). Actually on an empty line, end == line so we cannot dereference end-1 to check for a trailing LF without first being sure that end is greater than line. No backport is needed, this is 2.2 only.
2020-06-26 11:24:54 -04:00
if (end > line && *(end-1) == '\n') {
BUG/MINOR: cfgparse: Support configurations without newline at EOF Fix parsing of configurations if the configuration file does not end with an LF. This patch fixes GitHub issue #704. It's a regression in 9e1758efbd68c8b1d27e17e2abe4444e110f3ebe which is 2.2 specific. No backport needed.
2020-06-22 16:57:44 -04:00
/* kill trailing LF */
*(end - 1) = 0;
}
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
else {
/* mark this line as truncated */
missing_lf = end - line;
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/* skip leading spaces */
[CLEANUP] shut warnings 'is*' macros from ctype.h on solaris Solaris visibly uses an array for is*, which returns warnings about the use of signed chars as indexes. Good opportunity to put casts everywhere.
2007-06-17 15:51:38 -04:00
while (isspace((unsigned char)*line))
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
line++;
MEDIUM: cfgparse: introduce weak and strong quoting This patch introduces quoting which allows to write configuration string including spaces without escaping them. Strong (with single quotes) and weak (with double quotes) quoting are supported. Weak quoting supports escaping and special characters when strong quoting does not interpret anything. This patch could break configuration files where ' and " where used.
2015-05-05 11:37:14 -04:00
CLEANUP: Fix typos in the cfgparse subsystem Fix typos in the code comments of the cfgpase subsystem.
2018-11-15 17:04:19 -05:00
if (*line == '[') {/* This is the beginning if a scope */
MINOR: cfgparse: Parse scope lines and save the last one parsed A scope is a section name between square bracket, alone on its line, ie: [scope-name] ... The spaces at the beginning and at the end of the line are skipped. Comments at the end of the line are also skipped. When a scope is parsed, its name is saved in the global variable cfg_scope. Initially, cfg_scope is NULL and it remains NULL until a valid scope line is parsed. This feature remains unused in the HAProxy configuration file and undocumented. However, it will be used during SPOE configuration parsing.
2016-11-04 17:36:15 -04:00
err_code |= cfg_parse_scope(file, linenum, line);
goto next_line;
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
while (1) {
uint32_t err;
BUG/MINOR: cfgparse: consider the special case of empty arg caused by \x00 The reporting of the empty arg location added with commit 08d3caf30 ("MINOR: cfgparse: visually show the input line on empty args") falls victim of a special case detected by OSS Fuzz: https://issues.oss-fuzz.com/issues/415850462 In short, making an argument start with "\x00" doesn't make it empty for the parser, but still emits an empty string which is detected and displayed. Unfortunately in this case the error pointer is not set so the sanitization function crashes. What we're doing in this case is that we fall back to the position of the output argument as an estimate of where it was located in the input. It's clearly inexact (quoting etc) but will still help the user locate the problem. No backport is needed unless the commit above is backported.
2025-05-09 03:55:39 -04:00
const char *errptr = NULL;
MEDIUM: config: warn about the consequences of empty arguments on a config line For historical reasons, the config parser relies on the trailing '\0' to detect the end of the line being parsed. When the lines started to be tokenized into arguments, this principle has been preserved, and now all the parsers rely on *args[arg]='\0' to detect the end of a line. But as reported in issue #2944, while most of the time it breaks the parsing like below: http-request deny if { path_dir '' } it can also cause some elements to be silently ignored like below: acl bad_path path_sub '%2E' '' '%2F' This may also subtly happen with environment variables that don't exist or which are empty: acl bad_path path_sub '%2E' "$BAD_PATTERN" '%2F' Fortunately, parse_line() returns the number of arguments found, so it's easy from the callers to verify if any was empty. The goal of this commit is not to perform sensitive changes, it's only to mention when parsing a line that an empty argument was found and alert about its consequences using a warning. Most of the time when this happens, the config does not parse. But for examples as the ACLs above, there could be consequences that are better detected early. This patch depends on this previous fix: BUG/MINOR: tools: do not create an empty arg from trailing spaces Co-authored-by: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
2025-05-02 09:47:41 -04:00
int check_arg;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
CLEANUP: cfgparse: Remove duplication of `MAX_LINE_ARGS + 1` We can calculate the number of possible arguments based off the size of the `args` array. We should do so to prevent the two values from getting out of sync.
2021-06-05 18:50:20 -04:00
arg = sizeof(args) / sizeof(*args);
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
outlen = outlinesize;
err = parse_line(line, outline, &outlen, args, &arg,
PARSE_OPT_ENV | PARSE_OPT_DQUOTE | PARSE_OPT_SQUOTE |
MINOR: tools: support for word expansion of environment in parse_line Allow the syntax "${...[*]}" to expand an environment variable containing several values separated by spaces as individual arguments. A new flag PARSE_OPT_WORD_EXPAND has been added to toggle this feature on parse_line invocation. In case of an invalid syntax, a new error PARSE_ERR_WRONG_EXPAND will be triggered. This feature has been asked on the github issue #165.
2020-10-01 08:32:35 -04:00
PARSE_OPT_BKSLASH | PARSE_OPT_SHARP | PARSE_OPT_WORD_EXPAND,
&errptr);
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (err & PARSE_ERR_QUOTE) {
MINOR: cfgparse: sanitize the output a little bit With the rework of the config line parser, we've started to emit a dump of the initial line underlined by a caret character indicating the error location. But with extremely large lines it starts to take time and can even cause trouble to slow terminals (e.g. over ssh), and this becomes useless. In addition, control characters could be dumped as-is which is bad, especially when the input file is accidently wrong (an executable). This patch adds a string sanitization function which isolates an area around the error position in order to report only that area if the string is too large. The limit was set to 80 characters, which will result in roughly 40 chars around the error being reported only, prefixed and suffixed with "..." as needed. In addition, non-printable characters in the line are now replaced with '?' so as not to corrupt the terminal. This way invalid variable names, unmatched quotes etc will be easier to spot. A typical output is now: [ALERT] 176/092336 (23852) : parsing [bad.cfg:8]: forbidden first char in environment variable name at position 811957: ...c$PATH$PATH$d(xlc`%?$PATH$PATH$dgc?T$%$P?AH?$PATH$PATH$d(?$PATH$PATH$dgc?%... ^
2020-06-25 03:15:40 -04:00
size_t newpos = sanitize_for_printing(line, errptr - line, 80);
ha_alert("parsing [%s:%d]: unmatched quote at position %d:\n"
" %s\n %*s\n", file, linenum, (int)(errptr-thisline+1), line, (int)(newpos+1), "^");
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
goto next_line;
MEDIUM: cfgparse: introduce weak and strong quoting This patch introduces quoting which allows to write configuration string including spaces without escaping them. Strong (with single quotes) and weak (with double quotes) quoting are supported. Weak quoting supports escaping and special characters when strong quoting does not interpret anything. This patch could break configuration files where ' and " where used.
2015-05-05 11:37:14 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (err & PARSE_ERR_BRACE) {
MINOR: cfgparse: sanitize the output a little bit With the rework of the config line parser, we've started to emit a dump of the initial line underlined by a caret character indicating the error location. But with extremely large lines it starts to take time and can even cause trouble to slow terminals (e.g. over ssh), and this becomes useless. In addition, control characters could be dumped as-is which is bad, especially when the input file is accidently wrong (an executable). This patch adds a string sanitization function which isolates an area around the error position in order to report only that area if the string is too large. The limit was set to 80 characters, which will result in roughly 40 chars around the error being reported only, prefixed and suffixed with "..." as needed. In addition, non-printable characters in the line are now replaced with '?' so as not to corrupt the terminal. This way invalid variable names, unmatched quotes etc will be easier to spot. A typical output is now: [ALERT] 176/092336 (23852) : parsing [bad.cfg:8]: forbidden first char in environment variable name at position 811957: ...c$PATH$PATH$d(xlc`%?$PATH$PATH$dgc?T$%$P?AH?$PATH$PATH$d(?$PATH$PATH$dgc?%... ^
2020-06-25 03:15:40 -04:00
size_t newpos = sanitize_for_printing(line, errptr - line, 80);
ha_alert("parsing [%s:%d]: unmatched brace in environment variable name at position %d:\n"
" %s\n %*s\n", file, linenum, (int)(errptr-thisline+1), line, (int)(newpos+1), "^");
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
goto next_line;
MEDIUM: cfgparse: introduce weak and strong quoting This patch introduces quoting which allows to write configuration string including spaces without escaping them. Strong (with single quotes) and weak (with double quotes) quoting are supported. Weak quoting supports escaping and special characters when strong quoting does not interpret anything. This patch could break configuration files where ' and " where used.
2015-05-05 11:37:14 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (err & PARSE_ERR_VARNAME) {
MINOR: cfgparse: sanitize the output a little bit With the rework of the config line parser, we've started to emit a dump of the initial line underlined by a caret character indicating the error location. But with extremely large lines it starts to take time and can even cause trouble to slow terminals (e.g. over ssh), and this becomes useless. In addition, control characters could be dumped as-is which is bad, especially when the input file is accidently wrong (an executable). This patch adds a string sanitization function which isolates an area around the error position in order to report only that area if the string is too large. The limit was set to 80 characters, which will result in roughly 40 chars around the error being reported only, prefixed and suffixed with "..." as needed. In addition, non-printable characters in the line are now replaced with '?' so as not to corrupt the terminal. This way invalid variable names, unmatched quotes etc will be easier to spot. A typical output is now: [ALERT] 176/092336 (23852) : parsing [bad.cfg:8]: forbidden first char in environment variable name at position 811957: ...c$PATH$PATH$d(xlc`%?$PATH$PATH$dgc?T$%$P?AH?$PATH$PATH$d(?$PATH$PATH$dgc?%... ^
2020-06-25 03:15:40 -04:00
size_t newpos = sanitize_for_printing(line, errptr - line, 80);
ha_alert("parsing [%s:%d]: forbidden first char in environment variable name at position %d:\n"
" %s\n %*s\n", file, linenum, (int)(errptr-thisline+1), line, (int)(newpos+1), "^");
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
goto next_line;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (err & PARSE_ERR_HEX) {
MINOR: cfgparse: sanitize the output a little bit With the rework of the config line parser, we've started to emit a dump of the initial line underlined by a caret character indicating the error location. But with extremely large lines it starts to take time and can even cause trouble to slow terminals (e.g. over ssh), and this becomes useless. In addition, control characters could be dumped as-is which is bad, especially when the input file is accidently wrong (an executable). This patch adds a string sanitization function which isolates an area around the error position in order to report only that area if the string is too large. The limit was set to 80 characters, which will result in roughly 40 chars around the error being reported only, prefixed and suffixed with "..." as needed. In addition, non-printable characters in the line are now replaced with '?' so as not to corrupt the terminal. This way invalid variable names, unmatched quotes etc will be easier to spot. A typical output is now: [ALERT] 176/092336 (23852) : parsing [bad.cfg:8]: forbidden first char in environment variable name at position 811957: ...c$PATH$PATH$d(xlc`%?$PATH$PATH$dgc?T$%$P?AH?$PATH$PATH$d(?$PATH$PATH$dgc?%... ^
2020-06-25 03:15:40 -04:00
size_t newpos = sanitize_for_printing(line, errptr - line, 80);
ha_alert("parsing [%s:%d]: truncated or invalid hexadecimal sequence at position %d:\n"
" %s\n %*s\n", file, linenum, (int)(errptr-thisline+1), line, (int)(newpos+1), "^");
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MINOR: cfgparse: Add missing fatal++ in PARSE_ERR_HEX case This fixes up commit 32234e751320b60a3879f274d4a4753d7570e757. This patch should be backported whereever that commit is backported.
2020-06-16 12:14:21 -04:00
fatal++;
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
goto next_line;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
MINOR: tools: support for word expansion of environment in parse_line Allow the syntax "${...[*]}" to expand an environment variable containing several values separated by spaces as individual arguments. A new flag PARSE_OPT_WORD_EXPAND has been added to toggle this feature on parse_line invocation. In case of an invalid syntax, a new error PARSE_ERR_WRONG_EXPAND will be triggered. This feature has been asked on the github issue #165.
2020-10-01 08:32:35 -04:00
if (err & PARSE_ERR_WRONG_EXPAND) {
size_t newpos = sanitize_for_printing(line, errptr - line, 80);
ha_alert("parsing [%s:%d]: truncated or invalid word expansion sequence at position %d:\n"
" %s\n %*s\n", file, linenum, (int)(errptr-thisline+1), line, (int)(newpos+1), "^");
err_code |= ERR_ALERT | ERR_FATAL;
fatal++;
goto next_line;
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (err & (PARSE_ERR_TOOLARGE|PARSE_ERR_OVERLAP)) {
outlinesize = (outlen + 1023) & -1024;
CLEANUP: cfgparse: replace "realloc" with "my_realloc2" to fix to memory leak on error my_realloc2 frees variable in case of allocation failure. fixes #1030 realloc was introduced in 9e1758efbd68c8b1d27e17e2abe4444e110f3ebe this might be backported to 2.2, 2.3
2021-01-07 12:45:13 -05:00
outline = my_realloc2(outline, outlinesize);
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
if (outline == NULL) {
ha_alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
file, linenum);
BUG/MINOR: cfgparse: abort earlier in case of allocation error In issue #1563, Coverity reported a very interesting issue about a possible UAF in the config parser if the config file ends in with a very large line followed by an empty one and the large one causes an allocation failure. The issue essentially is that we try to go on with the next line in case of allocation error, while there's no point doing so. If we failed to allocate memory to read one config line, the same may happen on the next one, and blatantly dropping it while trying to parse what follows it. In the best case, subsequent errors will be incorrect due to this prior error (e.g. a large ACL definition with many patterns, followed by a reference of this ACL). Let's just immediately abort in such a condition where there's no recovery possible. This may be backported to all versions once the issue is confirmed to be addressed. Thanks to Ilya for the report.
2022-05-20 03:13:38 -04:00
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile() When the line parsing failed because outline buffer must be reallocated, if my_realloc2() call fails, the buffer size must be reset. Indeed, in this case the current line is skipped, a fatal error is reported and we jump to the next line. At this stage the outline buffer is NULL. If the buffer size is not reset, the next call to parse_line() crashes because we try to write in the buffer. We fail to detect the outline buffer is too small to copy any character. To fix the issue, outlinesize variable must be set to 0 when outline allocation failed. This patch should fix the issue #1563. It must be backported as far as 2.2.
2022-05-18 10:22:43 -04:00
outlinesize = 0;
BUG/MINOR: cfgparse: abort earlier in case of allocation error In issue #1563, Coverity reported a very interesting issue about a possible UAF in the config parser if the config file ends in with a very large line followed by an empty one and the large one causes an allocation failure. The issue essentially is that we try to go on with the next line in case of allocation error, while there's no point doing so. If we failed to allocate memory to read one config line, the same may happen on the next one, and blatantly dropping it while trying to parse what follows it. In the best case, subsequent errors will be incorrect due to this prior error (e.g. a large ACL definition with many patterns, followed by a reference of this ACL). Let's just immediately abort in such a condition where there's no recovery possible. This may be backported to all versions once the issue is confirmed to be addressed. Thanks to Ilya for the report.
2022-05-20 03:13:38 -04:00
goto err;
MEDIUM: cfgparse: expand environment variables Environment variables were expandables only in adresses. Now there are expandables everywhere in the configuration file within double quotes. This patch breaks compatibility with the previous behavior of environment variables in adresses, you must enclose adresses with double quotes to make it work.
2015-05-12 08:27:13 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
/* try again */
continue;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
BUG/MINOR: cfgparse: report extraneous args *after* the string is allocated The config parser change in commit 9e1758efb ("BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines") is wrong when displaying the last parsed word, because it doesn't verify that the output string was properly allocated. This may fail in two cases: - very first line (outline is NULL, as in oss-fuzz issue 23657) - much longer line than previous ones, requiring a realloc(), in which case the final 0 is out of the allocated space. This patch moves the reporting after the allocation check to fix this. No backport is needed, this is 2.2 only.
2020-06-25 01:41:22 -04:00
if (err & PARSE_ERR_TOOMANY) {
/* only check this *after* being sure the output is allocated */
ha_alert("parsing [%s:%d]: too many words, truncating after word %d, position %ld: <%s>.\n",
file, linenum, MAX_LINE_ARGS, (long)(args[MAX_LINE_ARGS-1] - outline + 1), args[MAX_LINE_ARGS-1]);
err_code |= ERR_ALERT | ERR_FATAL;
fatal++;
goto next_line;
}
BUG/MINOR: config: emit warning for empty args only in discovery mode Hide warning about empty argument outside of discovery mode. This is necessary, else the message will be displayed twice, which hampers haproxy output lisibility. This should fix github isue #2995. This should be backported up to 3.2.
2025-06-04 05:26:27 -04:00
if ((global.mode & MODE_DISCOVERY)) {
/* Only print empty arg warning in discovery mode to prevent double display. */
for (check_arg = 0; check_arg < arg; check_arg++) {
if (!*args[check_arg]) {
size_t newpos;
/* if an empty arg was found, its pointer should be in <errptr>, except
* for rare cases such as '\x00' etc. We need to check errptr in any case
* and if it's not set, we'll fall back to args's position in the output
* string instead (less accurate but still useful).
*/
if (!errptr) {
newpos = args[check_arg] - outline;
if (newpos >= strlen(line))
newpos = 0; // impossible to report anything, start at the beginning.
errptr = line + newpos;
}
/* sanitize input line in-place */
newpos = sanitize_for_printing(line, errptr - line, 80);
ha_warning("parsing [%s:%d]: argument number %d at position %d is empty and marks the end of the "
BUG/MINOR: config: fix arg number reported on empty arg warning If an empty argument is used in configuration, for example due to an undefined environment variable, the rest of the line is not parsed. As such, a warning is emitted to report this. The warning was not totally correct as it reported the wrong argument index. Fix this by this patch. Note that there is still an issue with the "^" indicator, but this is not as easy to fix yet. This is related to github issue #2995. This should be backported up to 3.2.
2025-06-04 09:36:13 -04:00
"argument list; all subsequent arguments will be ignored:\n %s\n %*s\n",
file, linenum, check_arg, (int)(errptr - thisline + 1), line, (int)(newpos + 1), "^");
BUG/MINOR: config: emit warning for empty args only in discovery mode Hide warning about empty argument outside of discovery mode. This is necessary, else the message will be displayed twice, which hampers haproxy output lisibility. This should fix github isue #2995. This should be backported up to 3.2.
2025-06-04 05:26:27 -04:00
break;
BUG/MINOR: cfgparse: improve the empty arg position report's robustness OSS Fuzz found that the previous fix ebb19fb367 ("BUG/MINOR: cfgparse: consider the special case of empty arg caused by \x00") was incomplete, as the output can sometimes be larger than the input (due to variables expansion) in which case the work around to try to report a bad arg will fail. While the parse_line() function has been made more robust now in order to avoid this condition, let's fix the handling of this special case anyway by just pointing to the beginning of the line if the supposed error location is out of the line's buffer. All details here: https://oss-fuzz.com/testcase-detail/5202563081502720 No backport is needed unless the fix above is backported.
2025-05-12 10:06:28 -04:00
}
MINOR: cfgparse: visually show the input line on empty args Now when an empty arg is found on a line, we emit the sanitized input line and the position of the first empty arg so as to help the user figure the cause (likely an empty environment variable). Co-authored-by: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
2025-05-05 10:13:33 -04:00
}
MEDIUM: config: warn about the consequences of empty arguments on a config line For historical reasons, the config parser relies on the trailing '\0' to detect the end of the line being parsed. When the lines started to be tokenized into arguments, this principle has been preserved, and now all the parsers rely on *args[arg]='\0' to detect the end of a line. But as reported in issue #2944, while most of the time it breaks the parsing like below: http-request deny if { path_dir '' } it can also cause some elements to be silently ignored like below: acl bad_path path_sub '%2E' '' '%2F' This may also subtly happen with environment variables that don't exist or which are empty: acl bad_path path_sub '%2E' "$BAD_PATTERN" '%2F' Fortunately, parse_line() returns the number of arguments found, so it's easy from the callers to verify if any was empty. The goal of this commit is not to perform sensitive changes, it's only to mention when parsing a line that an empty argument was found and alert about its consequences using a warning. Most of the time when this happens, the config does not parse. But for examples as the ACLs above, there could be consequences that are better detected early. This patch depends on this previous fix: BUG/MINOR: tools: do not create an empty arg from trailing spaces Co-authored-by: Valentine Krasnobaeva <vkrasnobaeva@haproxy.com>
2025-05-02 09:47:41 -04:00
}
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
/* everything's OK */
break;
MEDIUM: cfgparse: introduce weak and strong quoting This patch introduces quoting which allows to write configuration string including spaces without escaping them. Strong (with single quotes) and weak (with double quotes) quoting are supported. Weak quoting supports escaping and special characters when strong quoting does not interpret anything. This patch could break configuration files where ' and " where used.
2015-05-05 11:37:14 -04:00
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
/* dump cfg */
if (global.mode & MODE_DUMP_CFG) {
if (args[0] != NULL) {
struct cfg_section *sect;
int is_sect = 0;
int i = 0;
uint32_t g_key = HA_ATOMIC_LOAD(&global.anon_key);
MINOR: config: Add option line when the configuration file is dumped Add an option to dump the number lines of the configuration file when it's dumped. Other options can be easily added. Options are separated by ',' when tapping the command line: './haproxy -dC[key],line -f [file]' No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:34:04 -04:00
if (global.mode & MODE_DUMP_NB_L)
qfprintf(stdout, "%d\t", linenum);
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
/* if a word is in sections list, is_sect = 1 */
list_for_each_entry(sect, &sections, list) {
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
/* look for a section_name, but also a section_parser, because there might be
* only a post_section_parser */
if (strcmp(args[0], sect->section_name) == 0 &&
sect->section_parser) {
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
is_sect = 1;
break;
}
}
if (g_key == 0) {
/* no anonymizing needed, dump the config as-is (but without comments).
* Note: tabs were lost during tokenizing, so we reinsert for non-section
* keywords.
*/
if (!is_sect)
qfprintf(stdout, "\t");
for (i = 0; i < arg; i++) {
qfprintf(stdout, "%s ", args[i]);
}
qfprintf(stdout, "\n");
continue;
}
/* We're anonymizing */
if (is_sect) {
/* new sections are optionally followed by an identifier */
if (arg >= 2) {
qfprintf(stdout, "%s %s\n", args[0], HA_ANON_ID(g_key, args[1]));
}
else {
qfprintf(stdout, "%s\n", args[0]);
}
continue;
}
/* non-section keywords start indented */
qfprintf(stdout, "\t");
/* some keywords deserve special treatment */
if (!*args[0]) {
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "anonkey") == 0) {
qfprintf(stdout, "%s [...]\n", args[0]);
}
else if (strcmp(args[0], "maxconn") == 0) {
qfprintf(stdout, "%s %s\n", args[0], args[1]);
}
else if (strcmp(args[0], "stats") == 0 &&
(strcmp(args[1], "timeout") == 0 || strcmp(args[1], "maxconn") == 0)) {
qfprintf(stdout, "%s %s %s\n", args[0], args[1], args[2]);
}
else if (strcmp(args[0], "stats") == 0 && strcmp(args[1], "socket") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
MINOR: config: correct errors about argument number in condition in cfgparse.c Put the right number in condition that takes the wrong number of arguments. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:30:00 -04:00
if (arg > 2) {
MINOR: tools: modify hash_ipanon in order to use it in cli Add a parameter hasport to return a simple hash or ipstring when ipstring has no port. Doesn't hash if scramble is null. Add option PA_O_PORT_RESOLVE to str2sa_range. Add a case UNIX. Those modification permit to use hash_ipanon in cli section in order to dump the same anonymization of address in the configuration file and with CLI. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:25:31 -04:00
qfprintf(stdout, "%s ", hash_ipanon(g_key, args[2], 1));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
MINOR: config: correct errors about argument number in condition in cfgparse.c Put the right number in condition that takes the wrong number of arguments. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:30:00 -04:00
if (arg > 3) {
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
qfprintf(stdout, "[...]\n");
}
else {
qfprintf(stdout, "\n");
}
}
else {
qfprintf(stdout, "\n");
}
}
else if (strcmp(args[0], "timeout") == 0) {
qfprintf(stdout, "%s %s %s\n", args[0], args[1], args[2]);
}
else if (strcmp(args[0], "mode") == 0) {
qfprintf(stdout, "%s %s\n", args[0], args[1]);
}
CLEANUP: assorted typo fixes in the code and comments This is 32nd iteration of typo fixes
2022-10-29 00:34:32 -04:00
/* It concerns user in global section and in userlist */
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
else if (strcmp(args[0], "user") == 0) {
qfprintf(stdout, "%s %s ", args[0], HA_ANON_ID(g_key, args[1]));
if (arg > 2) {
qfprintf(stdout, "[...]\n");
}
else {
qfprintf(stdout, "\n");
}
}
else if (strcmp(args[0], "bind") == 0) {
qfprintf(stdout, "%s ", args[0]);
MINOR: tools: modify hash_ipanon in order to use it in cli Add a parameter hasport to return a simple hash or ipstring when ipstring has no port. Doesn't hash if scramble is null. Add option PA_O_PORT_RESOLVE to str2sa_range. Add a case UNIX. Those modification permit to use hash_ipanon in cli section in order to dump the same anonymization of address in the configuration file and with CLI. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:25:31 -04:00
qfprintf(stdout, "%s ", hash_ipanon(g_key, args[1], 1));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
if (arg > 2) {
qfprintf(stdout, "[...]\n");
}
else {
qfprintf(stdout, "\n");
}
}
else if (strcmp(args[0], "server") == 0) {
MINOR: config: Add other keywords when dump the anonymized configuration file Add keywords recognized during the dump of the configuration file, these keywords are followed by sensitive information. Remove the condition 'localhost' for the second argument of keyword 'server', consider as not essential and can disturb when comparing it in cli section (there is no exception 'localhost'). No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:31:18 -04:00
qfprintf(stdout, "%s %s ", args[0], HA_ANON_ID(g_key, args[1]));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
if (arg > 2) {
MINOR: tools: modify hash_ipanon in order to use it in cli Add a parameter hasport to return a simple hash or ipstring when ipstring has no port. Doesn't hash if scramble is null. Add option PA_O_PORT_RESOLVE to str2sa_range. Add a case UNIX. Those modification permit to use hash_ipanon in cli section in order to dump the same anonymization of address in the configuration file and with CLI. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:25:31 -04:00
qfprintf(stdout, "%s ", hash_ipanon(g_key, args[2], 1));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
}
if (arg > 3) {
qfprintf(stdout, "[...]\n");
}
else {
qfprintf(stdout, "\n");
}
}
else if (strcmp(args[0], "redirect") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
if (strcmp(args[1], "prefix") == 0 || strcmp(args[1], "location") == 0) {
qfprintf(stdout, "%s ", HA_ANON_PATH(g_key, args[2]));
}
else {
qfprintf(stdout, "%s ", args[2]);
}
if (arg > 3) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "acl") == 0) {
qfprintf(stdout, "%s %s %s ", args[0], HA_ANON_ID(g_key, args[1]), args[2]);
if (arg > 3) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "log") == 0) {
qfprintf(stdout, "log ");
if (strcmp(args[1], "global") == 0) {
qfprintf(stdout, "%s ", args[1]);
}
else {
MINOR: tools: modify hash_ipanon in order to use it in cli Add a parameter hasport to return a simple hash or ipstring when ipstring has no port. Doesn't hash if scramble is null. Add option PA_O_PORT_RESOLVE to str2sa_range. Add a case UNIX. Those modification permit to use hash_ipanon in cli section in order to dump the same anonymization of address in the configuration file and with CLI. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:25:31 -04:00
qfprintf(stdout, "%s ", hash_ipanon(g_key, args[1], 1));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
}
if (arg > 2) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "peer") == 0) {
qfprintf(stdout, "%s %s ", args[0], HA_ANON_ID(g_key, args[1]));
MINOR: tools: modify hash_ipanon in order to use it in cli Add a parameter hasport to return a simple hash or ipstring when ipstring has no port. Doesn't hash if scramble is null. Add option PA_O_PORT_RESOLVE to str2sa_range. Add a case UNIX. Those modification permit to use hash_ipanon in cli section in order to dump the same anonymization of address in the configuration file and with CLI. No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:25:31 -04:00
qfprintf(stdout, "%s ", hash_ipanon(g_key, args[2], 1));
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
if (arg > 3) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "use_backend") == 0) {
qfprintf(stdout, "%s %s ", args[0], HA_ANON_ID(g_key, args[1]));
if (arg > 2) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "default_backend") == 0) {
qfprintf(stdout, "%s %s\n", args[0], HA_ANON_ID(g_key, args[1]));
}
MINOR: config: Add other keywords when dump the anonymized configuration file Add keywords recognized during the dump of the configuration file, these keywords are followed by sensitive information. Remove the condition 'localhost' for the second argument of keyword 'server', consider as not essential and can disturb when comparing it in cli section (there is no exception 'localhost'). No backport needed, except if anonymization mechanism is backported.
2022-09-29 04:31:18 -04:00
else if (strcmp(args[0], "source") == 0) {
qfprintf(stdout, "%s %s ", args[0], hash_ipanon(g_key, args[1], 1));
if (arg > 2) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "nameserver") == 0) {
qfprintf(stdout, "%s %s %s ", args[0],
HA_ANON_ID(g_key, args[1]), hash_ipanon(g_key, args[2], 1));
if (arg > 3) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "http-request") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
if (arg > 2)
qfprintf(stdout, "[...]");
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "http-response") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
if (arg > 2)
qfprintf(stdout, "[...]");
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "http-after-response") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
if (arg > 2)
qfprintf(stdout, "[...]");
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "filter") == 0) {
qfprintf(stdout, "%s %s ", args[0], args[1]);
if (arg > 2)
qfprintf(stdout, "[...]");
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "errorfile") == 0) {
qfprintf(stdout, "%s %s %s\n", args[0], args[1], HA_ANON_PATH(g_key, args[2]));
}
else if (strcmp(args[0], "cookie") == 0) {
qfprintf(stdout, "%s %s ", args[0], HA_ANON_ID(g_key, args[1]));
if (arg > 2)
qfprintf(stdout, "%s ", args[2]);
if (arg > 3)
qfprintf(stdout, "[...]");
qfprintf(stdout, "\n");
}
else if (strcmp(args[0], "stats") == 0 && strcmp(args[1], "auth") == 0) {
qfprintf(stdout, "%s %s %s\n", args[0], args[1], HA_ANON_STR(g_key, args[2]));
}
MINOR: config: add command-line -dC to dump the configuration file This commit adds a new command line option -dC to dump the configuration file. An optional key may be appended to -dC in order to produce an anonymized dump using this key. The anonymizing process uses the same algorithm as the CLI so that the same key will produce the same hashes for the same identifiers. This way an admin may share an anonymized extract of a configuration to match against live dumps. Note that key 0 will not anonymize the output. However, in any case, the configuration is dumped after tokenizing, thus comments are lost.
2022-09-14 11:51:55 -04:00
else {
/* display up to 3 words and mask the rest which might be confidential */
for (i = 0; i < MIN(arg, 3); i++) {
qfprintf(stdout, "%s ", args[i]);
}
if (arg > 3) {
qfprintf(stdout, "[...]");
}
qfprintf(stdout, "\n");
}
}
continue;
}
/* end of config dump */
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/* empty line */
BUG/MINOR: cfgparse: parse_cfg: fix null ptr dereference reported by coverity This commit fixes potential null ptr dereferences reported by coverity, see more details about it in the issues #2676 and #2668. 'outline' ptr, which is initialized to NULL explicitly as a temporary buffer to store split keywords may be in theory implicitly dereferenced in some corner cases (which we haven't encountered yet with real world configurations) in 'if (!**args)'. parse_line() code, called before under some conditions assigns: args[arg] = outline + outpos and outpos initial value is 0.
2024-08-09 03:25:37 -04:00
if (!*args || !**args)
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
continue;
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
/* check for config macros */
if (*args[0] == '.') {
if (strcmp(args[0], ".if") == 0) {
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
const char *errptr = NULL;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
char *errmsg = NULL;
int cond;
MINOR: cfgcond: remerge all arguments into a single line Till now we were dealing with single-word expressions but in order to extend the configuration condition language a bit more, we'll need to support slightly more complex expressions involving operators, and we must absolutely support spaces around them to keep them readable. As all arguments are pointers to the same line with spaces replaced by zeroes, we can trivially rebuild the whole line before calling the condition evaluator, and remove the test for extraneous argument. This is what this patch does.
2021-07-16 10:38:58 -04:00
char *w;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
MINOR: cfgcond: remerge all arguments into a single line Till now we were dealing with single-word expressions but in order to extend the configuration condition language a bit more, we'll need to support slightly more complex expressions involving operators, and we must absolutely support spaces around them to keep them readable. As all arguments are pointers to the same line with spaces replaced by zeroes, we can trivially rebuild the whole line before calling the condition evaluator, and remove the test for extraneous argument. This is what this patch does.
2021-07-16 10:38:58 -04:00
/* remerge all words into a single expression */
for (w = *args; (w += strlen(w)) < outline + outlen - 1; *w = ' ')
;
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
nested_cond_lvl++;
if (nested_cond_lvl >= MAXNESTEDCONDS) {
ha_alert("parsing [%s:%d]: too many nested '.if', max is %d.\n", file, linenum, MAXNESTEDCONDS);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
BUG/MINOR: config: fix uninitialized initial state in ".if" block evaluator The condition to skip the block in the ".if" evaluator forgot to check that the level was high enough, resulting in rare cases where a random value matched one of the 5 values that cause the block to be skipped. No backport is needed as it's 2.4-only.
2021-05-06 02:46:11 -04:00
if (nested_cond_lvl > 1 &&
(nested_conds[nested_cond_lvl - 1] == NESTED_COND_IF_DROP ||
nested_conds[nested_cond_lvl - 1] == NESTED_COND_IF_SKIP ||
nested_conds[nested_cond_lvl - 1] == NESTED_COND_ELIF_DROP ||
nested_conds[nested_cond_lvl - 1] == NESTED_COND_ELIF_SKIP ||
nested_conds[nested_cond_lvl - 1] == NESTED_COND_ELSE_DROP)) {
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
nested_conds[nested_cond_lvl] = NESTED_COND_IF_SKIP;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
goto next_line;
}
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
cond = cfg_eval_condition(args + 1, &errmsg, &errptr);
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
if (cond < 0) {
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
size_t newpos = sanitize_for_printing(args[1], errptr - args[1], 76);
ha_alert("parsing [%s:%d]: %s in '.if' at position %d:\n .if %s\n %*s\n",
file, linenum, errmsg,
(int)(errptr-args[1]+1), args[1], (int)(newpos+5), "^");
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
free(errmsg);
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
if (cond)
nested_conds[nested_cond_lvl] = NESTED_COND_IF_TAKE;
else
nested_conds[nested_cond_lvl] = NESTED_COND_IF_DROP;
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
goto next_line;
}
else if (strcmp(args[0], ".elif") == 0) {
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
const char *errptr = NULL;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
char *errmsg = NULL;
int cond;
MINOR: cfgcond: remerge all arguments into a single line Till now we were dealing with single-word expressions but in order to extend the configuration condition language a bit more, we'll need to support slightly more complex expressions involving operators, and we must absolutely support spaces around them to keep them readable. As all arguments are pointers to the same line with spaces replaced by zeroes, we can trivially rebuild the whole line before calling the condition evaluator, and remove the test for extraneous argument. This is what this patch does.
2021-07-16 10:38:58 -04:00
char *w;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
MINOR: cfgcond: remerge all arguments into a single line Till now we were dealing with single-word expressions but in order to extend the configuration condition language a bit more, we'll need to support slightly more complex expressions involving operators, and we must absolutely support spaces around them to keep them readable. As all arguments are pointers to the same line with spaces replaced by zeroes, we can trivially rebuild the whole line before calling the condition evaluator, and remove the test for extraneous argument. This is what this patch does.
2021-07-16 10:38:58 -04:00
/* remerge all words into a single expression */
for (w = *args; (w += strlen(w)) < outline + outlen - 1; *w = ' ')
;
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
if (!nested_cond_lvl) {
ha_alert("parsing [%s:%d]: lone '.elif' with no matching '.if'.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
if (nested_conds[nested_cond_lvl] == NESTED_COND_ELSE_TAKE ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELSE_DROP) {
ha_alert("parsing [%s:%d]: '.elif' after '.else' is not permitted.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
if (nested_conds[nested_cond_lvl] == NESTED_COND_IF_TAKE ||
nested_conds[nested_cond_lvl] == NESTED_COND_IF_SKIP ||
BUG/MINOR: config: add a missing "ELIF_TAKE" test for ".elif" condition evaluator This missing state was causing a second elif condition to be evaluated after a first one succeeded after a .if failed. For example in the test below the else would be executed: .if 0 .elif 1 .elif 0 .else .endif No backport is needed, this is 2.4-only.
2021-05-06 02:48:09 -04:00
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_TAKE ||
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_SKIP) {
nested_conds[nested_cond_lvl] = NESTED_COND_ELIF_SKIP;
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
goto next_line;
}
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
cond = cfg_eval_condition(args + 1, &errmsg, &errptr);
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
if (cond < 0) {
MINOR: config: improve .if condition error reporting Let's return the position of the first unparsable character on error, so that instead of just saying "unparsable conditional expression blah" we can have: [ALERT] 125/150618 (13995) : parsing [test-conds2.cfg:1]: unparsable conditional expression '12/blah' in '.if' at position 1: .if 12/blah ^ This is important because conditions will be made from environment variables or later from more complex expressions where the error will not always be easy to locate.
2021-05-06 09:07:10 -04:00
size_t newpos = sanitize_for_printing(args[1], errptr - args[1], 74);
ha_alert("parsing [%s:%d]: %s in '.elif' at position %d:\n .elif %s\n %*s\n",
file, linenum, errmsg,
(int)(errptr-args[1]+1), args[1], (int)(newpos+7), "^");
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
free(errmsg);
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
MINOR: config: centralize the ".if"/".elif" condition parser and evaluator Instead of duplicating the condition evaluations, let's have a single function cfg_eval_condition() that returns true/false/error. It takes less code and will ease its extension.
2021-05-06 02:19:48 -04:00
if (cond)
nested_conds[nested_cond_lvl] = NESTED_COND_ELIF_TAKE;
else
nested_conds[nested_cond_lvl] = NESTED_COND_ELIF_DROP;
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
goto next_line;
}
else if (strcmp(args[0], ".else") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[1]) {
CLEANUP: assorted typo fixes in the code and comments This is 24th iteration of typo fixes
2021-06-12 06:55:27 -04:00
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'.\n",
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
file, linenum, args[1], args[0]);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
break;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
if (!nested_cond_lvl) {
ha_alert("parsing [%s:%d]: lone '.else' with no matching '.if'.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
if (nested_conds[nested_cond_lvl] == NESTED_COND_ELSE_TAKE ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELSE_DROP) {
ha_alert("parsing [%s:%d]: '.else' after '.else' is not permitted.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
if (nested_conds[nested_cond_lvl] == NESTED_COND_IF_TAKE ||
nested_conds[nested_cond_lvl] == NESTED_COND_IF_SKIP ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_TAKE ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_SKIP) {
nested_conds[nested_cond_lvl] = NESTED_COND_ELSE_DROP;
} else {
/* otherwise we take the "else" */
nested_conds[nested_cond_lvl] = NESTED_COND_ELSE_TAKE;
}
goto next_line;
}
else if (strcmp(args[0], ".endif") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[1]) {
CLEANUP: assorted typo fixes in the code and comments This is 24th iteration of typo fixes
2021-06-12 06:55:27 -04:00
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'.\n",
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
file, linenum, args[1], args[0]);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
break;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
if (!nested_cond_lvl) {
ha_alert("parsing [%s:%d]: lone '.endif' with no matching '.if'.\n", file, linenum);
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
break;
}
nested_cond_lvl--;
goto next_line;
}
}
if (nested_cond_lvl &&
(nested_conds[nested_cond_lvl] == NESTED_COND_IF_DROP ||
nested_conds[nested_cond_lvl] == NESTED_COND_IF_SKIP ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_DROP ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELIF_SKIP ||
nested_conds[nested_cond_lvl] == NESTED_COND_ELSE_DROP)) {
/* The current block is masked out by the conditions */
goto next_line;
}
MINOR: config: add a new message directive: .diag This one works just like .notice/.warning/.alert except that it prints the message at level "DIAG" only when haproxy runs in diagnostic mode (-dD). This can be convenient for example to pass a few hints to help locate certain config parts or to leave messages about certain temporary workarounds. Example: .diag "WTA/2021-05-07: $.LINE: replace 'redirect' with 'return' after final switch to 2.4" http-request redirect location /goaway if ABUSE
2021-05-07 02:59:50 -04:00
/* .warning/.error/.notice/.diag */
BUG/MINOR: config: silence .notice/.warning/.alert in discovery mode When first pre-parsing the config to detect the presence or absence of the master mode, we must not emit messages because they are not supposed to be visible at this point, otherwise they appear twice each. The pre-parsing, also called discovery mode, is only for internal use, thus it should remain silent. This should be backported to 3.1 where this mode was introduced.
2025-04-01 03:06:25 -04:00
if (*args[0] == '.' && !(global.mode & MODE_DISCOVERY)) {
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
if (strcmp(args[0], ".alert") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[2]) {
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'. Use quotes if the message should contain spaces.\n",
file, linenum, args[2], args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto next_line;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
ha_alert("parsing [%s:%d]: '%s'.\n", file, linenum, args[1]);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto err;
}
else if (strcmp(args[0], ".warning") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[2]) {
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'. Use quotes if the message should contain spaces.\n",
file, linenum, args[2], args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto next_line;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
ha_warning("parsing [%s:%d]: '%s'.\n", file, linenum, args[1]);
err_code |= ERR_WARN;
goto next_line;
}
else if (strcmp(args[0], ".notice") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[2]) {
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'. Use quotes if the message should contain spaces.\n",
file, linenum, args[2], args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto next_line;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
ha_notice("parsing [%s:%d]: '%s'.\n", file, linenum, args[1]);
goto next_line;
}
MINOR: config: add a new message directive: .diag This one works just like .notice/.warning/.alert except that it prints the message at level "DIAG" only when haproxy runs in diagnostic mode (-dD). This can be convenient for example to pass a few hints to help locate certain config parts or to leave messages about certain temporary workarounds. Example: .diag "WTA/2021-05-07: $.LINE: replace 'redirect' with 'return' after final switch to 2.4" http-request redirect location /goaway if ABUSE
2021-05-07 02:59:50 -04:00
else if (strcmp(args[0], ".diag") == 0) {
MINOR: cfgparse: Fail when encountering extra arguments in macro This resolves GitHub issue #1124. This change should be backported as a *warning* to 2.4.
2021-05-26 11:45:33 -04:00
if (*args[2]) {
ha_alert("parsing [%s:%d]: Unexpected argument '%s' for '%s'. Use quotes if the message should contain spaces.\n",
file, linenum, args[2], args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto next_line;
}
MINOR: config: add a new message directive: .diag This one works just like .notice/.warning/.alert except that it prints the message at level "DIAG" only when haproxy runs in diagnostic mode (-dD). This can be convenient for example to pass a few hints to help locate certain config parts or to leave messages about certain temporary workarounds. Example: .diag "WTA/2021-05-07: $.LINE: replace 'redirect' with 'return' after final switch to 2.4" http-request redirect location /goaway if ABUSE
2021-05-07 02:59:50 -04:00
ha_diag_warning("parsing [%s:%d]: '%s'.\n", file, linenum, args[1]);
goto next_line;
}
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
else {
ha_alert("parsing [%s:%d]: unknown directive '%s'.\n", file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
fatal++;
break;
}
}
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
/* check for keyword modifiers "no" and "default" */
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(args[0], "no") == 0) {
MEDIUM: log: Use linked lists for loggers This patch settles the 2 loggers limitation. Loggers are now stored in linked lists. Using "global log", the global loggers list content is added at the end of the current proxy list. Each "log" entries are added at the end of the proxy list. "no log" flush a logger list.
2011-10-12 11:50:54 -04:00
char *tmp;
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
kwm = KWM_NO;
MEDIUM: log: Use linked lists for loggers This patch settles the 2 loggers limitation. Loggers are now stored in linked lists. Using "global log", the global loggers list content is added at the end of the current proxy list. Each "log" entries are added at the end of the proxy list. "no log" flush a logger list.
2011-10-12 11:50:54 -04:00
tmp = args[0];
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
for (arg=0; *args[arg+1]; arg++)
args[arg] = args[arg+1]; // shift args after inversion
MEDIUM: log: Use linked lists for loggers This patch settles the 2 loggers limitation. Loggers are now stored in linked lists. Using "global log", the global loggers list content is added at the end of the current proxy list. Each "log" entries are added at the end of the proxy list. "no log" flush a logger list.
2011-10-12 11:50:54 -04:00
*tmp = '\0'; // fix the next arg to \0
args[arg] = tmp;
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(args[0], "default") == 0) {
[MINOR] config: support resetting options do default values A new keyword prefix "default" has been introduced in order to reset some options to their default values. This can be needed for instance when an option is forced disabled or enabled in a defaults section and when later sections want to use automatic settings regardless of what was specified there. Right now it is only supported by options, just like the "no" prefix.
2009-06-14 05:39:52 -04:00
kwm = KWM_DEF;
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
for (arg=0; *args[arg+1]; arg++)
args[arg] = args[arg+1]; // shift args after inversion
}
MINOR: config: allow no set-dumpable config option in global config parsing, we currently expect to have a possible no keyword (KWN_NO), but we never allow it in config parsing. another patch could have been to simply remove the code handling a possible KWN_NO. take this opportunity to update documentation of set-dumpable. Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2019-10-27 15:08:10 -04:00
if (kwm != KWM_STD && strcmp(args[0], "option") != 0 &&
strcmp(args[0], "log") != 0 && strcmp(args[0], "busy-polling") != 0 &&
MEDIUM: init: prevent process and thread creation at runtime Some concerns are regularly raised about the risk to inherit some Lua files which make use of a fork (e.g. via os.execute()) as well as whether or not some of bugs we fix might or not be exploitable to run some code. Given that haproxy is event-driven, any foreground activity completely stops processing and is easy to detect, but background activity is a different story. A Lua script could very well discretely fork a sub-process connecting to a remote location and taking commands, and some injected code could also try to hide its activity by creating a process or a thread without blocking the rest of the processing. While such activities should be extremely limited when run in an empty chroot without any permission, it would be better to get a higher assurance they cannot happen. This patch introduces something very simple: it limits the number of processes and threads to zero in the workers after the last thread was created. By doing so, it effectively instructs the system to fail on any fork() or clone() syscall. Thus any undesired activity has to happen in the foreground and is way easier to detect. This will obviously break external checks (whose concept is already totally insecure), and for this reason a new option "insecure-fork-wanted" was added to disable this protection, and it is suggested in the fork() error report from the checks. It is obviously recommended not to use it and to reconsider the reasons leading to it being enabled in the first place. If for any reason we fail to disable forks, we still start because it could be imaginable that some operating systems refuse to set this limit to zero, but in this case we emit a warning, that may or may not be reported since we're after the fork point. Ideally over the long term it should be conditionned by strict-limits and cause a hard fail.
2019-12-03 01:07:36 -05:00
strcmp(args[0], "set-dumpable") != 0 && strcmp(args[0], "strict-limits") != 0 &&
MINOR: global: add option to disable numa detection Render numa detection optional with a global configuration statement 'no numa-cpu-mapping'. This can be used if the applied affinity of the algorithm is not optimal. Also complete the documentation with this new keyword.
2021-03-26 13:50:33 -04:00
strcmp(args[0], "insecure-fork-wanted") != 0 &&
strcmp(args[0], "numa-cpu-mapping") != 0) {
MINOR: config: allow no set-dumpable config option in global config parsing, we currently expect to have a possible no keyword (KWN_NO), but we never allow it in config parsing. another patch could have been to simply remove the code handling a possible KWN_NO. take this opportunity to update documentation of set-dumpable. Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2019-10-27 15:08:10 -04:00
ha_alert("parsing [%s:%d]: negation/default currently "
MINOR: init: always fail when setrlimit fails this patch introduces a strict-limits parameter which enforces the setrlimit setting instead of a warning. This option can be forcingly disable with the "no" keyword. The general aim of this patch is to avoid bad surprises on a production environment where you change the maxconn for example, a new fd limit is calculated, but cannot be set because of sysfs setting. In that case you might want to have an explicit failure to be aware of it before seeing your traffic going down. During a global rollout it is also useful to explictly fail as most progressive rollout would simply check the general health check of the process. As discussed, plan to use the strict by default mode starting from v2.3. Signed-off-by: William Dauchy <w.dauchy@criteo.com>
2019-10-27 15:08:11 -04:00
"supported only for options, log, busy-polling, "
MINOR: global: add option to disable numa detection Render numa detection optional with a global configuration statement 'no numa-cpu-mapping'. This can be used if the applied affinity of the algorithm is not optimal. Also complete the documentation with this new keyword.
2021-03-26 13:50:33 -04:00
"set-dumpable, strict-limits, insecure-fork-wanted "
"and numa-cpu-mapping.\n", file, linenum);
[MINOR] config: improve error reporting in global section Try not to immediately exit on non-fatal errors while parsing the global section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument. Some other errors such as unresolved server names also don't make the parser exit too early.
2009-07-20 03:30:05 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
}
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
/* detect section start */
list_for_each_entry(ics, &sections, list) {
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
if (strcmp(args[0], ics->section_name) == 0 && ics->section_parser) {
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
cursection = ics->section_name;
BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name When a section's parser is registered, it can also define a post section callback, called at the end of the section parsing. But when 2 sections with the same name followed each other, the transition between them was missed. This induced 2 bugs. First, the call to the post section callback was skipped. Then, the parsing of the second section was mixed with the first one. This patch must be backported in 1.8.
