mirror of https://github.com/haproxy/haproxy.git synced 2026-05-14 18:09:14 -04:00

HAProxy - Load balancer

Find a file

Willy Tarreau 4fc1e39371 BUG/MAJOR: http-ana: fix private session retrieval on NTLM During the architectural review leading to commit `90b2154d93` ("MEDIUM: muxes: always set conn->owner to the session that owns the connection"), we wondered whether srv_conn->owner could ever be NULL or even invalid, or if it ought to be changed to sess, and the projections of various use cases, as well as a number of attempts to fool it led us to conclude that it was always valid since the connection is private. So it was considered safer not to start fiddling with the pointer in case it could still match a previous session after a reuse, which would match the scenario described in the session_add_conn() comment. Actually there was exactly one case where a NULL could be met, and that was covered by the preliminary call to conn_set_owner() that was removed in that patch, precisely related to the one that the next patch tried to address: in http-reuse always, after the second request on a connection releases the connection, the owner can now become NULL, so if an NTLM header is seen at this point, it will crash. Interestingly, after the immediately following commit was merged, `d93c53b0df` ("MEDIUM: session: always reset the conn->owner on backend when installing mux"), the problem became immediate as the conn's owner is now null during operation if the connection is not private, and now the first response in NTLM is sufficient to crash the process. On the other hand, thanks to the two patches above, we're now certain never to meet a different session, which was the sought goal: either the session is normal and it has no owner, or it's private and it has <sess> as owner. Also with HTTP/1 (since the code explicitly checks for H1), there may be a single request at a time on a connection so the owner should either be the session or NULL. So this patch finally implements the original plan, to pass <sess> to session_add_conn(). The call is idempotent if the owner is already set, but at least the function performs some preliminary sanity checks which are quite welcome, so better continue to always call it. Note that this is only for 3.4 or any branch that has exactly the two patches above. And if the patches above were to ever be backported (together), this one would be needed as well. Thanks to Omkhar Arasaratnam for reporting this regression.		2026-05-04 18:57:15 +02:00
.github	CI: github: add DEBUG_STRICT=2 to ASAN jobs	2026-04-30 17:46:30 +02:00
addons	DOC: otel: update the filter's status and URL in the docs	2026-05-04 14:38:35 +02:00
admin	CLEANUP: fix typos and spelling in comments and documentation	2026-03-30 09:24:19 +02:00
dev	CLEANUP: fix typos and spelling in comments and documentation	2026-03-30 09:24:19 +02:00
doc	DOC: acme: document missing acme-vars and provider-name keywords	2026-05-04 14:44:53 +02:00
examples	EXAMPLES: ssl: keylog entries are greater than 1024	2026-04-14 16:24:28 +02:00
include	BUG/MINOR: quic: fix buffer overflow with sockaddr_in46	2026-05-04 10:49:49 +02:00
reg-tests	BUG/MEDIUM: cli: fix master CLI connection slot leak on client disconnect	2026-04-30 17:06:19 +02:00
scripts	BUG/MINOR: reg-tests: make shell syntax errors fatal	2026-04-22 15:18:22 +02:00
src	BUG/MAJOR: http-ana: fix private session retrieval on NTLM	2026-05-04 18:57:15 +02:00
tests	TESTS: quic: add unit-tests for QUIC TX part	2025-09-08 14:49:03 +02:00
.cirrus.yml	CI: cirrus-ci: bump FreeBSD image to 14-3	2025-10-09 14:06:48 +02:00
.gitattributes	MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes	2021-02-22 18:17:57 +01:00
.gitignore	MINOR: tevt/dev: Add term_events tool	2025-01-31 10:41:50 +01:00
.mailmap	DOC: update Tim's address in .mailmap	2021-09-16 09:14:14 +02:00
.travis.yml	MEDIUM: mworker: remove USE_SYSTEMD requirement for -Ws	2024-11-20 12:07:38 +01:00
BRANCHES	DOC: clarify the experimental status for certain features	2025-10-17 18:41:13 +02:00
BSDmakefile	BUILD: makefile: commit the tiny FreeBSD makefile stub	2023-05-24 17:17:36 +02:00
CHANGELOG	[RELEASE] Released version 3.4-dev10	2026-04-29 15:51:32 +02:00
CONTRIBUTING	CLEANUP: assorted typo fixes in the code and comments	2025-04-02 11:12:20 +02:00
INSTALL	MINOR: version: mention that it's development again	2025-11-26 16:11:47 +01:00
LICENSE	LICENSE: add licence exception for OpenSSL	2012-09-07 13:52:26 +02:00
MAINTAINERS	MAJOR: spoe: Let the SPOE back into the game	2024-05-22 09:04:38 +02:00
Makefile	BUILD: otel: removed USE_OTEL, addon is now built via EXTRA_MAKE	2026-05-04 14:15:17 +02:00
README.md	CI: github: add cross-zoo.yml in README.md	2026-04-20 11:47:20 +02:00
SUBVERS	BUILD: use format tags in VERDATE and SUBVERS files	2013-12-10 11:22:49 +01:00
VERDATE	[RELEASE] Released version 3.4-dev10	2026-04-29 15:51:32 +02:00
VERSION	[RELEASE] Released version 3.4-dev10	2026-04-29 15:51:32 +02:00

README.md

HAProxy

HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.

Installation

The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.

Getting help

The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.

The issue tracker is only for bug reports or feature requests.

Documentation

The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.

Please refer to the following files depending on what you're looking for:

INSTALL for instructions on how to build and install HAProxy
BRANCHES to understand the project's life cycle and what version to use
LICENSE for the project's license
CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory:

doc/intro.txt for a quick introduction on HAProxy
doc/configuration.txt for the configuration's reference manual
doc/lua.txt for the Lua's reference manual
doc/SPOE.txt for how to use the SPOE engine
doc/network-namespaces.txt for how to use network namespaces under Linux
doc/management.txt for the management guide
doc/regression-testing.txt for how to use the regression testing suite
doc/peers.txt for the peers protocol reference
doc/coding-style.txt for how to adopt HAProxy's coding style
doc/internals for developer-specific documentation (not all up to date)

License

HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.