2018-11-30 07:50:47 -05:00
pcs = cs;
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
cs = ics;
MINOR: config: keep up-to-date current file/line/section in the global struct Let's add a few fields to the global struct to store information about the current file being processed, the current line number and the current section. This will be used to retrieve them using special variables.
2021-05-06 04:04:45 -04:00
free(global.cfg_curr_section);
global.cfg_curr_section = strdup(*args[1] ? args[1] : args[0]);
MINOR: cfgparse: Always check the section position In diag mode, the section position is checked and a warning is emitted if a global section is defined after any non-global one. Now, this check is always performed. But the warning is still only emitted in diag mode. In addition, the result of this check is now stored in a global variable, to be used from anywhere. The aim of this patch is to be able to restrict usage of some global directives to the very first global sections. It will be useful to avoid undefined behaviors. Indeed, some config parts may depend on global settings and it is a problem if these settings are changed after.
2022-11-18 09:46:06 -05:00
check_section_position(args[0], file, linenum);
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
break;
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
}
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
if (pcs) {
struct cfg_section *psect;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
int status;
MEDIUM: cfgparse: parse only "global" section in MODE_DISCOVERY This commit is a part of the series to add a support of discovery mode in the configuration parser and in initialization sequence. So, in discovery mode, when we read the configuration the first time, we parse for the moment only the "global" section. Unknown section names will be ignored.
2024-10-01 10:11:01 -04:00
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
/* look for every post_section_parser for the previous section name */
list_for_each_entry(psect, &sections, list) {
if (strcmp(pcs->section_name, psect->section_name) == 0 &&
psect->post_section_parser) {
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
/* don't call post_section_parser in MODE_DISCOVERY */
if (global.mode & MODE_DISCOVERY)
goto section_parser;
status = psect->post_section_parser();
err_code |= status;
if (status & ERR_FATAL)
fatal++;
if (err_code & ERR_ABORT)
goto err;
}
}
BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name When a section's parser is registered, it can also define a post section callback, called at the end of the section parsing. But when 2 sections with the same name followed each other, the transition between them was missed. This induced 2 bugs. First, the call to the post section callback was skipped. Then, the parsing of the second section was mixed with the first one. This patch must be backported in 1.8.
2018-11-30 07:50:47 -05:00
}
BUG/MINOR: cfgparse: Fix the call to post parser of the last sections parsed Wrong variable was used to know if we need to call the callback post_section_parser() or not. We must use 'cs' and not 'pcs'. This patch must be backported in 1.8 with the commit 7805e2b ("BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name").
2018-12-02 03:37:38 -05:00
pcs = NULL;
BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name When a section's parser is registered, it can also define a post section callback, called at the end of the section parsing. But when 2 sections with the same name followed each other, the transition between them was missed. This induced 2 bugs. First, the call to the post section callback was skipped. Then, the parsing of the second section was mixed with the first one. This patch must be backported in 1.8.
2018-11-30 07:50:47 -05:00
BUG/MINOR: mworker: section ignored in discovery after a post_section_parser When a new section is discovered, the post_section_parser of the previous section is called. However in the new master-worker mode the discovery mode will skip the post_section_parser. But instead of trying to parse the current section keyword after that, it would skip completely the current line. This is a minor bug since there isn't a lot of section with post_section_parser, and not a lot of section to parse in discovery mode. But this could be reproduced like this: global expose-deprecated-directives resolvers res parse-resolv-conf program foo command sleep 10 program bar command sleep 10 Ths 'resolvers' section has a post_section_parser which will be ignored in discovery mode with the consequence of ignoring the first program section. This must be backported in 3.1.
2025-02-12 06:09:05 -05:00
section_parser:
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
if (!cs) {
MEDIUM: cfgparse: parse only "global" section in MODE_DISCOVERY This commit is a part of the series to add a support of discovery mode in the configuration parser and in initialization sequence. So, in discovery mode, when we read the configuration the first time, we parse for the moment only the "global" section. Unknown section names will be ignored.
2024-10-01 10:11:01 -04:00
/* ignore unknown section names during the first read in MODE_DISCOVERY */
if (global.mode & MODE_DISCOVERY)
continue;
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("parsing [%s:%d]: unknown keyword '%s' out of section.\n", file, linenum, args[0]);
[MINOR] config: improve error reporting in global section Try not to immediately exit on non-fatal errors while parsing the global section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument. Some other errors such as unresolved server names also don't make the parser exit too early.
2009-07-20 03:30:05 -04:00
err_code |= ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
fatal++;
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
} else {
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
int status;
MINOR: cfgparse: add support for program section This patch is a part of series to reintroduce the program support in the new master-worker architecture. Programs are launched by master, thus only the master process needs its configuration. Therefore, program section parser should be called only in discovery mode, when master parses its configuration. Program section has a post section parser. It should be called only in discovery mode as well.
2024-10-09 17:11:07 -04:00
/* read only the "global" and "program" sections in MODE_DISCOVERY */
if (((global.mode & MODE_DISCOVERY) && (strcmp(cs->section_name, "global") != 0)
&& (strcmp(cs->section_name, "program") != 0)))
MEDIUM: cfgparse: parse only "global" section in MODE_DISCOVERY This commit is a part of the series to add a support of discovery mode in the configuration parser and in initialization sequence. So, in discovery mode, when we read the configuration the first time, we parse for the moment only the "global" section. Unknown section names will be ignored.
2024-10-01 10:11:01 -04:00
continue;
BUG/MEDIUM: cfgparse: stop after a reasonable amount of fatal error One issue with the config parser is that while it tries to report as many errors as possible at once, it's actually unbounded. Thus, when calling haproxy on a wrong file, it can take ages to process, such as here on half a gigabyte of map file instead of config file: $ time ./haproxy -c -f large.map 2>&1 |wc -l 16777220 real 0m31.324s user 0m22.595s sys 0m28.909s This patch modifies readcfgfile() to stop reading the config file after a reasonable amount of fatal errors. This threshold is set to 50, which seems more than enough to spot a recurrent issue with a bit of context in a terminal to address several issues at once, without filling logs nor taking time to parse the file. The difference is clear now: $ time ./haproxy -c -f large.map 2>&1 |wc -l 55 real 0m0.005s user 0m0.004s sys 0m0.003s This may be backported to older versions without causing too many difficulties. However the patch will not apply as-is, it will require to increment the "fatal" count for each place where ERR_FATAL is set in the parsing loop.
2020-06-16 11:14:33 -04:00
status = cs->section_parser(file, linenum, args, kwm);
err_code |= status;
if (status & ERR_FATAL)
fatal++;
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
if (err_code & ERR_ABORT)
goto err;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
if (missing_lf != -1) {
MEDIUM: cfgparse: Emit hard error on truncated lines As announced within the emitted log message this is going to become a hard error in 2.3. It's 2.3 time now, let's do this. see 2fd5bdb439da29f15381aeb57c51327ba57674fc
2020-08-18 16:00:04 -04:00
ha_alert("parsing [%s:%d]: Missing LF on last line, file might have been truncated at position %d.\n",
file, linenum, (missing_lf + 1));
err_code |= ERR_ALERT | ERR_FATAL;
MINOR: cfgparse: Warn on truncated lines / files As discussed on the list: https://www.mail-archive.com/haproxy@formilux.org/msg37698.html This patch adds warnings to the configuration parser that detect the following situations: - A line being truncated by a null byte in the middle. - A file not ending in a new line (and possibly being truncated).
2020-06-22 16:57:45 -04:00
}
MINOR: config: keep up-to-date current file/line/section in the global struct Let's add a few fields to the global struct to store information about the current file being processed, the current line number and the current section. This will be used to retrieve them using special variables.
2021-05-06 04:04:45 -04:00
ha_free(&global.cfg_curr_section);
BUG/MINOR: mworker: post_section_parser for the last section in discovery Previous patch 2c270a05f ("BUG/MINOR: mworker: section ignored in discovery after a post_section_parser") needs an adjustment for the last section of the file. Indeed the post_section_parser of the last section must not be called in discovery mode. Must be backported in 3.1.
2025-02-12 06:31:11 -05:00
/* call post_section_parser of the last section when there is no more lines */
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
if (cs) {
struct cfg_section *psect;
BUG/MINOR: startup: leave at first post_section_parser which fails Since we are now iterating on post_section_parser() for a same keyword, we need to exit at the first ERR_ABORT. The post_section_parser() is called when parsing a new section, but also at the end of the file to be called for the last section. The changes in 4de86bb ("MEDIUM: initcall: allow to register mutiple post_section_parser per section") should have added tests on the ERR_ABORT value. Also pcs->post_section_parser() must be called instead of cs->post_section_parser() because we could have a NULL ptr. This bug does not affect anything since we don't use REGISTER_CONFIG_POST_SECTION() yet.
2025-02-17 04:59:46 -05:00
int status;
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
BUG/MINOR: mworker: post_section_parser for the last section in discovery Previous patch 2c270a05f ("BUG/MINOR: mworker: section ignored in discovery after a post_section_parser") needs an adjustment for the last section of the file. Indeed the post_section_parser of the last section must not be called in discovery mode. Must be backported in 3.1.
2025-02-12 06:31:11 -05:00
/* don't call post_section_parser in MODE_DISCOVERY */
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
if (!(global.mode & MODE_DISCOVERY)) {
list_for_each_entry(psect, &sections, list) {
if (strcmp(cs->section_name, psect->section_name) == 0 &&
psect->post_section_parser) {
BUG/MINOR: startup: leave at first post_section_parser which fails Since we are now iterating on post_section_parser() for a same keyword, we need to exit at the first ERR_ABORT. The post_section_parser() is called when parsing a new section, but also at the end of the file to be called for the last section. The changes in 4de86bb ("MEDIUM: initcall: allow to register mutiple post_section_parser per section") should have added tests on the ERR_ABORT value. Also pcs->post_section_parser() must be called instead of cs->post_section_parser() because we could have a NULL ptr. This bug does not affect anything since we don't use REGISTER_CONFIG_POST_SECTION() yet.
2025-02-17 04:59:46 -05:00
status = psect->post_section_parser();
if (status & ERR_FATAL)
fatal++;
err_code |= status;
if (err_code & ERR_ABORT)
goto err;
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
}
}
}
BUG/MINOR: mworker: post_section_parser for the last section in discovery Previous patch 2c270a05f ("BUG/MINOR: mworker: section ignored in discovery after a post_section_parser") needs an adjustment for the last section of the file. Indeed the post_section_parser of the last section must not be called in discovery mode. Must be backported in 3.1.
2025-02-12 06:31:11 -05:00
}
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
MINOR: cfgparse: implement a simple if/elif/else/endif macro block handler Very often, especially since reg-tests, it would be desirable to be able to conditionally comment out a config block, such as removing an SSL binding when SSL is disabled, or enabling HTX only for certain versions, etc. This patch introduces a very simple nested block management which takes ".if", ".elif", ".else" and ".endif" directives to take or ignore a block. For now the conditions are limited to empty string or "0" for false versus a non-nul integer for true, which already suffices to test environment variables. Still, it needs to be a bit more advanced with defines, versions etc. A set of ".notice", ".warning" and ".alert" statements are provided to emit messages, often in order to provide advice about how to fix certain conditions.
2021-02-12 11:59:10 -05:00
if (nested_cond_lvl) {
ha_alert("parsing [%s:%d]: non-terminated '.if' block.\n", file, linenum);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
}
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
err:
CLEANUP: tree-wide: replace free(x);x=NULL with ha_free(&x) This makes the code more readable and less prone to copy-paste errors. In addition, it allows to place some __builtin_constant_p() predicates to trigger a link-time error in case the compiler knows that the freed area is constant. It will also produce compile-time error if trying to free something that is not a regular pointer (e.g. a function). The DEBUG_MEM_STATS macro now also defines an instance for ha_free() so that all these calls can be checked. 178 occurrences were converted. The vast majority of them were handled by the following Coccinelle script, some slightly refined to better deal with "&*x" or with long lines: @ rule @ expression E; @@ - free(E); - E = NULL; + ha_free(&E); It was verified that the resulting code is the same, more or less a handful of cases where the compiler optimized slightly differently the temporary variable that holds the copy of the pointer. A non-negligible amount of {free(str);str=NULL;str_len=0;} are still present in the config part (mostly header names in proxies). These ones should also be cleaned for the same reasons, and probably be turned into ist strings.
2021-02-20 04:46:51 -05:00
ha_free(&cfg_scope);
[MINOR] report correct section type for unknown keywords. An unknown keyword was always reported in section "listen" for any section type (defaults, listen, frontend, backend, ...).
2008-01-22 10:44:08 -05:00
cursection = NULL;
MINOR: cfgparse: remove line size limitation Remove the line size limitation of the configuration parser. The buffer is now allocated dynamically and grows when the line is too long.
2015-05-12 08:25:37 -04:00
free(thisline);
BUG/MEDIUM: cfgparse: use parse_line() to expand/unquote/unescape config lines Issue 22689 in oss-fuzz shows that specially crafted config files can take a long time to process. This happens when variable expansion, backslash escaping or unquoting causes calls to memmove() and possibly to realloc() resulting in O(N^2) complexity with N following the line size. By using parse_line() we now have a safe parser that remains in O(N) regardless of the type of operation. Error reporting changed a little bit since the errors are not reported anymore from the deepest parsing level. As such we now report the beginning of the error. One benefit is that for many invalid character sequences, the original line is shown and the first bad char or sequence is designated with a caret ('^'), which tends to be visually easier to spot, for example: [ALERT] 167/170507 (14633) : parsing [mini5.cfg:19]: unmatched brace in environment variable name below: "${VAR"} ^ or: [ALERT] 167/170645 (14640) : parsing [mini5.cfg:18]: unmatched quote below: timeout client 10s' ^ In case the target buffer is too short for the new line, the output buffer is grown in 1kB chunks and kept till the end, so that it should not happen too often. Before this patch a test like below involving a 4 MB long line would take 138s to process, 98% of which were spent in __memmove_avx_unaligned_erms(), and now it takes only 65 milliseconds: $ perl -e 'print "\"\$A\""x1000000,"\n"' | ./haproxy -c -f /dev/stdin 2>/dev/null This may be backported to stable versions after a long period of observation to be sure nothing broke. It relies on patch "MINOR: tools: add a new configurable line parse, parse_line()".
2020-06-16 10:32:59 -04:00
free(outline);
MINOR: config: keep up-to-date current file/line/section in the global struct Let's add a few fields to the global struct to store information about the current file being processed, the current line number and the current section. This will be used to retrieve them using special variables.
2021-05-06 04:04:45 -04:00
global.cfg_curr_line = 0;
global.cfg_curr_file = NULL;
[MINOR] config: improve error reporting in global section Try not to immediately exit on non-fatal errors while parsing the global section, so that the user has a chance to get most of the errors at once, which is quite convenient especially during config checks with the -c argument. Some other errors such as unresolved server names also don't make the parser exit too early.
2009-07-20 03:30:05 -04:00
return err_code;
[MEDIUM] config: split parser and checker in two functions This is a first step towards support of multiple configuration files. Now readcfgfile() only reads a file in memory and performs very minimal parsing. The checks are performed afterwards.
2009-06-22 09:48:36 -04:00
}
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
/*
* Returns the error code, 0 if OK, or any combination of :
* - ERR_ABORT: must abort ASAP
* - ERR_FATAL: we can continue parsing but not start the service
* - ERR_WARN: a warning has been emitted
* - ERR_ALERT: an alert has been emitted
* Only the two first ones can stop processing, the two others are just
* indicators.
*/
[MEDIUM] config: split parser and checker in two functions This is a first step towards support of multiple configuration files. Now readcfgfile() only reads a file in memory and performs very minimal parsing. The checks are performed afterwards.
2009-06-22 09:48:36 -04:00
int check_config_validity()
{
int cfgerr = 0;
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
struct proxy *init_proxies_list = NULL;
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
struct stktable *t;
[MEDIUM] config: split parser and checker in two functions This is a first step towards support of multiple configuration files. Now readcfgfile() only reads a file in memory and performs very minimal parsing. The checks are performed afterwards.
2009-06-22 09:48:36 -04:00
struct server *newsrv = NULL;
BUG/MEDIUM: server: fix race on servers_list during server deletion Each server is inserted in a global list named servers_list on new_server(). This list is then only used to finalize servers initialization after parsing. On dynamic server creation, there is no issue as new_server() is under thread isolation. However, when a server is deleted after its refcount reached zero, srv_drop() removes it from servers_list without lock protection. In the longterm, this can cause list corruption and crashes, especially if multiple adjacent servers are removed in parallel. To fix this, convert servers_list to a mt_list. This should not impact performance as servers_list is not used during runtime outside of server creation/deletion. This should fix github issue #2733. Thanks to Chris Staite who first found the issue here. This must be backported up to 2.6.
2024-10-23 12:18:48 -04:00
struct mt_list back;
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
int err_code = 0;
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
unsigned int next_pxid = 1;
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
struct bind_conf *bind_conf;
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
char *err;
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
struct cfg_postparser *postparser;
MINOR: resolvers: renames type dns_resolvers to resolvers. It also renames 'dns_resolvers' head list to sec_resolvers to avoid conflicts with local variables 'resolvers'.
2020-12-23 10:51:12 -05:00
struct resolvers *curr_resolvers = NULL;
MINOR: cfgparse: always alloc idle conns task The idle conn task is is a global task used to cleanup backend connections marked for deletion. Previously, it was only only allocated if at least one server in the configuration has idle connections. This assumption won't be valid anymore when new servers can be created at runtime with idle connections. Always allocate the global idle conn task.
2021-03-08 11:31:39 -05:00
int i;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
bind_conf = NULL;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
* Now, check for the integrity of all that we have collected.
*/
MINOR: http: allow the cookie capture size to be changed Some users need more than 64 characters to log large cookies. The limit was set to 63 characters (and not 64 as previously documented). Now it is possible to change this using the global "tune.http.cookielen" setting if required.
2012-11-21 18:17:38 -05:00
if (!global.tune.max_http_hdr)
global.tune.max_http_hdr = MAX_HTTP_HDR;
if (!global.tune.cookie_len)
global.tune.cookie_len = CAPTURE_LEN;
MINOR: log: Add logurilen tunable. The default len of request uri in log messages is 1024. In some use cases, you need to keep the long trail of GET parameters. The only way to increase this len is to recompile with DEFINE=-DREQURI_LEN=2048. This commit introduces a tune.http.logurilen configuration directive, allowing to tune this at runtime.
2017-05-18 02:58:41 -04:00
if (!global.tune.requri_len)
global.tune.requri_len = REQURI_LEN;
MINOR: config: add thread-hard-limit to set an upper bound to nbthread On todays large systems, it's not always desired to run on all threads for light loads, and usually users enforce nbthread to a lower value (e.g. 8). The problem is that this is a fixed value, and moving such configs to smaller machines continues to enforce the value and this becomes extremely unproductive due to having more threads than CPUs. This also happens quite a bit in VMs, containers, or cloud instances of various sizes. This commit introduces the thread-hard-limit setting that allows to only set an upper bound to the number of threads without raising a lower value. This means that using "thread-hard-limit 8" will make sure that no more than 8 threads will be used when available, but it will remain two when run on a dual-core machine.
2024-05-24 03:46:49 -04:00
if (!global.thread_limit)
global.thread_limit = MAX_THREADS;
#if defined(USE_THREAD)
if (thread_cpus_enabled_at_boot > global.thread_limit)
thread_cpus_enabled_at_boot = global.thread_limit;
#endif
MEDIUM: cfgparse: remove now unused numa & thread-count detection Ths is not needed anymore since already done before landing here via thread_detect_count().
2023-07-20 11:22:35 -04:00
if (global.nbthread > global.thread_limit) {
MINOR: config: add thread-hard-limit to set an upper bound to nbthread On todays large systems, it's not always desired to run on all threads for light loads, and usually users enforce nbthread to a lower value (e.g. 8). The problem is that this is a fixed value, and moving such configs to smaller machines continues to enforce the value and this becomes extremely unproductive due to having more threads than CPUs. This also happens quite a bit in VMs, containers, or cloud instances of various sizes. This commit introduces the thread-hard-limit setting that allows to only set an upper bound to the number of threads without raising a lower value. This means that using "thread-hard-limit 8" will make sure that no more than 8 threads will be used when available, but it will remain two when run on a dual-core machine.
2024-05-24 03:46:49 -04:00
ha_warning("nbthread forced to a higher value (%d) than the configured thread-hard-limit (%d), enforcing the limit. "
"Please fix either value to remove this warning.\n",
global.nbthread, global.thread_limit);
global.nbthread = global.thread_limit;
}
MAJOR: threads: enable one thread per CPU by default Threads have long matured by now, still for most users their usage is not trivial. It's about time to enable them by default on platforms where we know the number of CPUs bound. This patch does this, it counts the number of CPUs the process is bound to upon startup, and enables as many threads by default. Of course, "nbthread" still overrides this, but if it's not set the default behaviour is to start one thread per CPU. The default number of threads is reported in "haproxy -vv". Simply using "taskset -c" is now enough to adjust this number of threads so that there is no more need for playing with cpu-map. And thanks to the previous patches on the listener, the vast majority of configurations will not need to duplicate "bind" lines with the "process x/y" statement anymore either, so a simple config will automatically adapt to the number of processors available.
2019-01-26 08:27:06 -05:00
MEDIUM: cfgparse: remove now unused numa & thread-count detection Ths is not needed anymore since already done before landing here via thread_detect_count().
2023-07-20 11:22:35 -04:00
/* in the worst case these were supposed to be set in thread_detect_count() */
BUG_ON(!global.nbthread);
BUG_ON(!global.nbtgroups);
MINOR: global: add a new "thread-groups" directive This is used to configure the number of thread groups. For now it can only be 1.
2021-09-22 06:07:23 -04:00
MEDIUM: threads: automatically assign threads to groups This takes care of unassigned threads groups and places unassigned threads there, in a more or less balanced way. Too sparse allocations may still fail though. For now with a maximum group number fixed to 1 nothing can really fail.
2021-09-27 04:10:26 -04:00
if (thread_map_to_groups() < 0) {
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_head_requri = create_pool("requri", global.tune.requri_len , MEM_F_SHARED);
BUG/MAJOR: http: fix buffer overflow on loguri buffer. The pool used to log the uri was created with a size of 0 because the configuration and 'tune.http.logurilen' were parsed too earlier. The fix consist to postpone the pool_create as it is done for cookie captures. Regression introduced with 'MINOR: log: Add logurilen tunable'
2017-07-05 07:33:16 -04:00
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_head_capture = create_pool("capture", global.tune.cookie_len, MEM_F_SHARED);
MINOR: http: allow the cookie capture size to be changed Some users need more than 64 characters to log large cookies. The limit was set to 63 characters (and not 64 as previously documented). Now it is possible to change this using the global "tune.http.cookielen" setting if required.
2012-11-21 18:17:38 -05:00
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
/* Post initialisation of the users and groups lists. */
err_code = userlist_postinit();
if (err_code != ERR_NONE)
goto out;
[MEDIUM] reverse internal proxy declaration order to match configuration People are regularly complaining that proxies are linked in reverse order when reading the stats. This is now definitely fixed because the proxy order is now fixed to match configuration order.
2009-03-15 09:51:53 -04:00
/* first, we will invert the proxy list order */
curproxy = NULL;
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
while (proxies_list) {
[MEDIUM] reverse internal proxy declaration order to match configuration People are regularly complaining that proxies are linked in reverse order when reading the stats. This is now definitely fixed because the proxy order is now fixed to match configuration order.
2009-03-15 09:51:53 -04:00
struct proxy *next;
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
next = proxies_list->next;
proxies_list->next = curproxy;
curproxy = proxies_list;
[MEDIUM] reverse internal proxy declaration order to match configuration People are regularly complaining that proxies are linked in reverse order when reading the stats. This is now definitely fixed because the proxy order is now fixed to match configuration order.
2009-03-15 09:51:53 -04:00
if (!next)
break;
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
proxies_list = next;
[MEDIUM] reverse internal proxy declaration order to match configuration People are regularly complaining that proxies are linked in reverse order when reading the stats. This is now definitely fixed because the proxy order is now fixed to match configuration order.
2009-03-15 09:51:53 -04:00
}
MINOR: servers: Move the per-thread server initialization earlier Move the code responsible for calling per-thread server initialization earlier than it was done, so that per-thread structures are available a bit later, when we initialize load-balancing.
2025-04-17 04:42:25 -04:00
/*
* we must finish to initialize certain things on the servers,
MEDIUM: server: add and use srv_init() function rename _srv_postparse() internal function to srv_init() function and group srv_init_per_thr() plus idle conns list init inside it. This way we can perform some simplifications as srv_init() performs multiple server init steps after parsing. SRV_F_CHECKED flag was added, it is automatically set when srv_init() runs successfully. If the flag is already set and srv_init() is called again, nothing is done. This permis to manually call srv_init() earlier than the default POST_CHECK hook when needed without risking to do things twice.
2025-05-09 14:27:29 -04:00
* as some of the fields may be accessed soon
MINOR: servers: Move the per-thread server initialization earlier Move the code responsible for calling per-thread server initialization earlier than it was done, so that per-thread structures are available a bit later, when we initialize load-balancing.
2025-04-17 04:42:25 -04:00
*/
MT_LIST_FOR_EACH_ENTRY_LOCKED(newsrv, &servers_list, global_list, back) {
MEDIUM: server: add and use srv_init() function rename _srv_postparse() internal function to srv_init() function and group srv_init_per_thr() plus idle conns list init inside it. This way we can perform some simplifications as srv_init() performs multiple server init steps after parsing. SRV_F_CHECKED flag was added, it is automatically set when srv_init() runs successfully. If the flag is already set and srv_init() is called again, nothing is done. This permis to manually call srv_init() earlier than the default POST_CHECK hook when needed without risking to do things twice.
2025-05-09 14:27:29 -04:00
if (srv_init(newsrv) & ERR_CODE) {
MINOR: servers: Move the per-thread server initialization earlier Move the code responsible for calling per-thread server initialization earlier than it was done, so that per-thread structures are available a bit later, when we initialize load-balancing.
2025-04-17 04:42:25 -04:00
cfgerr++;
continue;
}
}
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
/* starting to initialize the main proxies list */
init_proxies_list = proxies_list;
init_proxies_list_stage1:
for (curproxy = init_proxies_list; curproxy; curproxy = curproxy->next) {
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
struct switching_rule *rule;
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
struct server_rule *srule;
[MEDIUM] Add stick table configuration and init.
2010-01-04 09:45:53 -05:00
struct sticking_rule *mrule;
MEDIUM: tree-wide: logsrv struct becomes logger When 'log' directive was implemented, the internal representation was named 'struct logsrv', because the 'log' directive would directly point to the log target, which used to be a (UDP) log server exclusively at that time, hence the name. But things have become more complex, since today 'log' directive can point to ring targets (implicit, or named) for example. Indeed, a 'log' directive does no longer reference the "final" server to which the log will be sent, but instead it describes which log API and parameters to use for transporting the log messages to the proper log destination. So now the term 'logsrv' is rather confusing and prevents us from introducing a new level of abstraction because they would be mixed with logsrv. So in order to better designate this 'log' directive, and make it more generic, we chose the word 'logger' which now replaces logsrv everywhere it was used in the code (including related comments). This is internal rewording, so no functional change should be expected on user-side.
2023-09-11 09:06:53 -04:00
struct logger *tmplogger;
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
unsigned int next_id;
MINOR: proxies: Initialize the per-thread structure earlier. Move the call to initialize the proxy's per-thread structure earlier than currently done, so that they are usable when we're initializing the load balancers.
2025-04-17 11:05:07 -04:00
proxy_init_per_thr(curproxy);
BUG/MEDIUM: cfgparse: do not allocate IDs to automatic internal proxies Recent commit 83614a9fb ("MINOR: httpclient: initialize the proxy") broke reg tests that match the output of "show stats" or "show servers state" because it changed the proxies' numeric ID. In fact it did nothing wrong, it just registers a proxy and adds it at the head of the list. But the automatic numbering scheme, which was made to make sure that temporarily disabled proxies in the config keep their ID instead of shifting all others, sees one more proxy and increments next_pxid for all subsequent proxies. This patch avoids this by not assigning automatic IDs to such internal proxies, leaving them with their ID of -1, and by not shifting next_pxid for them. This is important because the user might experience them appearing or disappearing depending on apparently unrelated config options or build options, and this must not cause visible proxy IDs to change (e.g. stats or minitoring may break). Though the issue has always been there, it only became a problem with the recent proxy additions so there is no need to backport this.
2021-08-20 04:15:40 -04:00
if (!(curproxy->cap & PR_CAP_INT) && curproxy->uuid < 0) {
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
/* proxy ID not set, use automatic numbering with first
BUG/MEDIUM: cfgparse: do not allocate IDs to automatic internal proxies Recent commit 83614a9fb ("MINOR: httpclient: initialize the proxy") broke reg tests that match the output of "show stats" or "show servers state" because it changed the proxies' numeric ID. In fact it did nothing wrong, it just registers a proxy and adds it at the head of the list. But the automatic numbering scheme, which was made to make sure that temporarily disabled proxies in the config keep their ID instead of shifting all others, sees one more proxy and increments next_pxid for all subsequent proxies. This patch avoids this by not assigning automatic IDs to such internal proxies, leaving them with their ID of -1, and by not shifting next_pxid for them. This is important because the user might experience them appearing or disappearing depending on apparently unrelated config options or build options, and this must not cause visible proxy IDs to change (e.g. stats or minitoring may break). Though the issue has always been there, it only became a problem with the recent proxy additions so there is no need to backport this.
2021-08-20 04:15:40 -04:00
* spare entry starting with next_pxid. We don't assign
* numbers for internal proxies as they may depend on
* build or config options and we don't want them to
* possibly reuse existing IDs.
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
*/
next_pxid = get_next_id(&used_proxy_id, next_pxid);
curproxy->conf.id.key = curproxy->uuid = next_pxid;
eb32_insert(&used_proxy_id, &curproxy->conf.id);
}
[BUG] pxid/puid/luid: don't shift IDs when some of them are forced [WT: it was not a bug, I did it on purpose to leave no hole between IDs, though it's not very practical when admins want to force some entries after they have been used, because they'd rather leave a hole than renumber everything ] Forcing some of IDs should not shift others. Regression introduced in 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5 ---cut here--- global stats socket /home/ole/haproxy.stat user ole group ole mode 660 frontend F1 bind 127.0.0.1:9999 mode http backend B1 mode http backend B2 mode http id 9999 backend B3 mode http backend B4 mode http ---cut here--- Before 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 4 5 After 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 3 4 With this patch: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 4 5
2010-02-05 14:58:27 -05:00
BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB As seen in commit 5ef965606 ("BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords"), configs with large values of tune.bufsize were not practically usable since Lua was introduced, regardless of the machine's available memory. In addition, HTX encoding already limits block sizes to 256 MB, thus it is not technically possible to use that large a buffer size when HTTP is in use. This is absurdly high anyway, and for example Lua initialization would take around one minute on a 4 GHz CPU. Better prevent such a config from starting than having to deal with bug reports that make no sense. The check is only enforced if at least one HTX proxy was found, as there is no techincal reason to block it for configs that are solely based on raw TCP, and it could still be imagined that some such might exist with single connections (e.g. a log forwarder that buffers to cover for the storage I/O latencies). This should be backported to all HTX-enabled versions (2.0 and above).
2021-08-26 09:59:44 -04:00
if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize >= (256 << 20) && ONLY_ONCE()) {
ha_alert("global.tune.bufsize must be below 256 MB when HTTP is in use (current value = %d).\n",
global.tune.bufsize);
cfgerr++;
}
BUG/MEDIUM: cfgparse: do not allocate IDs to automatic internal proxies Recent commit 83614a9fb ("MINOR: httpclient: initialize the proxy") broke reg tests that match the output of "show stats" or "show servers state" because it changed the proxies' numeric ID. In fact it did nothing wrong, it just registers a proxy and adds it at the head of the list. But the automatic numbering scheme, which was made to make sure that temporarily disabled proxies in the config keep their ID instead of shifting all others, sees one more proxy and increments next_pxid for all subsequent proxies. This patch avoids this by not assigning automatic IDs to such internal proxies, leaving them with their ID of -1, and by not shifting next_pxid for them. This is important because the user might experience them appearing or disappearing depending on apparently unrelated config options or build options, and this must not cause visible proxy IDs to change (e.g. stats or minitoring may break). Though the issue has always been there, it only became a problem with the recent proxy additions so there is no need to backport this.
2021-08-20 04:15:40 -04:00
/* next IDs are shifted even if the proxy is disabled, this
* guarantees that a proxy that is temporarily disabled in the
* configuration doesn't cause a renumbering. Internal proxies
* that are not assigned a static ID must never shift the IDs
* either since they may appear in any order (Lua, logs, etc).
* The GLOBAL proxy that carries the stats socket has its ID
* forced to zero.
*/
if (curproxy->uuid >= 0)
next_pxid++;
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
MINOR: proxy: Introduce proxy flags to replace disabled bitfield This change is required to support TCP/HTTP rules in defaults sections. The 'disabled' bitfield in the proxy structure, used to know if a proxy is disabled or stopped, is replaced a generic bitfield named 'flags'. PR_DISABLED and PR_STOPPED flags are renamed to PR_FL_DISABLED and PR_FL_STOPPED respectively. In addition, everywhere there is a test to know if a proxy is disabled or stopped, there is now a bitwise AND operation on PR_FL_DISABLED and/or PR_FL_STOPPED flags.
2021-10-06 08:24:19 -04:00
if (curproxy->flags & PR_FL_DISABLED) {
MEDIUM: init: stop disabled proxies after initializing fdtab During the startup process we don't have any fdtab nor fd_updt for quite a long time, and as such some operations on the listeners are not permitted, such as fd_want_*/fd_stop_* or fd_delete(). The latter is of particular concern because it's used when stopping a disabled frontend, and it's performed very early during check_config_validity() while there is no fdtab yet. The trick till now relies on the listener's state which is a bit brittle. There is absolutely no valid reason for stopping a proxy's listeners this early, we can postpone it after init_pollers() which will at least have allocated fdtab.
2020-10-07 12:36:54 -04:00
/* ensure we don't keep listeners uselessly bound. We
* can't disable their listeners yet (fdtab not
* allocated yet) but let's skip them.
*/
BUG/MEDIUM: stick-table: fix regression caused by a change in proxy struct In commit 1b8e68e ("MEDIUM: stick-table: Stop handling stick-tables as proxies."), the ->table member of proxy struct was replaced by a pointer that is not always checked and in some situations can cause a segfault, eg. during reload or while using "show table" on CLI socket. No backport is needed.
2019-05-07 08:16:18 -04:00
if (curproxy->table) {
CLEANUP: tree-wide: replace free(x);x=NULL with ha_free(&x) This makes the code more readable and less prone to copy-paste errors. In addition, it allows to place some __builtin_constant_p() predicates to trigger a link-time error in case the compiler knows that the freed area is constant. It will also produce compile-time error if trying to free something that is not a regular pointer (e.g. a function). The DEBUG_MEM_STATS macro now also defines an instance for ha_free() so that all these calls can be checked. 178 occurrences were converted. The vast majority of them were handled by the following Coccinelle script, some slightly refined to better deal with "&*x" or with long lines: @ rule @ expression E; @@ - free(E); - E = NULL; + ha_free(&E); It was verified that the resulting code is the same, more or less a handful of cases where the compiler optimized slightly differently the temporary variable that holds the copy of the pointer. A non-negligible amount of {free(str);str=NULL;str_len=0;} are still present in the config part (mostly header names in proxies). These ones should also be cleaned for the same reasons, and probably be turned into ist strings.
2021-02-20 04:46:51 -05:00
ha_free(&curproxy->table->peers.name);
BUG/MEDIUM: stick-table: fix regression caused by a change in proxy struct In commit 1b8e68e ("MEDIUM: stick-table: Stop handling stick-tables as proxies."), the ->table member of proxy struct was replaced by a pointer that is not always checked and in some situations can cause a segfault, eg. during reload or while using "show table" on CLI socket. No backport is needed.
2019-05-07 08:16:18 -04:00
curproxy->table->peers.p = NULL;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
continue;
}
MINOR: config: Finish configuration for referenced default proxies If a not-ready default proxy is referenced by a proxy during the configuration validity check, its configuration is also finished and PR_FL_READY flag is set on it. For now, the arguments resolution is the only step performed. This patch is mandatory to support TCP/HTTP rules in defaults sections.
2021-10-13 05:04:10 -04:00
/* The current proxy is referencing a default proxy. We must
* finalize its config, but only once. If the default proxy is
* ready (PR_FL_READY) it means it was already fully configured.
*/
if (curproxy->defpx) {
if (!(curproxy->defpx->flags & PR_FL_READY)) {
MEDIUM: rules/acl: Parse TCP/HTTP rules and acls defined in defaults sections TCP and HTTP rules can now be defined in defaults sections, but only those with a name. Because these rules may use conditions based on ACLs, ACLs can also be defined in defaults sections. However there are some limitations: * A defaults section defining TCP/HTTP rules cannot be used by a defaults section * A defaults section defining TCP/HTTP rules cannot be used bu a listen section * A defaults sections defining TCP/HTTP rules cannot be used by frontends and backends at the same time * A defaults sections defining 'tcp-request connection' or 'tcp-request session' rules cannot be used by backends * A defaults sections defining 'tcp-response content' rules cannot be used by frontends The TCP request/response inspect-delay of a proxy is now inherited from the defaults section it uses. For now, these rules are only parsed. No evaluation is performed.
2021-10-13 09:40:15 -04:00
/* check validity for 'tcp-request' layer 4/5/6/7 rules */
cfgerr += check_action_rules(&curproxy->defpx->tcp_req.l4_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->tcp_req.l5_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->tcp_req.inspect_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->tcp_rep.inspect_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->http_req_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->http_res_rules, curproxy->defpx, &err_code);
cfgerr += check_action_rules(&curproxy->defpx->http_after_res_rules, curproxy->defpx, &err_code);
MINOR: config: Finish configuration for referenced default proxies If a not-ready default proxy is referenced by a proxy during the configuration validity check, its configuration is also finished and PR_FL_READY flag is set on it. For now, the arguments resolution is the only step performed. This patch is mandatory to support TCP/HTTP rules in defaults sections.
2021-10-13 05:04:10 -04:00
err = NULL;
i = smp_resolve_args(curproxy->defpx, &err);
cfgerr += i;
if (i) {
indent_msg(&err, 8);
ha_alert("%s%s\n", i > 1 ? "multiple argument resolution errors:" : "", err);
ha_free(&err);
}
else
cfgerr += acl_find_targets(curproxy->defpx);
/* default proxy is now ready. Set the right FE/BE capabilities */
curproxy->defpx->flags |= PR_FL_READY;
}
}
MEDIUM: listener: inherit the process mask from the proxy When a process list is specified on either the proxy or the bind lines, the latter is refined to the intersection of the two. A warning is emitted if no intersection is found, and the situation is fixed by either falling back to the first process of the proxy or to all processes.
2014-05-09 11:06:11 -04:00
/* check and reduce the bind-proc of each listener */
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
REORG: listener: move the bind_conf's thread setup code to listener.c What used to be only two lines to apply a mask in a loop in check_config_validity() grew into a 130-line block that performs deeply listener-specific operations that do not have their place there anymore. In addition it's worth noting that the peers code still doesn't support shards nor being bound to more than one group, which is a second reason for moving that code to its own function. Nothing was changed except recreating the missing variables from the bind_conf itself (the fe only).
2023-04-22 17:25:38 -04:00
int ret;
MEDIUM: listener: inherit the process mask from the proxy When a process list is specified on either the proxy or the bind lines, the latter is refined to the intersection of the two. A warning is emitted if no intersection is found, and the situation is fixed by either falling back to the first process of the proxy or to all processes.
2014-05-09 11:06:11 -04:00
MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2 HTTP/2 mandates the support of 16384 bytes frames by default, so we need a large enough buffer to process them. Till now if tune.bufsize was too small, H2 connections were simply rejected during their establishment, making it quite hard to troubleshoot the issue. Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an error if tune.bufsize is not large enough, with the appropriate recommendation.
2017-11-24 05:28:00 -05:00
/* HTTP frontends with "h2" as ALPN/NPN will work in
* HTTP/2 and absolutely require buffers 16kB or larger.
*/
#ifdef USE_OPENSSL
MINOR: config: add "no-alpn" support for bind lines It's possible to replace a previously set ALPN but not to disable ALPN if it was previously set. The new "no-alpn" setting allows to disable a previously set ALPN setting by preparing an empty one that will be replaced and freed when the config is validated.
2023-04-19 02:28:40 -04:00
/* no-alpn ? If so, it's the right moment to remove it */
if (bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.alpn_len) {
CLEANUP: Reapply ha_free.cocci This reapplies ha_free.cocci across the whole src/ tree.
2024-03-29 13:21:53 -04:00
ha_free(&bind_conf->ssl_conf.alpn_str);
MINOR: config: add "no-alpn" support for bind lines It's possible to replace a previously set ALPN but not to disable ALPN if it was previously set. The new "no-alpn" setting allows to disable a previously set ALPN setting by preparing an empty one that will be replaced and freed when the config is validated.
2023-04-19 02:28:40 -04:00
}
MEDIUM: config: set useful ALPN defaults for HTTPS and QUIC This commit makes sure that if three is no "alpn", "npn" nor "no-alpn" setting on a "bind" line which corresponds to an HTTPS or QUIC frontend, we automatically turn on "h2,http/1.1" as an ALPN default for an HTTP listener, and "h3" for a QUIC listener. This simplifies the configuration for end users since they won't have to explicitly configure the ALPN string to enable H2, considering that at the time of writing, HTTP/1.1 represents less than 7% of the traffic on large infrastructures. The doc and regtests were updated. For more info, refer to the following thread: https://www.mail-archive.com/haproxy@formilux.org/msg43410.html
2023-04-19 03:12:33 -04:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
else if (!bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.npn_str &&
((bind_conf->options & BC_O_USE_SSL) || bind_conf->xprt == xprt_get(XPRT_QUIC)) &&
curproxy->mode == PR_MODE_HTTP && global.tune.bufsize >= 16384) {
/* Neither ALPN nor NPN were explicitly set nor disabled, we're
* in HTTP mode with an SSL or QUIC listener, we can enable ALPN.
* Note that it's in binary form.
*/
if (bind_conf->xprt == xprt_get(XPRT_QUIC))
bind_conf->ssl_conf.alpn_str = strdup("\002h3");
else
bind_conf->ssl_conf.alpn_str = strdup("\002h2\010http/1.1");
if (!bind_conf->ssl_conf.alpn_str) {
ha_alert("Proxy '%s': out of memory while trying to allocate a default alpn string in 'bind %s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
bind_conf->ssl_conf.alpn_len = strlen(bind_conf->ssl_conf.alpn_str);
}
#endif
MINOR: config: add "no-alpn" support for bind lines It's possible to replace a previously set ALPN but not to disable ALPN if it was previously set. The new "no-alpn" setting allows to disable a previously set ALPN setting by preparing an empty one that will be replaced and freed when the config is validated.
2023-04-19 02:28:40 -04:00
MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2 HTTP/2 mandates the support of 16384 bytes frames by default, so we need a large enough buffer to process them. Till now if tune.bufsize was too small, H2 connections were simply rejected during their establishment, making it quite hard to troubleshoot the issue. Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an error if tune.bufsize is not large enough, with the appropriate recommendation.
2017-11-24 05:28:00 -05:00
if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
#ifdef OPENSSL_NPN_NEGOTIATED
/* check NPN */
BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2") tried to avoid an annoying issue making H2 fail when haproxy is built with default buffer sizes smaller than 16kB, which used to be the case for a very long time. Sadly, the test only sees when NPN/ALPN exactly match "h2" and not when it's combined like "h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because the string is prefixed by the token's length (0x02) which is unambiguous as it cannot be part of any other token. This fix should be backported to 1.8 as a safety guard against bad configurations.
2018-11-11 04:36:25 -05:00
if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2 HTTP/2 mandates the support of 16384 bytes frames by default, so we need a large enough buffer to process them. Till now if tune.bufsize was too small, H2 connections were simply rejected during their establishment, making it quite hard to troubleshoot the issue. Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an error if tune.bufsize is not large enough, with the appropriate recommendation.
2017-11-24 05:28:00 -05:00
cfgerr++;
}
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
/* check ALPN */
BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2") tried to avoid an annoying issue making H2 fail when haproxy is built with default buffer sizes smaller than 16kB, which used to be the case for a very long time. Sadly, the test only sees when NPN/ALPN exactly match "h2" and not when it's combined like "h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because the string is prefixed by the token's length (0x02) which is unambiguous as it cannot be part of any other token. This fix should be backported to 1.8 as a safety guard against bad configurations.
2018-11-11 04:36:25 -05:00
if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2 HTTP/2 mandates the support of 16384 bytes frames by default, so we need a large enough buffer to process them. Till now if tune.bufsize was too small, H2 connections were simply rejected during their establishment, making it quite hard to troubleshoot the issue. Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an error if tune.bufsize is not large enough, with the appropriate recommendation.
2017-11-24 05:28:00 -05:00
cfgerr++;
}
#endif
} /* HTTP && bufsize < 16384 */
#endif
MINOR: quic: transform pacing settings into a global option Pacing support was previously activated on each bind line individually, via an optional argument of quic-cc-algo keyword. Remove this optional argument and introduce a global setting to enable/disable pacing. Pacing activation is still flagged as experimental. One important change is that previously BBR usage automatically activated pacing support. This is not the case anymore, so users should now always explicitely activate pacing if BBR is selected. A new warning message will be displayed if this is not the case. Another consequence of this change is that now pacing_inter callback is always defined for every quic_cc_algo types. As such, QUIC MUX uses global.tune.options to determine if pacing is required. This should be backported up to 3.1, after a period of observation.
2025-01-30 08:50:19 -05:00
#ifdef USE_QUIC
if (bind_conf->xprt == xprt_get(XPRT_QUIC)) {
const struct quic_cc_algo *cc_algo = bind_conf->quic_cc_algo ?
bind_conf->quic_cc_algo : default_quic_cc_algo;
if (!(cc_algo->flags & QUIC_CC_ALGO_FL_OPT_PACING) &&
BUILD: quic: fix overflow in global tune A new global option was recently introduced to disable pacing. However, the value used (1<<31) caused issue with some compiler as options field used for storage is declared as int. Move pacing deactivation flag outside into the newly defined quic_tune to fix this. This should be backported up to 3.1 after a period of observation. Note that it relied on the previous patch which defined new quic_tune type.
2025-01-30 12:01:53 -05:00
quic_tune.options & QUIC_TUNE_NO_PACING) {
MINOR: quic: transform pacing settings into a global option Pacing support was previously activated on each bind line individually, via an optional argument of quic-cc-algo keyword. Remove this optional argument and introduce a global setting to enable/disable pacing. Pacing activation is still flagged as experimental. One important change is that previously BBR usage automatically activated pacing support. This is not the case anymore, so users should now always explicitely activate pacing if BBR is selected. A new warning message will be displayed if this is not the case. Another consequence of this change is that now pacing_inter callback is always defined for every quic_cc_algo types. As such, QUIC MUX uses global.tune.options to determine if pacing is required. This should be backported up to 3.1, after a period of observation.
2025-01-30 08:50:19 -05:00
ha_warning("Binding [%s:%d] for %s %s: using the selected congestion algorithm without pacing may cause slowdowns or high loss rates during transfers.\n",
bind_conf->file, bind_conf->line,
proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
}
}
#endif /* USE_QUIC */
REORG: listener: move the bind_conf's thread setup code to listener.c What used to be only two lines to apply a mask in a loop in check_config_validity() grew into a 130-line block that performs deeply listener-specific operations that do not have their place there anymore. In addition it's worth noting that the peers code still doesn't support shards nor being bound to more than one group, which is a second reason for moving that code to its own function. Nothing was changed except recreating the missing variables from the bind_conf itself (the fe only).
2023-04-22 17:25:38 -04:00
/* finish the bind setup */
ret = bind_complete_thread_setup(bind_conf, &err_code);
if (ret != 0) {
cfgerr += ret;
if (err_code & ERR_FATAL)
goto out;
MEDIUM: listeners: split the thread mask between receiver and bind_conf With groups at some point we'll have to have distinct masks/groups in the receiver and the bind_conf, because a single bind_conf might require to instantiate multiple receivers (one per group). Let's split the thread mask and group to have one for the bind_conf and another one for the receiver while it remains easy to do. This will later allow to use different storage for the bind_conf if needed (e.g. support multiple groups).
2021-10-12 02:47:54 -04:00
}
MINOR: listener: implement GUID support This commit is similar with the two previous ones. Its purpose is to add GUID support on listeners. Due to bind_conf and listeners configuration, some specifities were required. Its possible to define several listeners on a single bind line, for example by specifying multiple addresses. As such, it's impossible to support a "guid" keyword on a bind line. The problem is exacerbated by the cloning of listeners when sharding is used. To resolve this, a new keyword "guid-prefix" is defined for bind lines. It allows to specify a string which will be used as a prefix for automatically generated GUID for each listeners attached to a bind_conf. Automatic GUID listeners generation is implemented via a new function bind_generate_guid(). It is called on post-parsing, after bind_complete_thread_setup(). For each listeners on a bind_conf, a new GUID is generated with bind_conf prefix and the index of the listener relative to other listeners in the bind_conf. This last value is stored in a new bind_conf field named <guid_idx>. If a GUID cannot be inserted, for example due to a non-unique value, an error is returned, startup is interrupted with configuration rejected.
2024-04-02 04:44:08 -04:00
if (bind_generate_guid(bind_conf)) {
cfgerr++;
err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
MEDIUM: listener: inherit the process mask from the proxy When a process list is specified on either the proxy or the bind lines, the latter is refined to the intersection of the two. A warning is emitted if no intersection is found, and the situation is fixed by either falling back to the first process of the proxy or to all processes.
2014-05-09 11:06:11 -04:00
}
[MINOR] cfgparse: some cleanups in the consistency checks Check for servers in health mode, for health mode in pure-backends. Some code have been refactored for better organization.
2009-03-15 08:46:16 -04:00
switch (curproxy->mode) {
case PR_MODE_TCP:
[MEDIUM] config: split parser and checker in two functions This is a first step towards support of multiple configuration files. Now readcfgfile() only reads a file in memory and performs very minimal parsing. The checks are performed afterwards.
2009-06-22 09:48:36 -04:00
cfgerr += proxy_cfg_ensure_no_http(curproxy);
MINOR: log/backend: ensure log exclusive params are not used in other modes add proxy_cfg_ensure_no_log() function (similar to proxy_cfg_ensure_no_http()) to ensure at the end of proxy parsing that no log exclusive options are found if the proxy is not in log mode.
2023-11-15 06:18:52 -05:00
cfgerr += proxy_cfg_ensure_no_log(curproxy);
[MINOR] cfgparse: some cleanups in the consistency checks Check for servers in health mode, for health mode in pure-backends. Some code have been refactored for better organization.
2009-03-15 08:46:16 -04:00
break;
case PR_MODE_HTTP:
MINOR: log/backend: ensure log exclusive params are not used in other modes add proxy_cfg_ensure_no_log() function (similar to proxy_cfg_ensure_no_http()) to ensure at the end of proxy parsing that no log exclusive options are found if the proxy is not in log mode.
2023-11-15 06:18:52 -05:00
cfgerr += proxy_cfg_ensure_no_log(curproxy);
MEDIUM: proxy: remove acl_requires and just keep a flag "http_needed" Proxy's acl_requires was a copy of all bits taken from ACLs, but we'll get rid of ACL flags and only rely on sample fetches soon. The proxy's acl_requires was only used to allocate an HTTP context when needed, and was even forced in HTTP mode. So better have a flag which exactly says what it's supposed to be used for.
2013-03-24 02:22:08 -04:00
curproxy->http_needed = 1;
[MINOR] cfgparse: some cleanups in the consistency checks Check for servers in health mode, for health mode in pure-backends. Some code have been refactored for better organization.
2009-03-15 08:46:16 -04:00
break;
MEDIUM: cli: implement 'mode cli' proxy analyzers This patch implements analysers for parsing the CLI and extra features for the master's CLI. For each command (sent alone, or separated by ; or \n) the request analyser will determine to which server it should send the request. The 'mode cli' proxy is able to parse a prefix for each command which is used to select the apropriate server. The prefix start by @ and is followed by "master", the PID preceded by ! or the relative PID. (e.g. @master, @1, @!1234). The servers are not round-robined anymore. The command is sent with a SHUTW which force the server to close the connection after sending its response. However the proxy allows a keepalive connection on the client side and does not close. The response analyser does not do much stuff, it only reinits the connection when it received a close from the server, and forward the response. It does not analyze the response data. The only guarantee of the end of the response is the close of the server, we can't rely on the double \n since it's not send by every command. This could be reimplemented later as a filter.
2018-10-26 08:47:40 -04:00
case PR_MODE_CLI:
cfgerr += proxy_cfg_ensure_no_http(curproxy);
MINOR: log/backend: ensure log exclusive params are not used in other modes add proxy_cfg_ensure_no_log() function (similar to proxy_cfg_ensure_no_http()) to ensure at the end of proxy parsing that no log exclusive options are found if the proxy is not in log mode.
2023-11-15 06:18:52 -05:00
cfgerr += proxy_cfg_ensure_no_log(curproxy);
MEDIUM: cli: implement 'mode cli' proxy analyzers This patch implements analysers for parsing the CLI and extra features for the master's CLI. For each command (sent alone, or separated by ; or \n) the request analyser will determine to which server it should send the request. The 'mode cli' proxy is able to parse a prefix for each command which is used to select the apropriate server. The prefix start by @ and is followed by "master", the PID preceded by ! or the relative PID. (e.g. @master, @1, @!1234). The servers are not round-robined anymore. The command is sent with a SHUTW which force the server to close the connection after sending its response. However the proxy allows a keepalive connection on the client side and does not close. The response analyser does not do much stuff, it only reinits the connection when it received a close from the server, and forward the response. It does not analyze the response data. The only guarantee of the end of the response is the close of the server, we can't rely on the double \n since it's not send by every command. This could be reimplemented later as a filter.
2018-10-26 08:47:40 -04:00
break;
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
MINOR: log: adds syslog udp message handler and parsing. This patch introduce a new fd handler used to parse syslog message on udp. The parsing function returns level, facility and metadata that can be immediatly reused to forward message to a log server. This handler is enabled on udp listeners if proxy is internally set to mode PR_MODE_SYSLOG
2020-07-07 03:43:24 -04:00
case PR_MODE_SYSLOG:
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
/* this mode is initialized as the classic tcp proxy */
cfgerr += proxy_cfg_ensure_no_http(curproxy);
break;
MEDIUM: proxy/spoe: Add a SPOP mode The SPOE was significantly lightened. It is now possible to refactor it to use a dedicated multiplexer. The first step is to add a SPOP mode for proxies. The corresponding multiplexer mode is also added. For now, there is no SPOP multiplexer, so it is only declarative. But at the end, the SPOP multiplexer will be automatically selected for servers inside a SPOP backend. The related issue is #2502.
2024-07-04 03:58:12 -04:00
case PR_MODE_SPOP:
cfgerr += proxy_cfg_ensure_no_http(curproxy);
cfgerr += proxy_cfg_ensure_no_log(curproxy);
break;
MEDIUM: proxy: add mode PR_MODE_PEERS to flag peers frontends For now we cannot easily distinguish a peers frontend from another one, which will be problematic to avoid reporting them when stopping their listeners. Let's add PR_MODE_PEERS for this. It's not supposed to cause any issue since all non-HTTP proxies are handled similarly now.
2020-10-07 11:49:42 -04:00
case PR_MODE_PEERS:
MINOR: log: adds syslog udp message handler and parsing. This patch introduce a new fd handler used to parse syslog message on udp. The parsing function returns level, facility and metadata that can be immediatly reused to forward message to a log server. This handler is enabled on udp listeners if proxy is internally set to mode PR_MODE_SYSLOG
2020-07-07 03:43:24 -04:00
case PR_MODES:
/* should not happen, bug gcc warn missing switch statement */
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
ha_alert("%s '%s' cannot initialize this proxy mode (peers) in this way. NOTE: PLEASE REPORT THIS TO DEVELOPERS AS YOU'RE NOT SUPPOSED TO BE ABLE TO CREATE A CONFIGURATION TRIGGERING THIS!\n",
MINOR: log: adds syslog udp message handler and parsing. This patch introduce a new fd handler used to parse syslog message on udp. The parsing function returns level, facility and metadata that can be immediatly reused to forward message to a log server. This handler is enabled on udp listeners if proxy is internally set to mode PR_MODE_SYSLOG
2020-07-07 03:43:24 -04:00
proxy_type_str(curproxy), curproxy->id);
cfgerr++;
break;
[MINOR] cfgparse: some cleanups in the consistency checks Check for servers in health mode, for health mode in pure-backends. Some code have been refactored for better organization.
2009-03-15 08:46:16 -04:00
}
MINOR: proxy: disable warnings for internal proxies The internal proxies should be part of the proxies list, because of this, the check_config_validity() fonction could emit warnings about these proxies. This patch disables 3 startup warnings for internal proxies: - "has no 'bind' directive" (this one was already ignored for the CLI frontend, but we made it generic instead) - "missing timeouts" - "log format ignored"
2021-08-13 09:21:12 -04:00
if (!(curproxy->cap & PR_CAP_INT) && (curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MEDIUM: config: emit a warning on a frontend without listener Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind") completely removed the test for bind lines in frontends in order to make it easier for automated tools to generate configs (eg: replacing a bind with another one passing via a temporary config without any bind line). The problem is that some common mistakes are totally hidden now. For example, this apparently valid entry is silently ignored : listen 1.2.3.4:8000 server s1 127.0.0.1:8000 Hint: 1.2.3.4:8000 is mistakenly the proxy name here. Thus instead we now emit a warning to indicate that a frontend was found with no listener. This should be backported to 1.5 to help spot abnormal configurations.
2015-08-11 05:36:45 -04:00
err_code |= ERR_WARN;
}
MEDIUM: proxy: remove obsolete "mode health" As discussed here during 2.1-dev, "mode health" is totally obsolete: https://www.mail-archive.com/haproxy@formilux.org/msg35204.html It's fundamentally incompatible with usage of SSL, doesn't support source filtering, and imposes the presence of file descriptors with hard-coded syscalls directly in the generic accept path. It's very unlikely that anyone has used it in the last 10 years for anything beyond testing. In the worst case if anyone would depend on it, replacing it with "http-request return status 200" and "mode http" would certainly do the trick. The keyword is still detected as special by the config parser to help users update their configurations appropriately.
2020-10-14 09:44:27 -04:00
if (curproxy->cap & PR_CAP_BE) {
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
if (curproxy->lbprm.algo & BE_LB_KIND) {
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
if (curproxy->options & PR_O_TRANSP) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' cannot use both transparent and balance mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
cfgerr++;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#ifdef WE_DONT_SUPPORT_SERVERLESS_LISTENERS
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
else if (curproxy->srv == NULL) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' needs at least 1 server in balance mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
cfgerr++;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
#endif
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
else if (curproxy->options & PR_O_DISPATCH) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("dispatch address of %s '%s' will be ignored in balance mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
err_code |= ERR_WARN;
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
}
}
MEDIUM: proxy: remove long-broken 'option http_proxy' This option had always been broken in HTX, which means that the first breakage appeared in 1.9, that it was broken by default in 2.0 and that no workaround existed starting with 2.1. The way this option works is praticularly unfit to the rest of the configuration and to the internal architecture. It had some uses when it was introduced 14 years ago but nowadays it's possible to do much better and more reliable using a set of "http-request set-dst" and "http-request set-uri" rules, which additionally are compatible with DNS resolution (via do-resolve) and are not exclusive to normal load balancing. The "option-http_proxy" example config file was updated to reflect this. The option is still parsed so that an error message gives hints about what to look for.
2021-07-18 13:18:56 -04:00
else if (!(curproxy->options & (PR_O_TRANSP | PR_O_DISPATCH))) {
[MINOR] cfgparse: set backends to "balance roundrobin" by default When a backend has no LB algo specified and is not in dispatch, proxy nor transparent mode, use "balance roundrobin" by default instead of complaining. This will be particularly useful with stats and redirects.
2009-03-15 09:06:41 -04:00
/* If no LB algo is set in a backend, and we're not in
* transparent mode, dispatch mode nor proxy mode, we
* want to use balance roundrobin by default.
*/
curproxy->lbprm.algo &= ~BE_LB_ALGO;
curproxy->lbprm.algo |= BE_LB_ALGO_RR;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
}
[MEDIUM] fix configuration sanity checks for TCP listeners A log chain of if/else prevented many sanity checks from being performed on TCP listeners, resulting in dangerous configs being accepted. Removed the offending 'else'.
2007-09-17 04:17:23 -04:00
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
if (curproxy->options & PR_O_DISPATCH)
MEDIUM: proxy: remove long-broken 'option http_proxy' This option had always been broken in HTX, which means that the first breakage appeared in 1.9, that it was broken by default in 2.0 and that no workaround existed starting with 2.1. The way this option works is praticularly unfit to the rest of the configuration and to the internal architecture. It had some uses when it was introduced 14 years ago but nowadays it's possible to do much better and more reliable using a set of "http-request set-dst" and "http-request set-uri" rules, which additionally are compatible with DNS resolution (via do-resolve) and are not exclusive to normal load balancing. The "option-http_proxy" example config file was updated to reflect this. The option is still parsed so that an error message gives hints about what to look for.
2021-07-18 13:18:56 -04:00
curproxy->options &= ~PR_O_TRANSP;
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
else if (curproxy->options & PR_O_TRANSP)
MEDIUM: proxy: remove long-broken 'option http_proxy' This option had always been broken in HTX, which means that the first breakage appeared in 1.9, that it was broken by default in 2.0 and that no workaround existed starting with 2.1. The way this option works is praticularly unfit to the rest of the configuration and to the internal architecture. It had some uses when it was introduced 14 years ago but nowadays it's possible to do much better and more reliable using a set of "http-request set-dst" and "http-request set-uri" rules, which additionally are compatible with DNS resolution (via do-resolve) and are not exclusive to normal load balancing. The "option-http_proxy" example config file was updated to reflect this. The option is still parsed so that an error message gives hints about what to look for.
2021-07-18 13:18:56 -04:00
curproxy->options &= ~PR_O_DISPATCH;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MAJOR: checks: Implement HTTP check using tcp-check rules HTTP health-checks are now internally based on tcp-checks. Of course all the configuration parsing of the "http-check" keyword and the httpchk option has been rewritten. But the main changes is that now, as for tcp-check ruleset, it is possible to perform several send/expect sequences into the same health-checks. Thus the connect rule is now also available from HTTP checks, jst like set-var, unset-var and comment rules. Because the request defined by the "option httpchk" line is used for the first request only, it is now possible to set the method, the uri and the version on a "http-check send" line.
2020-04-15 05:32:03 -04:00
if ((curproxy->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_HTTP_RS)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' uses http-check rules without 'option httpchk', so the rules are ignored.\n",
MAJOR: checks: Implement HTTP check using tcp-check rules HTTP health-checks are now internally based on tcp-checks. Of course all the configuration parsing of the "http-check" keyword and the httpchk option has been rewritten. But the main changes is that now, as for tcp-check ruleset, it is possible to perform several send/expect sequences into the same health-checks. Thus the connect rule is now also available from HTTP checks, jst like set-var, unset-var and comment rules. Because the request defined by the "option httpchk" line is used for the first request only, it is now possible to set the method, the uri and the version on a "http-check send" line.
2020-04-15 05:32:03 -04:00
proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
}
if ((curproxy->options2 & PR_O2_CHK_ANY) == PR_O2_TCPCHK_CHK &&
BUG/MINOR: checks: Fix test on http-check rulesets during config validity check When checking the config validity of the http-check rulesets, the test on the ruleset type is inverted. So a warning about ignored directive is emitted when the config is valid and omitted when it should be reported. No backport needed.
2020-06-03 13:00:42 -04:00
(curproxy->tcpcheck_rules.flags & TCPCHK_RULES_PROTO_CHK) != TCPCHK_RULES_HTTP_CHK) {
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
if (curproxy->options & PR_O_DISABLE404) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'%s' will be ignored for %s '%s' (requires 'option httpchk').\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
"disable-on-404", proxy_type_str(curproxy), curproxy->id);
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
err_code |= ERR_WARN;
curproxy->options &= ~PR_O_DISABLE404;
}
if (curproxy->options2 & PR_O2_CHK_SNDST) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'%s' will be ignored for %s '%s' (requires 'option httpchk').\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
"send-state", proxy_type_str(curproxy), curproxy->id);
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
err_code |= ERR_WARN;
BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning In GH issue #2586 @Bbulatov reported a bug where the http-check send-state flag is removed from options instead of options2 when http-check is disabled. It only has an effect when this option is set and http-check disabled, where it displays a warning indicating this will be ignored. The option removed instead is srvtcpka when this happens. It's likely that both options being so minor, nobody ever faced it. This can be backported to all versions.
2024-05-31 12:30:16 -04:00
curproxy->options2 &= ~PR_O2_CHK_SNDST;
[MEDIUM] checks: group health checks methods by values and save option bits Adding health checks has become a real pain, with cross-references to all checks everywhere because they're all a single bit. Since they're all exclusive, let's change this to have a check number only. We reserve 4 bits allowing up to 16 checks (15+tcp), only 7 of which are currently used. The code has shrunk by almost 1kB and we saved a few option bits. The "dispatch" option has been moved to px->options, making a few tests a bit cleaner.
2011-08-06 11:05:02 -04:00
}
[MINOR] checks: add the server's status in the checks Now a server can check the contents of the header X-Haproxy-Server-State to know how haproxy sees it. The same values as those reported in the stats are provided : - up/down status + check counts - throttle - weight vs backend weight - active sessions vs backend sessions - queue length - haproxy node name
2010-01-27 05:53:01 -05:00
}
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
if ((curproxy->options2 & PR_O2_CHK_ANY) == PR_O2_EXT_CHK) {
if (!global.external_check) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s' : '%s' unable to find required 'global.external-check'.\n",
curproxy->id, "option external-check");
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
cfgerr++;
}
if (!curproxy->check_command) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s' : '%s' unable to find required 'external-check command'.\n",
curproxy->id, "option external-check");
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
cfgerr++;
}
MEDIUM: init: prevent process and thread creation at runtime Some concerns are regularly raised about the risk to inherit some Lua files which make use of a fork (e.g. via os.execute()) as well as whether or not some of bugs we fix might or not be exploitable to run some code. Given that haproxy is event-driven, any foreground activity completely stops processing and is easy to detect, but background activity is a different story. A Lua script could very well discretely fork a sub-process connecting to a remote location and taking commands, and some injected code could also try to hide its activity by creating a process or a thread without blocking the rest of the processing. While such activities should be extremely limited when run in an empty chroot without any permission, it would be better to get a higher assurance they cannot happen. This patch introduces something very simple: it limits the number of processes and threads to zero in the workers after the last thread was created. By doing so, it effectively instructs the system to fail on any fork() or clone() syscall. Thus any undesired activity has to happen in the foreground and is way easier to detect. This will obviously break external checks (whose concept is already totally insecure), and for this reason a new option "insecure-fork-wanted" was added to disable this protection, and it is suggested in the fork() error report from the checks. It is obviously recommended not to use it and to reconsider the reasons leading to it being enabled in the first place. If for any reason we fail to disable forks, we still start because it could be imaginable that some operating systems refuse to set this limit to zero, but in this case we emit a warning, that may or may not be reported since we're after the fork point. Ideally over the long term it should be conditionned by strict-limits and cause a hard fail.
2019-12-03 01:07:36 -05:00
if (!(global.tune.options & GTUNE_INSECURE_FORK)) {
ha_warning("Proxy '%s' : 'insecure-fork-wanted' not enabled in the global section, '%s' will likely fail.\n",
curproxy->id, "option external-check");
err_code |= ERR_WARN;
}
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
}
BUG/MINOR: proxy: fix email-alert leak on deinit() (2nd try) As shown in GH #2608 and ("BUG/MEDIUM: proxy: fix email-alert invalid free"), simply calling free_email_alert() from free_proxy() is not the right thing to do. In this patch, we reuse proxy->email_alert.set memory space to introduce proxy->email_alert.flags in order to support 2 flags: PR_EMAIL_ALERT_SET (to mimic proxy->email_alert.set) and PR_EMAIL_ALERT_RESOLVED (set once init_email_alert() was called on the proxy to resolve email_alert.mailer pointer). Thanks to PR_EMAIL_ALERT_RESOLVED flag, free_email_alert() may now properly handle the freeing of proxy email_alert settings: if the RESOLVED flag is set, then it means the .email_alert.mailers.name parsing hint was replaced by the actual mailers pointer, thus no free should be attempted. No backport needed: as described in ("BUG/MEDIUM: proxy: fix email-alert invalid free"), this historical leak is not sensitive as it cannot be triggered during runtime.. thus given that the fix is not backport- friendly, it's not worth the trouble.
2024-06-17 12:53:48 -04:00
if (curproxy->email_alert.flags & PR_EMAIL_ALERT_SET) {
MEDIUM: Support sending email alerts Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:23:00 -05:00
if (!(curproxy->email_alert.mailers.name && curproxy->email_alert.from && curproxy->email_alert.to)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'email-alert' will be ignored for %s '%s' (the presence any of "
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
"'email-alert from', 'email-alert level' 'email-alert mailers', "
"'email-alert myhostname', or 'email-alert to' "
"requires each of 'email-alert from', 'email-alert mailers' and 'email-alert to' "
"to be present).\n",
proxy_type_str(curproxy), curproxy->id);
MEDIUM: Support sending email alerts Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:23:00 -05:00
err_code |= ERR_WARN;
free_email_alert(curproxy);
}
if (!curproxy->email_alert.myhostname)
BUG/MINOR: checks: email-alert causes a segfault when an unknown mailers section is configured A segfault can occur during at the initialization phase, when an unknown "mailers" name is configured. This happens when "email-alert myhostname" is not set, where a direct pointer to an array is used instead of copying the string, causing the segfault when haproxy tries to free the memory. This is a minor issue because the configuration is invalid and a fatal error will remain, but it should be fixed to prevent reload issues. Example of minimal configuration to reproduce the bug : backend example email-alert mailers NOT_FOUND email-alert from foo@localhost email-alert to bar@localhost This fix must be backported to 1.6.
2015-12-03 21:07:07 -05:00
curproxy->email_alert.myhostname = strdup(hostname);
MEDIUM: Allow configuration of email alerts This currently does nothing beyond parsing the configuration and storing in the proxy as there is no implementation of email alerts. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:59 -05:00
}
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
if (curproxy->check_command) {
int clear = 0;
if ((curproxy->options2 & PR_O2_CHK_ANY) != PR_O2_EXT_CHK) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'%s' will be ignored for %s '%s' (requires 'option external-check').\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
"external-check command", proxy_type_str(curproxy), curproxy->id);
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
err_code |= ERR_WARN;
clear = 1;
}
if (curproxy->check_command[0] != '/' && !curproxy->check_path) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': '%s' does not have a leading '/' and 'external-check path' is not set.\n",
curproxy->id, "external-check command");
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
cfgerr++;
}
if (clear) {
CLEANUP: tree-wide: replace free(x);x=NULL with ha_free(&x) This makes the code more readable and less prone to copy-paste errors. In addition, it allows to place some __builtin_constant_p() predicates to trigger a link-time error in case the compiler knows that the freed area is constant. It will also produce compile-time error if trying to free something that is not a regular pointer (e.g. a function). The DEBUG_MEM_STATS macro now also defines an instance for ha_free() so that all these calls can be checked. 178 occurrences were converted. The vast majority of them were handled by the following Coccinelle script, some slightly refined to better deal with "&*x" or with long lines: @ rule @ expression E; @@ - free(E); - E = NULL; + ha_free(&E); It was verified that the resulting code is the same, more or less a handful of cases where the compiler optimized slightly differently the temporary variable that holds the copy of the pointer. A non-negligible amount of {free(str);str=NULL;str_len=0;} are still present in the config part (mostly header names in proxies). These ones should also be cleaned for the same reasons, and probably be turned into ist strings.
2021-02-20 04:46:51 -05:00
ha_free(&curproxy->check_command);
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
}
}
if (curproxy->check_path) {
if ((curproxy->options2 & PR_O2_CHK_ANY) != PR_O2_EXT_CHK) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'%s' will be ignored for %s '%s' (requires 'option external-check').\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
"external-check path", proxy_type_str(curproxy), curproxy->id);
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
err_code |= ERR_WARN;
CLEANUP: tree-wide: replace free(x);x=NULL with ha_free(&x) This makes the code more readable and less prone to copy-paste errors. In addition, it allows to place some __builtin_constant_p() predicates to trigger a link-time error in case the compiler knows that the freed area is constant. It will also produce compile-time error if trying to free something that is not a regular pointer (e.g. a function). The DEBUG_MEM_STATS macro now also defines an instance for ha_free() so that all these calls can be checked. 178 occurrences were converted. The vast majority of them were handled by the following Coccinelle script, some slightly refined to better deal with "&*x" or with long lines: @ rule @ expression E; @@ - free(E); - E = NULL; + ha_free(&E); It was verified that the resulting code is the same, more or less a handful of cases where the compiler optimized slightly differently the temporary variable that holds the copy of the pointer. A non-negligible amount of {free(str);str=NULL;str_len=0;} are still present in the config part (mostly header names in proxies). These ones should also be cleaned for the same reasons, and probably be turned into ist strings.
2021-02-20 04:46:51 -05:00
ha_free(&curproxy->check_path);
MEDIUM: Add external check Add an external check which makes use of an external process to check the status of a server.
2014-06-19 23:30:16 -04:00
}
}
[MEDIUM] implemented the "default_backend" keyword The "default_backend" keyword used in a frontend sets the default backend which will be used if no setbe rule matches.
2007-01-01 17:11:07 -05:00
/* if a default backend was specified, let's find it */
if (curproxy->defbe.name) {
struct proxy *target;
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
target = proxy_be_by_name(curproxy->defbe.name);
[MEDIUM] Implement and use generic findproxy and relax duplicated proxy check This patch: - adds proxy_mode_str() similar to proxy_type_str() - adds a generic findproxy function used with default_backend/setbe/use_backed - rewrite default_backend/senbe/use_backed to use introduced findproxy() - relaxes duplicated proxy check - changes capabilities displaying from "%X" to "%s" with a call to proxy_type_str()
2007-11-03 18:41:58 -04:00
if (!target) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to find required default_backend: '%s'.\n",
curproxy->id, curproxy->defbe.name);
[MEDIUM] implemented the "default_backend" keyword The "default_backend" keyword used in a frontend sets the default backend which will be used if no setbe rule matches.
2007-01-01 17:11:07 -05:00
cfgerr++;
} else if (target == curproxy) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': loop detected for default_backend: '%s'.\n",
curproxy->id, curproxy->defbe.name);
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
cfgerr++;
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
} else if (target->mode != curproxy->mode &&
!(curproxy->mode == PR_MODE_TCP && target->mode == PR_MODE_HTTP)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("%s %s '%s' (%s:%d) tries to use incompatible %s %s '%s' (%s:%d) as its default backend (see 'mode').\n",
proxy_mode_str(curproxy->mode), proxy_type_str(curproxy), curproxy->id,
curproxy->conf.file, curproxy->conf.line,
proxy_mode_str(target->mode), proxy_type_str(target), target->id,
target->conf.file, target->conf.line);
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
cfgerr++;
[MEDIUM] implemented the "default_backend" keyword The "default_backend" keyword used in a frontend sets the default backend which will be used if no setbe rule matches.
2007-01-01 17:11:07 -05:00
} else {
free(curproxy->defbe.name);
curproxy->defbe.be = target;
MINOR: config: emit a warning when 'default_backend' masks servers When a "listen" instance uses a "default_backned" rule and has servers, the servers will never be used. Report it so that users don't get trapped.
2012-02-13 08:32:34 -05:00
/* Emit a warning if this proxy also has some servers */
if (curproxy->srv) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("In proxy '%s', the 'default_backend' rule always has precedence over the servers, which will never be used.\n",
curproxy->id);
MINOR: config: emit a warning when 'default_backend' masks servers When a "listen" instance uses a "default_backned" rule and has servers, the servers will never be used. Report it so that users don't get trapped.
2012-02-13 08:32:34 -05:00
err_code |= ERR_WARN;
}
MEDIUM: proxy: set PR_O_HTTP_UPG on implicit upgrades When a TCP frontend uses an HTTP backend, the stream is automatically upgraded and it results in a similar behavior as if a switch-mode http rule was evaluated since stream_set_http_mode() gets called in both situations and minimal HTTP analyzers are set. In the current implementation, some postparsing checks are generating errors or warnings when the frontend is in TCP mode with some HTTP options set and no upgrade is expected (no switch-rule http). But as you can guess, unfortunately this leads in issues when such "HTTP" only options are used in a frontend that has implicit switching rules (that is, when the frontend uses an HTTP backend for example), because in this case the PR_O_HTTP_UPG will not be set, so the postparsing checks will consider that some options are not relevant and will raise some warnings. Consider the following example: backend back mode http server s1 git.haproxy.org:80 frontend front mode tcp bind localhost:8080 http-request set-var(txn.test) str(TRUE),debug(WORKING,stderr) use_backend back By starting an haproxy instance with the above example conf, we end up having this warning: [WARNING] (400280) : config : 'http-request' rules ignored for frontend 'front' as they require HTTP mode. However, by making a request on the frontend, we notice that the request rules are still executed, and that's because the stream is effectively upgraded as a result of an implicit upgrade: [debug] WORKING: type=str <TRUE> So this confirms the previous description: since implicit and explicit upgrades result in approximately the same behavior on the frontend side, we should consider them both when doing postparsing checks. This is what we try to address in the following commit: PR_O_HTTP_UPG flag is now more generic in the sense that it refers to either implicit (through default_backend or use_backend rules) or explicit (switch-mode rules) upgrades. Indeed, everytime an HTTP or dynamic backend (where the mode cannot be assumed during parsing) is encountered in default_backend directive or use_backend rules, we explicitly position the upgrade flag so that further checks that depend on the proxy being in HTTP context don't report false warnings.
2023-12-05 09:58:49 -05:00
if (target->mode == PR_MODE_HTTP) {
/* at least one of the used backends will provoke an
* HTTP upgrade
*/
curproxy->options |= PR_O_HTTP_UPG;
}
[MEDIUM] implemented the "default_backend" keyword The "default_backend" keyword used in a frontend sets the default backend which will be used if no setbe rule matches.
2007-01-01 17:11:07 -05:00
}
}
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
/* find the target proxy for 'use_backend' rules */
list_for_each_entry(rule, &curproxy->switching_rules, list) {
struct proxy *target;
MEDIUM: proxy: support use_backend with dynamic names We have a use case where we look up a customer ID in an HTTP header and direct it to the corresponding server. This can easily be done using ACLs and use_backend rules, but the configuration becomes painful to maintain when the number of customers grows to a few tens or even a several hundreds. We realized it would be nice if we could make the use_backend resolve its name at run time instead of config parsing time, and use a similar expression as http-request add-header to decide on the proper backend to use. This permits the use of prefixes or even complex names in backend expressions. If no name matches, then the default backend is used. Doing so allowed us to get rid of all the use_backend rules. Since there are some config checks on the use_backend rules to see if the referenced backend exists, we want to keep them to detect config errors in normal config. So this patch does not modify the default behaviour and proceeds this way : - if the backend name in the use_backend directive parses as a log format rule, it's used as-is and is resolved at run time ; - otherwise it's a static name which must be valid at config time. There was the possibility of doing this with the use-server directive instead of use_backend, but it seems like use_backend is more suited to this task, as it can be used for other purposes. For example, it becomes easy to serve a customer-specific proxy.pac file based on the customer ID by abusing the errorfile primitive : use_backend bk_cust_%[hdr(X-Cust-Id)] if { hdr(X-Cust-Id) -m found } default_backend bk_err_404 backend bk_cust_1 errorfile 200 /etc/haproxy/static/proxy.pac.cust1 Signed-off-by: Bertrand Jacquin <bjacquin@exosec.fr>
2013-11-19 05:43:06 -05:00
struct logformat_node *node;
char *pxname;
/* Try to parse the string as a log format expression. If the result
* of the parsing is only one entry containing a simple string, then
* it's a standard string corresponding to a static rule, thus the
* parsing is cancelled and be.name is restored to be resolved.
*/
pxname = rule->be.name;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&rule->be.expr);
MINOR: http/conf: store the use_backend configuration file and line for logs The error log of the directive use_backend doesn't provide the file and line containing the declaration. This patch stores theses informations.
2016-11-24 17:57:54 -05:00
curproxy->conf.args.ctx = ARGC_UBK;
curproxy->conf.args.file = rule->file;
curproxy->conf.args.line = rule->line;
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
err = NULL;
if (!parse_logformat_string(pxname, curproxy, &rule->be.expr, 0, SMP_VAL_FE_HRQ_HDR, &err)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: failed to parse use_backend rule '%s' : %s.\n",
rule->file, rule->line, pxname, err);
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
free(err);
MEDIUM: log-format/conf: take into account the parse_logformat_string() return code This patch takes into account the return code of the parse_logformat_string() function. Now the configuration parser will fail if the log_format is not strict.
2016-11-22 17:50:02 -05:00
cfgerr++;
continue;
}
MINOR: log: store lf_expr nodes inside substruct Add another struct level inside lf_expr struct to allow new information to be stored alongside lf_expr nodes.
2024-03-25 06:29:58 -04:00
node = LIST_NEXT(&rule->be.expr.nodes.list, struct logformat_node *, list);
MEDIUM: proxy: support use_backend with dynamic names We have a use case where we look up a customer ID in an HTTP header and direct it to the corresponding server. This can easily be done using ACLs and use_backend rules, but the configuration becomes painful to maintain when the number of customers grows to a few tens or even a several hundreds. We realized it would be nice if we could make the use_backend resolve its name at run time instead of config parsing time, and use a similar expression as http-request add-header to decide on the proper backend to use. This permits the use of prefixes or even complex names in backend expressions. If no name matches, then the default backend is used. Doing so allowed us to get rid of all the use_backend rules. Since there are some config checks on the use_backend rules to see if the referenced backend exists, we want to keep them to detect config errors in normal config. So this patch does not modify the default behaviour and proceeds this way : - if the backend name in the use_backend directive parses as a log format rule, it's used as-is and is resolved at run time ; - otherwise it's a static name which must be valid at config time. There was the possibility of doing this with the use-server directive instead of use_backend, but it seems like use_backend is more suited to this task, as it can be used for other purposes. For example, it becomes easy to serve a customer-specific proxy.pac file based on the customer ID by abusing the errorfile primitive : use_backend bk_cust_%[hdr(X-Cust-Id)] if { hdr(X-Cust-Id) -m found } default_backend bk_err_404 backend bk_cust_1 errorfile 200 /etc/haproxy/static/proxy.pac.cust1 Signed-off-by: Bertrand Jacquin <bjacquin@exosec.fr>
2013-11-19 05:43:06 -05:00
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
if (!lf_expr_isempty(&rule->be.expr)) {
MINOR: log: store lf_expr nodes inside substruct Add another struct level inside lf_expr struct to allow new information to be stored alongside lf_expr nodes.
2024-03-25 06:29:58 -04:00
if (node->type != LOG_FMT_TEXT || node->list.n != &rule->be.expr.nodes.list) {
MEDIUM: proxy: support use_backend with dynamic names We have a use case where we look up a customer ID in an HTTP header and direct it to the corresponding server. This can easily be done using ACLs and use_backend rules, but the configuration becomes painful to maintain when the number of customers grows to a few tens or even a several hundreds. We realized it would be nice if we could make the use_backend resolve its name at run time instead of config parsing time, and use a similar expression as http-request add-header to decide on the proper backend to use. This permits the use of prefixes or even complex names in backend expressions. If no name matches, then the default backend is used. Doing so allowed us to get rid of all the use_backend rules. Since there are some config checks on the use_backend rules to see if the referenced backend exists, we want to keep them to detect config errors in normal config. So this patch does not modify the default behaviour and proceeds this way : - if the backend name in the use_backend directive parses as a log format rule, it's used as-is and is resolved at run time ; - otherwise it's a static name which must be valid at config time. There was the possibility of doing this with the use-server directive instead of use_backend, but it seems like use_backend is more suited to this task, as it can be used for other purposes. For example, it becomes easy to serve a customer-specific proxy.pac file based on the customer ID by abusing the errorfile primitive : use_backend bk_cust_%[hdr(X-Cust-Id)] if { hdr(X-Cust-Id) -m found } default_backend bk_err_404 backend bk_cust_1 errorfile 200 /etc/haproxy/static/proxy.pac.cust1 Signed-off-by: Bertrand Jacquin <bjacquin@exosec.fr>
2013-11-19 05:43:06 -05:00
rule->dynamic = 1;
free(pxname);
MEDIUM: proxy: set PR_O_HTTP_UPG on implicit upgrades When a TCP frontend uses an HTTP backend, the stream is automatically upgraded and it results in a similar behavior as if a switch-mode http rule was evaluated since stream_set_http_mode() gets called in both situations and minimal HTTP analyzers are set. In the current implementation, some postparsing checks are generating errors or warnings when the frontend is in TCP mode with some HTTP options set and no upgrade is expected (no switch-rule http). But as you can guess, unfortunately this leads in issues when such "HTTP" only options are used in a frontend that has implicit switching rules (that is, when the frontend uses an HTTP backend for example), because in this case the PR_O_HTTP_UPG will not be set, so the postparsing checks will consider that some options are not relevant and will raise some warnings. Consider the following example: backend back mode http server s1 git.haproxy.org:80 frontend front mode tcp bind localhost:8080 http-request set-var(txn.test) str(TRUE),debug(WORKING,stderr) use_backend back By starting an haproxy instance with the above example conf, we end up having this warning: [WARNING] (400280) : config : 'http-request' rules ignored for frontend 'front' as they require HTTP mode. However, by making a request on the frontend, we notice that the request rules are still executed, and that's because the stream is effectively upgraded as a result of an implicit upgrade: [debug] WORKING: type=str <TRUE> So this confirms the previous description: since implicit and explicit upgrades result in approximately the same behavior on the frontend side, we should consider them both when doing postparsing checks. This is what we try to address in the following commit: PR_O_HTTP_UPG flag is now more generic in the sense that it refers to either implicit (through default_backend or use_backend rules) or explicit (switch-mode rules) upgrades. Indeed, everytime an HTTP or dynamic backend (where the mode cannot be assumed during parsing) is encountered in default_backend directive or use_backend rules, we explicitly position the upgrade flag so that further checks that depend on the proxy being in HTTP context don't report false warnings.
2023-12-05 09:58:49 -05:00
/* backend is not yet known so we cannot assume its type,
* thus we should consider that at least one of the used
* backends may provoke HTTP upgrade
*/
curproxy->options |= PR_O_HTTP_UPG;
MEDIUM: proxy: support use_backend with dynamic names We have a use case where we look up a customer ID in an HTTP header and direct it to the corresponding server. This can easily be done using ACLs and use_backend rules, but the configuration becomes painful to maintain when the number of customers grows to a few tens or even a several hundreds. We realized it would be nice if we could make the use_backend resolve its name at run time instead of config parsing time, and use a similar expression as http-request add-header to decide on the proper backend to use. This permits the use of prefixes or even complex names in backend expressions. If no name matches, then the default backend is used. Doing so allowed us to get rid of all the use_backend rules. Since there are some config checks on the use_backend rules to see if the referenced backend exists, we want to keep them to detect config errors in normal config. So this patch does not modify the default behaviour and proceeds this way : - if the backend name in the use_backend directive parses as a log format rule, it's used as-is and is resolved at run time ; - otherwise it's a static name which must be valid at config time. There was the possibility of doing this with the use-server directive instead of use_backend, but it seems like use_backend is more suited to this task, as it can be used for other purposes. For example, it becomes easy to serve a customer-specific proxy.pac file based on the customer ID by abusing the errorfile primitive : use_backend bk_cust_%[hdr(X-Cust-Id)] if { hdr(X-Cust-Id) -m found } default_backend bk_err_404 backend bk_cust_1 errorfile 200 /etc/haproxy/static/proxy.pac.cust1 Signed-off-by: Bertrand Jacquin <bjacquin@exosec.fr>
2013-11-19 05:43:06 -05:00
continue;
}
BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur During use_backend and use-server post-parsing, if the log-format string used to specify the backend or the server is just a single string, the log-format string (a list, internally) is replaced by the string itself. Because the field is an union, the list is not emptied according to the rules of art. The element, when released, is not removed from the list. There is no bug, but it is clearly not obvious and error prone. This patch should fix #544. The fix for the use_backend post-parsing may be backported to all stable releases. use-server is static in 2.1 and prior.
2020-05-07 09:59:33 -04:00
/* Only one element in the list, a simple string: free the expression and
* fall back to static rule
*/
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_deinit(&rule->be.expr);
MEDIUM: proxy: support use_backend with dynamic names We have a use case where we look up a customer ID in an HTTP header and direct it to the corresponding server. This can easily be done using ACLs and use_backend rules, but the configuration becomes painful to maintain when the number of customers grows to a few tens or even a several hundreds. We realized it would be nice if we could make the use_backend resolve its name at run time instead of config parsing time, and use a similar expression as http-request add-header to decide on the proper backend to use. This permits the use of prefixes or even complex names in backend expressions. If no name matches, then the default backend is used. Doing so allowed us to get rid of all the use_backend rules. Since there are some config checks on the use_backend rules to see if the referenced backend exists, we want to keep them to detect config errors in normal config. So this patch does not modify the default behaviour and proceeds this way : - if the backend name in the use_backend directive parses as a log format rule, it's used as-is and is resolved at run time ; - otherwise it's a static name which must be valid at config time. There was the possibility of doing this with the use-server directive instead of use_backend, but it seems like use_backend is more suited to this task, as it can be used for other purposes. For example, it becomes easy to serve a customer-specific proxy.pac file based on the customer ID by abusing the errorfile primitive : use_backend bk_cust_%[hdr(X-Cust-Id)] if { hdr(X-Cust-Id) -m found } default_backend bk_err_404 backend bk_cust_1 errorfile 200 /etc/haproxy/static/proxy.pac.cust1 Signed-off-by: Bertrand Jacquin <bjacquin@exosec.fr>
2013-11-19 05:43:06 -05:00
}
rule->dynamic = 0;
rule->be.name = pxname;
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
target = proxy_be_by_name(rule->be.name);
[MEDIUM] Implement and use generic findproxy and relax duplicated proxy check This patch: - adds proxy_mode_str() similar to proxy_type_str() - adds a generic findproxy function used with default_backend/setbe/use_backed - rewrite default_backend/senbe/use_backed to use introduced findproxy() - relaxes duplicated proxy check - changes capabilities displaying from "%X" to "%s" with a call to proxy_type_str()
2007-11-03 18:41:58 -04:00
if (!target) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to find required use_backend: '%s'.\n",
curproxy->id, rule->be.name);
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
cfgerr++;
} else if (target == curproxy) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': loop detected for use_backend: '%s'.\n",
curproxy->id, rule->be.name);
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
cfgerr++;
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
} else if (target->mode != curproxy->mode &&
!(curproxy->mode == PR_MODE_TCP && target->mode == PR_MODE_HTTP)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("%s %s '%s' (%s:%d) tries to use incompatible %s %s '%s' (%s:%d) in a 'use_backend' rule (see 'mode').\n",
proxy_mode_str(curproxy->mode), proxy_type_str(curproxy), curproxy->id,
curproxy->conf.file, curproxy->conf.line,
proxy_mode_str(target->mode), proxy_type_str(target), target->id,
target->conf.file, target->conf.line);
MEDIUM: config: clarify the conflicting modes detection for backend rules We don't use findproxy_mode() anymore so we can check the conflicting modes and report the anomalies accordingly with line numbers and more explicit details.
2015-05-26 06:04:09 -04:00
cfgerr++;
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
} else {
CLEANUP: config: replace a few free() with ha_free() A few occurrences of calls to free() to free a section name, peers name or server name were using casts and didn't include the trailing free, let's switch them to ha_free().
2021-02-26 14:51:47 -05:00
ha_free(&rule->be.name);
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
rule->be.backend = target;
MEDIUM: proxy: set PR_O_HTTP_UPG on implicit upgrades When a TCP frontend uses an HTTP backend, the stream is automatically upgraded and it results in a similar behavior as if a switch-mode http rule was evaluated since stream_set_http_mode() gets called in both situations and minimal HTTP analyzers are set. In the current implementation, some postparsing checks are generating errors or warnings when the frontend is in TCP mode with some HTTP options set and no upgrade is expected (no switch-rule http). But as you can guess, unfortunately this leads in issues when such "HTTP" only options are used in a frontend that has implicit switching rules (that is, when the frontend uses an HTTP backend for example), because in this case the PR_O_HTTP_UPG will not be set, so the postparsing checks will consider that some options are not relevant and will raise some warnings. Consider the following example: backend back mode http server s1 git.haproxy.org:80 frontend front mode tcp bind localhost:8080 http-request set-var(txn.test) str(TRUE),debug(WORKING,stderr) use_backend back By starting an haproxy instance with the above example conf, we end up having this warning: [WARNING] (400280) : config : 'http-request' rules ignored for frontend 'front' as they require HTTP mode. However, by making a request on the frontend, we notice that the request rules are still executed, and that's because the stream is effectively upgraded as a result of an implicit upgrade: [debug] WORKING: type=str <TRUE> So this confirms the previous description: since implicit and explicit upgrades result in approximately the same behavior on the frontend side, we should consider them both when doing postparsing checks. This is what we try to address in the following commit: PR_O_HTTP_UPG flag is now more generic in the sense that it refers to either implicit (through default_backend or use_backend rules) or explicit (switch-mode rules) upgrades. Indeed, everytime an HTTP or dynamic backend (where the mode cannot be assumed during parsing) is encountered in default_backend directive or use_backend rules, we explicitly position the upgrade flag so that further checks that depend on the proxy being in HTTP context don't report false warnings.
2023-12-05 09:58:49 -05:00
if (target->mode == PR_MODE_HTTP) {
/* at least one of the used backends will provoke an
* HTTP upgrade
*/
curproxy->options |= PR_O_HTTP_UPG;
}
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
}
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
err_code |= warnif_tcp_http_cond(curproxy, rule->cond);
[MAJOR] added the 'use_backend' keyword for full content-switching The new "use_backend" keyword permits full content switching by the use of ACLs. Its usage is simple : use_backend <backend_name> {if|unless} <acl_cond>
2007-06-17 13:56:27 -04:00
}
MEDIUM: config: properly propagate process binding between proxies We now recursively propagate the bind-process values between frontends and backends instead of doing it during name resolving. This ensures that we're able to properly propagate all the bind-process directives even across "listen" instances, which are not perfectly covered at the moment, depending on the declaration order.
2014-09-16 06:17:36 -04:00
/* find the target server for 'use_server' rules */
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
list_for_each_entry(srule, &curproxy->server_rules, list) {
MEDIUM: stream: support use-server rules with dynamic names With server-template was introduced the possibility to scale the number of servers in a backend without needing a configuration change and associated reload. On the other hand it became impractical to write use-server rules for these servers as they would only accept existing server labels as argument. This patch allows the use of log-format notation to describe targets of a use-server rules, such as in the example below: listen test bind *:1234 use-server %[hdr(srv)] if { hdr(srv) -m found } use-server s1 if { path / } server s1 127.0.0.1:18080 server s2 127.0.0.1:18081 If a use-server rule is applied because it was conditionned by an ACL returning true, but the target of the use-server rule cannot be resolved, no other use-server rule is evaluated and we fall back to load balancing. This feature was requested on the ML, and bumped with issue #563.
2020-03-29 03:37:12 -04:00
struct server *target;
struct logformat_node *node;
char *server_name;
/* We try to parse the string as a log format expression. If the result of the parsing
* is only one entry containing a single string, then it's a standard string corresponding
* to a static rule, thus the parsing is cancelled and we fall back to setting srv.ptr.
*/
server_name = srule->srv.name;
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_init(&srule->expr);
MEDIUM: stream: support use-server rules with dynamic names With server-template was introduced the possibility to scale the number of servers in a backend without needing a configuration change and associated reload. On the other hand it became impractical to write use-server rules for these servers as they would only accept existing server labels as argument. This patch allows the use of log-format notation to describe targets of a use-server rules, such as in the example below: listen test bind *:1234 use-server %[hdr(srv)] if { hdr(srv) -m found } use-server s1 if { path / } server s1 127.0.0.1:18080 server s2 127.0.0.1:18081 If a use-server rule is applied because it was conditionned by an ACL returning true, but the target of the use-server rule cannot be resolved, no other use-server rule is evaluated and we fall back to load balancing. This feature was requested on the ML, and bumped with issue #563.
2020-03-29 03:37:12 -04:00
curproxy->conf.args.ctx = ARGC_USRV;
err = NULL;
if (!parse_logformat_string(server_name, curproxy, &srule->expr, 0, SMP_VAL_FE_HRQ_HDR, &err)) {
ha_alert("Parsing [%s:%d]; use-server rule failed to parse log-format '%s' : %s.\n",
srule->file, srule->line, server_name, err);
free(err);
cfgerr++;
continue;
}
MINOR: log: store lf_expr nodes inside substruct Add another struct level inside lf_expr struct to allow new information to be stored alongside lf_expr nodes.
2024-03-25 06:29:58 -04:00
node = LIST_NEXT(&srule->expr.nodes.list, struct logformat_node *, list);
MEDIUM: stream: support use-server rules with dynamic names With server-template was introduced the possibility to scale the number of servers in a backend without needing a configuration change and associated reload. On the other hand it became impractical to write use-server rules for these servers as they would only accept existing server labels as argument. This patch allows the use of log-format notation to describe targets of a use-server rules, such as in the example below: listen test bind *:1234 use-server %[hdr(srv)] if { hdr(srv) -m found } use-server s1 if { path / } server s1 127.0.0.1:18080 server s2 127.0.0.1:18081 If a use-server rule is applied because it was conditionned by an ACL returning true, but the target of the use-server rule cannot be resolved, no other use-server rule is evaluated and we fall back to load balancing. This feature was requested on the ML, and bumped with issue #563.
2020-03-29 03:37:12 -04:00
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
if (!lf_expr_isempty(&srule->expr)) {
MINOR: log: store lf_expr nodes inside substruct Add another struct level inside lf_expr struct to allow new information to be stored alongside lf_expr nodes.
2024-03-25 06:29:58 -04:00
if (node->type != LOG_FMT_TEXT || node->list.n != &srule->expr.nodes.list) {
MEDIUM: stream: support use-server rules with dynamic names With server-template was introduced the possibility to scale the number of servers in a backend without needing a configuration change and associated reload. On the other hand it became impractical to write use-server rules for these servers as they would only accept existing server labels as argument. This patch allows the use of log-format notation to describe targets of a use-server rules, such as in the example below: listen test bind *:1234 use-server %[hdr(srv)] if { hdr(srv) -m found } use-server s1 if { path / } server s1 127.0.0.1:18080 server s2 127.0.0.1:18081 If a use-server rule is applied because it was conditionned by an ACL returning true, but the target of the use-server rule cannot be resolved, no other use-server rule is evaluated and we fall back to load balancing. This feature was requested on the ML, and bumped with issue #563.
2020-03-29 03:37:12 -04:00
srule->dynamic = 1;
free(server_name);
continue;
}
BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur During use_backend and use-server post-parsing, if the log-format string used to specify the backend or the server is just a single string, the log-format string (a list, internally) is replaced by the string itself. Because the field is an union, the list is not emptied according to the rules of art. The element, when released, is not removed from the list. There is no bug, but it is clearly not obvious and error prone. This patch should fix #544. The fix for the use_backend post-parsing may be backported to all stable releases. use-server is static in 2.1 and prior.
2020-05-07 09:59:33 -04:00
/* Only one element in the list, a simple string: free the expression and
* fall back to static rule
*/
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
lf_expr_deinit(&srule->expr);
MEDIUM: stream: support use-server rules with dynamic names With server-template was introduced the possibility to scale the number of servers in a backend without needing a configuration change and associated reload. On the other hand it became impractical to write use-server rules for these servers as they would only accept existing server labels as argument. This patch allows the use of log-format notation to describe targets of a use-server rules, such as in the example below: listen test bind *:1234 use-server %[hdr(srv)] if { hdr(srv) -m found } use-server s1 if { path / } server s1 127.0.0.1:18080 server s2 127.0.0.1:18081 If a use-server rule is applied because it was conditionned by an ACL returning true, but the target of the use-server rule cannot be resolved, no other use-server rule is evaluated and we fall back to load balancing. This feature was requested on the ML, and bumped with issue #563.
2020-03-29 03:37:12 -04:00
}
srule->dynamic = 0;
srule->srv.name = server_name;
target = findserver(curproxy, srule->srv.name);
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
err_code |= warnif_tcp_http_cond(curproxy, srule->cond);
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
if (!target) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' : unable to find server '%s' referenced in a 'use-server' rule.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id, srule->srv.name);
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
cfgerr++;
continue;
}
CLEANUP: config: replace a few free() with ha_free() A few occurrences of calls to free() to free a section name, peers name or server name were using casts and didn't include the trailing free, let's switch them to ha_free().
2021-02-26 14:51:47 -05:00
ha_free(&srule->srv.name);
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
srule->srv.ptr = target;
MINOR: server: mark referenced servers as non purgeable Mark servers that are referenced by configuration elements as non purgeable. This includes the following list : - tracked servers - servers referenced in a use-server rule - servers referenced in a sample fetch
2021-08-23 08:05:07 -04:00
target->flags |= SRV_F_NON_PURGEABLE;
MEDIUM: session: implement the "use-server" directive Sometimes it is desirable to forward a particular request to a specific server without having to declare a dedicated backend for this server. This can be achieved using the "use-server" rules. These rules are evaluated after the "redirect" rules and before evaluating cookies, and they have precedence on them. There may be as many "use-server" rules as desired. All of these rules are evaluated in their declaration order, and the first one which matches will assign the server.
2012-04-05 15:09:48 -04:00
}
[MEDIUM] Add stick table configuration and init.
2010-01-04 09:45:53 -05:00
/* find the target table for 'stick' rules */
list_for_each_entry(mrule, &curproxy->sticking_rules, list) {
[MEDIUM] Add stick and store rules analysers.
2010-01-04 09:47:17 -05:00
curproxy->be_req_ana |= AN_REQ_STICKING_RULES;
if (mrule->flags & STK_IS_STORE)
curproxy->be_rsp_ana |= AN_RES_STORE_RULES;
MINOR: proxy/stktable: add resolve_stick_rule helper function Simplify stick and store sticktable proxy rules postparsing by adding a sticking rule entry resolve (postparsing) function. This will ease code maintenance.
2023-08-08 05:37:59 -04:00
if (!resolve_stick_rule(curproxy, mrule))
[MEDIUM] Add stick table configuration and init.
2010-01-04 09:45:53 -05:00
cfgerr++;
MINOR: proxy/stktable: add resolve_stick_rule helper function Simplify stick and store sticktable proxy rules postparsing by adding a sticking rule entry resolve (postparsing) function. This will ease code maintenance.
2023-08-08 05:37:59 -04:00
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
err_code |= warnif_tcp_http_cond(curproxy, mrule->cond);
[MEDIUM] Add stick table configuration and init.
2010-01-04 09:45:53 -05:00
}
/* find the target table for 'store response' rules */
list_for_each_entry(mrule, &curproxy->storersp_rules, list) {
[MEDIUM] Add stick and store rules analysers.
2010-01-04 09:47:17 -05:00
curproxy->be_rsp_ana |= AN_RES_STORE_RULES;
MINOR: proxy/stktable: add resolve_stick_rule helper function Simplify stick and store sticktable proxy rules postparsing by adding a sticking rule entry resolve (postparsing) function. This will ease code maintenance.
2023-08-08 05:37:59 -04:00
if (!resolve_stick_rule(curproxy, mrule))
[MEDIUM] Add stick table configuration and init.
2010-01-04 09:45:53 -05:00
cfgerr++;
}
MINOR: action: Use a generic function to check validity of an action rule list The check_action_rules() function is now used to check the validity of an action rule list. It is used from check_config_validity() function to check L5/6/7 rulesets.
2021-03-25 12:19:04 -04:00
/* check validity for 'tcp-request' layer 4/5/6/7 rules */
cfgerr += check_action_rules(&curproxy->tcp_req.l4_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->tcp_req.l5_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->tcp_req.inspect_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->tcp_rep.inspect_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->http_req_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->http_res_rules, curproxy, &err_code);
cfgerr += check_action_rules(&curproxy->http_after_res_rules, curproxy, &err_code);
MEDIUM: http: Add a ruleset evaluated on all responses just before forwarding This patch introduces the 'http-after-response' rules. These rules are evaluated at the end of the response analysis, just before the data forwarding, on ALL HTTP responses, the server ones but also all responses generated by HAProxy. Thanks to this ruleset, it is now possible for instance to add some headers to the responses generated by the stats applet. Following actions are supported : * allow * add-header * del-header * replace-header * replace-value * set-header * set-status * set-var * strict-mode * unset-var
2020-01-22 03:26:35 -05:00
MINOR: config/proxy: Warn if a TCP proxy without backend is upgradable to HTTP If a 'switch-mode http' tcp action is configured on a listener with no backend, a warning is displayed to remember HTTP connections cannot be routed to TCP servers. Indeed, backend connection is still established using the proxy mode.
2021-03-31 11:13:49 -04:00
/* Warn is a switch-mode http is used on a TCP listener with servers but no backend */
if (!curproxy->defbe.name && LIST_ISEMPTY(&curproxy->switching_rules) && curproxy->srv) {
if ((curproxy->options & PR_O_HTTP_UPG) && curproxy->mode == PR_MODE_TCP)
ha_warning("Proxy '%s' : 'switch-mode http' configured for a %s %s with no backend. "
"Incoming connections upgraded to HTTP cannot be routed to TCP servers\n",
curproxy->id, proxy_mode_str(curproxy->mode), proxy_type_str(curproxy));
}
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
if (curproxy->table && curproxy->table->peers.name) {
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
struct peers *curpeers;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
for (curpeers = cfg_peers; curpeers; curpeers = curpeers->next) {
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
if (strcmp(curpeers->id, curproxy->table->peers.name) == 0) {
CLEANUP: config: replace a few free() with ha_free() A few occurrences of calls to free() to free a section name, peers name or server name were using casts and didn't include the trailing free, let's switch them to ha_free().
2021-02-26 14:51:47 -05:00
ha_free(&curproxy->table->peers.name);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
curproxy->table->peers.p = curpeers;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
break;
}
}
if (!curpeers) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to find sync peers '%s'.\n",
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
curproxy->id, curproxy->table->peers.name);
CLEANUP: config: replace a few free() with ha_free() A few occurrences of calls to free() to free a section name, peers name or server name were using casts and didn't include the trailing free, let's switch them to ha_free().
2021-02-26 14:51:47 -05:00
ha_free(&curproxy->table->peers.name);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
curproxy->table->peers.p = NULL;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
cfgerr++;
}
CLEANUP: peers: don't use the PR_ST* states to mark enabled/disabled The enabled/disabled config options were stored into a "state" field that is an integer but contained only PR_STNEW or PR_STSTOPPED, which is a bit confusing, and causes a dependency with proxies. This was renamed to "disabled" and is used as a boolean. The field was also moved to the end of the struct to stop creating a hole and fill another one.
2020-09-24 02:48:08 -04:00
else if (curpeers->disabled) {
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
/* silently disable this peers section */
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
curproxy->table->peers.p = NULL;
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
}
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
else if (!curpeers->peers_fe) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to find local peer '%s' in peers section '%s'.\n",
curproxy->id, localpeer, curpeers->id);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
curproxy->table->peers.p = NULL;
[MEDIUM] Manage peers section parsing and stick table registration on peers.
2010-09-23 12:39:19 -04:00
cfgerr++;
}
}
MEDIUM: Allow configuration of email alerts This currently does nothing beyond parsing the configuration and storing in the proxy as there is no implementation of email alerts. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:59 -05:00
if (curproxy->email_alert.mailers.name) {
struct mailers *curmailers = mailers;
for (curmailers = mailers; curmailers; curmailers = curmailers->next) {
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(curmailers->id, curproxy->email_alert.mailers.name) == 0)
MEDIUM: Allow configuration of email alerts This currently does nothing beyond parsing the configuration and storing in the proxy as there is no implementation of email alerts. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:59 -05:00
break;
}
if (!curmailers) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to find mailers '%s'.\n",
curproxy->id, curproxy->email_alert.mailers.name);
MEDIUM: Allow configuration of email alerts This currently does nothing beyond parsing the configuration and storing in the proxy as there is no implementation of email alerts. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:59 -05:00
free_email_alert(curproxy);
cfgerr++;
}
MEDIUM: mailers: Init alerts during conf parsing and refactor their processing Email alerts relies on checks to send emails. The link between a mailers section and a proxy was resolved during the configuration parsing, But initialization was done when the first alert is triggered. This implied memory allocations and tasks creations. With this patch, everything is now initialized during the configuration parsing. So when an alert is triggered, only the memory required by this alert is dynamically allocated. Moreover, alerts processing had a flaw. The task handler used to process alerts to be sent to the same mailer, process_email_alert, was designed to give back the control to the scheduler when an alert was sent. So there was a delay between the sending of 2 consecutives alerts (the min of "proxy->timeout.connect" and "mailer->timeout.mail"). To fix this problem, now, we try to process as much queued alerts as possible when the task is woken up.
2017-10-20 15:34:32 -04:00
else {
err = NULL;
if (init_email_alert(curmailers, curproxy, &err)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': %s.\n", curproxy->id, err);
MEDIUM: mailers: Init alerts during conf parsing and refactor their processing Email alerts relies on checks to send emails. The link between a mailers section and a proxy was resolved during the configuration parsing, But initialization was done when the first alert is triggered. This implied memory allocations and tasks creations. With this patch, everything is now initialized during the configuration parsing. So when an alert is triggered, only the memory required by this alert is dynamically allocated. Moreover, alerts processing had a flaw. The task handler used to process alerts to be sent to the same mailer, process_email_alert, was designed to give back the control to the scheduler when an alert was sent. So there was a delay between the sending of 2 consecutives alerts (the min of "proxy->timeout.connect" and "mailer->timeout.mail"). To fix this problem, now, we try to process as much queued alerts as possible when the task is woken up.
2017-10-20 15:34:32 -04:00
free(err);
cfgerr++;
}
}
MEDIUM: Allow configuration of email alerts This currently does nothing beyond parsing the configuration and storing in the proxy as there is no implementation of email alerts. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:59 -05:00
}
MINOR: stats: use STAT_F_* prefix for flags Some flags are defined during statistics generation and output. They use the prefix STAT_* which is also used for other purposes. Rename them with the new prefix STAT_F_* to differentiate them from the other usages.
2024-04-22 08:42:09 -04:00
if (curproxy->uri_auth && !(curproxy->uri_auth->flags & STAT_F_CONVDONE) &&
[REORG] http: move the http-request rules to proto_http And also rename "req_acl_rule" "http_req_rule". At the beginning that was a bit confusing to me, especially the "req_acl" list which in fact holds what we call rules. After some digging, it appeared that some part of the code is 100% HTTP and not just related to authentication anymore, so let's move that part to HTTP and keep the auth-only code in auth.c.
2011-01-06 11:51:27 -05:00
!LIST_ISEMPTY(&curproxy->uri_auth->http_req_rules) &&
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
(curproxy->uri_auth->userlist || curproxy->uri_auth->auth_realm )) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("%s '%s': stats 'auth'/'realm' and 'http-request' can't be used at the same time.\n",
"proxy", curproxy->id);
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
cfgerr++;
goto out_uri_auth_compat;
}
MINOR: stats: get rid of the ST_CONVDONE flag This flag was added in 1.4-rc1 by commit 329f74d463 ("[BUG] uri_auth: do not attemp to convert uri_auth -> http-request more than once") to address the case where two proxies inherit the stats settings from the defaults instance, and the first one compiles the expression while the second one uses it. In this case since they use the exact same uri_auth pointer, only the first one should compile and the second one must not fail the check. This was addressed by adding an ST_CONVDONE flag indicating that the expression conversion was completed and didn't need to be done again. But this is a hack and it becomes cumbersome in the middle of the other flags which are all relevant to the stats applet. Let's instead fix it by checking if we're dealing with an alias of the defaults instance and refrain from compiling this twice. This allows us to remove the ST_CONVDONE flag. A typical config requiring this check is : defaults mode http stats auth foo:bar listen l1 bind :8080 listen l2 bind :8181 Without this (or previous) check it would cmoplain when checking l2's validity since the rule was already built.
2019-10-09 03:59:22 -04:00
if (curproxy->uri_auth && curproxy->uri_auth->userlist &&
MINOR: stats: use STAT_F_* prefix for flags Some flags are defined during statistics generation and output. They use the prefix STAT_* which is also used for other purposes. Rename them with the new prefix STAT_F_* to differentiate them from the other usages.
2024-04-22 08:42:09 -04:00
(!(curproxy->uri_auth->flags & STAT_F_CONVDONE) ||
MINOR: stats: get rid of the ST_CONVDONE flag This flag was added in 1.4-rc1 by commit 329f74d463 ("[BUG] uri_auth: do not attemp to convert uri_auth -> http-request more than once") to address the case where two proxies inherit the stats settings from the defaults instance, and the first one compiles the expression while the second one uses it. In this case since they use the exact same uri_auth pointer, only the first one should compile and the second one must not fail the check. This was addressed by adding an ST_CONVDONE flag indicating that the expression conversion was completed and didn't need to be done again. But this is a hack and it becomes cumbersome in the middle of the other flags which are all relevant to the stats applet. Let's instead fix it by checking if we're dealing with an alias of the defaults instance and refrain from compiling this twice. This allows us to remove the ST_CONVDONE flag. A typical config requiring this check is : defaults mode http stats auth foo:bar listen l1 bind :8080 listen l2 bind :8181 Without this (or previous) check it would cmoplain when checking l2's validity since the rule was already built.
2019-10-09 03:59:22 -04:00
LIST_ISEMPTY(&curproxy->uri_auth->http_req_rules))) {
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
const char *uri_auth_compat_req[10];
MEDIUM: actions: Merge (http|tcp)-(request|reponse) action structs This patch is the first of a serie which merge all the action structs. The function "tcp-request content", "tcp-response-content", "http-request" and "http-response" have the same values and the same process for some defined actions, but the struct and the prototype of the declared function are different. This patch try to unify all of these entries.
2015-08-04 13:35:46 -04:00
struct act_rule *rule;
MINOR: cfgparse: always alloc idle conns task The idle conn task is is a global task used to cleanup backend connections marked for deletion. Previously, it was only only allocated if at least one server in the configuration has idle connections. This assumption won't be valid anymore when new servers can be created at runtime with idle connections. Always allocate the global idle conn task.
2021-03-08 11:31:39 -05:00
i = 0;
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
/* build the ACL condition from scratch. We're relying on anonymous ACLs for that */
uri_auth_compat_req[i++] = "auth";
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
if (curproxy->uri_auth->auth_realm) {
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
uri_auth_compat_req[i++] = "realm";
uri_auth_compat_req[i++] = curproxy->uri_auth->auth_realm;
}
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
uri_auth_compat_req[i++] = "unless";
uri_auth_compat_req[i++] = "{";
uri_auth_compat_req[i++] = "http_auth(.internal-stats-userlist)";
uri_auth_compat_req[i++] = "}";
uri_auth_compat_req[i++] = "";
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
[REORG] http: move the http-request rules to proto_http And also rename "req_acl_rule" "http_req_rule". At the beginning that was a bit confusing to me, especially the "req_acl" list which in fact holds what we call rules. After some digging, it appeared that some part of the code is 100% HTTP and not just related to authentication anymore, so let's move that part to HTTP and keep the auth-only code in auth.c.
2011-01-06 11:51:27 -05:00
rule = parse_http_req_cond(uri_auth_compat_req, "internal-stats-auth-compat", 0, curproxy);
if (!rule) {
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
cfgerr++;
break;
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
}
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_APPEND(&curproxy->uri_auth->http_req_rules, &rule->list);
[MEDIUM] add support for anonymous ACLs Anonymous ACLs allow the declaration of rules which rely directly on ACL expressions without passing via the declaration of an ACL. Example : With named ACLs : acl site_dead nbsrv(dynamic) lt 2 acl site_dead nbsrv(static) lt 2 monitor fail if site_dead With anonymous ACLs : monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
2010-02-01 07:05:50 -05:00
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
if (curproxy->uri_auth->auth_realm) {
CLEANUP: tree-wide: replace free(x);x=NULL with ha_free(&x) This makes the code more readable and less prone to copy-paste errors. In addition, it allows to place some __builtin_constant_p() predicates to trigger a link-time error in case the compiler knows that the freed area is constant. It will also produce compile-time error if trying to free something that is not a regular pointer (e.g. a function). The DEBUG_MEM_STATS macro now also defines an instance for ha_free() so that all these calls can be checked. 178 occurrences were converted. The vast majority of them were handled by the following Coccinelle script, some slightly refined to better deal with "&*x" or with long lines: @ rule @ expression E; @@ - free(E); - E = NULL; + ha_free(&E); It was verified that the resulting code is the same, more or less a handful of cases where the compiler optimized slightly differently the temporary variable that holds the copy of the pointer. A non-negligible amount of {free(str);str=NULL;str_len=0;} are still present in the config part (mostly header names in proxies). These ones should also be cleaned for the same reasons, and probably be turned into ist strings.
2021-02-20 04:46:51 -05:00
ha_free(&curproxy->uri_auth->auth_realm);
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
}
MINOR: stats: use STAT_F_* prefix for flags Some flags are defined during statistics generation and output. They use the prefix STAT_* which is also used for other purposes. Rename them with the new prefix STAT_F_* to differentiate them from the other usages.
2024-04-22 08:42:09 -04:00
curproxy->uri_auth->flags |= STAT_F_CONVDONE;
[MAJOR] use the new auth framework for http stats Support the new syntax (http-request allow/deny/auth) in http stats. Now it is possible to use the same syntax is the same like in the frontend/backend http-request access control: acl src_nagios src 192.168.66.66 acl stats_auth_ok http_auth(L1) stats http-request allow if src_nagios stats http-request allow if stats_auth_ok stats http-request auth realm LB The old syntax is still supported, but now it is emulated via private acls and an aditional userlist.
2010-01-29 13:29:32 -05:00
}
out_uri_auth_compat:
MEDIUM: tree-wide: logsrv struct becomes logger When 'log' directive was implemented, the internal representation was named 'struct logsrv', because the 'log' directive would directly point to the log target, which used to be a (UDP) log server exclusively at that time, hence the name. But things have become more complex, since today 'log' directive can point to ring targets (implicit, or named) for example. Indeed, a 'log' directive does no longer reference the "final" server to which the log will be sent, but instead it describes which log API and parameters to use for transporting the log messages to the proper log destination. So now the term 'logsrv' is rather confusing and prevents us from introducing a new level of abstraction because they would be mixed with logsrv. So in order to better designate this 'log' directive, and make it more generic, we chose the word 'logger' which now replaces logsrv everywhere it was used in the code (including related comments). This is internal rewording, so no functional change should be expected on user-side.
2023-09-11 09:06:53 -04:00
/* check whether we have a logger that uses RFC5424 log format */
list_for_each_entry(tmplogger, &curproxy->loggers, list) {
if (tmplogger->format == LOG_FORMAT_RFC5424) {
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (!curproxy->logformat_sd.str) {
BUG/MEDIUM: logs: segfault writing to log from Lua Michael Ezzell reported a bug causing haproxy to segfault during startup when trying to send syslog message from Lua. The function __send_log() can be called with *p that is NULL and/or when the configuration is not fully parsed, as is the case with Lua. This patch fixes this problem by using individual vectors instead of the pre-generated strings log_htp and log_htp_rfc5424. Also, this patch fixes a problem causing haproxy to write the wrong pid in the logs -- the log_htp(_rfc5424) strings were generated at the haproxy start, but "pid" value would be changed after haproxy is started in daemon/systemd mode.
2015-10-01 07:18:13 -04:00
/* set the default logformat_sd_string */
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->logformat_sd.str = default_rfc5424_sd_log_format;
BUG/MEDIUM: logs: segfault writing to log from Lua Michael Ezzell reported a bug causing haproxy to segfault during startup when trying to send syslog message from Lua. The function __send_log() can be called with *p that is NULL and/or when the configuration is not fully parsed, as is the case with Lua. This patch fixes this problem by using individual vectors instead of the pre-generated strings log_htp and log_htp_rfc5424. Also, this patch fixes a problem causing haproxy to write the wrong pid in the logs -- the log_htp(_rfc5424) strings were generated at the haproxy start, but "pid" value would be changed after haproxy is started in daemon/systemd mode.
2015-10-01 07:18:13 -04:00
}
MEDIUM: logs: add support for RFC5424 header format per logger The function __send_log() iterates over senders and passes the header as the first vector to sendmsg(), thus it can send a logger-specific header in each message. A new logger arguments "format rfc5424" should be used in order to enable RFC5424 header format. For example: log 10.2.3.4:1234 len 2048 format rfc5424 local2 info
2015-09-22 10:05:32 -04:00
break;
}
}
MEDIUM: logs: remove the hostname, tag and pid part from the logheader At the moment we have to call snprintf() for every log line just to rebuild a constant. Thanks to sendmsg(), we send the message in 3 parts: time-based header, proxy-specific hostname+log-tag+pid, session-specific message.
2015-09-19 16:35:44 -04:00
MAJOR: sample: maintain a per-proxy list of the fetch args to resolve While ACL args were resolved after all the config was parsed, it was not the case with sample fetch args because they're almost everywhere now. The issue is that ACLs now solely rely on sample fetches, so their args resolving doesn't work anymore. And many fetches involving a server, a proxy or a userlist don't work at all. The real issue is that at the bottom layers we have no information about proxies, line numbers, even ACLs in order to report understandable errors, and that at the top layers we have no visibility over the locations where fetches are referenced (think log node). After failing multiple unsatisfying solutions attempts, we now have a new concept of args list. The principle is that every proxy has a list head which contains a number of indications such as the config keyword, the context where it's used, the file and line number, etc... and a list of arguments. This list head is of the same type as the elements, so it serves as a template for adding new elements. This way, it is filled from top to bottom by the callers with the information they have (eg: line numbers, ACL name, ...) and the lower layers just have to duplicate it and add an element when they face an argument they cannot resolve yet. Then at the end of the configuration parsing, a loop passes over each proxy's list and resolves all the args in sequence. And this way there is all necessary information to report verbose errors. The first immediate benefit is that for the first time we got very precise location of issues (arg number in a keyword in its context, ...). Second, in order to do this we had to parse log-format and unique-id-format a bit earlier, so that was a great opportunity for doing so when the directives are encountered (unless it's a default section). This way, the recorded line numbers for these args are the ones of the place where the log format is declared, not the end of the file. Userlists report slightly more information now. They're the only remaining ones in the ACL resolving function.
2013-04-02 10:34:32 -04:00
/* compile the log format */
if (!(curproxy->cap & PR_CAP_FE)) {
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
lf_expr_deinit(&curproxy->logformat);
lf_expr_deinit(&curproxy->logformat_sd);
}
if (curproxy->logformat.str) {
BUG/MEDIUM: log: fix regression on log-format handling Commit a4312fa2 merged into dev18 improved log-format management by processing "log-format" and "unique-id-format" where they were declared, so that the faulty args could be reported with their correct line numbers. Unfortunately, the log-format parser considers the proxy mode (TCP/HTTP) and now if the directive is set before the "mode" statement, it can be rejected and report warnings. So we really need to parse these directives at the end of a section at least. Right now we do not have an "end of section" event, so we need to store the file name and line number for each of these directives, and take care of them at the end. One of the benefits is that now the line numbers can be inherited from the line passing "option httplog" even if it's in a defaults section. Future improvements should be performed to report line numbers in every log-format processed by the parser.
2013-04-12 12:13:46 -04:00
curproxy->conf.args.ctx = ARGC_LOG;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->conf.args.file = curproxy->logformat.conf.file;
curproxy->conf.args.line = curproxy->logformat.conf.line;
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
err = NULL;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (!lf_expr_compile(&curproxy->logformat, &curproxy->conf.args,
MINOR: log-format: allow to preserve spacing in log format strings Now it's possible to preserve spacing everywhere except in "log-format", "log-format-sd" and "unique-id-format" directives, where spaces are delimiters and are merged. That may be useful when the response payload is specified as a log format string by "lf-file" or "lf-string", or even for headers or anything else. In order to merge spaces, a new option LOG_OPT_MERGE_SPACES is applied exclusively on options passed to function parse_logformat_string(). This patch fixes an issue #701 ("http-request return log-format file evaluation altering spacing of ASCII output/art").
2020-06-23 12:16:44 -04:00
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
SMP_VAL_FE_LOG_END, &err) ||
!lf_expr_postcheck(&curproxy->logformat, curproxy, &err)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: failed to parse log-format : %s.\n",
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->logformat.conf.file, curproxy->logformat.conf.line, err);
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
free(err);
MEDIUM: log-format/conf: take into account the parse_logformat_string() return code This patch takes into account the return code of the parse_logformat_string() function. Now the configuration parser will fail if the log_format is not strict.
2016-11-22 17:50:02 -05:00
cfgerr++;
}
BUG/MEDIUM: log: fix regression on log-format handling Commit a4312fa2 merged into dev18 improved log-format management by processing "log-format" and "unique-id-format" where they were declared, so that the faulty args could be reported with their correct line numbers. Unfortunately, the log-format parser considers the proxy mode (TCP/HTTP) and now if the directive is set before the "mode" statement, it can be rejected and report warnings. So we really need to parse these directives at the end of a section at least. Right now we do not have an "end of section" event, so we need to store the file name and line number for each of these directives, and take care of them at the end. One of the benefits is that now the line numbers can be inherited from the line passing "option httplog" even if it's in a defaults section. Future improvements should be performed to report line numbers in every log-format processed by the parser.
2013-04-12 12:13:46 -04:00
curproxy->conf.args.file = NULL;
curproxy->conf.args.line = 0;
}
MAJOR: sample: maintain a per-proxy list of the fetch args to resolve While ACL args were resolved after all the config was parsed, it was not the case with sample fetch args because they're almost everywhere now. The issue is that ACLs now solely rely on sample fetches, so their args resolving doesn't work anymore. And many fetches involving a server, a proxy or a userlist don't work at all. The real issue is that at the bottom layers we have no information about proxies, line numbers, even ACLs in order to report understandable errors, and that at the top layers we have no visibility over the locations where fetches are referenced (think log node). After failing multiple unsatisfying solutions attempts, we now have a new concept of args list. The principle is that every proxy has a list head which contains a number of indications such as the config keyword, the context where it's used, the file and line number, etc... and a list of arguments. This list head is of the same type as the elements, so it serves as a template for adding new elements. This way, it is filled from top to bottom by the callers with the information they have (eg: line numbers, ACL name, ...) and the lower layers just have to duplicate it and add an element when they face an argument they cannot resolve yet. Then at the end of the configuration parsing, a loop passes over each proxy's list and resolves all the args in sequence. And this way there is all necessary information to report verbose errors. The first immediate benefit is that for the first time we got very precise location of issues (arg number in a keyword in its context, ...). Second, in order to do this we had to parse log-format and unique-id-format a bit earlier, so that was a great opportunity for doing so when the directives are encountered (unless it's a default section). This way, the recorded line numbers for these args are the ones of the place where the log format is declared, not the end of the file. Userlists report slightly more information now. They're the only remaining ones in the ACL resolving function.
2013-04-02 10:34:32 -04:00
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (curproxy->logformat_sd.str) {
MEDIUM: logs: add a new RFC5424 log-format for the structured-data This patch adds a new RFC5424-specific log-format for the structured-data that is automatically send by __send_log() when the sender is in RFC5424 mode. A new statement "log-format-sd" should be used in order to set log-format for the structured-data part in RFC5424 formatted syslog messages. Example: log-format-sd [exampleSDID@1234\ bytes=\"%B\"\ status=\"%ST\"]
2015-09-25 13:17:44 -04:00
curproxy->conf.args.ctx = ARGC_LOGSD;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->conf.args.file = curproxy->logformat_sd.conf.file;
curproxy->conf.args.line = curproxy->logformat_sd.conf.line;
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
err = NULL;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (!lf_expr_compile(&curproxy->logformat_sd, &curproxy->conf.args,
MINOR: log-format: allow to preserve spacing in log format strings Now it's possible to preserve spacing everywhere except in "log-format", "log-format-sd" and "unique-id-format" directives, where spaces are delimiters and are merged. That may be useful when the response payload is specified as a log format string by "lf-file" or "lf-string", or even for headers or anything else. In order to merge spaces, a new option LOG_OPT_MERGE_SPACES is applied exclusively on options passed to function parse_logformat_string(). This patch fixes an issue #701 ("http-request return log-format file evaluation altering spacing of ASCII output/art").
2020-06-23 12:16:44 -04:00
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
SMP_VAL_FE_LOG_END, &err) ||
!add_to_logformat_list(NULL, NULL, LF_SEPARATOR, &curproxy->logformat_sd, &err) ||
!lf_expr_postcheck(&curproxy->logformat_sd, curproxy, &err)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: failed to parse log-format-sd : %s.\n",
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->logformat_sd.conf.file, curproxy->logformat_sd.conf.line, err);
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
free(err);
MEDIUM: log-format/conf: take into account the parse_logformat_string() return code This patch takes into account the return code of the parse_logformat_string() function. Now the configuration parser will fail if the log_format is not strict.
2016-11-22 17:50:02 -05:00
cfgerr++;
}
MEDIUM: logs: add a new RFC5424 log-format for the structured-data This patch adds a new RFC5424-specific log-format for the structured-data that is automatically send by __send_log() when the sender is in RFC5424 mode. A new statement "log-format-sd" should be used in order to set log-format for the structured-data part in RFC5424 formatted syslog messages. Example: log-format-sd [exampleSDID@1234\ bytes=\"%B\"\ status=\"%ST\"]
2015-09-25 13:17:44 -04:00
curproxy->conf.args.file = NULL;
curproxy->conf.args.line = 0;
}
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (curproxy->format_unique_id.str) {
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
int where = 0;
BUG/MEDIUM: log: fix regression on log-format handling Commit a4312fa2 merged into dev18 improved log-format management by processing "log-format" and "unique-id-format" where they were declared, so that the faulty args could be reported with their correct line numbers. Unfortunately, the log-format parser considers the proxy mode (TCP/HTTP) and now if the directive is set before the "mode" statement, it can be rejected and report warnings. So we really need to parse these directives at the end of a section at least. Right now we do not have an "end of section" event, so we need to store the file name and line number for each of these directives, and take care of them at the end. One of the benefits is that now the line numbers can be inherited from the line passing "option httplog" even if it's in a defaults section. Future improvements should be performed to report line numbers in every log-format processed by the parser.
2013-04-12 12:13:46 -04:00
curproxy->conf.args.ctx = ARGC_UIF;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->conf.args.file = curproxy->format_unique_id.conf.file;
curproxy->conf.args.line = curproxy->format_unique_id.conf.line;
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
err = NULL;
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags When the sample validity flags are computed to check if a sample is used in a valid scope, the flags depending on the proxy capabilities must be cumulated. Historically, for a sample on the request, only the frontend capability was used to set the sample validity flags while for a sample on the response only the backend was used. But it is a problem for listen or defaults proxies. For those proxies, all frontend and backend samples should be valid. However, at many place, only frontend ones are possible. For instance, it is impossible to set the backend name (be_name) into a variable from a listen proxy. This bug exists on all stable versions. Thus this patch should probably be backported. But with some caution because the code has probably changed serveral times. Note that nobody has ever noticed this issue. So the need to backport this patch must be evaluated for each branch.
2021-10-13 11:22:17 -04:00
if (curproxy->cap & PR_CAP_FE)
where |= SMP_VAL_FE_HRQ_HDR;
if (curproxy->cap & PR_CAP_BE)
where |= SMP_VAL_BE_HRQ_HDR;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (!lf_expr_compile(&curproxy->format_unique_id, &curproxy->conf.args,
LOG_OPT_HTTP|LOG_OPT_MERGE_SPACES, where, &err) ||
!lf_expr_postcheck(&curproxy->format_unique_id, curproxy, &err)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Parsing [%s:%d]: failed to parse unique-id : %s.\n",
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->format_unique_id.conf.file, curproxy->format_unique_id.conf.line, err);
MEDIUM: log-format: Use standard HAProxy log system to report errors The function log format emit its own error message using Alert(). This patch replaces this behavior and uses the standard HAProxy error system (with memprintf). The benefits are: - cleaning the log system - the logformat can ignore the caller (actually the caller must set a flag designing the caller function). - Make the usage of the logformat function easy for future components.
2016-11-22 18:41:28 -05:00
free(err);
MEDIUM: log-format/conf: take into account the parse_logformat_string() return code This patch takes into account the return code of the parse_logformat_string() function. Now the configuration parser will fail if the log_format is not strict.
2016-11-22 17:50:02 -05:00
cfgerr++;
}
BUG/MEDIUM: log: fix regression on log-format handling Commit a4312fa2 merged into dev18 improved log-format management by processing "log-format" and "unique-id-format" where they were declared, so that the faulty args could be reported with their correct line numbers. Unfortunately, the log-format parser considers the proxy mode (TCP/HTTP) and now if the directive is set before the "mode" statement, it can be rejected and report warnings. So we really need to parse these directives at the end of a section at least. Right now we do not have an "end of section" event, so we need to store the file name and line number for each of these directives, and take care of them at the end. One of the benefits is that now the line numbers can be inherited from the line passing "option httplog" even if it's in a defaults section. Future improvements should be performed to report line numbers in every log-format processed by the parser.
2013-04-12 12:13:46 -04:00
curproxy->conf.args.file = NULL;
curproxy->conf.args.line = 0;
}
MAJOR: sample: maintain a per-proxy list of the fetch args to resolve While ACL args were resolved after all the config was parsed, it was not the case with sample fetch args because they're almost everywhere now. The issue is that ACLs now solely rely on sample fetches, so their args resolving doesn't work anymore. And many fetches involving a server, a proxy or a userlist don't work at all. The real issue is that at the bottom layers we have no information about proxies, line numbers, even ACLs in order to report understandable errors, and that at the top layers we have no visibility over the locations where fetches are referenced (think log node). After failing multiple unsatisfying solutions attempts, we now have a new concept of args list. The principle is that every proxy has a list head which contains a number of indications such as the config keyword, the context where it's used, the file and line number, etc... and a list of arguments. This list head is of the same type as the elements, so it serves as a template for adding new elements. This way, it is filled from top to bottom by the callers with the information they have (eg: line numbers, ACL name, ...) and the lower layers just have to duplicate it and add an element when they face an argument they cannot resolve yet. Then at the end of the configuration parsing, a loop passes over each proxy's list and resolves all the args in sequence. And this way there is all necessary information to report verbose errors. The first immediate benefit is that for the first time we got very precise location of issues (arg number in a keyword in its context, ...). Second, in order to do this we had to parse log-format and unique-id-format a bit earlier, so that was a great opportunity for doing so when the directives are encountered (unless it's a default section). This way, the recorded line numbers for these args are the ones of the place where the log format is declared, not the end of the file. Userlists report slightly more information now. They're the only remaining ones in the ACL resolving function.
2013-04-02 10:34:32 -04:00
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (curproxy->logformat_error.str) {
MINOR: log: Add new "error-log-format" option This option can be used to define a specific log format that will be used in case of error, timeout, connection failure on a frontend... It will be used for any log line concerned by the log-separate-errors option. It will also replace the format of specific error messages decribed in section 8.2.6. If no "error-log-format" is defined, the legacy error messages are still emitted and the other error logs keep using the regular log-format.
2021-08-31 06:08:52 -04:00
curproxy->conf.args.ctx = ARGC_LOG;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->conf.args.file = curproxy->logformat_error.conf.file;
curproxy->conf.args.line = curproxy->logformat_error.conf.line;
MINOR: log: Add new "error-log-format" option This option can be used to define a specific log format that will be used in case of error, timeout, connection failure on a frontend... It will be used for any log line concerned by the log-separate-errors option. It will also replace the format of specific error messages decribed in section 8.2.6. If no "error-log-format" is defined, the legacy error messages are still emitted and the other error logs keep using the regular log-format.
2021-08-31 06:08:52 -04:00
err = NULL;
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
if (!lf_expr_compile(&curproxy->logformat_error, &curproxy->conf.args,
MINOR: log: Add new "error-log-format" option This option can be used to define a specific log format that will be used in case of error, timeout, connection failure on a frontend... It will be used for any log line concerned by the log-separate-errors option. It will also replace the format of specific error messages decribed in section 8.2.6. If no "error-log-format" is defined, the legacy error messages are still emitted and the other error logs keep using the regular log-format.
2021-08-31 06:08:52 -04:00
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
SMP_VAL_FE_LOG_END, &err) ||
!lf_expr_postcheck(&curproxy->logformat_error, curproxy, &err)) {
MINOR: log: Add new "error-log-format" option This option can be used to define a specific log format that will be used in case of error, timeout, connection failure on a frontend... It will be used for any log line concerned by the log-separate-errors option. It will also replace the format of specific error messages decribed in section 8.2.6. If no "error-log-format" is defined, the legacy error messages are still emitted and the other error logs keep using the regular log-format.
2021-08-31 06:08:52 -04:00
ha_alert("Parsing [%s:%d]: failed to parse error-log-format : %s.\n",
MEDIUM: proxy/log: leverage lf_expr API for logformat preparsing Currently, the way proxy-oriented logformat directives are handled is way too complicated. Indeed, "log-format", "log-format-error", "log-format-sd" and "unique-id-format" all rely on preparsing hints stored inside proxy->conf member struct. Those preparsing hints include the original string that should be compiled once the proxy parameters are known plus the config file and line number where the string was found to generate precise error messages in case of failure during the compiling process that happens within check_config_validity(). Now that lf_expr API permits to compile a lf_expr struct that was previously prepared (with original string and config hints), let's leverage lf_expr_compile() from check_config_validity() and instead of relying on individual proxy->conf hints for each logformat expression, store string and config hints in the lf_expr struct directly and use lf_expr helpers funcs to handle them when relevant (ie: original logformat string freeing is now done at a central place inside lf_expr_deinit(), which allows for some simplifications) Doing so allows us to greatly simplify the preparsing logic for those 4 proxy directives, and to finally save some space in the proxy struct. Also, since httpclient proxy has its "logformat" automatically compiled in check_config_validity(), we now use the file hint from the logformat expression struct to set an explicit name that will be reported in case of error ("parsing [httpclient:0] : ...") and remove the extraneous check in httpclient_precheck() (logformat was parsed twice previously..)
2024-03-05 09:44:43 -05:00
curproxy->logformat_error.conf.file, curproxy->logformat_error.conf.line, err);
MINOR: log: Add new "error-log-format" option This option can be used to define a specific log format that will be used in case of error, timeout, connection failure on a frontend... It will be used for any log line concerned by the log-separate-errors option. It will also replace the format of specific error messages decribed in section 8.2.6. If no "error-log-format" is defined, the legacy error messages are still emitted and the other error logs keep using the regular log-format.
2021-08-31 06:08:52 -04:00
free(err);
cfgerr++;
}
curproxy->conf.args.file = NULL;
curproxy->conf.args.line = 0;
}
MEDIUM: log/balance: support for the "hash" lb algorithm hash lb algorithm can be configured with the "log-balance hash <cnv_list>" directive. With this algorithm, the user specifies a converter list with <cnv_list>. The produced log message will be passed as-is to the provided converter list, and the resulting hash will be used to select the log server that will receive the log message.
2023-09-19 04:51:53 -04:00
/* "balance hash" needs to compile its expression
* (log backends will handle this in proxy log postcheck)
*/
if (curproxy->mode != PR_MODE_SYSLOG &&
(curproxy->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_SMP) {
MEDIUM: backend: add new "balance hash <expr>" algorithm Almost all of our hash-based LB algorithms are implemented as special cases of something that can now be achieved using sample expressions, and some of them have adopted some options to adapt their behavior in ways that could also be achieved using converters. There are users who want to hash other parameters that are combined into variables, and who set headers from these values and use "balance hdr(name)" for this. Instead of constantly implementing specific options and having users hack around when they want a real hash, let's implement a native hash mode that applies to a standard sample expression. This way, any fetchable element (including variables) may be used to construct the hash, even modified by any converter if desired.
2022-04-25 04:25:34 -04:00
int idx = 0;
const char *args[] = {
curproxy->lbprm.arg_str,
NULL,
};
err = NULL;
curproxy->conf.args.ctx = ARGC_USRV; // same context as use_server.
curproxy->lbprm.expr =
sample_parse_expr((char **)args, &idx,
curproxy->conf.file, curproxy->conf.line,
&err, &curproxy->conf.args, NULL);
if (!curproxy->lbprm.expr) {
ha_alert("%s '%s' [%s:%d]: failed to parse 'balance hash' expression '%s' in : %s.\n",
proxy_type_str(curproxy), curproxy->id,
curproxy->conf.file, curproxy->conf.line,
curproxy->lbprm.arg_str, err);
ha_free(&err);
cfgerr++;
}
else if (!(curproxy->lbprm.expr->fetch->val & SMP_VAL_BE_SET_SRV)) {
ha_alert("%s '%s' [%s:%d]: error detected while parsing 'balance hash' expression '%s' "
"which requires information from %s, which is not available here.\n",
proxy_type_str(curproxy), curproxy->id,
curproxy->conf.file, curproxy->conf.line,
curproxy->lbprm.arg_str, sample_src_names(curproxy->lbprm.expr->fetch->use));
cfgerr++;
}
else if (curproxy->mode == PR_MODE_HTTP && (curproxy->lbprm.expr->fetch->use & SMP_USE_L6REQ)) {
ha_warning("%s '%s' [%s:%d]: L6 sample fetch <%s> will be ignored in 'balance hash' expression in HTTP mode.\n",
proxy_type_str(curproxy), curproxy->id,
curproxy->conf.file, curproxy->conf.line,
curproxy->lbprm.arg_str);
}
else
curproxy->http_needed |= !!(curproxy->lbprm.expr->fetch->use & SMP_USE_HTTP_ANY);
}
MEDIUM: proxy/http_ext: implement dynamic http_ext proxy http-only options implemented in http_ext were statically stored within proxy struct. We're making some changes so that http_ext are now stored in a dynamically allocated structs. http_ext related structs are only allocated when needed to save some space whenever possible, and they are automatically freed upon proxy deletion. Related PX_O_HTTP{7239,XFF,XOT) option flags were removed because we're now considering an http_ext option as 'active' if it is allocated (ptr is not NULL) A few checks (and BUG_ON) were added to make these changes safe because it adds some (acceptable) complexity to the previous design. Also, proxy.http was renamed to proxy.http_ext to make things more explicit.
2023-01-09 05:09:03 -05:00
MAJOR: auth: Change the internal authentication system. This patch remove the limit of 32 groups. It also permit to use standard "pat_parse_str()" function in place of "pat_parse_strcat()". The "pat_parse_strcat()" is no longer used and its removed. Before this patch, the groups are stored in a bitfield, now they are stored in a list of strings. The matching is slower, but the number of groups is low and generally the list of allowed groups is short. The fetch function "smp_fetch_http_auth_grp()" used with the name "http_auth_group" return valid username. It can be used as string for displaying the username or with the acl "http_auth_group" for checking the group of the user. Maybe the names of the ACL and fetch methods are no longer suitable, but I keep the current names for conserving the compatibility with existing configurations. The function "userlist_postinit()" is created from verification code stored in the big function "check_config_validity()". The code is adapted to the new authentication storage system and it is moved in the "src/auth.c" file. This function is used to check the validity of the users declared in groups and to check the validity of groups declared on the "user" entries. This resolve function is executed before the check of all proxy because many acl needs solved users and groups.
2014-01-22 12:38:02 -05:00
/* only now we can check if some args remain unresolved.
* This must be done after the users and groups resolution.
*/
MINOR: sample: make smp_resolve_args() return an allocate error message For now smp_resolve_args() complains on stderr via ha_alert(), but if we want to make it a bit more dynamic, we need it to return errors in an allocated message. Let's pass it an error pointer and have it fill it. On return we indent the output if it contains more than one line.
2021-03-26 11:11:55 -04:00
err = NULL;
i = smp_resolve_args(curproxy, &err);
cfgerr += i;
if (i) {
indent_msg(&err, 8);
ha_alert("%s%s\n", i > 1 ? "multiple argument resolution errors:" : "", err);
ha_free(&err);
} else
MAJOR: sample: maintain a per-proxy list of the fetch args to resolve While ACL args were resolved after all the config was parsed, it was not the case with sample fetch args because they're almost everywhere now. The issue is that ACLs now solely rely on sample fetches, so their args resolving doesn't work anymore. And many fetches involving a server, a proxy or a userlist don't work at all. The real issue is that at the bottom layers we have no information about proxies, line numbers, even ACLs in order to report understandable errors, and that at the top layers we have no visibility over the locations where fetches are referenced (think log node). After failing multiple unsatisfying solutions attempts, we now have a new concept of args list. The principle is that every proxy has a list head which contains a number of indications such as the config keyword, the context where it's used, the file and line number, etc... and a list of arguments. This list head is of the same type as the elements, so it serves as a template for adding new elements. This way, it is filled from top to bottom by the callers with the information they have (eg: line numbers, ACL name, ...) and the lower layers just have to duplicate it and add an element when they face an argument they cannot resolve yet. Then at the end of the configuration parsing, a loop passes over each proxy's list and resolves all the args in sequence. And this way there is all necessary information to report verbose errors. The first immediate benefit is that for the first time we got very precise location of issues (arg number in a keyword in its context, ...). Second, in order to do this we had to parse log-format and unique-id-format a bit earlier, so that was a great opportunity for doing so when the directives are encountered (unless it's a default section). This way, the recorded line numbers for these args are the ones of the place where the log format is declared, not the end of the file. Userlists report slightly more information now. They're the only remaining ones in the ACL resolving function.
2013-04-02 10:34:32 -04:00
cfgerr += acl_find_targets(curproxy);
[MINOR] acl: add http_auth and http_auth_group Add two acls to match http auth data: acl <name> http_auth(userlist) acl <name> http_auth_hroup(userlist) group1 group2 (...)
2010-01-29 13:26:18 -05:00
MINOR: proxy: disable warnings for internal proxies The internal proxies should be part of the proxies list, because of this, the check_config_validity() fonction could emit warnings about these proxies. This patch disables 3 startup warnings for internal proxies: - "has no 'bind' directive" (this one was already ignored for the CLI frontend, but we made it generic instead) - "missing timeouts" - "log format ignored"
2021-08-13 09:21:12 -04:00
if (!(curproxy->cap & PR_CAP_INT) && (curproxy->mode == PR_MODE_TCP || curproxy->mode == PR_MODE_HTTP) &&
[MAJOR] convert all expiration timers from timeval to ticks This is the first attempt at moving all internal parts from using struct timeval to integer ticks. Those provides simpler and faster code due to simplified operations, and this change also saved about 64 bytes per session. A new header file has been added : include/common/ticks.h. It is possible that some functions should finally not be inlined because they're used quite a lot (eg: tick_first, tick_add_ifset and tick_is_expired). More measurements are required in order to decide whether this is interesting or not. Some function and variable names are still subject to change for a better overall logics.
2008-07-06 18:09:58 -04:00
(((curproxy->cap & PR_CAP_FE) && !curproxy->timeout.client) ||
[MAJOR] replaced all timeouts with struct timeval The timeout functions were difficult to manipulate because they were rounding results to the millisecond. Thus, it was difficult to compare and to check what expired and what did not. Also, the comparison functions were heavy with multiplies and divides by 1000. Now, all timeouts are stored in timevals, reducing the number of operations for updates and leading to cleaner and more efficient code.
2007-05-12 16:35:00 -04:00
((curproxy->cap & PR_CAP_BE) && (curproxy->srv) &&
MEDIUM: session: add support for tunnel timeouts Tunnel timeouts are used when TCP connections are forwarded, or when forwarding upgraded HTTP connections (WebSocket) as well as CONNECT requests to proxies. This timeout allows long-lived sessions to be supported without having to set large timeouts to normal requests.
2012-05-12 06:50:00 -04:00
(!curproxy->timeout.connect ||
(!curproxy->timeout.server && (curproxy->mode == PR_MODE_HTTP || !curproxy->timeout.tunnel)))))) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("missing timeouts for %s '%s'.\n"
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
" | While not properly invalid, you will certainly encounter various problems\n"
" | with such a configuration. To fix this, please ensure that all following\n"
" | timeouts are set to a non-zero value: 'client', 'connect', 'server'.\n",
proxy_type_str(curproxy), curproxy->id);
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
err_code |= ERR_WARN;
[MEDIUM] now upon startup, haproxy will warn about missing timeouts. Too many problem reports were caused by missing timeouts. While there has never been any default value since version 1.0, having no timeout is abnormal in networked environments, and will lead to various problems such as CLOSE_WAIT sockets accumulating and nasty things like this. For this reason, it's better to annoy the users until they fix their configs than letting them run buggy configurations.
2006-07-08 11:28:09 -04:00
}
[MEDIUM] implement 'option ssl-hello-chk' to use CLIENT HELLO health checks. This makes it possible to relay SSL connections in pure TCP instances while ensuring the remote end really receives our data eventhough intermediate agents (firewalls, proxies, ...) might acknowledge the connection.
2006-07-09 10:42:34 -04:00
[MEDIUM] introduce separation between contimeout, and tarpit + queue Now the connect timeout, tarpit timeout and queue timeout are distinct. In order to retain compatibility with older versions, if either queue or tarpit is left unset both in the proxy and in the default proxy, then it is inherited from the connect timeout as before.
2007-12-02 18:36:16 -05:00
/* Historically, the tarpit and queue timeouts were inherited from contimeout.
* We must still support older configurations, so let's find out whether those
* parameters have been set or must be copied from contimeouts.
*/
BUG/MEDIUM: config: don't pick unset values from last defaults section Since commit 1.3.14 with commit 1fa3126ec ("[MEDIUM] introduce separation between contimeout, and tarpit + queue"), check_config_validity() looks at the last defaults section to update all proxies' queue and tarpit timeouts if they were not set! This was apparently an attempt to properly set them on the fallback values, except that the fallback values were taken from the default proxy before looking at the current proxy itself. The worst part of it is that it might have randomly worked by accident for some configurations when there was a single defaults section, but has certainly caused too short queue expirations once another defaults section was added later in the file with these explicitly defined. Let's remove the defproxy part and keep only the curproxy ones. This could be backported everywhere, the bug has been there for 13 years.
2021-02-12 05:14:35 -05:00
if (!curproxy->timeout.tarpit)
curproxy->timeout.tarpit = curproxy->timeout.connect;
if ((curproxy->cap & PR_CAP_BE) && !curproxy->timeout.queue)
curproxy->timeout.queue = curproxy->timeout.connect;
[MEDIUM] introduce separation between contimeout, and tarpit + queue Now the connect timeout, tarpit timeout and queue timeout are distinct. In order to retain compatibility with older versions, if either queue or tarpit is left unset both in the proxy and in the default proxy, then it is inherited from the connect timeout as before.
2007-12-02 18:36:16 -05:00
MAJOR: checks: Implement HTTP check using tcp-check rules HTTP health-checks are now internally based on tcp-checks. Of course all the configuration parsing of the "http-check" keyword and the httpchk option has been rewritten. But the main changes is that now, as for tcp-check ruleset, it is possible to perform several send/expect sequences into the same health-checks. Thus the connect rule is now also available from HTTP checks, jst like set-var, unset-var and comment rules. Because the request defined by the "option httpchk" line is used for the first request only, it is now possible to set the method, the uri and the version on a "http-check send" line.
2020-04-15 05:32:03 -04:00
if ((curproxy->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_TCP_RS)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' uses tcp-check rules without 'option tcp-check', so the rules are ignored.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MINOR: config: warn when tcp-check rules are used without option tcp-check Since this case means that the rules will be ignored, better emit a warning.
2014-06-13 12:30:23 -04:00
err_code |= ERR_WARN;
}
MINOR: http: allow the cookie capture size to be changed Some users need more than 64 characters to log large cookies. The limit was set to 63 characters (and not 64 as previously documented). Now it is possible to change this using the global "tune.http.cookielen" setting if required.
2012-11-21 18:17:38 -05:00
/* ensure that cookie capture length is not too large */
if (curproxy->capture_len >= global.tune.cookie_len) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("truncating capture length to %d bytes for %s '%s'.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
global.tune.cookie_len - 1, proxy_type_str(curproxy), curproxy->id);
MINOR: http: allow the cookie capture size to be changed Some users need more than 64 characters to log large cookies. The limit was set to 63 characters (and not 64 as previously documented). Now it is possible to change this using the global "tune.http.cookielen" setting if required.
2012-11-21 18:17:38 -05:00
err_code |= ERR_WARN;
curproxy->capture_len = global.tune.cookie_len - 1;
}
[MAJOR] last bunch of capture changes for mempool v2 The header captures had lots of pools. They have all been transformed.
2007-05-13 16:46:04 -04:00
/* The small pools required for the capture lists */
MINOR: config: disable header captures in TCP mode and complain In order to help users fix their configs, report a warning when a capture has been set on a non-HTTP frontend. This should be backported to 1.4.
2012-03-24 03:33:05 -04:00
if (curproxy->nb_req_cap) {
MINOR: logs: don't limit HTTP header captures to HTTP frontends Similar to previous patches, HTTP header captures are performed when a TCP frontend switches to an HTTP backend, but are not possible to report. So let's relax the check to explicitly allow them to be present in TCP frontends.
2014-06-13 06:23:06 -04:00
curproxy->req_cap_pool = create_pool("ptrcap",
curproxy->nb_req_cap * sizeof(char *),
MEM_F_SHARED);
MINOR: config: disable header captures in TCP mode and complain In order to help users fix their configs, report a warning when a capture has been set on a non-HTTP frontend. This should be backported to 1.4.
2012-03-24 03:33:05 -04:00
}
if (curproxy->nb_rsp_cap) {
MINOR: logs: don't limit HTTP header captures to HTTP frontends Similar to previous patches, HTTP header captures are performed when a TCP frontend switches to an HTTP backend, but are not possible to report. So let's relax the check to explicitly allow them to be present in TCP frontends.
2014-06-13 06:23:06 -04:00
curproxy->rsp_cap_pool = create_pool("ptrcap",
curproxy->nb_rsp_cap * sizeof(char *),
MEM_F_SHARED);
MINOR: config: disable header captures in TCP mode and complain In order to help users fix their configs, report a warning when a capture has been set on a non-HTTP frontend. This should be backported to 1.4.
2012-03-24 03:33:05 -04:00
}
[MAJOR] last bunch of capture changes for mempool v2 The header captures had lots of pools. They have all been transformed.
2007-05-13 16:46:04 -04:00
MINOR: config: new backend directives: load-server-state-from-file and server-state-file-name This directive gives HAProxy the ability to use the either the global server-state-file directive or a local one using server-state-file-name to load server states. The state can be saved right before the reload by the init script, using the "show servers state" command on the stats socket redirecting output into a file.
2015-08-19 10:44:03 -04:00
switch (curproxy->load_server_state_from_file) {
case PR_SRV_STATE_FILE_UNSPEC:
curproxy->load_server_state_from_file = PR_SRV_STATE_FILE_NONE;
break;
case PR_SRV_STATE_FILE_GLOBAL:
if (!global.server_state_file) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("backend '%s' configured to load server state file from global section 'server-state-file' directive. Unfortunately, 'server-state-file' is not set!\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
curproxy->id);
MINOR: config: new backend directives: load-server-state-from-file and server-state-file-name This directive gives HAProxy the ability to use the either the global server-state-file directive or a local one using server-state-file-name to load server states. The state can be saved right before the reload by the init script, using the "show servers state" command on the stats socket redirecting output into a file.
2015-08-19 10:44:03 -04:00
err_code |= ERR_WARN;
}
break;
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/* first, we will invert the servers list order */
newsrv = NULL;
while (curproxy->srv) {
struct server *next;
next = curproxy->srv->next;
curproxy->srv->next = newsrv;
newsrv = curproxy->srv;
if (!next)
break;
curproxy->srv = next;
}
MEDIUM: config: report a warning when multiple servers have the same name A config where multiple servers have the same name in the same backend is prone to a number of issues : logs are not really exploitable, stats get really tricky and even harder to change, etc... In fact, it can be safe to have the same name between multiple servers only when their respective IDs are known and used. So now we detect this situation and emit a warning for the first conflict detected per server if any of the servers uses an automatic ID.
2014-01-03 06:14:34 -05:00
/* Check that no server name conflicts. This causes trouble in the stats.
* We only emit a warning for the first conflict affecting each server,
* in order to avoid combinatory explosion if all servers have the same
* name. We do that only for servers which do not have an explicit ID,
* because these IDs were made also for distinguishing them and we don't
OPTIM: cfgparse: speed up duplicate server detection Surprisingly, the duplicate server name detection has never made use of the names tree, so lookups were still in O(N^2). It took 1 second to validate 50k servers spread into 25 backends at 2k per backend. By simply using the tree (and since the current server already is in the tree), we just have to walk using ebpt_prev_dup to visit previous servers with the same name. We can then detect which ones conflict without having an ID set and error. The config check time is now 1/4 of the previous one for 2k servers per backend, and more importantly it will make it simpler to check for any duplicates later.
2024-09-20 11:12:04 -04:00
* want to annoy people who correctly manage them. Since servers names
* are stored in a tree before landing here, we simply have to check for
* the current server's duplicates to spot conflicts.
MEDIUM: config: report a warning when multiple servers have the same name A config where multiple servers have the same name in the same backend is prone to a number of issues : logs are not really exploitable, stats get really tricky and even harder to change, etc... In fact, it can be safe to have the same name between multiple servers only when their respective IDs are known and used. So now we detect this situation and emit a warning for the first conflict detected per server if any of the servers uses an automatic ID.
2014-01-03 06:14:34 -05:00
*/
for (newsrv = curproxy->srv; newsrv; newsrv = newsrv->next) {
struct server *other_srv;
OPTIM: cfgparse: speed up duplicate server detection Surprisingly, the duplicate server name detection has never made use of the names tree, so lookups were still in O(N^2). It took 1 second to validate 50k servers spread into 25 backends at 2k per backend. By simply using the tree (and since the current server already is in the tree), we just have to walk using ebpt_prev_dup to visit previous servers with the same name. We can then detect which ones conflict without having an ID set and error. The config check time is now 1/4 of the previous one for 2k servers per backend, and more importantly it will make it simpler to check for any duplicates later.
2024-09-20 11:12:04 -04:00
/* Note: internal servers are not always registered and
* they do not conflict.
*/
if (!newsrv->conf.name.node.leaf_p)
MEDIUM: config: report a warning when multiple servers have the same name A config where multiple servers have the same name in the same backend is prone to a number of issues : logs are not really exploitable, stats get really tricky and even harder to change, etc... In fact, it can be safe to have the same name between multiple servers only when their respective IDs are known and used. So now we detect this situation and emit a warning for the first conflict detected per server if any of the servers uses an automatic ID.
2014-01-03 06:14:34 -05:00
continue;
OPTIM: cfgparse: speed up duplicate server detection Surprisingly, the duplicate server name detection has never made use of the names tree, so lookups were still in O(N^2). It took 1 second to validate 50k servers spread into 25 backends at 2k per backend. By simply using the tree (and since the current server already is in the tree), we just have to walk using ebpt_prev_dup to visit previous servers with the same name. We can then detect which ones conflict without having an ID set and error. The config check time is now 1/4 of the previous one for 2k servers per backend, and more importantly it will make it simpler to check for any duplicates later.
2024-09-20 11:12:04 -04:00
for (other_srv = newsrv;
(other_srv = container_of_safe(ebpt_prev_dup(&other_srv->conf.name),
struct server, conf.name)); ) {
if (!newsrv->puid && !other_srv->puid) {
MEDIUM: config: now alert when two servers have the same name We've been emitting warnings for over 5 years (since 1.5-dev22) about configs accidently carrying multiple servers with the same name in the same backend, and this starts to cause some real trouble in dynamic environments since it's still very difficult to accurately process a state-file and we still can't transport a server's name over the peers protocol because of this. It's about time to force users to fix their configs if they still hadn't given that there is zero technical justification for doing this, beyond the "yyp" (or copy-paste accident) when editing the config. The message remains as clear as before, indicating the file and lines of the conflict so that the user can easily fix it.
2019-05-27 13:31:06 -04:00
ha_alert("parsing [%s:%d] : %s '%s', another server named '%s' was already defined at line %d, please use distinct names.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
newsrv->conf.file, newsrv->conf.line,
proxy_type_str(curproxy), curproxy->id,
newsrv->id, other_srv->conf.line);
MEDIUM: config: now alert when two servers have the same name We've been emitting warnings for over 5 years (since 1.5-dev22) about configs accidently carrying multiple servers with the same name in the same backend, and this starts to cause some real trouble in dynamic environments since it's still very difficult to accurately process a state-file and we still can't transport a server's name over the peers protocol because of this. It's about time to force users to fix their configs if they still hadn't given that there is zero technical justification for doing this, beyond the "yyp" (or copy-paste accident) when editing the config. The message remains as clear as before, indicating the file and lines of the conflict so that the user can easily fix it.
2019-05-27 13:31:06 -04:00
cfgerr++;
MEDIUM: config: report a warning when multiple servers have the same name A config where multiple servers have the same name in the same backend is prone to a number of issues : logs are not really exploitable, stats get really tricky and even harder to change, etc... In fact, it can be safe to have the same name between multiple servers only when their respective IDs are known and used. So now we detect this situation and emit a warning for the first conflict detected per server if any of the servers uses an automatic ID.
2014-01-03 06:14:34 -05:00
break;
}
MEDIUM: cfgparse: warn about deprecated use of duplicate server names As discussed below, there are too many problems and limitations caused by still supporting duplicate server names. That's already particularly complicated and dissuasive to use since it requires these servers to have explicit IDs to be accept. Let's now warn on any duplicate, even with explicit IDs and remind that this will become forbidden in 3.3. Link: https://www.mail-archive.com/haproxy@formilux.org/msg45185.html
2024-09-20 11:15:11 -04:00
ha_warning("parsing [%s:%d] : %s '%s', another server named '%s' was already defined at line %d. This is dangerous and will not be supported anymore in version 3.3. Please use distinct names.\n",
newsrv->conf.file, newsrv->conf.line,
proxy_type_str(curproxy), curproxy->id,
newsrv->id, other_srv->conf.line);
MEDIUM: config: report a warning when multiple servers have the same name A config where multiple servers have the same name in the same backend is prone to a number of issues : logs are not really exploitable, stats get really tricky and even harder to change, etc... In fact, it can be safe to have the same name between multiple servers only when their respective IDs are known and used. So now we detect this situation and emit a warning for the first conflict detected per server if any of the servers uses an automatic ID.
2014-01-03 06:14:34 -05:00
}
}
[BUG] consistent hash: balance on all servers, not only 2 ! It was once reported at least by Dirk Taggesell that the consistent hash had a very poor distribution, making use of only two servers. Jeff Persch analysed the code and found the root cause. Consistent hash makes use of the server IDs, which are completed after the chash array initialization. This implies that each server which does not have an explicit "id" parameter will be merged at the same place in the chash tree and that in the end, only the first or last servers may be used. The now obvious fix (thanks to Jeff) is to assign the missing IDs earlier. However, it should be clearly understood that changing a hash algorithm on live systems will rebalance the whole system. Anyway, the only affected users will be the ones for which the system is quite unbalanced already. The ones who fix their IDs are not affected at all. Kudos to Jeff for spotting that bug which got merged 3 days after the consistent hashing !
2010-05-25 17:03:02 -04:00
/* assign automatic UIDs to servers which don't have one yet */
next_id = 1;
newsrv = curproxy->srv;
while (newsrv != NULL) {
if (!newsrv->puid) {
/* server ID not set, use automatic numbering with first
* spare entry starting with next_svid.
*/
next_id = get_next_id(&curproxy->conf.used_server_id, next_id);
newsrv->conf.id.key = newsrv->puid = next_id;
eb32_insert(&curproxy->conf.used_server_id, &newsrv->conf.id);
}
BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id If the server id is fixed in the configuration, it is immediately inserted in the 'used_server_id' backend tree via srv_parse_id. On check_config_validity, the dynamic id generation is thus skipped for fixed-id servers. However, it must nevertheless be inserted in the 'used_server_name' backend tree. This bug seems to be not noticeable for the user. Indeed, before the fix, the search in sticking_rule_find_target always returned NULL for the name, then the fallback search with server id succeeded, so the persistence is properly applied. However with the fix the fallback search is not executed anymore, which saves from the locking of STK_SESS. This should be backported up to 2.0.
2021-06-14 11:04:25 -04:00
[BUG] consistent hash: balance on all servers, not only 2 ! It was once reported at least by Dirk Taggesell that the consistent hash had a very poor distribution, making use of only two servers. Jeff Persch analysed the code and found the root cause. Consistent hash makes use of the server IDs, which are completed after the chash array initialization. This implies that each server which does not have an explicit "id" parameter will be merged at the same place in the chash tree and that in the end, only the first or last servers may be used. The now obvious fix (thanks to Jeff) is to assign the missing IDs earlier. However, it should be clearly understood that changing a hash algorithm on live systems will rebalance the whole system. Anyway, the only affected users will be the ones for which the system is quite unbalanced already. The ones who fix their IDs are not affected at all. Kudos to Jeff for spotting that bug which got merged 3 days after the consistent hashing !
2010-05-25 17:03:02 -04:00
next_id++;
newsrv = newsrv->next;
}
[MEDIUM] differentiate between generic LB params and map-specific ones Since the introduction of server weights, all load balancing algorithms relied on a pre-computed map. Incidently, quite a bunch of map-specific parameters were used at random places in order to get the number of servers or their total weight. It was not architecturally acceptable that optimizations for the map computation had impact on external parts. For instance, during this cleanup it was found that a backend weight was seen as 1 when only the first backup server is used, whatever its weight. This cleanup consists in differentiating between LB-generic parameters, such as total weights, number of servers, etc... and map-specific ones. The struct proxy has been enhanced in order to make it easier to later support other algorithms. The recount_servers() function now also updates generic values such as total weights so that it's not needed anymore to call recalc_server_map() when weights are needed. This permitted to simplify some code which does not need to know about map internals anymore.
2007-11-15 17:26:18 -05:00
curproxy->lbprm.wmult = 1; /* default weight multiplier */
[MINOR] add a weight divisor to the struct proxy Under some circumstances, it will be useful to be able to have a server's effective weight bigger than the user weight, and this is particularly true for dynamic weight-based algorithms. In order to support this, we add a "wdiv" member to the lbprm structure which will always be used to divide the weights before reporting them.
2007-11-19 13:10:18 -05:00
curproxy->lbprm.wdiv = 1; /* default weight divider */
[MEDIUM] differentiate between generic LB params and map-specific ones Since the introduction of server weights, all load balancing algorithms relied on a pre-computed map. Incidently, quite a bunch of map-specific parameters were used at random places in order to get the number of servers or their total weight. It was not architecturally acceptable that optimizations for the map computation had impact on external parts. For instance, during this cleanup it was found that a backend weight was seen as 1 when only the first backup server is used, whatever its weight. This cleanup consists in differentiating between LB-generic parameters, such as total weights, number of servers, etc... and map-specific ones. The struct proxy has been enhanced in order to make it easier to later support other algorithms. The recount_servers() function now also updates generic values such as total weights so that it's not needed anymore to call recalc_server_map() when weights are needed. This permitted to simplify some code which does not need to know about map internals anymore.
2007-11-15 17:26:18 -05:00
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
/*
* If this server supports a maxconn parameter, it needs a dedicated
* tasks to fill the emptied slots when a connection leaves.
* Also, resolve deferred tracking dependency if needed.
*/
newsrv = curproxy->srv;
while (newsrv != NULL) {
REORG: config: use parsing ctx for server config check Initialize the parsing context when checking server config validity. Adjust the log messages to remove redundant config file/line and server name. Do a similar cleaning in prepare_srv from ssl_sock as this function is called at the same stage. This will standardize the stderr output on startup with the parse_server function.
2021-05-28 04:34:01 -04:00
set_usermsgs_ctx(newsrv->conf.file, newsrv->conf.line, &newsrv->obj_type);
MINOR: cfgparse/server: move (min/max)conn postparsing logic into dedicated function In check_config_validity() function, we performed some consistency checks to adjust minconn/maxconn attributes for each declared server. We move this logic into a dedicated function named srv_minmax_conn_apply() to be able to perform those checks later in the process life when needed (ie: dynamic servers)
2023-02-08 05:49:02 -05:00
srv_minmax_conn_apply(newsrv);
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
MEDIUM: cli/ssl: configure ssl on server at runtime in the context of a progressive backend migration, we want to be able to activate SSL on outgoing connections to the server at runtime without reloading. This patch adds a `set server ssl` command; in order to allow that: - add `srv_use_ssl` to `show servers state` command for compatibility, also update associated parsing - when using default-server ssl setting, and `no-ssl` on server line, init SSL ctx without activating it - when triggering ssl API, de/activate SSL connections as requested - clean ongoing connections as it is done for addr/port changes, without checking prior server state example config: backend be_foo default-server ssl server srv0 127.0.0.1:6011 weight 1 no-ssl show servers state: 5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - -1 where srv0 can switch to ssl later during the runtime: set server be_foo/srv0 ssl on 5 be_foo 1 srv0 127.0.0.1 2 0 1 1 15 1 0 4 0 0 0 0 - 6011 - 1 Also update existing tests and create a new one. Signed-off-by: William Dauchy <wdauchy@gmail.com>
2020-11-14 13:25:33 -05:00
/* this will also properly set the transport layer for
* prod and checks
* if default-server have use_ssl, prerare ssl init
* without activating it */
if (newsrv->use_ssl == 1 || newsrv->check.use_ssl == 1 ||
BUG/MINOR: server: Don't rely on last default-server to init server SSL context During post-parsing stage, the SSL context of a server is initialized if SSL is configured on the server or its default-server. It is required to be able to enable SSL at runtime. However a regression was introduced, because the last parsed default-server is used. But it is not necessarily the default-server line used to configure the server. This may lead to erroneously initialize the SSL context for a server without SSL parameter or the skip it while it should be done. The problem is the default-server used to configure a server is not saved during configuration parsing. So, the information is lost during the post-parsing. To fix the bug, the SRV_F_DEFSRV_USE_SSL flag is introduced. It is used to know when a server was initialized with a default-server using SSL. For the record, the commit f63704488e ("MEDIUM: cli/ssl: configure ssl on server at runtime") has introduced the bug. This patch must be backported as far as 2.4.
2021-12-01 03:50:41 -05:00
(newsrv->proxy->options & PR_O_TCPCHK_SSL) ||
((newsrv->flags & SRV_F_DEFSRV_USE_SSL) && newsrv->use_ssl != 1)) {
MINOR: ssl_sock: implement and use prepare_srv()/destroy_srv() Now we can simply check the transport layer at run time and decide whether or not to initialize or destroy these entries. This removes other ifdefs and includes from cfgparse.c, haproxy.c and hlua.c.
2016-12-22 15:16:08 -05:00
if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv)
cfgerr += xprt_get(XPRT_SSL)->prepare_srv(newsrv);
}
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
MEDIUM: tcp: add the "tfo" option to support TCP fastopen on the server This implements support for the new API which relies on a call to setsockopt(). On systems that support it (currently, only Linux >= 4.11), this enables using TCP fast open when connecting to server. Please note that you should use the retry-on "conn-failure", "empty-response" and "response-timeout" keywords, or the request won't be able to be retried on failure. Co-authored-by: Olivier Houchard <ohouchard@haproxy.com>
2017-01-23 17:36:45 -05:00
if ((newsrv->flags & SRV_F_FASTOPEN) &&
((curproxy->retry_type & (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)) !=
(PR_RE_DISCONNECTED | PR_RE_TIMEOUT)))
REORG: config: use parsing ctx for server config check Initialize the parsing context when checking server config validity. Adjust the log messages to remove redundant config file/line and server name. Do a similar cleaning in prepare_srv from ssl_sock as this function is called at the same stage. This will standardize the stderr output on startup with the parse_server function.
2021-05-28 04:34:01 -04:00
ha_warning("server has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n");
MEDIUM: tcp: add the "tfo" option to support TCP fastopen on the server This implements support for the new API which relies on a call to setsockopt(). On systems that support it (currently, only Linux >= 4.11), this enables using TCP fast open when connecting to server. Please note that you should use the retry-on "conn-failure", "empty-response" and "response-timeout" keywords, or the request won't be able to be retried on failure. Co-authored-by: Olivier Houchard <ohouchard@haproxy.com>
2017-01-23 17:36:45 -05:00
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
if (newsrv->trackit) {
MINOR: srv: extract tracking server config function Extract the post-config tracking setup in a dedicated function srv_apply_track. This will be useful to implement track support for dynamic servers.
2021-07-13 04:35:23 -04:00
if (srv_apply_track(newsrv, curproxy)) {
++cfgerr;
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
goto next_srv;
}
}
MAJOR: server: add DNS-based server name resolution Relies on the DNS protocol freshly implemented in HAProxy. It performs a server IP addr resolution based on a server hostname.
2015-04-13 19:15:08 -04:00
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
next_srv:
REORG: config: use parsing ctx for server config check Initialize the parsing context when checking server config validity. Adjust the log messages to remove redundant config file/line and server name. Do a similar cleaning in prepare_srv from ssl_sock as this function is called at the same stage. This will standardize the stderr output on startup with the parse_server function.
2021-05-28 04:34:01 -04:00
reset_usermsgs_ctx();
BUG/MEDIUM: correctly disable servers tracking another disabled servers. In a config where server "s1" is marked disabled and "s2" tracks "s1", s2 appears disabled on the stats but is still inserted into the LB farm because the tracking is resolved too late in the configuration process. We now resolve tracked servers before building LB maps and we also mark the tracking server in maintenance mode, which previously was not done, causing half of the issue. Last point is that we also protect srv_is_usable() against electing a server marked for maintenance. This is not absolutely needed but is a safe choice and makes a lot of sense. This fix must be backported to 1.4.
2012-01-20 07:12:32 -05:00
newsrv = newsrv->next;
}
MINOR: server: Add dynamic session cookies. This adds a new "dynamic" keyword for the cookie option. If set, a cookie will be generated for each server (assuming one isn't already provided on the "server" line), from the IP of the server, the TCP port, and a secret key provided. To provide the secret key, a new keyword as been added, "dynamic-cookie-key", for backends. Example : backend bk_web balance roundrobin dynamic-cookie-key "bla" cookie WEBSRV insert dynamic server s1 127.0.0.1:80 check server s2 192.168.56.1:80 check This is a first step to be able to dynamically add and remove servers, without modifying the configuration file, and still have all the load balancers redirect the traffic to the right server. Provide a way to generate session cookies, based on the IP address of the server, the TCP port, and a secret key provided.
2017-03-14 15:01:29 -04:00
/*
* Try to generate dynamic cookies for servers now.
* It couldn't be done earlier, since at the time we parsed
* the server line, we may not have known yet that we
* should use dynamic cookies, or the secret key may not
* have been provided yet.
*/
if (curproxy->ck_opts & PR_CK_DYNAMIC) {
newsrv = curproxy->srv;
while (newsrv != NULL) {
srv_set_dyncookie(newsrv);
newsrv = newsrv->next;
}
}
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
/* We have to initialize the server lookup mechanism depending
CLEANUP: Fix typos in the cfgparse subsystem Fix typos in the code comments of the cfgpase subsystem.
2018-11-15 17:04:19 -05:00
* on what LB algorithm was chosen.
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
*/
curproxy->lbprm.algo &= ~(BE_LB_LKUP | BE_LB_PROP_DYN);
switch (curproxy->lbprm.algo & BE_LB_KIND) {
case BE_LB_KIND_RR:
[MEDIUM] backend: introduce the "static-rr" LB algorithm The "static-rr" is just the old round-robin algorithm. It is still in use when a hash algorithm is used and the data to hash is not present, but it was impossible to configure it explicitly. This one is cheaper in terms of CPU and supports unlimited numbers of servers, so it makes sense to be able to use it.
2009-10-03 06:56:50 -04:00
if ((curproxy->lbprm.algo & BE_LB_PARM) == BE_LB_RR_STATIC) {
curproxy->lbprm.algo |= BE_LB_LKUP_MAP;
init_server_map(curproxy);
MINOR: backend: implement random-based load balancing For large farms where servers are regularly added or removed, picking a random server from the pool can ensure faster load transitions than when using round-robin and less traffic surges on the newly added servers than when using leastconn. This commit introduces "balance random". It internally uses a random as the key to the consistent hashing mechanism, thus all features available in consistent hashing such as weights and bounded load via hash-balance- factor are usable. It is extremely convenient because one common concern when using random is what happens when a server is hammered a bit too much. Here that can trivially be avoided, like in the configuration below : backend bk0 balance random hash-balance-factor 110 server-template s 1-100 127.0.0.1:8000 check inter 1s Note that while "balance random" internally relies on a hash algorithm, it holds the same properties as round-robin and as such is compatible with reusing an existing server connection with "option prefer-last-server".
2018-05-03 01:20:40 -04:00
} else if ((curproxy->lbprm.algo & BE_LB_PARM) == BE_LB_RR_RANDOM) {
curproxy->lbprm.algo |= BE_LB_LKUP_CHTREE | BE_LB_PROP_DYN;
BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree A memory allocation failure happening in chash_init_server_tree while trying to allocate a server's lb_nodes item used in consistent hashing would have resulted in a crash. This function is only called during configuration parsing. It was raised in GitHub issue #1233. It could be backported to all stable branches.
2021-05-19 10:40:28 -04:00
if (chash_init_server_tree(curproxy) < 0) {
cfgerr++;
}
[MEDIUM] backend: introduce the "static-rr" LB algorithm The "static-rr" is just the old round-robin algorithm. It is still in use when a hash algorithm is used and the data to hash is not present, but it was impossible to configure it explicitly. This one is cheaper in terms of CPU and supports unlimited numbers of servers, so it makes sense to be able to use it.
2009-10-03 06:56:50 -04:00
} else {
curproxy->lbprm.algo |= BE_LB_LKUP_RRTREE | BE_LB_PROP_DYN;
fwrr_init_server_groups(curproxy);
}
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
break;
[MEDIUM] backend: implement consistent hashing variation Consistent hashing provides some interesting advantages over common hashing. It avoids full redistribution in case of a server failure, or when expanding the farm. This has a cost however, the hashing is far from being perfect, as we associate a server to a request by searching the server with the closest key in a tree. Since servers appear multiple times based on their weights, it is recommended to use weights larger than approximately 10-20 in order to smoothen the distribution a bit. In some cases, playing with weights will be the only solution to make a server appear more often and increase chances of being picked, so stats are very important with consistent hashing. In order to indicate the type of hashing, use : hash-type map-based (default, old one) hash-type consistent (new one) Consistent hashing can make sense in a cache farm, in order not to redistribute everyone when a cache changes state. It could also probably be used for long sessions such as terminal sessions, though that has not be attempted yet. More details on this method of hashing here : http://www.spiteful.com/2008/03/17/programmers-toolbox-part-3-consistent-hashing/
2009-10-01 01:52:15 -04:00
MINOR: backend: rework the LC definition to support other connection-based algos The leastconn algorithm should be of kind "connection-based", not "leastconn" if we want to later support other connection-based LB algos.
2012-02-13 10:57:44 -05:00
case BE_LB_KIND_CB:
MEDIUM: backend: add the 'first' balancing algorithm The principle behind this load balancing algorithm was first imagined and modeled by Steen Larsen then iteratively refined through several work sessions until it would totally address its original goal. The purpose of this algorithm is to always use the smallest number of servers so that extra servers can be powered off during non-intensive hours. Additional tools may be used to do that work, possibly by locally monitoring the servers' activity. The first server with available connection slots receives the connection. The servers are choosen from the lowest numeric identifier to the highest (see server parameter "id"), which defaults to the server's position in the farm. Once a server reaches its maxconn value, the next server is used. It does not make sense to use this algorithm without setting maxconn. Note that it can however make sense to use minconn so that servers are not used at full load before starting new servers, and so that introduction of new servers requires a progressively increasing load (the number of servers would more or less follow the square root of the load until maxconn is reached). This algorithm ignores the server weight, and is more beneficial to long sessions such as RDP or IMAP than HTTP, though it can be useful there too.
2012-02-13 11:12:08 -05:00
if ((curproxy->lbprm.algo & BE_LB_PARM) == BE_LB_CB_LC) {
curproxy->lbprm.algo |= BE_LB_LKUP_LCTREE | BE_LB_PROP_DYN;
fwlc_init_server_tree(curproxy);
} else {
curproxy->lbprm.algo |= BE_LB_LKUP_FSTREE | BE_LB_PROP_DYN;
fas_init_server_tree(curproxy);
}
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
break;
[MEDIUM] backend: implement consistent hashing variation Consistent hashing provides some interesting advantages over common hashing. It avoids full redistribution in case of a server failure, or when expanding the farm. This has a cost however, the hashing is far from being perfect, as we associate a server to a request by searching the server with the closest key in a tree. Since servers appear multiple times based on their weights, it is recommended to use weights larger than approximately 10-20 in order to smoothen the distribution a bit. In some cases, playing with weights will be the only solution to make a server appear more often and increase chances of being picked, so stats are very important with consistent hashing. In order to indicate the type of hashing, use : hash-type map-based (default, old one) hash-type consistent (new one) Consistent hashing can make sense in a cache farm, in order not to redistribute everyone when a cache changes state. It could also probably be used for long sessions such as terminal sessions, though that has not be attempted yet. More details on this method of hashing here : http://www.spiteful.com/2008/03/17/programmers-toolbox-part-3-consistent-hashing/
2009-10-01 01:52:15 -04:00
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
case BE_LB_KIND_HI:
[MEDIUM] backend: implement consistent hashing variation Consistent hashing provides some interesting advantages over common hashing. It avoids full redistribution in case of a server failure, or when expanding the farm. This has a cost however, the hashing is far from being perfect, as we associate a server to a request by searching the server with the closest key in a tree. Since servers appear multiple times based on their weights, it is recommended to use weights larger than approximately 10-20 in order to smoothen the distribution a bit. In some cases, playing with weights will be the only solution to make a server appear more often and increase chances of being picked, so stats are very important with consistent hashing. In order to indicate the type of hashing, use : hash-type map-based (default, old one) hash-type consistent (new one) Consistent hashing can make sense in a cache farm, in order not to redistribute everyone when a cache changes state. It could also probably be used for long sessions such as terminal sessions, though that has not be attempted yet. More details on this method of hashing here : http://www.spiteful.com/2008/03/17/programmers-toolbox-part-3-consistent-hashing/
2009-10-01 01:52:15 -04:00
if ((curproxy->lbprm.algo & BE_LB_HASH_TYPE) == BE_LB_HASH_CONS) {
curproxy->lbprm.algo |= BE_LB_LKUP_CHTREE | BE_LB_PROP_DYN;
BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree A memory allocation failure happening in chash_init_server_tree while trying to allocate a server's lb_nodes item used in consistent hashing would have resulted in a crash. This function is only called during configuration parsing. It was raised in GitHub issue #1233. It could be backported to all stable branches.
2021-05-19 10:40:28 -04:00
if (chash_init_server_tree(curproxy) < 0) {
cfgerr++;
}
[MEDIUM] backend: implement consistent hashing variation Consistent hashing provides some interesting advantages over common hashing. It avoids full redistribution in case of a server failure, or when expanding the farm. This has a cost however, the hashing is far from being perfect, as we associate a server to a request by searching the server with the closest key in a tree. Since servers appear multiple times based on their weights, it is recommended to use weights larger than approximately 10-20 in order to smoothen the distribution a bit. In some cases, playing with weights will be the only solution to make a server appear more often and increase chances of being picked, so stats are very important with consistent hashing. In order to indicate the type of hashing, use : hash-type map-based (default, old one) hash-type consistent (new one) Consistent hashing can make sense in a cache farm, in order not to redistribute everyone when a cache changes state. It could also probably be used for long sessions such as terminal sessions, though that has not be attempted yet. More details on this method of hashing here : http://www.spiteful.com/2008/03/17/programmers-toolbox-part-3-consistent-hashing/
2009-10-01 01:52:15 -04:00
} else {
curproxy->lbprm.algo |= BE_LB_LKUP_MAP;
init_server_map(curproxy);
}
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
break;
MINOR: lbprm: implement true "sticky" balance algo As previously mentioned in cd352c0db ("MINOR: log/balance: rename "log-sticky" to "sticky""), let's define a sticky algorithm that may be used from any protocol. Sticky algorithm sticks on the same server as long as it remains available. The documentation was updated accordingly.
2024-03-28 12:24:53 -04:00
case BE_LB_KIND_SA:
if ((curproxy->lbprm.algo & BE_LB_PARM) == BE_LB_SA_SS) {
curproxy->lbprm.algo |= BE_LB_PROP_DYN;
init_server_ss(curproxy);
}
break;
[MINOR] backend: separate declarations of LB algos from their lookup method LB algo macros were composed of the LB algo by itself without any indication of the method to use to look up a server (the lb function itself). This method was implied by the LB algo, which was not very convenient to add more algorithms. Now we have several fields in the LB macros, some to describe what to look for in the requests, some to describe how to transform that (kind of algo) and some to describe what lookup function to use. The next patch will make it possible to factor out some code for all algos which rely on a map.
2009-10-03 06:21:20 -04:00
}
MINOR: backend: replace the lbprm lock with an rwlock It was previously a spinlock, and it happens that a number of LB algos only lock it for lookups, without performing any modification. Let's first turn it to an rwlock and w-lock it everywhere. This is strictly identical. It was carefully checked that every HA_SPIN_LOCK() was turned to HA_RWLOCK_WRLOCK() and that HA_SPIN_UNLOCK() was turned to HA_RWLOCK_WRUNLOCK() on this lock. _INIT and _DESTROY were updated too.
2020-10-17 12:48:47 -04:00
HA_RWLOCK_INIT(&curproxy->lbprm.lock);
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
if (curproxy->options & PR_O_LOGASAP)
curproxy->to_log &= ~LW_BYTES;
MINOR: proxy: disable warnings for internal proxies The internal proxies should be part of the proxies list, because of this, the check_config_validity() fonction could emit warnings about these proxies. This patch disables 3 startup warnings for internal proxies: - "has no 'bind' directive" (this one was already ignored for the CLI frontend, but we made it generic instead) - "missing timeouts" - "log format ignored"
2021-08-13 09:21:12 -04:00
if (!(curproxy->cap & PR_CAP_INT) && (curproxy->mode == PR_MODE_TCP || curproxy->mode == PR_MODE_HTTP) &&
MEDIUM: tree-wide: logsrv struct becomes logger When 'log' directive was implemented, the internal representation was named 'struct logsrv', because the 'log' directive would directly point to the log target, which used to be a (UDP) log server exclusively at that time, hence the name. But things have become more complex, since today 'log' directive can point to ring targets (implicit, or named) for example. Indeed, a 'log' directive does no longer reference the "final" server to which the log will be sent, but instead it describes which log API and parameters to use for transporting the log messages to the proper log destination. So now the term 'logsrv' is rather confusing and prevents us from introducing a new level of abstraction because they would be mixed with logsrv. So in order to better designate this 'log' directive, and make it more generic, we chose the word 'logger' which now replaces logsrv everywhere it was used in the code (including related comments). This is internal rewording, so no functional change should be expected on user-side.
2023-09-11 09:06:53 -04:00
(curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->loggers) &&
MEDIUM: tree-wide: add logformat expressions wrapper log format expressions are broadly used within the code: once they are parsed from input string, they are converted to a linked list of logformat nodes. We're starting to face some limitations because we're simply storing the converted expression as a generic logformat_node list. The first issue we're facing is that storing logformat expressions that way doesn't allow us to add metadata alongside the list, which is part of the prerequites for implementing log-profiles. Another issue with storing logformat expressions as generic lists of logformat_node elements is that it's starting to become really hard to tell when we rely on logformat expressions or not in the code given that there isn't always a comment near the list declaration or manipulation to indicate that it's relying on logformat expressions under the hood, so this adds some complexity for code maintenance. This patch looks quite impressive due to changes in a lot of header and source files (since logformat expressions are broadly used), but it does a simple thing: it defines the lf_expr structure which itself holds a generic list of logformat nodes, and then declares some helpers to manipulate lf_expr elements and fixes the code so that we now exclusively manipulate logformat_node lists as lf_expr elements outside of log.c. For now, lf_expr struct only contains the list of logformat nodes (no additional metadata), but now that we have dedicated type and helpers, doing so in the future won't be problematic at all and won't require extensive code changes.
2024-02-23 09:57:21 -05:00
(!lf_expr_isempty(&curproxy->logformat) || !lf_expr_isempty(&curproxy->logformat_sd))) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("log format ignored for %s '%s' since it has no log address.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[BUG] log: option tcplog would log to global if no logger was defined Romuald du Song reported a strange bug causing "option tcplog" to unexpectedly use global log parameters if no log server was declared. Eventhough it can be useful in some circumstances, it only hides configuration bugs and can even cause traffic logs to be sent to the wrong logger, since global settings are just for the process. This has been fixed and a warning has been added for configurations where tcplog or httplog are set without any logger. This fix must be backported to 1.3.20, but not to 1.3.15.X in order not to risk any regression on old configurations.
2009-08-09 04:11:45 -04:00
err_code |= ERR_WARN;
}
MINOR: config/proxy: Don't warn for HTTP rules in TCP if 'switch-mode http' set Warnings about ignored HTTP directives in a TCP proxy are inhibited if at least one switch-mode tcp action is configured to perform HTTP upgraded.
2021-03-15 10:10:38 -04:00
if (curproxy->mode != PR_MODE_HTTP && !(curproxy->options & PR_O_HTTP_UPG)) {
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
int optnum;
if (curproxy->uri_auth) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'stats' statement ignored for %s '%s' as it requires HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
err_code |= ERR_WARN;
MEDIUM: uri_auth: implement clean uri_auth cleaning proxy auth_uri struct was manually cleaned up during deinit, but the logic behind was kind of akward because it was required to find out which ones were shared or not. Instead, let's switch to a proper refcount mechanism and free the auth_uri struct directly in proxy_free_common().
2024-11-13 13:54:32 -05:00
stats_uri_auth_drop(curproxy->uri_auth);
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
curproxy->uri_auth = NULL;
}
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
if (curproxy->capture_name) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'capture' statement ignored for %s '%s' as it requires HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
err_code |= ERR_WARN;
}
MINOR: proxy: monitor-uri works with tcp->http upgrades Currently, we have a check in proxy_cfg_ensure_no_http() that generates a warning if the monitor-uri is configured on a proxy that doesn't have mode HTTP enabled. However, when we give a look at monitor-uri implementation, it's not 100% correct. Indeed, despite the warning message, the directive will still be evaluated when HTTP upgrade occurs from a TCP frontend. Thus the error is misleading. To make the error message comply with the actual behavior, the check was moved alongside other checks that accept both native HTTP mode or HTTP upgrades in cfgparse.c.
2023-12-06 05:01:01 -05:00
if (isttest(curproxy->monitor_uri)) {
ha_warning("'monitor-uri' statement ignored for %s '%s' as it requires HTTP mode.\n",
proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
}
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
if (!LIST_ISEMPTY(&curproxy->http_req_rules)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'http-request' rules ignored for %s '%s' as they require HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
err_code |= ERR_WARN;
}
if (!LIST_ISEMPTY(&curproxy->http_res_rules)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'http-response' rules ignored for %s '%s' as they require HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
err_code |= ERR_WARN;
}
BUG/MINOR: config: Add warning for http-after-response rules in TCP mode No warning is emitted if some http-after-response rules are configured on a TCP proxy while such warning messages are emitted for other HTTP ruleset in same condition. It is just an oversight. This patch may be backported as far as 2.2.
2021-03-15 10:09:21 -04:00
if (!LIST_ISEMPTY(&curproxy->http_after_res_rules)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'http-after-response' rules ignored for %s '%s' as they require HTTP mode.\n",
BUG/MINOR: config: Add warning for http-after-response rules in TCP mode No warning is emitted if some http-after-response rules are configured on a TCP proxy while such warning messages are emitted for other HTTP ruleset in same condition. It is just an oversight. This patch may be backported as far as 2.2.
2021-03-15 10:09:21 -04:00
proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
}
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
if (!LIST_ISEMPTY(&curproxy->redirect_rules)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'redirect' rules ignored for %s '%s' as they require HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
MINOR: config: warn when some HTTP rules are used in a TCP proxy Surprizingly, http-request, http-response, block, redirect, and capture rules did not cause a warning to be emitted when used in a TCP proxy, so let's fix this. This patch may be backported to older versions as it helps spotting configuration issues.
2017-03-10 05:49:21 -05:00
err_code |= ERR_WARN;
}
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
for (optnum = 0; cfg_opts[optnum].name; optnum++) {
if (cfg_opts[optnum].mode == PR_MODE_HTTP &&
(curproxy->cap & cfg_opts[optnum].cap) &&
(curproxy->options & cfg_opts[optnum].val)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
cfg_opts[optnum].name, proxy_type_str(curproxy), curproxy->id);
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
err_code |= ERR_WARN;
curproxy->options &= ~cfg_opts[optnum].val;
}
}
for (optnum = 0; cfg_opts2[optnum].name; optnum++) {
if (cfg_opts2[optnum].mode == PR_MODE_HTTP &&
(curproxy->cap & cfg_opts2[optnum].cap) &&
(curproxy->options2 & cfg_opts2[optnum].val)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
cfg_opts2[optnum].name, proxy_type_str(curproxy), curproxy->id);
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
err_code |= ERR_WARN;
curproxy->options2 &= ~cfg_opts2[optnum].val;
}
}
[MEDIUM] add ability to connect to a server from an IP found in a header Using get_ip_from_hdr2() we can look for occurrence #X or #-X and extract the IP it contains. This is typically designed for use with the X-Forwarded-For header. Using "usesrc hdr_ip(name,occ)", it becomes possible to use the IP address found in <name>, and possibly specify occurrence number <occ>, as the source to connect to a server. This is possible both in a server and in a backend's source statement. This is typically used to use the source IP previously set by a upstream proxy.
2009-09-07 05:51:47 -04:00
MAJOR: tproxy: remove support for cttproxy This was the first transparent proxy technology supported by haproxy circa 2005 but it was obsoleted in 2007 by Tproxy 4.0 which removed a lot of the earlier versions' shortcomings and was finally merged into the kernel. Since nobody has been using cttproxy for many years now and nobody has even just tried to compile the files, it's time to remove it. The doc was updated as well.
2015-08-20 13:35:14 -04:00
#if defined(CONFIG_HAP_TRANSPARENT)
MEDIUM: connection: introduce "struct conn_src" for servers and proxies Both servers and proxies share a common set of parameters for outgoing connections, and since they're not stored in a similar structure, a lot of code is duplicated in the connection setup, which is one sensible area. Let's first define a common struct for these settings and make use of it. Next patches will de-duplicate code. This change also fixes a build breakage that happens when USE_LINUX_TPROXY is not set but USE_CTTPROXY is set, which seem to be very unlikely considering that the issue was introduced almost 2 years ago an never reported.
2012-12-08 16:29:20 -05:00
if (curproxy->conn_src.bind_hdr_occ) {
curproxy->conn_src.bind_hdr_occ = 0;
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : ignoring use of header %s as source IP in non-HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id, curproxy->conn_src.bind_hdr_name);
[MEDIUM] add ability to connect to a server from an IP found in a header Using get_ip_from_hdr2() we can look for occurrence #X or #-X and extract the IP it contains. This is typically designed for use with the X-Forwarded-For header. Using "usesrc hdr_ip(name,occ)", it becomes possible to use the IP address found in <name>, and possibly specify occurrence number <occ>, as the source to connect to a server. This is possible both in a server and in a backend's source statement. This is typically used to use the source IP previously set by a upstream proxy.
2009-09-07 05:51:47 -04:00
err_code |= ERR_WARN;
}
[BUILD] config: last patch breaks build without CONFIG_HAP_LINUX_TPROXY A few ifdefs were missing in the config validity check function.
2010-03-30 14:13:29 -04:00
#endif
[MINOR] config: emit warnings when HTTP-only options are used in TCP mode It's very common to see people getting trapped by HTTP-only options which don't work in TCP proxies. To help them definitely get rid of those configs, let's emit warnings for all options and statements which are not supported in their mode. That includes all HTTP-only options, the cookies and the stats. In order to ensure internal config correctness, the options are also disabled.
2010-03-25 02:22:56 -04:00
}
Revert "[BUILD] backend.c and checks.c did not build without tproxy !" This reverts commit 3c3c0122f84d72eae1c4ef4b1826bfdbef7d95e6. This commit was buggy as it also removed previous tproxy changes !
2008-02-14 14:25:24 -05:00
/*
* ensure that we're not cross-dressing a TCP server into HTTP.
*/
newsrv = curproxy->srv;
while (newsrv != NULL) {
MINOR: config: tolerate server "cookie" setting in non-HTTP mode Up to now, if a cookie value was specified on a server when the proxy was in TCP mode, it would cause a fatal error. Now we only report a warning, since the cookie will be ignored. This makes it easier to generate configs from scripts.
2011-10-31 08:49:26 -04:00
if ((curproxy->mode != PR_MODE_HTTP) && newsrv->rdr_len) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' : server cannot have cookie or redirect prefix in non-HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id);
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
cfgerr++;
[MEDIUM] add ability to connect to a server from an IP found in a header Using get_ip_from_hdr2() we can look for occurrence #X or #-X and extract the IP it contains. This is typically designed for use with the X-Forwarded-For header. Using "usesrc hdr_ip(name,occ)", it becomes possible to use the IP address found in <name>, and possibly specify occurrence number <occ>, as the source to connect to a server. This is possible both in a server and in a backend's source statement. This is typically used to use the source IP previously set by a upstream proxy.
2009-09-07 05:51:47 -04:00
}
MINOR: config: tolerate server "cookie" setting in non-HTTP mode Up to now, if a cookie value was specified on a server when the proxy was in TCP mode, it would cause a fatal error. Now we only report a warning, since the cookie will be ignored. This makes it easier to generate configs from scripts.
2011-10-31 08:49:26 -04:00
if ((curproxy->mode != PR_MODE_HTTP) && newsrv->cklen) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : ignoring cookie for server '%s' as HTTP mode is disabled.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id, newsrv->id);
MINOR: config: tolerate server "cookie" setting in non-HTTP mode Up to now, if a cookie value was specified on a server when the proxy was in TCP mode, it would cause a fatal error. Now we only report a warning, since the cookie will be ignored. This makes it easier to generate configs from scripts.
2011-10-31 08:49:26 -04:00
err_code |= ERR_WARN;
MINOR: config: warn when a server with no specific port uses rdp-cookie Mathew Levett reported an issue which is a bit nasty and hard to track down. RDP cookies contain both the IP and the port, and haproxy matches them exactly. So if a server has no port specified (or a remapped port), it will never match a port specified in a cookie. Better warn the user when this is detected.
2013-08-13 11:19:08 -04:00
}
REORG/MEDIUM: server: split server state and flags in two different variables Till now, the server's state and flags were all saved as a single bit field. It causes some difficulties because we'd like to have an enum for the state and separate flags. This commit starts by splitting them in two distinct fields. The first one is srv->state (with its counter-part srv->prev_state) which are now enums, but which still contain bits (SRV_STF_*). The flags now lie in their own field (srv->flags). The function srv_is_usable() was updated to use the enum as input, since it already used to deal only with the state. Note that currently, the maintenance mode is still in the state for simplicity, but it must move as well.
2014-05-13 09:54:22 -04:00
if ((newsrv->flags & SRV_F_MAPPORTS) && (curproxy->options2 & PR_O2_RDPC_PRST)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : RDP cookie persistence will not work for server '%s' because it lacks an explicit port number.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id, newsrv->id);
MINOR: config: warn when a server with no specific port uses rdp-cookie Mathew Levett reported an issue which is a bit nasty and hard to track down. RDP cookies contain both the IP and the port, and haproxy matches them exactly. So if a server has no port specified (or a remapped port), it will never match a port specified in a cookie. Better warn the user when this is detected.
2013-08-13 11:19:08 -04:00
err_code |= ERR_WARN;
MINOR: config: tolerate server "cookie" setting in non-HTTP mode Up to now, if a cookie value was specified on a server when the proxy was in TCP mode, it would cause a fatal error. Now we only report a warning, since the cookie will be ignored. This makes it easier to generate configs from scripts.
2011-10-31 08:49:26 -04:00
}
MAJOR: tproxy: remove support for cttproxy This was the first transparent proxy technology supported by haproxy circa 2005 but it was obsoleted in 2007 by Tproxy 4.0 which removed a lot of the earlier versions' shortcomings and was finally merged into the kernel. Since nobody has been using cttproxy for many years now and nobody has even just tried to compile the files, it's time to remove it. The doc was updated as well.
2015-08-20 13:35:14 -04:00
#if defined(CONFIG_HAP_TRANSPARENT)
MEDIUM: connection: introduce "struct conn_src" for servers and proxies Both servers and proxies share a common set of parameters for outgoing connections, and since they're not stored in a similar structure, a lot of code is duplicated in the connection setup, which is one sensible area. Let's first define a common struct for these settings and make use of it. Next patches will de-duplicate code. This change also fixes a build breakage that happens when USE_LINUX_TPROXY is not set but USE_CTTPROXY is set, which seem to be very unlikely considering that the issue was introduced almost 2 years ago an never reported.
2012-12-08 16:29:20 -05:00
if (curproxy->mode != PR_MODE_HTTP && newsrv->conn_src.bind_hdr_occ) {
newsrv->conn_src.bind_hdr_occ = 0;
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : server %s cannot use header %s as source IP in non-HTTP mode.\n",
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
proxy_type_str(curproxy), curproxy->id, newsrv->id, newsrv->conn_src.bind_hdr_name);
[MEDIUM] add ability to connect to a server from an IP found in a header Using get_ip_from_hdr2() we can look for occurrence #X or #-X and extract the IP it contains. This is typically designed for use with the X-Forwarded-For header. Using "usesrc hdr_ip(name,occ)", it becomes possible to use the IP address found in <name>, and possibly specify occurrence number <occ>, as the source to connect to a server. This is possible both in a server and in a backend's source statement. This is typically used to use the source IP previously set by a upstream proxy.
2009-09-07 05:51:47 -04:00
err_code |= ERR_WARN;
Revert "[BUILD] backend.c and checks.c did not build without tproxy !" This reverts commit 3c3c0122f84d72eae1c4ef4b1826bfdbef7d95e6. This commit was buggy as it also removed previous tproxy changes !
2008-02-14 14:25:24 -05:00
}
[BUILD] config: last patch breaks build without CONFIG_HAP_LINUX_TPROXY A few ifdefs were missing in the config validity check function.
2010-03-30 14:13:29 -04:00
#endif
BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options http-reuse should normally not be used in conjunction with the proxy protocol or with "usesrc clientip". While there's nothing fundamentally wrong with this, whenever these options are used, the server expects the IP address to be the source address for all requests, which doesn't make sense with http-reuse.
2017-01-06 06:21:38 -05:00
BUG/MINOR: config: disable http-reuse on TCP proxies Louis Chanouha reported an inappropriate warning when http-reuse is present in a defaults section while a TCP proxy accidently inherits it and finds a conflict with other options like the use of the PROXY protocol. To fix this patch removes the http-reuse option for TCP proxies. This fix needs to be backported to 1.8, 1.7 and possibly 1.6.
2018-04-28 01:18:15 -04:00
if ((curproxy->mode != PR_MODE_HTTP) && (curproxy->options & PR_O_REUSE_MASK) != PR_O_REUSE_NEVR)
curproxy->options &= ~PR_O_REUSE_MASK;
MEDIUM: spoe: Force the reuse 'always' mode for SPOP backends The reuse "always" mode is forced for SPOP backends. For now, SPOP connections cannot be idle, but once implemented, thanks to this patch, it will be possible to reuse SPOP connections. The related issue is #2502.
2024-07-08 13:14:35 -04:00
if (curproxy->mode == PR_MODE_SPOP)
curproxy->options |= PR_O_REUSE_ALWS;
BUG/MINOR: config: disable http-reuse on TCP proxies Louis Chanouha reported an inappropriate warning when http-reuse is present in a defaults section while a TCP proxy accidently inherits it and finds a conflict with other options like the use of the PROXY protocol. To fix this patch removes the http-reuse option for TCP proxies. This fix needs to be backported to 1.8, 1.7 and possibly 1.6.
2018-04-28 01:18:15 -04:00
MINOR: rhttp: large renaming to use rhttp prefix Previous commit renames 'proto_reverse_connect' module to 'proto_rhttp'. This commits follows this by replacing various custom prefix by 'rhttp_' to make the code uniform. Note that 'reverse_' prefix was kept in connection module. This is because if a new reversable protocol not based on HTTP is implemented, it may be necessary to reused the same connection function which are protocol agnostic.
2023-11-21 05:10:34 -05:00
if ((curproxy->mode != PR_MODE_HTTP) && newsrv->flags & SRV_F_RHTTP) {
ha_alert("%s '%s' : server %s uses reverse HTTP addressing which can only be used with HTTP mode.\n",
MINOR: server: define reverse-connect server Implement reverse-connect server. This server type cannot instantiate its own connection on transfer. Instead, it can only reuse connection from its idle pool. These connections will be populated using the future 'tcp-request session attach-srv' rule. A reverse-connect has no address. Instead, it uses a new custom server notation with '@' character prefix. For the moment, only '@reverse' is defined. An extra check is implemented to ensure server is used in a HTTP proxy.
2023-07-25 09:16:55 -04:00
proxy_type_str(curproxy), curproxy->id, newsrv->id);
cfgerr++;
err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
Revert "[BUILD] backend.c and checks.c did not build without tproxy !" This reverts commit 3c3c0122f84d72eae1c4ef4b1826bfdbef7d95e6. This commit was buggy as it also removed previous tproxy changes !
2008-02-14 14:25:24 -05:00
newsrv = newsrv->next;
}
MAJOR: filters: Add filters support This patch adds the support of filters in HAProxy. The main idea is to have a way to "easely" extend HAProxy by adding some "modules", called filters, that will be able to change HAProxy behavior in a programmatic way. To do so, many entry points has been added in code to let filters to hook up to different steps of the processing. A filter must define a flt_ops sutrctures (see include/types/filters.h for details). This structure contains all available callbacks that a filter can define: struct flt_ops { /* * Callbacks to manage the filter lifecycle */ int (*init) (struct proxy *p); void (*deinit)(struct proxy *p); int (*check) (struct proxy *p); /* * Stream callbacks */ void (*stream_start) (struct stream *s); void (*stream_accept) (struct stream *s); void (*session_establish)(struct stream *s); void (*stream_stop) (struct stream *s); /* * HTTP callbacks */ int (*http_start) (struct stream *s, struct http_msg *msg); int (*http_start_body) (struct stream *s, struct http_msg *msg); int (*http_start_chunk) (struct stream *s, struct http_msg *msg); int (*http_data) (struct stream *s, struct http_msg *msg); int (*http_last_chunk) (struct stream *s, struct http_msg *msg); int (*http_end_chunk) (struct stream *s, struct http_msg *msg); int (*http_chunk_trailers)(struct stream *s, struct http_msg *msg); int (*http_end_body) (struct stream *s, struct http_msg *msg); void (*http_end) (struct stream *s, struct http_msg *msg); void (*http_reset) (struct stream *s, struct http_msg *msg); int (*http_pre_process) (struct stream *s, struct http_msg *msg); int (*http_post_process) (struct stream *s, struct http_msg *msg); void (*http_reply) (struct stream *s, short status, const struct chunk *msg); }; To declare and use a filter, in the configuration, the "filter" keyword must be used in a listener/frontend section: frontend test ... filter <FILTER-NAME> [OPTIONS...] The filter referenced by the <FILTER-NAME> must declare a configuration parser on its own name to fill flt_ops and filter_conf field in the proxy's structure. An exemple will be provided later to make it perfectly clear. For now, filters cannot be used in backend section. But this is only a matter of time. Documentation will also be added later. This is the first commit of a long list about filters. It is possible to have several filters on the same listener/frontend. These filters are stored in an array of at most MAX_FILTERS elements (define in include/types/filters.h). Again, this will be replaced later by a list of filters. The filter API has been highly refactored. Main changes are: * Now, HA supports an infinite number of filters per proxy. To do so, filters are stored in list. * Because filters are stored in list, filters state has been moved from the channel structure to the filter structure. This is cleaner because there is no more info about filters in channel structure. * It is possible to defined filters on backends only. For such filters, stream_start/stream_stop callbacks are not called. Of course, it is possible to mix frontend and backend filters. * Now, TCP streams are also filtered. All callbacks without the 'http_' prefix are called for all kind of streams. In addition, 2 new callbacks were added to filter data exchanged through a TCP stream: - tcp_data: it is called when new data are available or when old unprocessed data are still waiting. - tcp_forward_data: it is called when some data can be consumed. * New callbacks attached to channel were added: - channel_start_analyze: it is called when a filter is ready to process data exchanged through a channel. 2 new analyzers (a frontend and a backend) are attached to channels to call this callback. For a frontend filter, it is called before any other analyzer. For a backend filter, it is called when a backend is attached to a stream. So some processing cannot be filtered in that case. - channel_analyze: it is called before each analyzer attached to a channel, expects analyzers responsible for data sending. - channel_end_analyze: it is called when all other analyzers have finished their processing. A new analyzers is attached to channels to call this callback. For a TCP stream, this is always the last one called. For a HTTP one, the callback is called when a request/response ends, so it is called one time for each request/response. * 'session_established' callback has been removed. Everything that is done in this callback can be handled by 'channel_start_analyze' on the response channel. * 'http_pre_process' and 'http_post_process' callbacks have been replaced by 'channel_analyze'. * 'http_start' callback has been replaced by 'http_headers'. This new one is called just before headers sending and parsing of the body. * 'http_end' callback has been replaced by 'channel_end_analyze'. * It is possible to set a forwarder for TCP channels. It was already possible to do it for HTTP ones. * Forwarders can partially consumed forwardable data. For this reason a new HTTP message state was added before HTTP_MSG_DONE : HTTP_MSG_ENDING. Now all filters can define corresponding callbacks (http_forward_data and tcp_forward_data). Each filter owns 2 offsets relative to buf->p, next and forward, to track, respectively, input data already parsed but not forwarded yet by the filter and parsed data considered as forwarded by the filter. A any time, we have the warranty that a filter cannot parse or forward more input than previous ones. And, of course, it cannot forward more input than it has parsed. 2 macros has been added to retrieve these offets: FLT_NXT and FLT_FWD. In addition, 2 functions has been added to change the 'next size' and the 'forward size' of a filter. When a filter parses input data, it can alter these data, so the size of these data can vary. This action has an effet on all previous filters that must be handled. To do so, the function 'filter_change_next_size' must be called, passing the size variation. In the same spirit, if a filter alter forwarded data, it must call the function 'filter_change_forward_size'. 'filter_change_next_size' can be called in 'http_data' and 'tcp_data' callbacks and only these ones. And 'filter_change_forward_size' can be called in 'http_forward_data' and 'tcp_forward_data' callbacks and only these ones. The data changes are the filter responsability, but with some limitation. It must not change already parsed/forwarded data or data that previous filters have not parsed/forwarded yet. Because filters can be used on backends, when we the backend is set for a stream, we add filters defined for this backend in the filter list of the stream. But we must only do that when the backend and the frontend of the stream are not the same. Else same filters are added a second time leading to undefined behavior. The HTTP compression code had to be moved. So it simplifies http_response_forward_body function. To do so, the way the data are forwarded has changed. Now, a filter (and only one) can forward data. In a commit to come, this limitation will be removed to let all filters take part to data forwarding. There are 2 new functions that filters should use to deal with this feature: * flt_set_http_data_forwarder: This function sets the filter (using its id) that will forward data for the specified HTTP message. It is possible if it was not already set by another filter _AND_ if no data was yet forwarded (msg->msg_state <= HTTP_MSG_BODY). It returns -1 if an error occurs. * flt_http_data_forwarder: This function returns the filter id that will forward data for the specified HTTP message. If there is no forwarder set, it returns -1. When an HTTP data forwarder is set for the response, the HTTP compression is disabled. Of course, this is not definitive.
2015-04-30 05:48:27 -04:00
/* Check filter configuration, if any */
cfgerr += flt_check(curproxy);
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
if (curproxy->cap & PR_CAP_FE) {
MEDIUM: proxy: add the global frontend to the list of normal proxies Since recent changes on the global frontend, it was not possible anymore to soft-reload a process which had a stats socket because the socket would not be disabled upon reload. The only solution to this endless madness is to have the global frontend part of normal proxies. Since we don't want to get an ID that shifts all other proxies and causes trouble in deployed environments, we assign it ID #0 which other proxies can't grab, and we don't report it in the stats pages.
2012-10-04 02:47:34 -04:00
if (!curproxy->accept)
curproxy->accept = frontend_accept;
[MAJOR] frontend: split accept() into frontend_accept() and session_accept() A new function session_accept() is now called from the lower layer to instanciate a new session. Once the session is instanciated, the upper layer's frontent_accept() is called. This one can be service-dependant. That way, we have a 3-phase accept() sequence : 1) protocol-specific, session-less accept(), which is pointed to by the listener. It defaults to the generic stream_sock_accept(). 2) session_accept() which relies on a frontend but not necessarily for use in a proxy (eg: stats or any future service). 3) frontend_accept() which performs the accept for the service offerred by the frontend. It defaults to frontend_accept() which is really what is used by a proxy. The TCP/HTTP proxies have been moved to this mode so that we can now rely on frontend_accept() for any type of session initialization relying on a frontend. The next step will be to convert the stats to use the same system for the stats.
2010-06-01 11:45:26 -04:00
MEDIUM: rules/acl: Parse TCP/HTTP rules and acls defined in defaults sections TCP and HTTP rules can now be defined in defaults sections, but only those with a name. Because these rules may use conditions based on ACLs, ACLs can also be defined in defaults sections. However there are some limitations: * A defaults section defining TCP/HTTP rules cannot be used by a defaults section * A defaults section defining TCP/HTTP rules cannot be used bu a listen section * A defaults sections defining TCP/HTTP rules cannot be used by frontends and backends at the same time * A defaults sections defining 'tcp-request connection' or 'tcp-request session' rules cannot be used by backends * A defaults sections defining 'tcp-response content' rules cannot be used by frontends The TCP request/response inspect-delay of a proxy is now inherited from the defaults section it uses. For now, these rules are only parsed. No evaluation is performed.
2021-10-13 09:40:15 -04:00
if (!LIST_ISEMPTY(&curproxy->tcp_req.inspect_rules) ||
(curproxy->defpx && !LIST_ISEMPTY(&curproxy->defpx->tcp_req.inspect_rules)))
[MEDIUM] session: support "tcp-request content" rules in backends Sometimes it's necessary to be able to perform some "layer 6" analysis in the backend. TCP request rules were not available till now, although documented in the diagram. Enable them in backend now.
2010-08-03 08:02:05 -04:00
curproxy->fe_req_ana |= AN_REQ_INSPECT_FE;
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
[MEDIUM] set rep->analysers from fe and be analysers sess_establish() used to resort to protocol-specific guesses in order to set rep->analysers. This is no longer needed as it gets set from the frontend and the backend as a copy of what was defined in the configuration.
2009-08-16 16:57:50 -04:00
if (curproxy->mode == PR_MODE_HTTP) {
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
curproxy->fe_req_ana |= AN_REQ_WAIT_HTTP | AN_REQ_HTTP_PROCESS_FE;
[MAJOR] http: create the analyser which waits for a response The code part which waits for an HTTP response has been extracted from the old function. We now have two analysers and the second one may re-enable the first one when an 1xx response is encountered. This has been tested and works. The calls to stream_int_return() that were remaining in the wait analyser have been converted to stream_int_retnclose().
2009-10-18 16:53:08 -04:00
curproxy->fe_rsp_ana |= AN_RES_WAIT_HTTP | AN_RES_HTTP_PROCESS_FE;
[MEDIUM] set rep->analysers from fe and be analysers sess_establish() used to resort to protocol-specific guesses in order to set rep->analysers. This is no longer needed as it gets set from the frontend and the backend as a copy of what was defined in the configuration.
2009-08-16 16:57:50 -04:00
}
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
MEDIUM: cli: implement 'mode cli' proxy analyzers This patch implements analysers for parsing the CLI and extra features for the master's CLI. For each command (sent alone, or separated by ; or \n) the request analyser will determine to which server it should send the request. The 'mode cli' proxy is able to parse a prefix for each command which is used to select the apropriate server. The prefix start by @ and is followed by "master", the PID preceded by ! or the relative PID. (e.g. @master, @1, @!1234). The servers are not round-robined anymore. The command is sent with a SHUTW which force the server to close the connection after sending its response. However the proxy allows a keepalive connection on the client side and does not close. The response analyser does not do much stuff, it only reinits the connection when it received a close from the server, and forward the response. It does not analyze the response data. The only guarantee of the end of the response is the close of the server, we can't rely on the double \n since it's not send by every command. This could be reimplemented later as a filter.
2018-10-26 08:47:40 -04:00
if (curproxy->mode == PR_MODE_CLI) {
curproxy->fe_req_ana |= AN_REQ_WAIT_CLI;
curproxy->fe_rsp_ana |= AN_RES_WAIT_CLI;
}
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
/* both TCP and HTTP must check switching rules */
curproxy->fe_req_ana |= AN_REQ_SWITCHING_RULES;
MAJOR: filters: Add filters support This patch adds the support of filters in HAProxy. The main idea is to have a way to "easely" extend HAProxy by adding some "modules", called filters, that will be able to change HAProxy behavior in a programmatic way. To do so, many entry points has been added in code to let filters to hook up to different steps of the processing. A filter must define a flt_ops sutrctures (see include/types/filters.h for details). This structure contains all available callbacks that a filter can define: struct flt_ops { /* * Callbacks to manage the filter lifecycle */ int (*init) (struct proxy *p); void (*deinit)(struct proxy *p); int (*check) (struct proxy *p); /* * Stream callbacks */ void (*stream_start) (struct stream *s); void (*stream_accept) (struct stream *s); void (*session_establish)(struct stream *s); void (*stream_stop) (struct stream *s); /* * HTTP callbacks */ int (*http_start) (struct stream *s, struct http_msg *msg); int (*http_start_body) (struct stream *s, struct http_msg *msg); int (*http_start_chunk) (struct stream *s, struct http_msg *msg); int (*http_data) (struct stream *s, struct http_msg *msg); int (*http_last_chunk) (struct stream *s, struct http_msg *msg); int (*http_end_chunk) (struct stream *s, struct http_msg *msg); int (*http_chunk_trailers)(struct stream *s, struct http_msg *msg); int (*http_end_body) (struct stream *s, struct http_msg *msg); void (*http_end) (struct stream *s, struct http_msg *msg); void (*http_reset) (struct stream *s, struct http_msg *msg); int (*http_pre_process) (struct stream *s, struct http_msg *msg); int (*http_post_process) (struct stream *s, struct http_msg *msg); void (*http_reply) (struct stream *s, short status, const struct chunk *msg); }; To declare and use a filter, in the configuration, the "filter" keyword must be used in a listener/frontend section: frontend test ... filter <FILTER-NAME> [OPTIONS...] The filter referenced by the <FILTER-NAME> must declare a configuration parser on its own name to fill flt_ops and filter_conf field in the proxy's structure. An exemple will be provided later to make it perfectly clear. For now, filters cannot be used in backend section. But this is only a matter of time. Documentation will also be added later. This is the first commit of a long list about filters. It is possible to have several filters on the same listener/frontend. These filters are stored in an array of at most MAX_FILTERS elements (define in include/types/filters.h). Again, this will be replaced later by a list of filters. The filter API has been highly refactored. Main changes are: * Now, HA supports an infinite number of filters per proxy. To do so, filters are stored in list. * Because filters are stored in list, filters state has been moved from the channel structure to the filter structure. This is cleaner because there is no more info about filters in channel structure. * It is possible to defined filters on backends only. For such filters, stream_start/stream_stop callbacks are not called. Of course, it is possible to mix frontend and backend filters. * Now, TCP streams are also filtered. All callbacks without the 'http_' prefix are called for all kind of streams. In addition, 2 new callbacks were added to filter data exchanged through a TCP stream: - tcp_data: it is called when new data are available or when old unprocessed data are still waiting. - tcp_forward_data: it is called when some data can be consumed. * New callbacks attached to channel were added: - channel_start_analyze: it is called when a filter is ready to process data exchanged through a channel. 2 new analyzers (a frontend and a backend) are attached to channels to call this callback. For a frontend filter, it is called before any other analyzer. For a backend filter, it is called when a backend is attached to a stream. So some processing cannot be filtered in that case. - channel_analyze: it is called before each analyzer attached to a channel, expects analyzers responsible for data sending. - channel_end_analyze: it is called when all other analyzers have finished their processing. A new analyzers is attached to channels to call this callback. For a TCP stream, this is always the last one called. For a HTTP one, the callback is called when a request/response ends, so it is called one time for each request/response. * 'session_established' callback has been removed. Everything that is done in this callback can be handled by 'channel_start_analyze' on the response channel. * 'http_pre_process' and 'http_post_process' callbacks have been replaced by 'channel_analyze'. * 'http_start' callback has been replaced by 'http_headers'. This new one is called just before headers sending and parsing of the body. * 'http_end' callback has been replaced by 'channel_end_analyze'. * It is possible to set a forwarder for TCP channels. It was already possible to do it for HTTP ones. * Forwarders can partially consumed forwardable data. For this reason a new HTTP message state was added before HTTP_MSG_DONE : HTTP_MSG_ENDING. Now all filters can define corresponding callbacks (http_forward_data and tcp_forward_data). Each filter owns 2 offsets relative to buf->p, next and forward, to track, respectively, input data already parsed but not forwarded yet by the filter and parsed data considered as forwarded by the filter. A any time, we have the warranty that a filter cannot parse or forward more input than previous ones. And, of course, it cannot forward more input than it has parsed. 2 macros has been added to retrieve these offets: FLT_NXT and FLT_FWD. In addition, 2 functions has been added to change the 'next size' and the 'forward size' of a filter. When a filter parses input data, it can alter these data, so the size of these data can vary. This action has an effet on all previous filters that must be handled. To do so, the function 'filter_change_next_size' must be called, passing the size variation. In the same spirit, if a filter alter forwarded data, it must call the function 'filter_change_forward_size'. 'filter_change_next_size' can be called in 'http_data' and 'tcp_data' callbacks and only these ones. And 'filter_change_forward_size' can be called in 'http_forward_data' and 'tcp_forward_data' callbacks and only these ones. The data changes are the filter responsability, but with some limitation. It must not change already parsed/forwarded data or data that previous filters have not parsed/forwarded yet. Because filters can be used on backends, when we the backend is set for a stream, we add filters defined for this backend in the filter list of the stream. But we must only do that when the backend and the frontend of the stream are not the same. Else same filters are added a second time leading to undefined behavior. The HTTP compression code had to be moved. So it simplifies http_response_forward_body function. To do so, the way the data are forwarded has changed. Now, a filter (and only one) can forward data. In a commit to come, this limitation will be removed to let all filters take part to data forwarding. There are 2 new functions that filters should use to deal with this feature: * flt_set_http_data_forwarder: This function sets the filter (using its id) that will forward data for the specified HTTP message. It is possible if it was not already set by another filter _AND_ if no data was yet forwarded (msg->msg_state <= HTTP_MSG_BODY). It returns -1 if an error occurs. * flt_http_data_forwarder: This function returns the filter id that will forward data for the specified HTTP message. If there is no forwarder set, it returns -1. When an HTTP data forwarder is set for the response, the HTTP compression is disabled. Of course, this is not definitive.
2015-04-30 05:48:27 -04:00
/* Add filters analyzers if needed */
MINOR: filters: Extract proxy stuff from the struct filter Now, filter's configuration (.id, .conf and .ops fields) is stored in the structure 'flt_conf'. So proxies own a flt_conf list instead of a filter list. When a filter is attached to a stream, it gets a pointer on its configuration. This avoids mixing the filter's context (owns by a stream) and its configuration (owns by a proxy). It also saves 2 pointers per filter instance.
2016-02-04 07:40:26 -05:00
if (!LIST_ISEMPTY(&curproxy->filter_configs)) {
BUG/MAJOR: channel: Fix the definition order of channel analyzers It is important to defined analyzers (AN_REQ_* and AN_RES_*) in the same order they are evaluated in process_stream. This order is really important because during analyzers evaluation, we run them in the order of the lower bit to the higher one. This way, when an analyzer adds/removes another one during its evaluation, we know if it is located before or after it. So, when it adds an analyzer which is located before it, we can switch to it immediately, even if it has already been called once but removed since. With the time, and introduction of new analyzers, this order was broken up. the main problems come from the filter analyzers. We used values not related with their evaluation order. Furthermore, we used same values for request and response analyzers. So, to fix the bug, filter analyzers have been splitted in 2 distinct lists to have different analyzers for the request channel than those for the response channel. And of course, we have moved them to the right place. Some other analyzers have been reordered to respect the evaluation order: * AN_REQ_HTTP_TARPIT has been moved just before AN_REQ_SRV_RULES * AN_REQ_PRST_RDP_COOKIE has been moved just before AN_REQ_STICKING_RULES * AN_RES_STORE_RULES has been moved just after AN_RES_WAIT_HTTP Note today we have 29 analyzers, all stored into a 32 bits bitfield. So we can still add 4 more analyzers before having a problem. A good way to fend off the problem for a while could be to have a different bitfield for request and response analyzers. [wt: all of this must be backported to 1.7, and part of it must be backported to 1.6 and 1.5]
2017-01-05 08:06:34 -05:00
curproxy->fe_req_ana |= AN_REQ_FLT_START_FE | AN_REQ_FLT_XFER_DATA | AN_REQ_FLT_END;
curproxy->fe_rsp_ana |= AN_RES_FLT_START_FE | AN_RES_FLT_XFER_DATA | AN_RES_FLT_END;
MAJOR: filters: Add filters support This patch adds the support of filters in HAProxy. The main idea is to have a way to "easely" extend HAProxy by adding some "modules", called filters, that will be able to change HAProxy behavior in a programmatic way. To do so, many entry points has been added in code to let filters to hook up to different steps of the processing. A filter must define a flt_ops sutrctures (see include/types/filters.h for details). This structure contains all available callbacks that a filter can define: struct flt_ops { /* * Callbacks to manage the filter lifecycle */ int (*init) (struct proxy *p); void (*deinit)(struct proxy *p); int (*check) (struct proxy *p); /* * Stream callbacks */ void (*stream_start) (struct stream *s); void (*stream_accept) (struct stream *s); void (*session_establish)(struct stream *s); void (*stream_stop) (struct stream *s); /* * HTTP callbacks */ int (*http_start) (struct stream *s, struct http_msg *msg); int (*http_start_body) (struct stream *s, struct http_msg *msg); int (*http_start_chunk) (struct stream *s, struct http_msg *msg); int (*http_data) (struct stream *s, struct http_msg *msg); int (*http_last_chunk) (struct stream *s, struct http_msg *msg); int (*http_end_chunk) (struct stream *s, struct http_msg *msg); int (*http_chunk_trailers)(struct stream *s, struct http_msg *msg); int (*http_end_body) (struct stream *s, struct http_msg *msg); void (*http_end) (struct stream *s, struct http_msg *msg); void (*http_reset) (struct stream *s, struct http_msg *msg); int (*http_pre_process) (struct stream *s, struct http_msg *msg); int (*http_post_process) (struct stream *s, struct http_msg *msg); void (*http_reply) (struct stream *s, short status, const struct chunk *msg); }; To declare and use a filter, in the configuration, the "filter" keyword must be used in a listener/frontend section: frontend test ... filter <FILTER-NAME> [OPTIONS...] The filter referenced by the <FILTER-NAME> must declare a configuration parser on its own name to fill flt_ops and filter_conf field in the proxy's structure. An exemple will be provided later to make it perfectly clear. For now, filters cannot be used in backend section. But this is only a matter of time. Documentation will also be added later. This is the first commit of a long list about filters. It is possible to have several filters on the same listener/frontend. These filters are stored in an array of at most MAX_FILTERS elements (define in include/types/filters.h). Again, this will be replaced later by a list of filters. The filter API has been highly refactored. Main changes are: * Now, HA supports an infinite number of filters per proxy. To do so, filters are stored in list. * Because filters are stored in list, filters state has been moved from the channel structure to the filter structure. This is cleaner because there is no more info about filters in channel structure. * It is possible to defined filters on backends only. For such filters, stream_start/stream_stop callbacks are not called. Of course, it is possible to mix frontend and backend filters. * Now, TCP streams are also filtered. All callbacks without the 'http_' prefix are called for all kind of streams. In addition, 2 new callbacks were added to filter data exchanged through a TCP stream: - tcp_data: it is called when new data are available or when old unprocessed data are still waiting. - tcp_forward_data: it is called when some data can be consumed. * New callbacks attached to channel were added: - channel_start_analyze: it is called when a filter is ready to process data exchanged through a channel. 2 new analyzers (a frontend and a backend) are attached to channels to call this callback. For a frontend filter, it is called before any other analyzer. For a backend filter, it is called when a backend is attached to a stream. So some processing cannot be filtered in that case. - channel_analyze: it is called before each analyzer attached to a channel, expects analyzers responsible for data sending. - channel_end_analyze: it is called when all other analyzers have finished their processing. A new analyzers is attached to channels to call this callback. For a TCP stream, this is always the last one called. For a HTTP one, the callback is called when a request/response ends, so it is called one time for each request/response. * 'session_established' callback has been removed. Everything that is done in this callback can be handled by 'channel_start_analyze' on the response channel. * 'http_pre_process' and 'http_post_process' callbacks have been replaced by 'channel_analyze'. * 'http_start' callback has been replaced by 'http_headers'. This new one is called just before headers sending and parsing of the body. * 'http_end' callback has been replaced by 'channel_end_analyze'. * It is possible to set a forwarder for TCP channels. It was already possible to do it for HTTP ones. * Forwarders can partially consumed forwardable data. For this reason a new HTTP message state was added before HTTP_MSG_DONE : HTTP_MSG_ENDING. Now all filters can define corresponding callbacks (http_forward_data and tcp_forward_data). Each filter owns 2 offsets relative to buf->p, next and forward, to track, respectively, input data already parsed but not forwarded yet by the filter and parsed data considered as forwarded by the filter. A any time, we have the warranty that a filter cannot parse or forward more input than previous ones. And, of course, it cannot forward more input than it has parsed. 2 macros has been added to retrieve these offets: FLT_NXT and FLT_FWD. In addition, 2 functions has been added to change the 'next size' and the 'forward size' of a filter. When a filter parses input data, it can alter these data, so the size of these data can vary. This action has an effet on all previous filters that must be handled. To do so, the function 'filter_change_next_size' must be called, passing the size variation. In the same spirit, if a filter alter forwarded data, it must call the function 'filter_change_forward_size'. 'filter_change_next_size' can be called in 'http_data' and 'tcp_data' callbacks and only these ones. And 'filter_change_forward_size' can be called in 'http_forward_data' and 'tcp_forward_data' callbacks and only these ones. The data changes are the filter responsability, but with some limitation. It must not change already parsed/forwarded data or data that previous filters have not parsed/forwarded yet. Because filters can be used on backends, when we the backend is set for a stream, we add filters defined for this backend in the filter list of the stream. But we must only do that when the backend and the frontend of the stream are not the same. Else same filters are added a second time leading to undefined behavior. The HTTP compression code had to be moved. So it simplifies http_response_forward_body function. To do so, the way the data are forwarded has changed. Now, a filter (and only one) can forward data. In a commit to come, this limitation will be removed to let all filters take part to data forwarding. There are 2 new functions that filters should use to deal with this feature: * flt_set_http_data_forwarder: This function sets the filter (using its id) that will forward data for the specified HTTP message. It is possible if it was not already set by another filter _AND_ if no data was yet forwarded (msg->msg_state <= HTTP_MSG_BODY). It returns -1 if an error occurs. * flt_http_data_forwarder: This function returns the filter id that will forward data for the specified HTTP message. If there is no forwarder set, it returns -1. When an HTTP data forwarder is set for the response, the HTTP compression is disabled. Of course, this is not definitive.
2015-04-30 05:48:27 -04:00
}
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
}
if (curproxy->cap & PR_CAP_BE) {
MEDIUM: rules/acl: Parse TCP/HTTP rules and acls defined in defaults sections TCP and HTTP rules can now be defined in defaults sections, but only those with a name. Because these rules may use conditions based on ACLs, ACLs can also be defined in defaults sections. However there are some limitations: * A defaults section defining TCP/HTTP rules cannot be used by a defaults section * A defaults section defining TCP/HTTP rules cannot be used bu a listen section * A defaults sections defining TCP/HTTP rules cannot be used by frontends and backends at the same time * A defaults sections defining 'tcp-request connection' or 'tcp-request session' rules cannot be used by backends * A defaults sections defining 'tcp-response content' rules cannot be used by frontends The TCP request/response inspect-delay of a proxy is now inherited from the defaults section it uses. For now, these rules are only parsed. No evaluation is performed.
2021-10-13 09:40:15 -04:00
if (!LIST_ISEMPTY(&curproxy->tcp_req.inspect_rules) ||
(curproxy->defpx && !LIST_ISEMPTY(&curproxy->defpx->tcp_req.inspect_rules)))
[MEDIUM] session: support "tcp-request content" rules in backends Sometimes it's necessary to be able to perform some "layer 6" analysis in the backend. TCP request rules were not available till now, although documented in the diagram. Enable them in backend now.
2010-08-03 08:02:05 -04:00
curproxy->be_req_ana |= AN_REQ_INSPECT_BE;
MEDIUM: rules/acl: Parse TCP/HTTP rules and acls defined in defaults sections TCP and HTTP rules can now be defined in defaults sections, but only those with a name. Because these rules may use conditions based on ACLs, ACLs can also be defined in defaults sections. However there are some limitations: * A defaults section defining TCP/HTTP rules cannot be used by a defaults section * A defaults section defining TCP/HTTP rules cannot be used bu a listen section * A defaults sections defining TCP/HTTP rules cannot be used by frontends and backends at the same time * A defaults sections defining 'tcp-request connection' or 'tcp-request session' rules cannot be used by backends * A defaults sections defining 'tcp-response content' rules cannot be used by frontends The TCP request/response inspect-delay of a proxy is now inherited from the defaults section it uses. For now, these rules are only parsed. No evaluation is performed.
2021-10-13 09:40:15 -04:00
if (!LIST_ISEMPTY(&curproxy->tcp_rep.inspect_rules) ||
(curproxy->defpx && !LIST_ISEMPTY(&curproxy->defpx->tcp_rep.inspect_rules)))
[MEDIUM] Implement tcp inspect response rules
2010-09-23 11:56:44 -04:00
curproxy->be_rsp_ana |= AN_RES_INSPECT;
[MEDIUM] set rep->analysers from fe and be analysers sess_establish() used to resort to protocol-specific guesses in order to set rep->analysers. This is no longer needed as it gets set from the frontend and the backend as a copy of what was defined in the configuration.
2009-08-16 16:57:50 -04:00
if (curproxy->mode == PR_MODE_HTTP) {
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
curproxy->be_req_ana |= AN_REQ_WAIT_HTTP | AN_REQ_HTTP_INNER | AN_REQ_HTTP_PROCESS_BE;
[MAJOR] http: create the analyser which waits for a response The code part which waits for an HTTP response has been extracted from the old function. We now have two analysers and the second one may re-enable the first one when an 1xx response is encountered. This has been tested and works. The calls to stream_int_return() that were remaining in the wait analyser have been converted to stream_int_retnclose().
2009-10-18 16:53:08 -04:00
curproxy->be_rsp_ana |= AN_RES_WAIT_HTTP | AN_RES_HTTP_PROCESS_BE;
[MEDIUM] set rep->analysers from fe and be analysers sess_establish() used to resort to protocol-specific guesses in order to set rep->analysers. This is no longer needed as it gets set from the frontend and the backend as a copy of what was defined in the configuration.
2009-08-16 16:57:50 -04:00
}
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
/* If the backend does requires RDP cookie persistence, we have to
* enable the corresponding analyser.
*/
if (curproxy->options2 & PR_O2_RDPC_PRST)
curproxy->be_req_ana |= AN_REQ_PRST_RDP_COOKIE;
MAJOR: filters: Add filters support This patch adds the support of filters in HAProxy. The main idea is to have a way to "easely" extend HAProxy by adding some "modules", called filters, that will be able to change HAProxy behavior in a programmatic way. To do so, many entry points has been added in code to let filters to hook up to different steps of the processing. A filter must define a flt_ops sutrctures (see include/types/filters.h for details). This structure contains all available callbacks that a filter can define: struct flt_ops { /* * Callbacks to manage the filter lifecycle */ int (*init) (struct proxy *p); void (*deinit)(struct proxy *p); int (*check) (struct proxy *p); /* * Stream callbacks */ void (*stream_start) (struct stream *s); void (*stream_accept) (struct stream *s); void (*session_establish)(struct stream *s); void (*stream_stop) (struct stream *s); /* * HTTP callbacks */ int (*http_start) (struct stream *s, struct http_msg *msg); int (*http_start_body) (struct stream *s, struct http_msg *msg); int (*http_start_chunk) (struct stream *s, struct http_msg *msg); int (*http_data) (struct stream *s, struct http_msg *msg); int (*http_last_chunk) (struct stream *s, struct http_msg *msg); int (*http_end_chunk) (struct stream *s, struct http_msg *msg); int (*http_chunk_trailers)(struct stream *s, struct http_msg *msg); int (*http_end_body) (struct stream *s, struct http_msg *msg); void (*http_end) (struct stream *s, struct http_msg *msg); void (*http_reset) (struct stream *s, struct http_msg *msg); int (*http_pre_process) (struct stream *s, struct http_msg *msg); int (*http_post_process) (struct stream *s, struct http_msg *msg); void (*http_reply) (struct stream *s, short status, const struct chunk *msg); }; To declare and use a filter, in the configuration, the "filter" keyword must be used in a listener/frontend section: frontend test ... filter <FILTER-NAME> [OPTIONS...] The filter referenced by the <FILTER-NAME> must declare a configuration parser on its own name to fill flt_ops and filter_conf field in the proxy's structure. An exemple will be provided later to make it perfectly clear. For now, filters cannot be used in backend section. But this is only a matter of time. Documentation will also be added later. This is the first commit of a long list about filters. It is possible to have several filters on the same listener/frontend. These filters are stored in an array of at most MAX_FILTERS elements (define in include/types/filters.h). Again, this will be replaced later by a list of filters. The filter API has been highly refactored. Main changes are: * Now, HA supports an infinite number of filters per proxy. To do so, filters are stored in list. * Because filters are stored in list, filters state has been moved from the channel structure to the filter structure. This is cleaner because there is no more info about filters in channel structure. * It is possible to defined filters on backends only. For such filters, stream_start/stream_stop callbacks are not called. Of course, it is possible to mix frontend and backend filters. * Now, TCP streams are also filtered. All callbacks without the 'http_' prefix are called for all kind of streams. In addition, 2 new callbacks were added to filter data exchanged through a TCP stream: - tcp_data: it is called when new data are available or when old unprocessed data are still waiting. - tcp_forward_data: it is called when some data can be consumed. * New callbacks attached to channel were added: - channel_start_analyze: it is called when a filter is ready to process data exchanged through a channel. 2 new analyzers (a frontend and a backend) are attached to channels to call this callback. For a frontend filter, it is called before any other analyzer. For a backend filter, it is called when a backend is attached to a stream. So some processing cannot be filtered in that case. - channel_analyze: it is called before each analyzer attached to a channel, expects analyzers responsible for data sending. - channel_end_analyze: it is called when all other analyzers have finished their processing. A new analyzers is attached to channels to call this callback. For a TCP stream, this is always the last one called. For a HTTP one, the callback is called when a request/response ends, so it is called one time for each request/response. * 'session_established' callback has been removed. Everything that is done in this callback can be handled by 'channel_start_analyze' on the response channel. * 'http_pre_process' and 'http_post_process' callbacks have been replaced by 'channel_analyze'. * 'http_start' callback has been replaced by 'http_headers'. This new one is called just before headers sending and parsing of the body. * 'http_end' callback has been replaced by 'channel_end_analyze'. * It is possible to set a forwarder for TCP channels. It was already possible to do it for HTTP ones. * Forwarders can partially consumed forwardable data. For this reason a new HTTP message state was added before HTTP_MSG_DONE : HTTP_MSG_ENDING. Now all filters can define corresponding callbacks (http_forward_data and tcp_forward_data). Each filter owns 2 offsets relative to buf->p, next and forward, to track, respectively, input data already parsed but not forwarded yet by the filter and parsed data considered as forwarded by the filter. A any time, we have the warranty that a filter cannot parse or forward more input than previous ones. And, of course, it cannot forward more input than it has parsed. 2 macros has been added to retrieve these offets: FLT_NXT and FLT_FWD. In addition, 2 functions has been added to change the 'next size' and the 'forward size' of a filter. When a filter parses input data, it can alter these data, so the size of these data can vary. This action has an effet on all previous filters that must be handled. To do so, the function 'filter_change_next_size' must be called, passing the size variation. In the same spirit, if a filter alter forwarded data, it must call the function 'filter_change_forward_size'. 'filter_change_next_size' can be called in 'http_data' and 'tcp_data' callbacks and only these ones. And 'filter_change_forward_size' can be called in 'http_forward_data' and 'tcp_forward_data' callbacks and only these ones. The data changes are the filter responsability, but with some limitation. It must not change already parsed/forwarded data or data that previous filters have not parsed/forwarded yet. Because filters can be used on backends, when we the backend is set for a stream, we add filters defined for this backend in the filter list of the stream. But we must only do that when the backend and the frontend of the stream are not the same. Else same filters are added a second time leading to undefined behavior. The HTTP compression code had to be moved. So it simplifies http_response_forward_body function. To do so, the way the data are forwarded has changed. Now, a filter (and only one) can forward data. In a commit to come, this limitation will be removed to let all filters take part to data forwarding. There are 2 new functions that filters should use to deal with this feature: * flt_set_http_data_forwarder: This function sets the filter (using its id) that will forward data for the specified HTTP message. It is possible if it was not already set by another filter _AND_ if no data was yet forwarded (msg->msg_state <= HTTP_MSG_BODY). It returns -1 if an error occurs. * flt_http_data_forwarder: This function returns the filter id that will forward data for the specified HTTP message. If there is no forwarder set, it returns -1. When an HTTP data forwarder is set for the response, the HTTP compression is disabled. Of course, this is not definitive.
2015-04-30 05:48:27 -04:00
/* Add filters analyzers if needed */
MINOR: filters: Extract proxy stuff from the struct filter Now, filter's configuration (.id, .conf and .ops fields) is stored in the structure 'flt_conf'. So proxies own a flt_conf list instead of a filter list. When a filter is attached to a stream, it gets a pointer on its configuration. This avoids mixing the filter's context (owns by a stream) and its configuration (owns by a proxy). It also saves 2 pointers per filter instance.
2016-02-04 07:40:26 -05:00
if (!LIST_ISEMPTY(&curproxy->filter_configs)) {
BUG/MAJOR: channel: Fix the definition order of channel analyzers It is important to defined analyzers (AN_REQ_* and AN_RES_*) in the same order they are evaluated in process_stream. This order is really important because during analyzers evaluation, we run them in the order of the lower bit to the higher one. This way, when an analyzer adds/removes another one during its evaluation, we know if it is located before or after it. So, when it adds an analyzer which is located before it, we can switch to it immediately, even if it has already been called once but removed since. With the time, and introduction of new analyzers, this order was broken up. the main problems come from the filter analyzers. We used values not related with their evaluation order. Furthermore, we used same values for request and response analyzers. So, to fix the bug, filter analyzers have been splitted in 2 distinct lists to have different analyzers for the request channel than those for the response channel. And of course, we have moved them to the right place. Some other analyzers have been reordered to respect the evaluation order: * AN_REQ_HTTP_TARPIT has been moved just before AN_REQ_SRV_RULES * AN_REQ_PRST_RDP_COOKIE has been moved just before AN_REQ_STICKING_RULES * AN_RES_STORE_RULES has been moved just after AN_RES_WAIT_HTTP Note today we have 29 analyzers, all stored into a 32 bits bitfield. So we can still add 4 more analyzers before having a problem. A good way to fend off the problem for a while could be to have a different bitfield for request and response analyzers. [wt: all of this must be backported to 1.7, and part of it must be backported to 1.6 and 1.5]
2017-01-05 08:06:34 -05:00
curproxy->be_req_ana |= AN_REQ_FLT_START_BE | AN_REQ_FLT_XFER_DATA | AN_REQ_FLT_END;
curproxy->be_rsp_ana |= AN_RES_FLT_START_BE | AN_RES_FLT_XFER_DATA | AN_RES_FLT_END;
MAJOR: filters: Add filters support This patch adds the support of filters in HAProxy. The main idea is to have a way to "easely" extend HAProxy by adding some "modules", called filters, that will be able to change HAProxy behavior in a programmatic way. To do so, many entry points has been added in code to let filters to hook up to different steps of the processing. A filter must define a flt_ops sutrctures (see include/types/filters.h for details). This structure contains all available callbacks that a filter can define: struct flt_ops { /* * Callbacks to manage the filter lifecycle */ int (*init) (struct proxy *p); void (*deinit)(struct proxy *p); int (*check) (struct proxy *p); /* * Stream callbacks */ void (*stream_start) (struct stream *s); void (*stream_accept) (struct stream *s); void (*session_establish)(struct stream *s); void (*stream_stop) (struct stream *s); /* * HTTP callbacks */ int (*http_start) (struct stream *s, struct http_msg *msg); int (*http_start_body) (struct stream *s, struct http_msg *msg); int (*http_start_chunk) (struct stream *s, struct http_msg *msg); int (*http_data) (struct stream *s, struct http_msg *msg); int (*http_last_chunk) (struct stream *s, struct http_msg *msg); int (*http_end_chunk) (struct stream *s, struct http_msg *msg); int (*http_chunk_trailers)(struct stream *s, struct http_msg *msg); int (*http_end_body) (struct stream *s, struct http_msg *msg); void (*http_end) (struct stream *s, struct http_msg *msg); void (*http_reset) (struct stream *s, struct http_msg *msg); int (*http_pre_process) (struct stream *s, struct http_msg *msg); int (*http_post_process) (struct stream *s, struct http_msg *msg); void (*http_reply) (struct stream *s, short status, const struct chunk *msg); }; To declare and use a filter, in the configuration, the "filter" keyword must be used in a listener/frontend section: frontend test ... filter <FILTER-NAME> [OPTIONS...] The filter referenced by the <FILTER-NAME> must declare a configuration parser on its own name to fill flt_ops and filter_conf field in the proxy's structure. An exemple will be provided later to make it perfectly clear. For now, filters cannot be used in backend section. But this is only a matter of time. Documentation will also be added later. This is the first commit of a long list about filters. It is possible to have several filters on the same listener/frontend. These filters are stored in an array of at most MAX_FILTERS elements (define in include/types/filters.h). Again, this will be replaced later by a list of filters. The filter API has been highly refactored. Main changes are: * Now, HA supports an infinite number of filters per proxy. To do so, filters are stored in list. * Because filters are stored in list, filters state has been moved from the channel structure to the filter structure. This is cleaner because there is no more info about filters in channel structure. * It is possible to defined filters on backends only. For such filters, stream_start/stream_stop callbacks are not called. Of course, it is possible to mix frontend and backend filters. * Now, TCP streams are also filtered. All callbacks without the 'http_' prefix are called for all kind of streams. In addition, 2 new callbacks were added to filter data exchanged through a TCP stream: - tcp_data: it is called when new data are available or when old unprocessed data are still waiting. - tcp_forward_data: it is called when some data can be consumed. * New callbacks attached to channel were added: - channel_start_analyze: it is called when a filter is ready to process data exchanged through a channel. 2 new analyzers (a frontend and a backend) are attached to channels to call this callback. For a frontend filter, it is called before any other analyzer. For a backend filter, it is called when a backend is attached to a stream. So some processing cannot be filtered in that case. - channel_analyze: it is called before each analyzer attached to a channel, expects analyzers responsible for data sending. - channel_end_analyze: it is called when all other analyzers have finished their processing. A new analyzers is attached to channels to call this callback. For a TCP stream, this is always the last one called. For a HTTP one, the callback is called when a request/response ends, so it is called one time for each request/response. * 'session_established' callback has been removed. Everything that is done in this callback can be handled by 'channel_start_analyze' on the response channel. * 'http_pre_process' and 'http_post_process' callbacks have been replaced by 'channel_analyze'. * 'http_start' callback has been replaced by 'http_headers'. This new one is called just before headers sending and parsing of the body. * 'http_end' callback has been replaced by 'channel_end_analyze'. * It is possible to set a forwarder for TCP channels. It was already possible to do it for HTTP ones. * Forwarders can partially consumed forwardable data. For this reason a new HTTP message state was added before HTTP_MSG_DONE : HTTP_MSG_ENDING. Now all filters can define corresponding callbacks (http_forward_data and tcp_forward_data). Each filter owns 2 offsets relative to buf->p, next and forward, to track, respectively, input data already parsed but not forwarded yet by the filter and parsed data considered as forwarded by the filter. A any time, we have the warranty that a filter cannot parse or forward more input than previous ones. And, of course, it cannot forward more input than it has parsed. 2 macros has been added to retrieve these offets: FLT_NXT and FLT_FWD. In addition, 2 functions has been added to change the 'next size' and the 'forward size' of a filter. When a filter parses input data, it can alter these data, so the size of these data can vary. This action has an effet on all previous filters that must be handled. To do so, the function 'filter_change_next_size' must be called, passing the size variation. In the same spirit, if a filter alter forwarded data, it must call the function 'filter_change_forward_size'. 'filter_change_next_size' can be called in 'http_data' and 'tcp_data' callbacks and only these ones. And 'filter_change_forward_size' can be called in 'http_forward_data' and 'tcp_forward_data' callbacks and only these ones. The data changes are the filter responsability, but with some limitation. It must not change already parsed/forwarded data or data that previous filters have not parsed/forwarded yet. Because filters can be used on backends, when we the backend is set for a stream, we add filters defined for this backend in the filter list of the stream. But we must only do that when the backend and the frontend of the stream are not the same. Else same filters are added a second time leading to undefined behavior. The HTTP compression code had to be moved. So it simplifies http_response_forward_body function. To do so, the way the data are forwarded has changed. Now, a filter (and only one) can forward data. In a commit to come, this limitation will be removed to let all filters take part to data forwarding. There are 2 new functions that filters should use to deal with this feature: * flt_set_http_data_forwarder: This function sets the filter (using its id) that will forward data for the specified HTTP message. It is possible if it was not already set by another filter _AND_ if no data was yet forwarded (msg->msg_state <= HTTP_MSG_BODY). It returns -1 if an error occurs. * flt_http_data_forwarder: This function returns the filter id that will forward data for the specified HTTP message. If there is no forwarder set, it returns -1. When an HTTP data forwarder is set for the response, the HTTP compression is disabled. Of course, this is not definitive.
2015-04-30 05:48:27 -04:00
}
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
}
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the server's definition.
2018-04-10 08:45:45 -04:00
/* Check the mux protocols, if any, for each listener and server
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
* attached to the current proxy */
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
MINOR: connection: add conn_pr_mode_to_proto_mode() helper func This function allows to safely map proxy mode to corresponding proto_mode This will allow for easier code maintenance and prevent mixups between proxy mode and proto mode.
2023-10-19 10:06:03 -04:00
int mode = conn_pr_mode_to_proto_mode(curproxy->mode);
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
const struct mux_proto_list *mux_ent;
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener PROXY procotol is not supported on QUIC for now. Thus return an error during configuration parsing if 'accept-proxy' option is used for a QUIC listener. This patch should fix the issue #2186. It should be backport as far as 2.6.
2024-02-29 08:27:45 -05:00
if (bind_conf->xprt && bind_conf->xprt == xprt_get(XPRT_QUIC)) {
if (!bind_conf->mux_proto) {
/* No protocol was specified. If we're using QUIC at the transport
* layer, we'll instantiate it as a mux as well. If QUIC is not
* compiled in, this will remain NULL.
*/
MINOR: listener: automatically select a QUIC mux with a QUIC transport When no mux protocol is configured on a bind line with "proto", and the transport layer is QUIC, right now mux_h1 is being used, leading to a crash. Now when the transport layer of the bind line is already known as being QUIC, let's automatically try to configure the QUIC mux, so that users do not have to enter "proto quic" all the time while it's the only supported option. this means that the following line now works: bind quic4@:4449 ssl crt rsa+dh2048.pem alpn h3 allow-0rtt
2022-05-20 12:07:06 -04:00
bind_conf->mux_proto = get_mux_proto(ist("quic"));
BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener PROXY procotol is not supported on QUIC for now. Thus return an error during configuration parsing if 'accept-proxy' option is used for a QUIC listener. This patch should fix the issue #2186. It should be backport as far as 2.6.
2024-02-29 08:27:45 -05:00
}
if (bind_conf->options & BC_O_ACC_PROXY) {
ha_alert("Binding [%s:%d] for %s %s: QUIC protocol does not support PROXY protocol yet."
" 'accept-proxy' option cannot be used with a QUIC listener.\n",
bind_conf->file, bind_conf->line,
proxy_type_str(curproxy), curproxy->id);
cfgerr++;
}
MINOR: listener: automatically select a QUIC mux with a QUIC transport When no mux protocol is configured on a bind line with "proto", and the transport layer is QUIC, right now mux_h1 is being used, leading to a crash. Now when the transport layer of the bind line is already known as being QUIC, let's automatically try to configure the QUIC mux, so that users do not have to enter "proto quic" all the time while it's the only supported option. this means that the following line now works: bind quic4@:4449 ssl crt rsa+dh2048.pem alpn h3 allow-0rtt
2022-05-20 12:07:06 -04:00
}
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
if (!bind_conf->mux_proto)
continue;
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
/* it is possible that an incorrect mux was referenced
* due to the proxy's mode not being taken into account
* on first pass. Let's adjust it now.
*/
mux_ent = conn_get_best_mux_entry(bind_conf->mux_proto->token, PROTO_SIDE_FE, mode);
if (!mux_ent || !isteq(mux_ent->token, bind_conf->mux_proto->token)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' : MUX protocol '%.*s' is not usable for 'bind %s' at [%s:%d].\n",
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
proxy_type_str(curproxy), curproxy->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
MINOR: config: detect and report mux and transport incompatibilities Till now, placing "proto h1" or "proto h2" on a "quic" bind or placing "proto quic" on a TCP line would parse fine but would crash when traffic arrived. The reason is that there's a strong binding between the QUIC mux and QUIC transport and that they're not expected to be called with other types at all. Now that we have the mux's type and we know the type of the protocol used on the bind conf, we can perform such checks. This now returns: [ALERT] (16978) : config : frontend 'decrypt' : stream-based MUX protocol 'h2' is incompatible with framed transport of 'bind quic4@:4448' at [quic-mini.cfg:27]. [ALERT] (16978) : config : frontend 'decrypt' : frame-based MUX protocol 'quic' is incompatible with stream transport of 'bind :4448' at [quic-mini.cfg:29]. This config tightening is only tagged MINOR since while such a config, despite not reporting error, cannot work at all so even if it breaks experimental configs, they were just waiting for a single connection to crash.
2022-05-20 11:53:32 -04:00
} else {
if ((mux_ent->mux->flags & MX_FL_FRAMED) && !(bind_conf->options & BC_O_USE_SOCK_DGRAM)) {
ha_alert("%s '%s' : frame-based MUX protocol '%.*s' is incompatible with stream transport of 'bind %s' at [%s:%d].\n",
proxy_type_str(curproxy), curproxy->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
else if (!(mux_ent->mux->flags & MX_FL_FRAMED) && !(bind_conf->options & BC_O_USE_SOCK_STREAM)) {
ha_alert("%s '%s' : stream-based MUX protocol '%.*s' is incompatible with framed transport of 'bind %s' at [%s:%d].\n",
proxy_type_str(curproxy), curproxy->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
}
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
/* update the mux */
bind_conf->mux_proto = mux_ent;
MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the proxy's definition.
2018-04-10 08:43:00 -04:00
}
MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the server's definition.
2018-04-10 08:45:45 -04:00
for (newsrv = curproxy->srv; newsrv; newsrv = newsrv->next) {
MINOR: connection: add conn_pr_mode_to_proto_mode() helper func This function allows to safely map proxy mode to corresponding proto_mode This will allow for easier code maintenance and prevent mixups between proxy mode and proto mode.
2023-10-19 10:06:03 -04:00
int mode = conn_pr_mode_to_proto_mode(curproxy->mode);
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
const struct mux_proto_list *mux_ent;
MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the server's definition.
2018-04-10 08:45:45 -04:00
if (!newsrv->mux_proto)
continue;
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
/* it is possible that an incorrect mux was referenced
* due to the proxy's mode not being taken into account
* on first pass. Let's adjust it now.
*/
mux_ent = conn_get_best_mux_entry(newsrv->mux_proto->token, PROTO_SIDE_BE, mode);
if (!mux_ent || !isteq(mux_ent->token, newsrv->mux_proto->token)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_alert("%s '%s' : MUX protocol '%.*s' is not usable for server '%s' at [%s:%d].\n",
MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the server's definition.
2018-04-10 08:45:45 -04:00
proxy_type_str(curproxy), curproxy->id,
(int)newsrv->mux_proto->token.len,
newsrv->mux_proto->token.ptr,
newsrv->id, newsrv->conf.file, newsrv->conf.line);
cfgerr++;
}
MINOR: config: make sure to associate the proper mux to bind and servers Currently a mux may be forced on a bind or server line by specifying the "proto" keyword. The problem is that the mux may depend on the proxy's mode, which is not known when parsing this keyword, so a wrong mux could be picked. Let's simply update the mux entry while checking its validity. We do have the name and the side, we only need to see if a better mux fits based on the proxy's mode. It also requires to remove the side check while parsing the "proto" keyword since a wrong mux could be picked. This way it becomes possible to declare multiple muxes with the same protocol names and different sides or modes.
2018-12-02 07:09:09 -05:00
/* update the mux */
newsrv->mux_proto = mux_ent;
MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol For now, it is parsed but not used. Tests are done on it to check if the side and the mode are compatible with the server's definition.
2018-04-10 08:45:45 -04:00
}
MINOR: check: allocate default check ruleset for every backends Allocate default tcp ruleset for every backend without explicit rules defined, even if no server in the backend use check. This change is required to implement checks for dynamic servers. This allocation is done on check_config_validity. It must absolutely be called before check_proxy_tcpcheck (called via post proxy check) which allocate the implicit tcp connect rule.
2021-07-23 09:46:46 -04:00
/* Allocate default tcp-check rules for proxies without
* explicit rules.
*/
if (curproxy->cap & PR_CAP_BE) {
if (!(curproxy->options2 & PR_O2_CHK_ANY)) {
struct tcpcheck_ruleset *rs = NULL;
struct tcpcheck_rules *rules = &curproxy->tcpcheck_rules;
curproxy->options2 |= PR_O2_TCPCHK_CHK;
rs = find_tcpcheck_ruleset("*tcp-check");
if (!rs) {
rs = create_tcpcheck_ruleset("*tcp-check");
if (rs == NULL) {
ha_alert("config: %s '%s': out of memory.\n",
proxy_type_str(curproxy), curproxy->id);
cfgerr++;
}
}
free_tcpcheck_vars(&rules->preset_vars);
rules->list = &rs->rules;
rules->flags = 0;
}
}
MINOR: cfgparse: finish to set up servers outside of the proxy setup loop Till now servers were only initialized as part of the proxy setup loop, which doesn't cover peers, tcp log, dns, lua etc. Let's move this part out of this loop and instead iterate over all registered servers. This way we're certain to visit them all. The patch looks big but it's just a move of a large block with the corresponding reindent (as can be checked with diff -b). It relies on the two previous ones ("MINOR: server: add a global list of all known servers and" and "CLEANUP: lua: set a dummy file name and line number on the dummy servers").
2021-03-05 04:48:42 -05:00
}
BUG/MEDIUM: server: initialize the idle conns list after parsing the config The idle conns lists are sized according to the number of threads. As such they cannot be initialized during the parsing since nbthread can be set later, as revealed by this simple config which randomly crashes when used. Let's do this at the end instead. listen proxy bind :4445 mode http timeout client 10s timeout server 10s timeout connect 10s http-reuse always server s1 127.0.0.1:8000 global nbthread 8 This fix must be backported to 1.9 and 1.8.
2019-02-07 08:46:29 -05:00
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
/*
* We have just initialized the main proxies list
* we must also configure the log-forward proxies list
*/
if (init_proxies_list == proxies_list) {
init_proxies_list = cfg_log_forward;
BUG/MAJOR: mworker: fix infinite loop on master with no proxies. The master is re-exec with an empty proxies list if no master CLI is configured. This results in infinite loop since last patch: 3b68b602 ("BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized") This patch avoid to loop again on log-forward proxies list if empty. This patch should be backported until v2.3
2022-08-22 04:25:11 -04:00
/* check if list is not null to avoid infinite loop */
BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring. The init of tcp sink, particularly for SSL, was done too early in the code, during parsing, and this can cause a crash specially if nbthread was not configured. This was detected by William using ASAN on a new regtest on log forward. This patch adds the 'struct proxy' created for a sink to a list and this list is now submitted to the same init code than the main proxies list or the log_forward's proxies list. Doing this, we are assured to use the right init sequence. It also removes the ini code for ssl from post section parsing. This patch should be backported as far as v2.2 Note: this fix uses 'goto' labels created by commit 'BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized' but this code didn't exist before v2.3 so this patch needs to be adapted for v2.2.
2022-09-13 10:16:30 -04:00
if (init_proxies_list)
goto init_proxies_list_stage1;
}
if (init_proxies_list == cfg_log_forward) {
init_proxies_list = sink_proxies_list;
/* check if list is not null to avoid infinite loop */
BUG/MAJOR: mworker: fix infinite loop on master with no proxies. The master is re-exec with an empty proxies list if no master CLI is configured. This results in infinite loop since last patch: 3b68b602 ("BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized") This patch avoid to loop again on log-forward proxies list if empty. This patch should be backported until v2.3
2022-08-22 04:25:11 -04:00
if (init_proxies_list)
goto init_proxies_list_stage1;
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
}
MINOR: cfgparse: finish to set up servers outside of the proxy setup loop Till now servers were only initialized as part of the proxy setup loop, which doesn't cover peers, tcp log, dns, lua etc. Let's move this part out of this loop and instead iterate over all registered servers. This way we're certain to visit them all. The patch looks big but it's just a move of a large block with the corresponding reindent (as can be checked with diff -b). It relies on the two previous ones ("MINOR: server: add a global list of all known servers and" and "CLEANUP: lua: set a dummy file name and line number on the dummy servers").
2021-03-05 04:48:42 -05:00
/***********************************************************/
/* At this point, target names have already been resolved. */
/***********************************************************/
BUG/MEDIUM: server: initialize the idle conns list after parsing the config The idle conns lists are sized according to the number of threads. As such they cannot be initialized during the parsing since nbthread can be set later, as revealed by this simple config which randomly crashes when used. Let's do this at the end instead. listen proxy bind :4445 mode http timeout client 10s timeout server 10s timeout connect 10s http-reuse always server s1 127.0.0.1:8000 global nbthread 8 This fix must be backported to 1.9 and 1.8.
2019-02-07 08:46:29 -05:00
MINOR: task: provide 3 task_new_* wrappers to simplify the API We'll need to improve the API to pass other arguments in the future, so let's start to adapt better to the current use cases. task_new() is used: - 18 times as task_new(tid_bit) - 18 times as task_new(MAX_THREADS_MASK) - 2 times with a single bit (in a loop) - 1 in the debug code that uses a mask This patch provides 3 new functions to achieve this: - task_new_here() to create a task on the calling thread - task_new_anywhere() to create a task to be run anywhere - task_new_on() to create a task to run on a specific thread The change is trivial and will allow us to later concentrate the required adaptations to these 3 functions only. It's still possible to call task_new() if needed but a comment was added to encourage the use of the new ones instead. The debug code was not changed and still uses it.
2021-10-01 12:23:30 -04:00
idle_conn_task = task_new_anywhere();
MINOR: cfgparse: always alloc idle conns task The idle conn task is is a global task used to cleanup backend connections marked for deletion. Previously, it was only only allocated if at least one server in the configuration has idle connections. This assumption won't be valid anymore when new servers can be created at runtime with idle connections. Always allocate the global idle conn task.
2021-03-08 11:31:39 -05:00
if (!idle_conn_task) {
ha_alert("parsing : failed to allocate global idle connection task.\n");
cfgerr++;
}
else {
idle_conn_task->process = srv_cleanup_idle_conns;
idle_conn_task->context = NULL;
for (i = 0; i < global.nbthread; i++) {
MINOR: task: provide 3 task_new_* wrappers to simplify the API We'll need to improve the API to pass other arguments in the future, so let's start to adapt better to the current use cases. task_new() is used: - 18 times as task_new(tid_bit) - 18 times as task_new(MAX_THREADS_MASK) - 2 times with a single bit (in a loop) - 1 in the debug code that uses a mask This patch provides 3 new functions to achieve this: - task_new_here() to create a task on the calling thread - task_new_anywhere() to create a task to be run anywhere - task_new_on() to create a task to run on a specific thread The change is trivial and will allow us to later concentrate the required adaptations to these 3 functions only. It's still possible to call task_new() if needed but a comment was added to encourage the use of the new ones instead. The debug code was not changed and still uses it.
2021-10-01 12:23:30 -04:00
idle_conns[i].cleanup_task = task_new_on(i);
MINOR: cfgparse: always alloc idle conns task The idle conn task is is a global task used to cleanup backend connections marked for deletion. Previously, it was only only allocated if at least one server in the configuration has idle connections. This assumption won't be valid anymore when new servers can be created at runtime with idle connections. Always allocate the global idle conn task.
2021-03-08 11:31:39 -05:00
if (!idle_conns[i].cleanup_task) {
ha_alert("parsing : failed to allocate idle connection tasks for thread '%d'.\n", i);
cfgerr++;
break;
MINOR: cfgparse: finish to set up servers outside of the proxy setup loop Till now servers were only initialized as part of the proxy setup loop, which doesn't cover peers, tcp log, dns, lua etc. Let's move this part out of this loop and instead iterate over all registered servers. This way we're certain to visit them all. The patch looks big but it's just a move of a large block with the corresponding reindent (as can be checked with diff -b). It relies on the two previous ones ("MINOR: server: add a global list of all known servers and" and "CLEANUP: lua: set a dummy file name and line number on the dummy servers").
2021-03-05 04:48:42 -05:00
}
MEDIUM: servers: Split the connections into idle, safe, and available. Revamp the server connection lists. We know have 3 lists : - idle_conns, which contains idling connections - safe_conns, which contains idling connections that are safe to use even for the first request - available_conns, which contains connections that are not idling, but can still accept new streams (those are HTTP/2 or fastcgi, and are always considered safe).
2020-02-13 13:12:07 -05:00
MINOR: cfgparse: always alloc idle conns task The idle conn task is is a global task used to cleanup backend connections marked for deletion. Previously, it was only only allocated if at least one server in the configuration has idle connections. This assumption won't be valid anymore when new servers can be created at runtime with idle connections. Always allocate the global idle conn task.
2021-03-08 11:31:39 -05:00
idle_conns[i].cleanup_task->process = srv_cleanup_toremove_conns;
idle_conns[i].cleanup_task->context = NULL;
HA_SPIN_INIT(&idle_conns[i].idle_conns_lock);
MT_LIST_INIT(&idle_conns[i].toremove_conns);
BUG/MEDIUM: server: initialize the idle conns list after parsing the config The idle conns lists are sized according to the number of threads. As such they cannot be initialized during the parsing since nbthread can be set later, as revealed by this simple config which randomly crashes when used. Let's do this at the end instead. listen proxy bind :4445 mode http timeout client 10s timeout server 10s timeout connect 10s http-reuse always server s1 127.0.0.1:8000 global nbthread 8 This fix must be backported to 1.9 and 1.8.
2019-02-07 08:46:29 -05:00
}
MEDIUM: config: compute the exact bind-process before listener's maxaccept This is a continuation of previous patch, the listener's maxaccept is divided by the number of processes, so it's best if we can swap the two blocks so that the number of processes is already known when computing the maxaccept value.
2014-09-16 07:41:21 -04:00
}
/* perform the final checks before creating tasks */
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
/* starting to initialize the main proxies list */
init_proxies_list = proxies_list;
init_proxies_list_stage2:
for (curproxy = init_proxies_list; curproxy; curproxy = curproxy->next) {
MEDIUM: config: compute the exact bind-process before listener's maxaccept This is a continuation of previous patch, the listener's maxaccept is divided by the number of processes, so it's best if we can swap the two blocks so that the number of processes is already known when computing the maxaccept value.
2014-09-16 07:41:21 -04:00
struct listener *listener;
unsigned int next_id;
[MINOR] cleanup set_session_backend by using pre-computed analysers Analyser bitmaps are now stored in the frontend and backend, and combined at configuration time. That way, set_session_backend() does not need to perform any protocol-specific combinations.
2009-08-16 16:37:44 -04:00
MEDIUM: config: centralize handling of SSL config per bind line SSL config holds many parameters which are per bind line and not per listener. Let's use a per-bind line config instead of having it replicated for each listener. At the moment we only do this for the SSL part but this should probably evolved to handle more of the configuration and maybe even the state per bind line.
2012-09-07 10:58:00 -04:00
/* Configure SSL for each bind line.
* Note: if configuration fails at some point, the ->ctx member
* remains NULL so that listeners can later detach.
*/
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
if (bind_conf->xprt->prepare_bind_conf &&
bind_conf->xprt->prepare_bind_conf(bind_conf) < 0)
MEDIUM: config: centralize handling of SSL config per bind line SSL config holds many parameters which are per bind line and not per listener. Let's use a per-bind line config instead of having it replicated for each listener. At the moment we only do this for the SSL part but this should probably evolved to handle more of the configuration and maybe even the state per bind line.
2012-09-07 10:58:00 -04:00
cfgerr++;
MEDIUM: listener: move the analysers mask to the bind_conf When bind_conf were created, some elements such as the analysers mask ought to have moved there but that wasn't the case. Now that it's getting clearer that bind_conf provides all binding parameters and the listener is essentially a listener on an address, it's starting to get really confusing to keep such parameters in the listener, so let's move the mask to the bind_conf. We also take this opportunity for pre-setting the mask to the frontend's upon initalization. Now several loops have one less argument to take care of.
2023-01-12 12:39:42 -05:00
bind_conf->analysers |= curproxy->fe_req_ana;
MINOR: listener: move maxaccept from listener to bind_conf Like for previous values, maxaccept is really per-bind_conf, so let's move it there. Some frontends (peers, log) set it to 1 so the assignment was slightly moved.
2023-01-12 12:52:23 -05:00
if (!bind_conf->maxaccept)
bind_conf->maxaccept = global.tune.maxaccept ? global.tune.maxaccept : MAX_ACCEPT;
MINOR: listener: move the ->accept callback to the bind_conf The accept callback directly derives from the upper layer, generally it's session_accept_fd(). As such it's also defined per bind line so it makes sense to move it there.
2023-01-12 13:10:17 -05:00
bind_conf->accept = session_accept_fd;
MINOR: listener: move the NOLINGER option to the bind_conf It's currently declared per-frontend, though it would make sense to support it per-line but in no case per-listener. Let's move the option to a bind_conf option BC_O_NOLINGER.
2023-01-12 13:37:07 -05:00
if (curproxy->options & PR_O_TCP_NOLING)
bind_conf->options |= BC_O_NOLINGER;
MINOR: listener: move the NOQUICKACK option to the bind_conf It solely depends on the bind line so let's move it there under the name BC_O_NOQUICKACK.
2023-01-12 13:40:42 -05:00
/* smart accept mode is automatic in HTTP mode */
if ((curproxy->options2 & PR_O2_SMARTACC) ||
((curproxy->mode == PR_MODE_HTTP || (bind_conf->options & BC_O_USE_SSL)) &&
!(curproxy->no_options2 & PR_O2_SMARTACC)))
bind_conf->options |= BC_O_NOQUICKACK;
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
}
MEDIUM: config: centralize handling of SSL config per bind line SSL config holds many parameters which are per bind line and not per listener. Let's use a per-bind line config instead of having it replicated for each listener. At the moment we only do this for the SSL part but this should probably evolved to handle more of the configuration and maybe even the state per bind line.
2012-09-07 10:58:00 -04:00
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-28 20:09:36 -04:00
/* adjust this proxy's listeners */
MINOR: quic+openssl_compat: Do not start without "limited-quic" Add a check for limited-quic in check_config_validity() when compiled with USE_QUIC_OPENSSL_COMPAT so that we prevent a config from starting accidentally with limited QUIC support. If a QUIC listener is found when using the compatibility mode and limited-quic is not set, an error message is reported explaining that the SSL library is not compatible and proposing the user to enable limited-quic if that's what they want, and the startup fails. This partially reverts commit 7c730803d ("MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"") since a warning was not sufficient.
2023-08-17 04:15:09 -04:00
bind_conf = NULL;
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
next_id = 1;
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
list_for_each_entry(listener, &curproxy->conf.listeners, by_fe) {
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
if (!listener->luid) {
/* listener ID not set, use automatic numbering with first
* spare entry starting with next_luid.
*/
BUG/MINOR: listener: always assign distinct IDs to shards When sharded listeners were introdcued in 2.5 with commit 6dfbef4145 ("MEDIUM: listener: add the "shards" bind keyword"), a point was overlooked regarding how IDs are assigned to listeners: they are just duplicated! This means that if a "option socket-stats" is set and a shard is configured, or multiple thread groups are enabled, then a stats dump will produce several lines with exactly the same socket name and ID. This patch tries to address this by trying to assign consecutive numbers to these sockets. The usual algo is maintained, but with a preference for the next number in a shard. This will help users reserve ranges for each socket, for example by using multiples of 100 or 1000 on each bind line, leaving enough room for all shards to be assigned. The mechanism however is quite tricky, because the configured listener currently ends up being the last one of the shard. This helps insert them before the current position without having to revisit them. But here it causes a difficulty which is that we'd like to restart from the current ID and assign new ones on top of it. What is done is that the number is passed between shards and the current one is cleared (and removed from the tree) so that we instead insert the new one. It's tricky because of the situation which depends whether it's the listener that was already assigned on the bind line or not. But overall, always removing the entry, always adding the new one when the ID is not zero, and passing them from the reference to the next one does the trick. This may be backported to all versions till 2.6.
2024-04-09 02:41:06 -04:00
if (listener->by_fe.p != &curproxy->conf.listeners) {
struct listener *prev_li = LIST_PREV(&listener->by_fe, typeof(prev_li), by_fe);
if (prev_li->luid)
next_id = prev_li->luid + 1;
}
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
next_id = get_next_id(&curproxy->conf.used_listener_id, next_id);
listener->conf.id.key = listener->luid = next_id;
eb32_insert(&curproxy->conf.used_listener_id, &listener->conf.id);
}
[BUG] pxid/puid/luid: don't shift IDs when some of them are forced [WT: it was not a bug, I did it on purpose to leave no hole between IDs, though it's not very practical when admins want to force some entries after they have been used, because they'd rather leave a hole than renumber everything ] Forcing some of IDs should not shift others. Regression introduced in 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5 ---cut here--- global stats socket /home/ole/haproxy.stat user ole group ole mode 660 frontend F1 bind 127.0.0.1:9999 mode http backend B1 mode http backend B2 mode http id 9999 backend B3 mode http backend B4 mode http ---cut here--- Before 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 4 5 After 53fb4ae261b6e0e33e618f5cabbacc1657c19cc5: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 3 4 With this patch: $ echo "show stat" | socat unix-connect:/home/ole/haproxy.stat stdio|cut -d , -f 28 iid 1 2 9999 4 5
2010-02-05 14:58:27 -05:00
next_id++;
[MEDIUM] config: automatically find unused IDs for proxies, servers and listeners Until now it was required that every custom ID was above 1000 in order to avoid conflicts. Now we have the list of all assigned IDs and can automatically pick the first unused one. This means that it is perfectly possible to interleave automatic IDs with persistent IDs and the parser will automatically allocate unused values starting with 1.
2009-10-04 17:04:08 -04:00
[MEDIUM] Collect & provide separate statistics for sockets, v2 This patch allows to collect & provide separate statistics for each socket. It can be very useful if you would like to distinguish between traffic generate by local and remote users or between different types of remote clients (peerings, domestic, foreign). Currently no "Session rate" is supported, but adding it should be possible if we found it useful.
2009-10-04 09:43:17 -04:00
/* enable separate counters */
if (curproxy->options2 & PR_O2_SOCKSTAT) {
CLEANUP: counters: move from 3 types to 2 types We used to have 3 types of counters with a huge overlap : - listener counters : stats collected for each bind line - proxy counters : union of the frontend and backend counters - server counters : stats collected per server It happens that quite a good part was common between listeners and proxies due to the frontend counters being updated at the two locations, and that similarly the server and proxy counters were overlapping and being updated together. This patch cleans this up to propose only two types of counters : - fe_counters: used by frontends and listeners, related to incoming connections activity - be_counters: used by backends and servers, related to outgoing connections activity This allowed to remove some non-sensical counters from both parts. For frontends, the following entries were removed : cum_lbconn, last_sess, nbpend_max, failed_conns, failed_resp, retries, redispatches, q_time, c_time, d_time, t_time For backends, this ones was removed : intercepted_req. While doing this it was discovered that we used to incorrectly report intercepted_req for backends in the HTML stats, which was always zero since it's never updated. Also it revealed a few inconsistencies (which were not fixed as they are harmless). For example, backends count connections (cum_conn) instead of sessions while servers count sessions and not connections. Over the long term, some extra cleanups may be performed by having some counters update functions touching both the server and backend at the same time, as well as both the frontend and listener, to ensure that all sides have all their stats properly filled. The stats dump will also be able to factor the dump functions by counter types.
2016-11-25 08:44:52 -05:00
listener->counters = calloc(1, sizeof(*listener->counters));
MAJOR: counters: add shared counters base infrastructure Shareable counters are not tagged as shared counters and are dynamically allocated in separate memory area as a prerequisite for being stored in shared memory area. For now, GUID and threads groups are not taken into account, this is only a first step. also we ensure all counters are now manipulated using atomic operations, namely, "last_change" counter is now read from and written to using atomic ops. Despite the numerous changes caused by the counters being moved away from counters struct, no change of behavior should be expected.
2025-04-08 12:16:38 -04:00
if (listener->counters) {
MEDIUM: counters: manage shared counters using dedicated helpers proxies, listeners and server shared counters are now managed via helpers added in one of the previous commits. When guid is not set (ie: when not yet assigned), shared counters pointer is allocated using calloc() (local memory) and a flag is set on the shared counters struct to know how to manipulate (and free it). Else if guid is set, then it means that the counters may be shared so while for now we don't actually use a shared memory location the API is ready for that. The way it works, for proxies and servers (for which guid is not known during creation), we first call counters_{fe,be}_shared_get with guid not set, which results in local pointer being retrieved (as if we just manually called calloc() to retrieve a pointer). Later (during postparsing) if guid is set we try to upgrade the pointer from local to shared. Lastly, since the memory location for some objects (proxies and servers counters) may change from creation to postparsing, let's update counters->last_change member directly under counters_{fe,be}_shared_get() so we don't miss it. No change of behavior is expected, this is only preparation work.
2025-05-07 17:42:04 -04:00
listener->counters->shared = counters_fe_shared_get(&listener->guid);
MAJOR: counters: add shared counters base infrastructure Shareable counters are not tagged as shared counters and are dynamically allocated in separate memory area as a prerequisite for being stored in shared memory area. For now, GUID and threads groups are not taken into account, this is only a first step. also we ensure all counters are now manipulated using atomic operations, namely, "last_change" counter is now read from and written to using atomic ops. Despite the numerous changes caused by the counters being moved away from counters struct, no change of behavior should be expected.
2025-04-08 12:16:38 -04:00
if (!listener->counters->shared) {
ha_free(&listener->counters);
ha_alert("config: %s '%s': out of memory.\n",
proxy_type_str(curproxy), curproxy->id);
}
}
MEDIUM: make the trash be a chunk instead of a char * The trash is used everywhere to store the results of temporary strings built out of s(n)printf, or as a storage for a chunk when chunks are needed. Using global.tune.bufsize is not the most convenient thing either. So let's replace trash with a chunk and directly use it as such. We can then use trash.size as the natural way to get its size, and get rid of many intermediary chunks that were previously used. The patch is huge because it touches many areas but it makes the code a lot more clear and even outlines places where trash was used without being that obvious.
2012-10-29 11:51:55 -04:00
if (!listener->name)
memprintf(&listener->name, "sock-%d", listener->luid);
[MEDIUM] Collect & provide separate statistics for sockets, v2 This patch allows to collect & provide separate statistics for each socket. It can be very useful if you would like to distinguish between traffic generate by local and remote users or between different types of remote clients (peerings, domestic, foreign). Currently no "Session rate" is supported, but adding it should be possible if we found it useful.
2009-10-04 09:43:17 -04:00
}
MINOR: ssl: set the listeners' data layer to ssl during parsing It's better to set all listeners to ssl_sock when seeing the "ssl" keyword that to loop on all of them afterwards just for this. This also removes some #ifdefs.
2012-09-22 13:11:47 -04:00
MINOR: quic: define QUIC flag on listener Mark QUIC listeners with the flag LI_F_QUIC_LISTENER. It is set by the proto-quic layer on the add listener callback. This allows to override more clearly the accept callback on quic_session_accept.
2022-01-25 11:48:47 -05:00
#ifdef USE_QUIC
MINOR: listener: remove the now useless LI_F_QUIC_LISTENER flag This flag is only used to tag a QUIC listener, which we now know by its bind_conf's xprt as well. It's only used to decide whether or not to perform an extra initialization step on the listener. Let's drop it as well as the flags field. With the various fields and options moved, the listener struct reduced by 48 bytes total.
2023-01-12 14:20:57 -05:00
if (listener->bind_conf->xprt == xprt_get(XPRT_QUIC)) {
MEDIUM: quic: count quic_conn instance for maxconn Increment actconn and check maxconn limit when a quic_conn is instantiated. This is necessary because prior to this patch, quic_conn instances where not counted. Global actconn was only incremented after the handshake has been completed and the connection structure is allocated. The increment is done using increment_actconn() on INITIAL packet parsing if a new connection is about to be created. If the limit is reached, the allocation is cancelled and the INITIAL packet is dropped. The decrement is done under quic_conn_release(). This means that quic_cc_conn instances are not taken into account. This seems safe enough because quic_cc_conn are only used for minimal usage. The counterpart of this change is that maxconn must not be checked a second time when listener_accept() is done over a QUIC connection. For this, a new bind_conf flag BC_O_XPRT_MAXCONN is set for listeners when maxconn is already counted by the lower layer. For the moment, it is positionned only for QUIC listeners. Without this patch, haproxy process could suffer from heavy memory/CPU load if the number of concurrent handshake is high. This patch is not considered a bug fix per-se. However, it has a major benefit to protect against too many QUIC handshakes. As such, it should be backported up to 2.6. For this, it relies on the following patch : "MINOR: frontend: implement a dedicated actconn increment function"
2023-10-25 04:52:23 -04:00
/* quic_conn are counted against maxconn. */
listener->bind_conf->options |= BC_O_XPRT_MAXCONN;
MEDIUM: quic: limit handshake per listener Implement a limit per listener for concurrent number of QUIC connections. When reached, INITIAL packets for new connections are automatically dropped until the number of handshakes is reduced. The limit value is automatically based on listener backlog, which itself defaults to maxconn. This feature is important to ensure CPU and memory resources are not consume if too many handshakes attempt are started in parallel. Special care is taken if a connection is released before handshake completion. In this case, counter must be decremented. This forces to ensure that member <qc.state> is set early in qc_new_conn() before any quic_conn_release() invocation.
2023-11-06 10:34:38 -05:00
listener->rx.quic_curr_handshake = 0;
MEDIUM: quic: define an accept queue limit QUIC connections are pushed manually into a dedicated listener queue when they are ready to be accepted. This happens after handshake finalization or on 0-RTT packet reception. Listener is then woken up to dequeue them with listener_accept(). This patch comptabilizes the number of connections currently stored in the accept queue. If reaching a certain limit, INITIAL packets are dropped on reception to prevent further QUIC connections allocation. This should help to preserve system resources. This limit is automatically derived from the listener backlog. Half of its value is reserved for handshakes and the other half for accept queues. By default, backlog is equal to maxconn which guarantee that there can't be no more than maxconn connections in handshake or waiting to be accepted.
2023-11-08 08:29:31 -05:00
listener->rx.quic_curr_accept = 0;
MEDIUM: quic: count quic_conn instance for maxconn Increment actconn and check maxconn limit when a quic_conn is instantiated. This is necessary because prior to this patch, quic_conn instances where not counted. Global actconn was only incremented after the handshake has been completed and the connection structure is allocated. The increment is done using increment_actconn() on INITIAL packet parsing if a new connection is about to be created. If the limit is reached, the allocation is cancelled and the INITIAL packet is dropped. The decrement is done under quic_conn_release(). This means that quic_cc_conn instances are not taken into account. This seems safe enough because quic_cc_conn are only used for minimal usage. The counterpart of this change is that maxconn must not be checked a second time when listener_accept() is done over a QUIC connection. For this, a new bind_conf flag BC_O_XPRT_MAXCONN is set for listeners when maxconn is already counted by the lower layer. For the moment, it is positionned only for QUIC listeners. Without this patch, haproxy process could suffer from heavy memory/CPU load if the number of concurrent handshake is high. This patch is not considered a bug fix per-se. However, it has a major benefit to protect against too many QUIC handshakes. As such, it should be backported up to 2.6. For this, it relies on the following patch : "MINOR: frontend: implement a dedicated actconn increment function"
2023-10-25 04:52:23 -04:00
MINOR: quic+openssl_compat: Do not start without "limited-quic" Add a check for limited-quic in check_config_validity() when compiled with USE_QUIC_OPENSSL_COMPAT so that we prevent a config from starting accidentally with limited QUIC support. If a QUIC listener is found when using the compatibility mode and limited-quic is not set, an error message is reported explaining that the SSL library is not compatible and proposing the user to enable limited-quic if that's what they want, and the startup fails. This partially reverts commit 7c730803d ("MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic"") since a warning was not sufficient.
2023-08-17 04:15:09 -04:00
# ifdef USE_QUIC_OPENSSL_COMPAT
/* store the last checked bind_conf in bind_conf */
if (!(global.tune.options & GTUNE_NO_QUIC) &&
!(global.tune.options & GTUNE_LIMITED_QUIC) &&
listener->bind_conf != bind_conf) {
bind_conf = listener->bind_conf;
ha_alert("Binding [%s:%d] for %s %s: this SSL library does not support the "
"QUIC protocol. A limited compatibility layer may be enabled using "
"the \"limited-quic\" global option if desired.\n",
listener->bind_conf->file, listener->bind_conf->line,
proxy_type_str(curproxy), curproxy->id);
cfgerr++;
}
# endif
MINOR: quic: remove unnecessary quic_session_accept() A specialized listener accept was previously used for QUIC. This is now unneeded and we can revert to the default one session_accept_fd(). One change of importance is that the call order between conn_xprt_start() and conn_complete_session() is now reverted to the default one. This means that MUX instance is now NULL during qc_xprt_start() and its app-ops layer cannot be set here. This operation has been delayed to qc_init() to prevent a segfault. This should be backported up to 2.6.
2022-09-29 12:31:24 -04:00
MINOR: listener: define per-thr struct Create a new structure li_per_thread. This is uses as an array in the listener structure, with an entry allocated per thread. The new function li_init_per_thr is responsible of the allocation. For now, li_per_thread contains fields only useful for QUIC listeners. As such, it is only allocated for QUIC listeners.
2022-01-25 10:21:47 -05:00
li_init_per_thr(listener);
}
MINOR: quic: define QUIC flag on listener Mark QUIC listeners with the flag LI_F_QUIC_LISTENER. It is set by the proto-quic layer on the add listener callback. This allows to override more clearly the accept callback on quic_session_accept.
2022-01-25 11:48:47 -05:00
#endif
[MAJOR] create proto_tcp and move initialization of proxy listeners Proxy listeners were very special and not very easy to manipulate. A proto_tcp file has been created with all that is required to manage TCPv4/TCPv6 as raw protocols, and provide generic listeners. The code of start_proxies() and maintain_proxies() now looks less like spaghetti. Also, event_accept will need a serious lifting in order to use more of the information provided by the listener.
2007-10-28 20:09:36 -04:00
}
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
/* Release unused SSL configs */
list_for_each_entry(bind_conf, &curproxy->conf.bind, by_fe) {
CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL The new flag will now replace this boolean variable that was only set and tested.
2022-05-20 09:56:32 -04:00
if (!(bind_conf->options & BC_O_USE_SSL) && bind_conf->xprt->destroy_bind_conf)
MINOR: ssl_sock: implement ssl_sock_destroy_bind_conf() Instead of hard-coding all SSL destruction in cfgparse.c and haproxy.c, we now register this new function as the transport layer's destroy_bind_conf() and call it only when defined. This removes some non-obvious SSL-specific code and #ifdefs from cfgparse.c and haproxy.c
2016-12-22 11:30:54 -05:00
bind_conf->xprt->destroy_bind_conf(bind_conf);
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
}
MEDIUM: config: centralize handling of SSL config per bind line SSL config holds many parameters which are per bind line and not per listener. Let's use a per-bind line config instead of having it replicated for each listener. At the moment we only do this for the SSL part but this should probably evolved to handle more of the configuration and maybe even the state per bind line.
2012-09-07 10:58:00 -04:00
[MAJOR] proxy: finally get rid of maintain_proxies() This function is finally not needed anymore, as it has been replaced with a per-proxy task that is scheduled when some limits are encountered on incoming connections or when the process is stopping. The savings should be noticeable on configs with a large number of proxies. The most important point is that the rate limiting is now enforced in a clean and solid way.
2011-07-25 10:33:49 -04:00
/* create the task associated with the proxy */
MINOR: task: provide 3 task_new_* wrappers to simplify the API We'll need to improve the API to pass other arguments in the future, so let's start to adapt better to the current use cases. task_new() is used: - 18 times as task_new(tid_bit) - 18 times as task_new(MAX_THREADS_MASK) - 2 times with a single bit (in a loop) - 1 in the debug code that uses a mask This patch provides 3 new functions to achieve this: - task_new_here() to create a task on the calling thread - task_new_anywhere() to create a task to be run anywhere - task_new_on() to create a task to run on a specific thread The change is trivial and will allow us to later concentrate the required adaptations to these 3 functions only. It's still possible to call task_new() if needed but a comment was added to encourage the use of the new ones instead. The debug code was not changed and still uses it.
2021-10-01 12:23:30 -04:00
curproxy->task = task_new_anywhere();
[MAJOR] proxy: finally get rid of maintain_proxies() This function is finally not needed anymore, as it has been replaced with a per-proxy task that is scheduled when some limits are encountered on incoming connections or when the process is stopping. The savings should be noticeable on configs with a large number of proxies. The most important point is that the rate limiting is now enforced in a clean and solid way.
2011-07-25 10:33:49 -04:00
if (curproxy->task) {
curproxy->task->context = curproxy;
curproxy->task->process = manage_proxy;
MINOR: proxy: Add PR_FL_READY flag on fully configured and usable proxies The PR_FL_READY flags must now be set on a proxy at the end of the configuration validity check to notify it is fully configured and may be safely used. For now there is no real usage of this flag. But it will be usefull for referenced default proxies to finish their configuration only once. This patch is mandatory to support TCP/HTTP rules in defaults sections.
2021-10-13 04:10:09 -04:00
curproxy->flags |= PR_FL_READY;
[MAJOR] proxy: finally get rid of maintain_proxies() This function is finally not needed anymore, as it has been replaced with a per-proxy task that is scheduled when some limits are encountered on incoming connections or when the process is stopping. The savings should be noticeable on configs with a large number of proxies. The most important point is that the rate limiting is now enforced in a clean and solid way.
2011-07-25 10:33:49 -04:00
} else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': no more memory when trying to allocate the management task\n",
curproxy->id);
[MAJOR] proxy: finally get rid of maintain_proxies() This function is finally not needed anymore, as it has been replaced with a per-proxy task that is scheduled when some limits are encountered on incoming connections or when the process is stopping. The savings should be noticeable on configs with a large number of proxies. The most important point is that the rate limiting is now enforced in a clean and solid way.
2011-07-25 10:33:49 -04:00
cfgerr++;
}
MEDIUM: config: make the frontends automatically bind to the listeners' processes When a frontend does not have any bind-process directive, make it automatically bind to the union of all of its listeners' processes instead of binding to all processes. That will make it possible to have the expected behaviour without having to explicitly specify a bind-process directive. Note that if the listeners are not bound to a specific process, the default is still to bind to all processes. This change could be backported to 1.5 as it simplifies process management, and was planned to be done during the 1.5 development phase.
2014-09-16 07:21:03 -04:00
}
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
/*
* We have just initialized the main proxies list
* we must also configure the log-forward proxies list
*/
if (init_proxies_list == proxies_list) {
init_proxies_list = cfg_log_forward;
BUG/MAJOR: mworker: fix infinite loop on master with no proxies. The master is re-exec with an empty proxies list if no master CLI is configured. This results in infinite loop since last patch: 3b68b602 ("BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized") This patch avoid to loop again on log-forward proxies list if empty. This patch should be backported until v2.3
2022-08-22 04:25:11 -04:00
/* check if list is not null to avoid infinite loop */
if (init_proxies_list)
goto init_proxies_list_stage2;
BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized Some initialisation for log forward proxies was missing such as ssl configuration on 'log-forward's 'bind' lines. After the loop on the proxy initialization code for proxies present in the main proxies list, this patch force to loop again on this code for proxies present in the log forward proxies list. Those two lists should be merged. This will be part of a global re-work of proxy initialization including peers proxies and resolver proxies. This patch was made in first attempt to fix the bug and to facilitate the backport on older branches waiting for a cleaner re-work on proxies initialization on the dev branch. This patch should be backported as far as 2.3.
2022-08-18 09:53:21 -04:00
}
MINOR: proxies: Do stage2 initialization for sinks too In check_config_validity(), we initialize the proxy in several stages. We do so for the sink list for stage1, but not for stage2. It may not be needed right now, but it may become needed in the future, so do it anyway.
2025-04-17 11:16:44 -04:00
if (init_proxies_list == cfg_log_forward) {
init_proxies_list = sink_proxies_list;
/* check if list is not null to avoid infinite loop */
if (init_proxies_list)
goto init_proxies_list_stage2;
}
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
/*
* Recount currently required checks.
*/
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
for (curproxy=proxies_list; curproxy; curproxy=curproxy->next) {
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
int optnum;
[MEDIUM] splice: add configuration options and set global.maxpipes Three new options have been added when CONFIG_HAP_LINUX_SPLICE is set : - splice-request - splice-response - splice-auto They are used to enable splicing per frontend/backend. They are also supported in defaults sections. The "splice-auto" option is meant to automatically turn splice on for buffers marked as fast streamers. This should save quite a bunch of file descriptors. It was required to add a new "options2" field to the proxy structure because the original "options" is full. When global.maxpipes is not set, it is automatically adjusted to the max of the sums of all frontend's and backend's maxconns for those which have at least one splice option enabled.
2009-01-18 15:44:07 -05:00
for (optnum = 0; cfg_opts[optnum].name; optnum++)
if (curproxy->options & cfg_opts[optnum].val)
global.last_checks |= cfg_opts[optnum].checks;
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
[MEDIUM] splice: add configuration options and set global.maxpipes Three new options have been added when CONFIG_HAP_LINUX_SPLICE is set : - splice-request - splice-response - splice-auto They are used to enable splicing per frontend/backend. They are also supported in defaults sections. The "splice-auto" option is meant to automatically turn splice on for buffers marked as fast streamers. This should save quite a bunch of file descriptors. It was required to add a new "options2" field to the proxy structure because the original "options" is full. When global.maxpipes is not set, it is automatically adjusted to the max of the sums of all frontend's and backend's maxconns for those which have at least one splice option enabled.
2009-01-18 15:44:07 -05:00
for (optnum = 0; cfg_opts2[optnum].name; optnum++)
if (curproxy->options2 & cfg_opts2[optnum].val)
global.last_checks |= cfg_opts2[optnum].checks;
[MEDIUM]: Inversion for options This patch adds a possibility to invert most of available options by introducing the "no" keyword, available as an additional prefix. If it is found arguments are shifted left and an additional flag (inv) is set. It allows to use all options from a current defaults section, except the selected ones, for example: -- cut here -- defaults contimeout 4200 clitimeout 50000 srvtimeout 40000 option contstats listen stats 1.2.3.4:80 no option contstats -- cut here -- Currenly inversion works only with the "option" keyword. The patch also moves last_checks calculation at the end of the readcfgfile() function and changes "PR_O_FORCE_CLO | PR_O_HTTP_CLOSE" into "PR_O_FORCE_CLO" in cfg_opts so it is possible to invert forceclose without breaking httpclose (and vice versa) and to invert tcpsplice in one proxy but to keep a proper last_checks value when tcpsplice is used in another proxy. Now, the code checks for PR_O_FORCE_CLO everywhere it checks for PR_O_HTTP_CLOSE. I also decided to depreciate "redisp" and "redispatch" keywords as it is IMHO better to use "option redispatch" which can be inverted. Some useful documentation were added and at the same time I sorted (alfabetically) all valid options both in the code and the documentation.
2007-12-24 20:40:22 -05:00
}
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
if (cfg_peers) {
struct peers *curpeers = cfg_peers, **last;
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
struct peer *p, *pb;
MEDIUM: config: validate that peers sections are bound to exactly one process If a peers section is bound to no process, it's silently discarded. If its bound to multiple processes, an error is emitted and the process will not start.
2015-05-01 13:15:17 -04:00
/* Remove all peers sections which don't have a valid listener,
* which are not used by any table, or which are bound to more
* than one process.
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
*/
BUG/MINOR: peers: peer synchronization issue (with several peers sections). When several stick-tables were configured with several peers sections, only a part of them could be synchronized: the ones attached to the last parsed 'peers' section. This was due to the fact that, at least, the peer I/O handler refered to the wrong peer section list, in fact always the same: the last one parsed. The fact that the global peer section list was named "struct peers *peers" lead to this issue. This variable name is dangerous ;). So this patch renames global 'peers' variable to 'cfg_peers' to ensure that no such wrong references are still in use, then all the functions wich used old 'peers' variable have been modified to refer to the correct peer list. Must be backported to 1.6 and 1.7.
2017-07-13 03:07:09 -04:00
last = &cfg_peers;
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
while (*last) {
MINOR: peers: Support for peer shards Add "shards" new keyword for "peers" section to configure the number of peer shards attached to such secions. This impact all the stick-tables attached to the section. Add "shard" new "server" parameter to configure the peers which participate to all the stick-tables contents distribution. Each peer receive the stick-tables updates only for keys with this shard value as distribution hash. The "shard" value is stored in ->shard new server struct member. cfg_parse_peers() which is the function which is called to parse all the lines of a "peers" section is modified to parse the "shards" parameter stored in ->nb_shards new peers struct member. Add srv_parse_shard() new callback into server.c to pare the "shard" parameter. Implement stksess_getkey_hash() to compute the distribution hash for a stick-table key as the 64-bits xxhash of the key concatenated to the stick-table name. This function is called by stksess_setkey_shard(), itself called by the already implemented function which create a new stick-table key (stksess_new()). Add ->idlen new stktable struct member to store the stick-table name length to not have to compute it each time a stick-table key hash is computed.
2022-10-17 08:58:19 -04:00
struct peer *peer;
BUG/MINOR: peers: Use after free of "peers" section. When a "peers" section has not any local peer, it is removed of the list of "peers" sections by check_config_validity(). But a stick-table which refers to a "peers" section stores a pointer to this peers section. These pointer must be reset to NULL value for each stick-table refering to such a "peers" section to prevent stktable_init() to start the peers frontend attached to the peers section dereferencing the invalid pointer. Furthemore this patch stops the peers frontend as this is done for other configurations invalidated by check_config_validity(). Thank you to Olivier D for having reported this issue with such a simple configuration file which made haproxy crash when started with -c option for configuration file validation. defaults mode http peers mypeers peer toto 127.0.0.1:1024 backend test stick-table type ip size 10k expire 1h store http_req_rate(1h) peers mypeers Must be backported to 2.1 and 2.0.
2020-03-24 15:08:30 -04:00
struct stktable *t;
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
curpeers = *last;
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
CLEANUP: peers: don't use the PR_ST* states to mark enabled/disabled The enabled/disabled config options were stored into a "state" field that is an integer but contained only PR_STNEW or PR_STSTOPPED, which is a bit confusing, and causes a dependency with proxies. This was renamed to "disabled" and is used as a boolean. The field was also moved to the end of the struct to stop creating a hole and fill another one.
2020-09-24 02:48:08 -04:00
if (curpeers->disabled) {
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
/* the "disabled" keyword was present */
if (curpeers->peers_fe)
stop_proxy(curpeers->peers_fe);
curpeers->peers_fe = NULL;
}
BUG/MINOR: peers: crash on reload without local peer. When we configure a "peers" section without local peer, this makes haproxy old process crash on reload. Such a configuration file allows to reproduce this issue: global stats socket /tmp/sock1 mode 666 level admin stats timeout 10s peers peers peer localhost 127.0.0.1:1024 This bug was introduced by this commit: "MINOR: cfgparse: Make "peer" lines be parsed as "server" lines" This commit introduced a new condition to detect a "peers" section without local peer. This is a "peers" section with a frontend struct which has no ->id initialized member. Such a "peers" section must be removed. This patch adds this new condition to remove such peers sections without local peer as this was always done before. Must be backported to 2.0.
2019-10-04 02:30:04 -04:00
else if (!curpeers->peers_fe || !curpeers->peers_fe->id) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Removing incomplete section 'peers %s' (no peer named '%s').\n",
curpeers->id, localpeer);
BUG/MINOR: peers: Use after free of "peers" section. When a "peers" section has not any local peer, it is removed of the list of "peers" sections by check_config_validity(). But a stick-table which refers to a "peers" section stores a pointer to this peers section. These pointer must be reset to NULL value for each stick-table refering to such a "peers" section to prevent stktable_init() to start the peers frontend attached to the peers section dereferencing the invalid pointer. Furthemore this patch stops the peers frontend as this is done for other configurations invalidated by check_config_validity(). Thank you to Olivier D for having reported this issue with such a simple configuration file which made haproxy crash when started with -c option for configuration file validation. defaults mode http peers mypeers peer toto 127.0.0.1:1024 backend test stick-table type ip size 10k expire 1h store http_req_rate(1h) peers mypeers Must be backported to 2.1 and 2.0.
2020-03-24 15:08:30 -04:00
if (curpeers->peers_fe)
stop_proxy(curpeers->peers_fe);
curpeers->peers_fe = NULL;
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
}
else {
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
/* Initializes the transport layer of the server part of all the peers belonging to
* <curpeers> section if required.
* Note that ->srv is used by the local peer of a new process to connect to the local peer
* of an old process.
*/
MINOR: proxy: Add PR_FL_READY flag on fully configured and usable proxies The PR_FL_READY flags must now be set on a proxy at the end of the configuration validity check to notify it is fully configured and may be safely used. For now there is no real usage of this flag. But it will be usefull for referenced default proxies to finish their configuration only once. This patch is mandatory to support TCP/HTTP rules in defaults sections.
2021-10-13 04:10:09 -04:00
curpeers->peers_fe->flags |= PR_FL_READY;
MINOR: peers: Make outgoing connection to SSL/TLS peers work. This patch adds pointer to a struct server to peer structure which is initialized after having parsed a remote "peer" line. After having parsed all peers section we run ->prepare_srv to initialize all SSL/TLS stuff of remote perr (or server). Remaining thing to do to completely support peer protocol over SSL/TLS: make "bind" keyword be supported in "peers" sections to make SSL/TLS incoming connections to local peers work. May be backported to 1.5 and newer.
2018-04-26 08:35:21 -04:00
p = curpeers->remote;
while (p) {
BUG/MINOR: peers: Improve detection of config errors in peers sections There are several misuses in peers sections that are not detected during the configuration parsing and that could lead to undefined behaviors or crashes. First, only one listener is expected for a peers section. If several bind lines or local peer definitions are used, an error is triggered. However, if multiple addresses are set on the same bind line, there is no error while only the last listener is properly configured. On the 2.8, there is no crash but side effects are hardly predictable. On older version, HAProxy crashes if an unconfigured listener is used. Then, there is no check on remote peers name. It is unexpected to have same name for several remote peers. There is now a test, performed during the post-parsing, to verify all remote peer names are unique. Finally, server parsing options for the peers sections are changed to be sure a port is always defined, and not a port range or a port offset. This patch fixes the issue #2066. It could be backported to all stable versions.
2023-06-02 08:10:36 -04:00
struct peer *other_peer;
for (other_peer = curpeers->remote; other_peer && other_peer != p; other_peer = other_peer->next) {
if (strcmp(other_peer->id, p->id) == 0) {
ha_alert("Peer section '%s' [%s:%d]: another peer named '%s' was already defined at line %s:%d, please use distinct names.\n",
curpeers->peers_fe->id,
p->conf.file, p->conf.line,
other_peer->id, other_peer->conf.file, other_peer->conf.line);
cfgerr++;
break;
}
}
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
if (p->srv) {
BUG/MINOR: checks: Respect the no-check-ssl option This options is used to force a non-SSL connection to check a SSL server or to invert a check-ssl option inherited from the default section. The use_ssl field in the check structure is used to know if a SSL connection must be used (use_ssl=1) or not (use_ssl=0). The server configuration is used by default. The problem is that we cannot distinguish the default case (no specific SSL check option) and the case of an explicit non-SSL check. In both, use_ssl is set to 0. So the server configuration is always used. For a SSL server, when no-check-ssl option is set, the check is still performed using a SSL configuration. To fix the bug, instead of a boolean value (0=TCP, 1=SSL), we use a ternary value : * 0 = use server config * 1 = force SSL * -1 = force non-SSL The same is done for the server parameter. It is not really necessary for now. But it is a good way to know is the server no-ssl option is set. In addition, the PR_O_TCPCHK_SSL proxy option is no longer used to set use_ssl to 1 for a check. Instead the flag is directly tested to prepare or destroy the server SSL context. This patch should be backported as far as 1.8.
2020-03-27 13:55:49 -04:00
if (p->srv->use_ssl == 1 && xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv)
MINOR: cfgparse: SSL/TLS binding in "peers" sections. Make "bind" keywork be supported in "peers" sections. All "bind" settings are supported on this line. Add "default-bind" option to parse the binding options excepted the bind address. Do not parse anymore the bind address for local peers on "server" lines. Do not use anymore list_for_each_entry() to set the "peers" section listener parameters because there is only one listener by "peers" section. May be backported to 1.5 and newer.
2019-01-11 08:06:12 -05:00
cfgerr += xprt_get(XPRT_SSL)->prepare_srv(p->srv);
}
MINOR: peers: Make outgoing connection to SSL/TLS peers work. This patch adds pointer to a struct server to peer structure which is initialized after having parsed a remote "peer" line. After having parsed all peers section we run ->prepare_srv to initialize all SSL/TLS stuff of remote perr (or server). Remaining thing to do to completely support peer protocol over SSL/TLS: make "bind" keyword be supported in "peers" sections to make SSL/TLS incoming connections to local peers work. May be backported to 1.5 and newer.
2018-04-26 08:35:21 -04:00
p = p->next;
}
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
/* Configure the SSL bindings of the local peer if required. */
if (!LIST_ISEMPTY(&curpeers->peers_fe->conf.bind)) {
struct list *l;
struct bind_conf *bind_conf;
MEDIUM: peers: call bind_complete_thread_setup() to finish the config The listeners in peers sections were still not handing the thread groups fine. Shards were silently ignored and if a listener was bound to more than one group, it would simply fail. Now we can call the dedicated function to resolve all this and possibly create the missing extra listeners. bind_complete_thread_setup() was adjusted to use the proxy_type_str() instead of writing "proxy" at the only place where this word was still hard-coded so that we continue to speak about peers sections when relevant.
2023-04-22 17:52:17 -04:00
int ret;
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
l = &curpeers->peers_fe->conf.bind;
bind_conf = LIST_ELEM(l->n, typeof(bind_conf), by_fe);
BUG/MEDIUM: peers/config: properly set the thread mask The peers didn't have their bind_conf thread mask nor group set, because they're still not part of the global proxy list. Till 2.6 it seems it does not have any visible impact, since most listener-oriented operations pass through thread_mask() which detects null masks and turns them to all_threads_mask. But starting with 2.7 it becomes a problem as won't permit these null masks anymore. This patch duplicates (yes, sorry) the loop that applies to the frontend's bind_conf, though it is simplified (no sharding, etc). As the code is right now, it simply seems impossible to trigger the second (and largest) part of the check when leaving thread_resolve_group_mask() on success, so it looks like it might be removed. No backport is needed, unless a report in 2.6 or earlier mentions an issue with a null thread_mask.
2022-07-05 10:00:56 -04:00
MINOR: peers: Add a warning about incompatible SSL config for the local peer In peers section, it is possible to enable SSL for the local peer. In this case, the bind line and the server line should both be configured. A "default-server" directive may also be used to configure the SSL on the server side. However there is no test to be sure the SSL is enabled on both sides. It is an problem because the local resync performed during a reload will be impossible and it is probably not the expected behavior. So, it is now checked during the configuration validation. A warning message is displayed if the SSL is not properly configured for the local peer. This patch is related to issue #1799. It should probably be backported to 2.6.
2022-07-26 13:03:51 -04:00
if (curpeers->local->srv) {
if (curpeers->local->srv->use_ssl == 1 && !(bind_conf->options & BC_O_USE_SSL)) {
ha_warning("Peers section '%s': local peer have a non-SSL listener and a SSL server configured at line %s:%d.\n",
curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
}
else if (curpeers->local->srv->use_ssl != 1 && (bind_conf->options & BC_O_USE_SSL)) {
ha_warning("Peers section '%s': local peer have a SSL listener and a non-SSL server configured at line %s:%d.\n",
curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
}
}
MEDIUM: peers: call bind_complete_thread_setup() to finish the config The listeners in peers sections were still not handing the thread groups fine. Shards were silently ignored and if a listener was bound to more than one group, it would simply fail. Now we can call the dedicated function to resolve all this and possibly create the missing extra listeners. bind_complete_thread_setup() was adjusted to use the proxy_type_str() instead of writing "proxy" at the only place where this word was still hard-coded so that we continue to speak about peers sections when relevant.
2023-04-22 17:52:17 -04:00
/* finish the bind setup */
ret = bind_complete_thread_setup(bind_conf, &err_code);
if (ret != 0) {
cfgerr += ret;
if (err_code & ERR_FATAL)
goto out;
BUG/MEDIUM: peers/config: properly set the thread mask The peers didn't have their bind_conf thread mask nor group set, because they're still not part of the global proxy list. Till 2.6 it seems it does not have any visible impact, since most listener-oriented operations pass through thread_mask() which detects null masks and turns them to all_threads_mask. But starting with 2.7 it becomes a problem as won't permit these null masks anymore. This patch duplicates (yes, sorry) the loop that applies to the frontend's bind_conf, though it is simplified (no sharding, etc). As the code is right now, it simply seems impossible to trigger the second (and largest) part of the check when leaving thread_resolve_group_mask() on success, so it looks like it might be removed. No backport is needed, unless a report in 2.6 or earlier mentions an issue with a null thread_mask.
2022-07-05 10:00:56 -04:00
}
BUG/MEDIUM: peers: Missing peer initializations. Initialize ->srv peer field for all the peers, the local peer included. Indeed, a haproxy process needs to connect to the local peer of a remote process. Furthermore, when a "peer" or "server" line is parsed by parse_server() the address must be copied to ->addr field of the peer object only if this address has been also parsed by parse_server(). This is not the case if this address belongs to the local peer and is provided on a "server" line. After having parsed the "peer" or "server" lines of a peer sections, the ->srv part of all the peer must be initialized for SSL, if enabled. Same thing for the binding part. Revert 1417f0b commit which is no more required. No backport is needed, this is purely 2.0.
2019-02-12 13:12:32 -05:00
if (bind_conf->xprt->prepare_bind_conf &&
bind_conf->xprt->prepare_bind_conf(bind_conf) < 0)
cfgerr++;
}
MINOR: peers: Make peers protocol support new "server_name" data type. Make usage of the APIs implemented for dictionaries (dict.c) and their LRU caches (struct dcache) so that to send/receive server names used for the server by name stickiness. These names are sent over the network as follows: - in every case we send the encode length of the data (STD_T_DICT), then - if the server names is not present in the cache used upon transmission (struct dcache_tx) we cache it and we the ID of this TX cache entry followed the encode length of the server name, and finally the sever name itseft (non NULL terminated string). - if the server name is present, we repead these operations but we only send the TX cache entry ID. Upon receipt, the couple of (cache IDs, server name) are stored the LRU cache used only upon receipt (struct dcache_rx). As the peers protocol is symetrical, the fact that the server name is present in the received data (resp. or not) denotes if the entry is absent (resp. or not).
2019-05-20 12:22:52 -04:00
if (!peers_init_sync(curpeers) || !peers_alloc_dcache(curpeers)) {
BUILD: peers: check allocation error during peers_init_sync() peers_init_sync() doesn't check task_new()'s return value and doesn't return any result to indicate success or failure. Let's make it return an int and check it from the caller. This can be backported as far as 1.6.
2018-10-15 05:18:03 -04:00
ha_alert("Peers section '%s': out of memory, giving up on peers.\n",
curpeers->id);
cfgerr++;
break;
}
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
last = &curpeers->next;
MINOR: peers: Support for peer shards Add "shards" new keyword for "peers" section to configure the number of peer shards attached to such secions. This impact all the stick-tables attached to the section. Add "shard" new "server" parameter to configure the peers which participate to all the stick-tables contents distribution. Each peer receive the stick-tables updates only for keys with this shard value as distribution hash. The "shard" value is stored in ->shard new server struct member. cfg_parse_peers() which is the function which is called to parse all the lines of a "peers" section is modified to parse the "shards" parameter stored in ->nb_shards new peers struct member. Add srv_parse_shard() new callback into server.c to pare the "shard" parameter. Implement stksess_getkey_hash() to compute the distribution hash for a stick-table key as the 64-bits xxhash of the key concatenated to the stick-table name. This function is called by stksess_setkey_shard(), itself called by the already implemented function which create a new stick-table key (stksess_new()). Add ->idlen new stktable struct member to store the stick-table name length to not have to compute it each time a stick-table key hash is computed.
2022-10-17 08:58:19 -04:00
/* Ignore the peer shard greater than the number of peer shard for this section.
* Also ignore the peer shard of the local peer.
*/
for (peer = curpeers->remote; peer; peer = peer->next) {
if (peer == curpeers->local) {
if (peer->srv->shard) {
ha_warning("Peers section '%s': shard ignored for '%s' local peer\n",
curpeers->id, peer->id);
peer->srv->shard = 0;
}
}
else if (peer->srv->shard > curpeers->nb_shards) {
ha_warning("Peers section '%s': shard ignored for '%s' local peer because "
"%d shard value is greater than the section number of shards (%d)\n",
curpeers->id, peer->id, peer->srv->shard, curpeers->nb_shards);
peer->srv->shard = 0;
}
}
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
continue;
}
MEDIUM: peers: add the ability to disable a peers section Sometimes it's very hard to disable the use of peers because an empty section is not valid, so it is necessary to comment out all references to the section, and not to forget to restore them in the same state after the operation. Let's add a "disabled" keyword just like for proxies. A ->state member in the peers struct is even present for this purpose but was never used at all. Maybe it would make sense to backport this to 1.5 as it's really cumbersome there.
2015-05-01 14:02:17 -04:00
/* clean what has been detected above */
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
p = curpeers->remote;
while (p) {
pb = p->next;
free(p->id);
free(p);
p = pb;
}
/* Destroy and unlink this curpeers section.
* Note: curpeers is backed up into *last.
*/
free(curpeers->id);
curpeers = curpeers->next;
BUG/MINOR: peers: Use after free of "peers" section. When a "peers" section has not any local peer, it is removed of the list of "peers" sections by check_config_validity(). But a stick-table which refers to a "peers" section stores a pointer to this peers section. These pointer must be reset to NULL value for each stick-table refering to such a "peers" section to prevent stktable_init() to start the peers frontend attached to the peers section dereferencing the invalid pointer. Furthemore this patch stops the peers frontend as this is done for other configurations invalidated by check_config_validity(). Thank you to Olivier D for having reported this issue with such a simple configuration file which made haproxy crash when started with -c option for configuration file validation. defaults mode http peers mypeers peer toto 127.0.0.1:1024 backend test stick-table type ip size 10k expire 1h store http_req_rate(1h) peers mypeers Must be backported to 2.1 and 2.0.
2020-03-24 15:08:30 -04:00
/* Reset any refereance to this peers section in the list of stick-tables */
for (t = stktables_list; t; t = t->next) {
if (t->peers.p && t->peers.p == *last)
t->peers.p = NULL;
}
[BUG] peers: don't keep a peers section which has a NULL frontend If a peers section has no peer named as the local peer, we must destroy it, otherwise a NULL peer frontend remains in the lists and a segfault can happen upon a soft restart. We also now report the missing peer name in order to help troubleshooting.
2011-09-07 15:24:49 -04:00
free(*last);
*last = curpeers;
}
}
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
for (t = stktables_list; t; t = t->next) {
if (t->proxy)
continue;
MINOR: stktable: stktable_init() sets err_msg on error stktable_init() now sets err_msg when error occurs so that caller is able to precisely report the cause of the failure.
2023-11-02 13:34:51 -04:00
err = NULL;
if (!stktable_init(t, &err)) {
ha_alert("Parsing [%s:%d]: failed to initialize '%s' stick-table: %s.\n", t->conf.file, t->conf.line, t->id, err);
ha_free(&err);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
cfgerr++;
}
}
MEDIUM: config: initialize stick-tables after peers, not before It's dangerous to initialize stick-tables before peers because they start a task that cannot be stopped before we know if the peers need to be disabled and destroyed. Move this after.
2015-05-01 13:09:08 -04:00
/* initialize stick-tables on backend capable proxies. This must not
* be done earlier because the data size may be discovered while parsing
* other proxies.
*/
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
for (curproxy = proxies_list; curproxy; curproxy = curproxy->next) {
MINOR: proxy: Introduce proxy flags to replace disabled bitfield This change is required to support TCP/HTTP rules in defaults sections. The 'disabled' bitfield in the proxy structure, used to know if a proxy is disabled or stopped, is replaced a generic bitfield named 'flags'. PR_DISABLED and PR_STOPPED flags are renamed to PR_FL_DISABLED and PR_FL_STOPPED respectively. In addition, everywhere there is a test to know if a proxy is disabled or stopped, there is now a bitwise AND operation on PR_FL_DISABLED and/or PR_FL_STOPPED flags.
2021-10-06 08:24:19 -04:00
if ((curproxy->flags & PR_FL_DISABLED) || !curproxy->table)
MEDIUM: config: initialize stick-tables after peers, not before It's dangerous to initialize stick-tables before peers because they start a task that cannot be stopped before we know if the peers need to be disabled and destroyed. Move this after.
2015-05-01 13:09:08 -04:00
continue;
MINOR: stktable: stktable_init() sets err_msg on error stktable_init() now sets err_msg when error occurs so that caller is able to precisely report the cause of the failure.
2023-11-02 13:34:51 -04:00
err = NULL;
if (!stktable_init(curproxy->table, &err)) {
ha_alert("Proxy '%s': failed to initialize stick-table: %s.\n", curproxy->id, err);
ha_free(&err);
MEDIUM: config: initialize stick-tables after peers, not before It's dangerous to initialize stick-tables before peers because they start a task that cannot be stopped before we know if the peers need to be disabled and destroyed. Move this after.
2015-05-01 13:09:08 -04:00
cfgerr++;
}
}
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
if (mailers) {
struct mailers *curmailers = mailers, **last;
struct mailer *m, *mb;
/* Remove all mailers sections which don't have a valid listener.
* This can happen when a mailers section is never referenced.
*/
last = &mailers;
while (*last) {
curmailers = *last;
if (curmailers->users) {
last = &curmailers->next;
continue;
}
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Removing incomplete section 'mailers %s'.\n",
curmailers->id);
MEDIUM: Add parsing of mailers section As mailer and mailers structures and allow parsing of a mailers section into those structures. These structures will subsequently be freed as it is not yet possible to use reference them in the configuration. Signed-off-by: Simon Horman <horms@verge.net.au>
2015-01-29 21:22:58 -05:00
m = curmailers->mailer_list;
while (m) {
mb = m->next;
free(m->id);
free(m);
m = mb;
}
/* Destroy and unlink this curmailers section.
* Note: curmailers is backed up into *last.
*/
free(curmailers->id);
curmailers = curmailers->next;
free(*last);
*last = curmailers;
}
}
MINOR: config: new backend directives: load-server-state-from-file and server-state-file-name This directive gives HAProxy the ability to use the either the global server-state-file directive or a local one using server-state-file-name to load server states. The state can be saved right before the reload by the init script, using the "show servers state" command on the stats socket redirecting output into a file.
2015-08-19 10:44:03 -04:00
/* Update server_state_file_name to backend name if backend is supposed to use
* a server-state file locally defined and none has been provided */
MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list" Rename the global variable "proxy" to "proxies_list". There's been multiple proxies in haproxy for quite some time, and "proxy" is a potential source of bugs, a number of functions have a "proxy" argument, and some code used "proxy" when it really meant "px" or "curproxy". It worked by pure luck, because it usually happened while parsing the config, and thus "proxy" pointed to the currently parsed proxy, but we should probably not rely on this. [wt: some of these are definitely fixes that are worth backporting]
2017-11-24 10:54:05 -05:00
for (curproxy = proxies_list; curproxy; curproxy = curproxy->next) {
MINOR: config: new backend directives: load-server-state-from-file and server-state-file-name This directive gives HAProxy the ability to use the either the global server-state-file directive or a local one using server-state-file-name to load server states. The state can be saved right before the reload by the init script, using the "show servers state" command on the stats socket redirecting output into a file.
2015-08-19 10:44:03 -04:00
if (curproxy->load_server_state_from_file == PR_SRV_STATE_FILE_LOCAL &&
curproxy->server_state_file_name == NULL)
curproxy->server_state_file_name = strdup(curproxy->id);
}
MINOR: resolvers: renames type dns_resolvers to resolvers. It also renames 'dns_resolvers' head list to sec_resolvers to avoid conflicts with local variables 'resolvers'.
2020-12-23 10:51:12 -05:00
list_for_each_entry(curr_resolvers, &sec_resolvers, list) {
MINOR: config: Warn if resolvers has no nameservers Today, a `resolvers` section may be configured without any `nameserver` directives, which is useless. This implements a warning when such sections are detected. [List thread][1]. [1]: https://www.mail-archive.com/haproxy@formilux.org/msg29600.html
2018-04-13 17:43:04 -04:00
if (LIST_ISEMPTY(&curr_resolvers->nameservers)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("resolvers '%s' [%s:%d] has no nameservers configured!\n",
MINOR: config: Warn if resolvers has no nameservers Today, a `resolvers` section may be configured without any `nameserver` directives, which is useless. This implements a warning when such sections are detected. [List thread][1]. [1]: https://www.mail-archive.com/haproxy@formilux.org/msg29600.html
2018-04-13 17:43:04 -04:00
curr_resolvers->id, curr_resolvers->conf.file,
curr_resolvers->conf.line);
err_code |= ERR_WARN;
}
}
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
list_for_each_entry(postparser, &postparsers, list) {
if (postparser->func)
cfgerr += postparser->func();
}
[MINOR] config: improve error reporting when checking configuration Do not exit early at the first error found while checking configuration validity. This particularly helps spotting multiple wrong tracked server names at once.
2009-07-23 07:36:36 -04:00
if (cfgerr > 0)
err_code |= ERR_ALERT | ERR_FATAL;
out:
return err_code;
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
}
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
/*
* Registers the CFG keyword list <kwl> as a list of valid keywords for next
* parsing sessions.
*/
void cfg_register_keywords(struct cfg_kw_list *kwl)
{
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_APPEND(&cfg_keywords.list, &kwl->list);
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
/*
* Unregisters the CFG keyword list <kwl> from the list of valid keywords.
*/
void cfg_unregister_keywords(struct cfg_kw_list *kwl)
{
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&kwl->list);
[MEDIUM] add support for configuration keyword registration Any module which needs configuration keywords may now dynamically register a keyword in a given section, and associate it with a configuration parsing function using cfg_register_keywords() from a constructor function. This makes the configuration parser more modular because it is not required anymore to touch cfg_parse.c. Example : static int parse_global_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in global section\n"); return 0; } static int parse_listen_blah(char **args, int section_type, struct proxy *curpx, struct proxy *defpx, char *err, int errlen) { printf("parsing blah in listen section\n"); if (*args[1]) { snprintf(err, errlen, "missing arg for listen_blah!!!"); return -1; } return 0; } static struct cfg_kw_list cfg_kws = {{ },{ { CFG_GLOBAL, "blah", parse_global_blah }, { CFG_LISTEN, "blah", parse_listen_blah }, { 0, NULL, NULL }, }}; __attribute__((constructor)) static void __module_init(void) { cfg_register_keywords(&cfg_kws); }
2008-07-09 13:39:06 -04:00
LIST_INIT(&kwl->list);
}
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
/* this function register new section in the haproxy configuration file.
* <section_name> is the name of this new section and <section_parser>
* is the called parser. If two section declaration have the same name,
* only the first declared is used.
*/
int cfg_register_section(char *section_name,
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
int (*section_parser)(const char *, int, char **, int),
int (*post_section_parser)())
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
{
struct cfg_section *cs;
MEDIUM: initcall: allow to register mutiple post_section_parser per section Before this patch, REGISTER_CONFIG_SECTION() allowed to register one and only one callback (<post>) called after the parsing of a section. It was limitating because you couldn't register a post callback from anywhere else in the code. This patch introduces the new REGISTER_CONFIG_SECTION_POST() macros which allows to register a new post callback for a section keyword from anywhere. This patch introduces the feature by allowing `struct cfg_section` entries that does not have a `section_parser`, and then iterating on all cfg_section with a post_section_parser for a keyword.
2025-02-10 09:07:05 -05:00
if (section_parser) {
/* only checks if we register a section parser, not a post section callback */
list_for_each_entry(cs, &sections, list) {
if (strcmp(cs->section_name, section_name) == 0 && cs->section_parser) {
ha_alert("register section '%s': already registered.\n", section_name);
return 0;
}
CLEANUP: config: detect double registration of a config section In an effort to make the config parser more robust, we should validate that everything we register is not already registered. Most cfg_register_* functions unfortunately return void and just perform a LIST_ADDQ(), so they will have to change for this. At least cfg_register_section() does perform a bit of checks and is easy to check for such errors, so let's start with this one. Future patches will definitely have to focus on the remaining functions and ensure unicity of all config parsers.
2016-05-17 10:16:09 -04:00
}
}
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
cs = calloc(1, sizeof(*cs));
if (!cs) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("register section '%s': out of memory.\n", section_name);
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
return 0;
}
cs->section_name = section_name;
cs->section_parser = section_parser;
MEDIUM: cfgparse: post section callback This commit implements a post section callback. This callback will be used at the end of a section parsing. Every call to cfg_register_section must be modified to use the new prototype: int cfg_register_section(char *section_name, int (*section_parser)(const char *, int, char **, int), int (*post_section_parser)());
2017-10-16 05:06:50 -04:00
cs->post_section_parser = post_section_parser;
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_APPEND(&sections, &cs->list);
MEDIUM: config: Dynamic sections. This patch permit to register new sections in the haproxy's configuration file. This run like all the "keyword" registration, it is used during the haproxy initialization, typically with the "__attribute__((constructor))" functions.
2014-03-18 08:54:18 -04:00
return 1;
}
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
/* this function register a new function which will be called once the haproxy
* configuration file has been parsed. It's useful to check dependencies
* between sections or to resolve items once everything is parsed.
*/
int cfg_register_postparser(char *name, int (*func)())
{
struct cfg_postparser *cp;
cp = calloc(1, sizeof(*cp));
if (!cp) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("register postparser '%s': out of memory.\n", name);
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
return 0;
}
cp->name = name;
cp->func = func;
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_APPEND(&postparsers, &cp->list);
MEDIUM: cfgparse: post parsing registration Allow to register a function which will be called after the configuration file parsing, at the end of the check_config_validity(). It's useful fo checking dependencies between sections or for resolving keywords, pointers or values.
2017-10-23 08:36:34 -04:00
return 1;
}
MINOR: cfgparse: New function cfg_unregister_sections() A new function introduced meant to be called during general deinit phase. During the configuration parsing, the section entries are all allocated. This new function free them.
2015-09-25 06:49:18 -04:00
/*
* free all config section entries
*/
void cfg_unregister_sections(void)
{
struct cfg_section *cs, *ics;
list_for_each_entry_safe(cs, ics, &sections, list) {
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&cs->list);
MINOR: cfgparse: New function cfg_unregister_sections() A new function introduced meant to be called during general deinit phase. During the configuration parsing, the section entries are all allocated. This new function free them.
2015-09-25 06:49:18 -04:00
free(cs);
}
}
MINOR: cfgparse: Add functions to backup and restore registered sections This feature will be used by the stream processing offload engine (SPOE) to parse dedicated configuration files without mixing HAProxy sections with SPOE sections. So, here we can back up all sections known by HAProxy, unregister all of them and add new ones, dedicted to the SPOE. Once the SPOE configuration file parsed, we can roll back all changes by restoring HAProxy sections.
2016-10-26 05:09:44 -04:00
void cfg_backup_sections(struct list *backup_sections)
{
struct cfg_section *cs, *ics;
list_for_each_entry_safe(cs, ics, &sections, list) {
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&cs->list);
LIST_APPEND(backup_sections, &cs->list);
MINOR: cfgparse: Add functions to backup and restore registered sections This feature will be used by the stream processing offload engine (SPOE) to parse dedicated configuration files without mixing HAProxy sections with SPOE sections. So, here we can back up all sections known by HAProxy, unregister all of them and add new ones, dedicted to the SPOE. Once the SPOE configuration file parsed, we can roll back all changes by restoring HAProxy sections.
2016-10-26 05:09:44 -04:00
}
}
void cfg_restore_sections(struct list *backup_sections)
{
struct cfg_section *cs, *ics;
list_for_each_entry_safe(cs, ics, backup_sections, list) {
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&cs->list);
LIST_APPEND(&sections, &cs->list);
MINOR: cfgparse: Add functions to backup and restore registered sections This feature will be used by the stream processing offload engine (SPOE) to parse dedicated configuration files without mixing HAProxy sections with SPOE sections. So, here we can back up all sections known by HAProxy, unregister all of them and add new ones, dedicted to the SPOE. Once the SPOE configuration file parsed, we can roll back all changes by restoring HAProxy sections.
2016-10-26 05:09:44 -04:00
}
}
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
/* dumps all registered keywords by section on stdout */
void cfg_dump_registered_keywords()
{
MINOR: config: list recently added sections with -dKcfg Newly added sections (crt-store, traces, acme) were not listed in -dKcfg, let's add them. For now they have to be manually enumerated.
2025-05-23 04:49:33 -04:00
/* CFG_GLOBAL, CFG_LISTEN, CFG_USERLIST, CFG_PEERS, CFG_CRTLIST, CFG_CRTSTORE, CFG_TRACES, CFG_ACME */
const char* sect_names[] = { "", "global", "listen", "userlist", "peers", "crt-list", "crt-store", "traces", "acme", 0 };
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
int section;
int index;
for (section = 1; sect_names[section]; section++) {
struct cfg_kw_list *kwl;
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
const struct cfg_keyword *kwp, *kwn;
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
printf("%s\n", sect_names[section]);
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
for (kwn = kwp = NULL;; kwp = kwn) {
list_for_each_entry(kwl, &cfg_keywords.list, list) {
for (index = 0; kwl->kw[index].kw != NULL; index++)
if (kwl->kw[index].section == section &&
strordered(kwp ? kwp->kw : NULL, kwl->kw[index].kw, kwn != kwp ? kwn->kw : NULL))
kwn = &kwl->kw[index];
}
if (kwn == kwp)
break;
printf("\t%s\n", kwn->kw);
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
if (section == CFG_LISTEN) {
/* there are plenty of other keywords there */
extern struct list tcp_req_conn_keywords, tcp_req_sess_keywords,
tcp_req_cont_keywords, tcp_res_cont_keywords;
extern struct bind_kw_list bind_keywords;
extern struct srv_kw_list srv_keywords;
struct bind_kw_list *bkwl;
struct srv_kw_list *skwl;
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
const struct bind_kw *bkwp, *bkwn;
const struct srv_kw *skwp, *skwn;
const struct cfg_opt *coptp, *coptn;
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
/* display the non-ssl keywords */
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
for (bkwn = bkwp = NULL;; bkwp = bkwn) {
list_for_each_entry(bkwl, &bind_keywords.list, list) {
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
if (strcmp(bkwl->scope, "SSL") == 0) /* skip SSL keywords */
continue;
for (index = 0; bkwl->kw[index].kw != NULL; index++) {
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (strordered(bkwp ? bkwp->kw : NULL,
bkwl->kw[index].kw,
bkwn != bkwp ? bkwn->kw : NULL))
bkwn = &bkwl->kw[index];
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
}
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (bkwn == bkwp)
break;
if (!bkwn->skip)
printf("\tbind <addr> %s\n", bkwn->kw);
else
printf("\tbind <addr> %s +%d\n", bkwn->kw, bkwn->skip);
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
#if defined(USE_OPENSSL)
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
/* displays the "ssl" keywords */
for (bkwn = bkwp = NULL;; bkwp = bkwn) {
list_for_each_entry(bkwl, &bind_keywords.list, list) {
if (strcmp(bkwl->scope, "SSL") != 0) /* skip non-SSL keywords */
continue;
for (index = 0; bkwl->kw[index].kw != NULL; index++) {
if (strordered(bkwp ? bkwp->kw : NULL,
bkwl->kw[index].kw,
bkwn != bkwp ? bkwn->kw : NULL))
bkwn = &bkwl->kw[index];
}
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
}
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
if (bkwn == bkwp)
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
break;
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
if (strcmp(bkwn->kw, "ssl") == 0) /* skip "bind <addr> ssl ssl" */
continue;
if (!bkwn->skip)
printf("\tbind <addr> ssl %s\n", bkwn->kw);
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
else
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
printf("\tbind <addr> ssl %s +%d\n", bkwn->kw, bkwn->skip);
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
#endif
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
for (skwn = skwp = NULL;; skwp = skwn) {
list_for_each_entry(skwl, &srv_keywords.list, list) {
for (index = 0; skwl->kw[index].kw != NULL; index++)
if (strordered(skwp ? skwp->kw : NULL,
skwl->kw[index].kw,
skwn != skwp ? skwn->kw : NULL))
skwn = &skwl->kw[index];
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (skwn == skwp)
break;
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (!skwn->skip)
printf("\tserver <name> <addr> %s\n", skwn->kw);
else
printf("\tserver <name> <addr> %s +%d\n", skwn->kw, skwn->skip);
}
for (coptn = coptp = NULL;; coptp = coptn) {
for (index = 0; cfg_opts[index].name; index++)
if (strordered(coptp ? coptp->name : NULL,
cfg_opts[index].name,
coptn != coptp ? coptn->name : NULL))
coptn = &cfg_opts[index];
for (index = 0; cfg_opts2[index].name; index++)
if (strordered(coptp ? coptp->name : NULL,
cfg_opts2[index].name,
coptn != coptp ? coptn->name : NULL))
coptn = &cfg_opts2[index];
if (coptn == coptp)
break;
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
printf("\toption %s [ ", coptn->name);
if (coptn->cap & PR_CAP_FE)
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
printf("FE ");
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (coptn->cap & PR_CAP_BE)
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
printf("BE ");
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
if (coptn->mode == PR_MODE_HTTP)
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
printf("HTTP ");
printf("]\n");
}
MINOR: config: alphanumerically sort config keywords output The output produced by dump_registered_keywords() really deserves to be sorted in order to ease comparisons. The function now implements a tiny sorting mechanism that's suitable for each two-level list, and makes use of dump_act_rules() to dump rulesets. The code is not significantly more complicated and some parts (e.g options) could even be factored. The output is much more exploitable to detect differences now.
2022-03-30 05:21:32 -04:00
dump_act_rules(&tcp_req_conn_keywords, "\ttcp-request connection ");
dump_act_rules(&tcp_req_sess_keywords, "\ttcp-request session ");
dump_act_rules(&tcp_req_cont_keywords, "\ttcp-request content ");
dump_act_rules(&tcp_res_cont_keywords, "\ttcp-response content ");
dump_act_rules(&http_req_keywords.list, "\thttp-request ");
dump_act_rules(&http_res_keywords.list, "\thttp-response ");
dump_act_rules(&http_after_res_keywords.list, "\thttp-after-response ");
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
MINOR: peers: add peers keyword registration This adds support for registering keywords in the 'peers' section.
2023-06-26 14:43:48 -04:00
if (section == CFG_PEERS) {
struct peers_kw_list *pkwl;
const struct peers_keyword *pkwp, *pkwn;
for (pkwn = pkwp = NULL;; pkwp = pkwn) {
list_for_each_entry(pkwl, &peers_keywords.list, list) {
for (index = 0; pkwl->kw[index].kw != NULL; index++) {
if (strordered(pkwp ? pkwp->kw : NULL,
pkwl->kw[index].kw,
pkwn != pkwp ? pkwn->kw : NULL))
pkwn = &pkwl->kw[index];
}
}
if (pkwn == pkwp)
break;
printf("\t%s\n", pkwn->kw);
}
}
BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords This patch fixes an issue in the "-dK" keywords dumper, which was mistakenly displaying the "crt-list" keywords for "bind ssl" keywords. The patch fixes the issue by dumping the "crt-list" keywords in its own section, and dumping the "bind" keywords which are in the "SSL" scope with a "bind ssl" prefix. This commit depends on the previous "MINOR: ssl: rename confusing ssl_bind_kws" commit. Must be backported in 2.6. Diff of the `./haproxy -dKall -q -c -f /dev/null` output before and after the patch in 2.8-dev4: | @@ -190,30 +190,9 @@ listen | use-fcgi-app | bind <addr> accept-netscaler-cip +1 | bind <addr> accept-proxy | - bind <addr> allow-0rtt | - bind <addr> alpn +1 | bind <addr> backlog +1 | - bind <addr> ca-file +1 | - bind <addr> ca-ignore-err +1 | - bind <addr> ca-sign-file +1 | - bind <addr> ca-sign-pass +1 | - bind <addr> ca-verify-file +1 | - bind <addr> ciphers +1 | - bind <addr> ciphersuites +1 | - bind <addr> crl-file +1 | - bind <addr> crt +1 | - bind <addr> crt-ignore-err +1 | - bind <addr> crt-list +1 | - bind <addr> curves +1 | bind <addr> defer-accept | - bind <addr> ecdhe +1 | bind <addr> expose-fd +1 | - bind <addr> force-sslv3 | - bind <addr> force-tlsv10 | - bind <addr> force-tlsv11 | - bind <addr> force-tlsv12 | - bind <addr> force-tlsv13 | - bind <addr> generate-certificates | bind <addr> gid +1 | bind <addr> group +1 | bind <addr> id +1 | @@ -225,48 +204,52 @@ listen | bind <addr> name +1 | bind <addr> namespace +1 | bind <addr> nice +1 | - bind <addr> no-ca-names | - bind <addr> no-sslv3 | - bind <addr> no-tls-tickets | - bind <addr> no-tlsv10 | - bind <addr> no-tlsv11 | - bind <addr> no-tlsv12 | - bind <addr> no-tlsv13 | - bind <addr> npn +1 | - bind <addr> prefer-client-ciphers | bind <addr> process +1 | bind <addr> proto +1 | bind <addr> severity-output +1 | bind <addr> shards +1 | - bind <addr> ssl | - bind <addr> ssl-max-ver +1 | - bind <addr> ssl-min-ver +1 | - bind <addr> strict-sni | bind <addr> tcp-ut +1 | bind <addr> tfo | bind <addr> thread +1 | - bind <addr> tls-ticket-keys +1 | bind <addr> transparent | bind <addr> uid +1 | bind <addr> user +1 | bind <addr> v4v6 | bind <addr> v6only | - bind <addr> verify +1 | bind <addr> ssl allow-0rtt | bind <addr> ssl alpn +1 | bind <addr> ssl ca-file +1 | + bind <addr> ssl ca-ignore-err +1 | + bind <addr> ssl ca-sign-file +1 | + bind <addr> ssl ca-sign-pass +1 | bind <addr> ssl ca-verify-file +1 | bind <addr> ssl ciphers +1 | bind <addr> ssl ciphersuites +1 | bind <addr> ssl crl-file +1 | + bind <addr> ssl crt +1 | + bind <addr> ssl crt-ignore-err +1 | + bind <addr> ssl crt-list +1 | bind <addr> ssl curves +1 | bind <addr> ssl ecdhe +1 | + bind <addr> ssl force-sslv3 | + bind <addr> ssl force-tlsv10 | + bind <addr> ssl force-tlsv11 | + bind <addr> ssl force-tlsv12 | + bind <addr> ssl force-tlsv13 | + bind <addr> ssl generate-certificates | bind <addr> ssl no-ca-names | + bind <addr> ssl no-sslv3 | + bind <addr> ssl no-tls-tickets | + bind <addr> ssl no-tlsv10 | + bind <addr> ssl no-tlsv11 | + bind <addr> ssl no-tlsv12 | + bind <addr> ssl no-tlsv13 | bind <addr> ssl npn +1 | - bind <addr> ssl ocsp-update +1 | + bind <addr> ssl prefer-client-ciphers | bind <addr> ssl ssl-max-ver +1 | bind <addr> ssl ssl-min-ver +1 | + bind <addr> ssl strict-sni | + bind <addr> ssl tls-ticket-keys +1 | bind <addr> ssl verify +1 | server <name> <addr> addr +1 | server <name> <addr> agent-addr +1 | @@ -591,6 +574,23 @@ listen | http-after-response unset-var* | userlist | peers | +crt-list | + allow-0rtt | + alpn +1 | + ca-file +1 | + ca-verify-file +1 | + ciphers +1 | + ciphersuites +1 | + crl-file +1 | + curves +1 | + ecdhe +1 | + no-ca-names | + npn +1 | + ocsp-update +1 | + ssl-max-ver +1 | + ssl-min-ver +1 | + verify +1 | # List of registered CLI keywords: | @!<pid> [MASTER] | @<relative pid> [MASTER]
2023-02-13 09:24:01 -05:00
if (section == CFG_CRTLIST) {
/* displays the keyword available for the crt-lists */
extern struct ssl_crtlist_kw ssl_crtlist_kws[] __maybe_unused;
const struct ssl_crtlist_kw *sbkwp __maybe_unused, *sbkwn __maybe_unused;
#if defined(USE_OPENSSL)
for (sbkwn = sbkwp = NULL;; sbkwp = sbkwn) {
for (index = 0; ssl_crtlist_kws[index].kw != NULL; index++) {
if (strordered(sbkwp ? sbkwp->kw : NULL,
ssl_crtlist_kws[index].kw,
sbkwn != sbkwp ? sbkwn->kw : NULL))
sbkwn = &ssl_crtlist_kws[index];
}
if (sbkwn == sbkwp)
break;
if (!sbkwn->skip)
printf("\t%s\n", sbkwn->kw);
else
printf("\t%s +%d\n", sbkwn->kw, sbkwn->skip);
}
#endif
}
MINOR: config: add a function to dump all known config keywords All registered config keywords that are valid in the config parser are dumped to stdout organized like the regular sections (global, listen, etc). Some keywords that are known to only be valid in frontends or backends will be suffixed with [FE] or [BE]. All regularly registered "bind" and "server" keywords are also dumped, one per "bind" or "server" line. Those depending on ssl are listed after the "ssl" keyword. Doing so required to export the listener and server keyword lists that were static. The function is called from dump_registered_keywords() for keyword class "cfg".
2022-03-29 09:02:44 -04:00
}
}
MINOR: initcall: use initcalls for section parsers The two calls to cfg_register_section() and cfg_register_postparser() are now supported by initcalls. This allowed to remove two other constructors.
2018-11-26 05:33:13 -05:00
/* these are the config sections handled by default */
REGISTER_CONFIG_SECTION("listen", cfg_parse_listen, NULL);
REGISTER_CONFIG_SECTION("frontend", cfg_parse_listen, NULL);
REGISTER_CONFIG_SECTION("backend", cfg_parse_listen, NULL);
REGISTER_CONFIG_SECTION("defaults", cfg_parse_listen, NULL);
REGISTER_CONFIG_SECTION("global", cfg_parse_global, NULL);
REGISTER_CONFIG_SECTION("userlist", cfg_parse_users, NULL);
REGISTER_CONFIG_SECTION("peers", cfg_parse_peers, NULL);
REGISTER_CONFIG_SECTION("mailers", cfg_parse_mailers, NULL);
REGISTER_CONFIG_SECTION("namespace_list", cfg_parse_netns, NULL);
MINOR: config/trace: Add a 'traces' section to declare debug traces It is no longer supported to declare debug traces, via 'trace' directive, in a global section. A 'traces' directive must be used instead. The syntax of the 'trace' directive in these sections remains the same. But it is no longer experimental. The main reason for this change is to avoid to have a ring section defined before a global one. Indeed, for now, forward declarations of ring sections are not supported. So to configure traces, you had to add a ring section before the global one defining the traces. Most of time, that meant to have two global sections : global [...] # global settings ring <name> [...] global [...] # trace config In addition, it will be possible to easily extend the traces section by adding some new directives.
2024-10-01 02:48:38 -04:00
REGISTER_CONFIG_SECTION("traces", cfg_parse_traces, NULL);
BUG/MEDIUM: config: fix multiple declaration of section parsers Ben Cabot reported that after commit 5e4261b ("CLEANUP: config: detect double registration of a config section") recently introduced in 1.7-dev, it's not possible anymore to load multiple configuration files. Bryan Talbot provided a simple reproducer to exhibit the issue. It turns out that function readcfgfile() registers new parsers for section keywords for each new file. In addition to being useless, this has the negative effect of wasting memory and slowing down the config parser as the number of configuration files increases. This fix only needs to be backported if/where the commit above is backported.
2016-05-26 11:55:28 -04:00
MINOR: config: add a new "default-path" global directive By default haproxy loads all files designated by a relative path from the location the process is started in. In some circumstances it might be desirable to force all relative paths to start from a different location just as if the process was started from such locations. This is what this directive is made for. Technically it will perform a temporary chdir() to the designated location while processing each configuration file, and will return to the original directory after processing each file. It takes an argument indicating the policy to use when loading files whose path does not start with a slash ('/'). A few options are offered, "current" (the default), "config" (files relative to config file's dir), "parent" (files relative to config file's parent dir), and "origin" with an absolute path. This should address issue #1198.
2021-04-27 14:29:11 -04:00
static struct cfg_kw_list cfg_kws = {{ },{
{ CFG_GLOBAL, "default-path", cfg_parse_global_def_path },
{ /* END */ }
}};
INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
[BIGMOVE] exploded the monolithic haproxy.c file into multiple files. The files are now stored under : - include/haproxy for the generic includes - include/types.h for the structures needed within prototypes - include/proto.h for function prototypes and inline functions - src/*.c for the C files Most include files are now covered by LGPL. A last move still needs to be done to put inline functions under GPL and not LGPL. Version has been set to 1.3.0 in the code but some control still needs to be done before releasing.
2006-06-25 20:48:02 -04:00
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink