Browse Source

haproxy: upgrade to version 1.5.1

Bugs from 1.5.0 can cause file descriptor leak, results in the
impossibility to accept new connections after some time.

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil 10 years ago
parent
commit
11bf9384ed

+ 3
- 3
net/haproxy/Makefile View File

@@ -9,11 +9,11 @@
9 9
 include $(TOPDIR)/rules.mk
10 10
 
11 11
 PKG_NAME:=haproxy
12
-PKG_VERSION:=1.5.0
13
-PKG_RELEASE:=06
12
+PKG_VERSION:=1.5.1
13
+PKG_RELEASE:=01
14 14
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
15 15
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
16
-PKG_MD5SUM:=e33bb97e644e98af948090f1ecebbda9
16
+PKG_MD5SUM:=49640cf3ddd793a05fbd3394481a1ed4
17 17
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
18 18
 PKG_LICENSE:=GPL-2.0
19 19
 

+ 0
- 30
net/haproxy/patches/0001-BUG-MEDIUM-Consistently-use-check-in-process_chk.patch View File

@@ -1,31 +0,0 @@
1
-From 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6 Mon Sep 17 00:00:00 2001
2
-From: Simon Horman <horms@verge.net.au>
3
-Date: Fri, 20 Jun 2014 12:29:47 +0900
4
-Subject: [PATCH] BUG/MEDIUM: Consistently use 'check' in process_chk
5
-
6
-I am not entirely sure that this is a bug, but it seems
7
-to me that it may cause a problem if there agent-check is
8
-configured and there is some kind of error making a connection for it.
9
-
10
-Signed-off-by: Simon Horman <horms@verge.net.au>
11
-(cherry picked from commit ccaabcdfca23851af6fd83f4f3265284d283e2ab)
12
----
13
- src/checks.c | 2 +-
14
- 1 file changed, 1 insertion(+), 1 deletion(-)
15
-
16
-diff --git a/src/checks.c b/src/checks.c
17
-index cba0018..f3b2b54 100644
18
---- a/src/checks.c
19
-+++ b/src/checks.c
20
-@@ -1541,7 +1541,7 @@ static struct task *process_chk(struct task *t)
21
- 		 * First, let's check whether there was an uncaught error,
22
- 		 * which can happen on connect timeout or error.
23
- 		 */
24
--		if (s->check.result == CHK_RES_UNKNOWN) {
25
-+		if (check->result == CHK_RES_UNKNOWN) {
26
- 			/* good connection is enough for pure TCP check */
27
- 			if ((conn->flags & CO_FL_CONNECTED) && !check->type) {
28
- 				if (check->use_ssl)
29
-1.8.5.5
30
-

+ 45
- 0
net/haproxy/patches/0001-BUG-MEDIUM-http-fetch-base-is-not-compatible-with-se.patch View File

@@ -0,0 +1,45 @@
1
+From c1fbbd4a3dd480b4eebbd8b32ca6cdf08791477a Mon Sep 17 00:00:00 2001
2
+From: Willy Tarreau <w@1wt.eu>
3
+Date: Tue, 24 Jun 2014 17:27:02 +0200
4
+Subject: [PATCH] BUG/MEDIUM: http: fetch "base" is not compatible with
5
+ set-header
6
+
7
+The sample fetch function "base" makes use of the trash which is also
8
+used by set-header/add-header etc... everything which builds a formated
9
+line. So we end up with some junk in the header if base is in use. Let's
10
+fix this as all other fetches by using a trash chunk instead.
11
+
12
+This bug was reported by Baptiste Assmann, and also affects 1.5.
13
+(cherry picked from commit 3caf2afabe89fb0ef0886cd1d8ea99ef21ec3491)
14
+---
15
+ src/proto_http.c | 6 ++++--
16
+ 1 file changed, 4 insertions(+), 2 deletions(-)
17
+
18
+diff --git a/src/proto_http.c b/src/proto_http.c
19
+index 231d49a..5321f7d 100644
20
+--- a/src/proto_http.c
21
++++ b/src/proto_http.c
22
+@@ -10247,6 +10247,7 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
23
+ 	struct http_txn *txn = l7;
24
+ 	char *ptr, *end, *beg;
25
+ 	struct hdr_ctx ctx;
26
++	struct chunk *temp;
27
+ 
28
+ 	CHECK_HTTP_MESSAGE_FIRST();
29
+ 
30
+@@ -10255,9 +10256,10 @@ smp_fetch_base(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
31
+ 		return smp_fetch_path(px, l4, l7, opt, args, smp, kw);
32
+ 
33
+ 	/* OK we have the header value in ctx.line+ctx.val for ctx.vlen bytes */
34
+-	memcpy(trash.str, ctx.line + ctx.val, ctx.vlen);
35
++	temp = get_trash_chunk();
36
++	memcpy(temp->str, ctx.line + ctx.val, ctx.vlen);
37
+ 	smp->type = SMP_T_STR;
38
+-	smp->data.str.str = trash.str;
39
++	smp->data.str.str = temp->str;
40
+ 	smp->data.str.len = ctx.vlen;
41
+ 
42
+ 	/* now retrieve the path */
43
+-- 
44
+1.8.5.5
45
+

+ 0
- 38
net/haproxy/patches/0002-BUG-MINOR-ssl-rejects-OCSP-response-without-nextupda.patch View File

@@ -1,39 +0,0 @@
1
-From 1135ea40b0ae5e5a98ee0cb9e13491664356adfc Mon Sep 17 00:00:00 2001
2
-From: Emeric Brun <ebrun@haproxy.com>
3
-Date: Fri, 20 Jun 2014 15:44:34 +0200
4
-Subject: [PATCH 2/5] BUG/MINOR: ssl: rejects OCSP response without nextupdate.
5
-
6
-To cache an OCSP Response without expiration time is not safe.
7
-(cherry picked from commit 13a6b48e241c0a50b501446992ab4fda2529f317)
8
----
9
- src/ssl_sock.c | 7 ++++++-
10
- 1 file changed, 6 insertions(+), 1 deletion(-)
11
-
12
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
13
-index ad4b1ca..278af8b 100644
14
---- a/src/ssl_sock.c
15
-+++ b/src/ssl_sock.c
16
-@@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
17
- 	OCSP_SINGLERESP *sr;
18
- 	unsigned char *p = (unsigned char *)ocsp_response->str;
19
- 	int rc , count_sr;
20
--	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
21
-+	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
22
- 	int reason;
23
- 	int ret = 1;
24
- 
25
-@@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
26
- 		goto out;
27
- 	}
28
- 
29
-+	if (!nextupd) {
30
-+		memprintf(err, "OCSP single response: missing nextupdate");
31
-+		goto out;
32
-+	}
33
-+
34
- 	rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
35
- 	if (!rc) {
36
- 		memprintf(err, "OCSP single response: no longer valid.");
37
-1.8.5.5
38
-

+ 0
- 133
net/haproxy/patches/0003-BUG-MEDIUM-ssl-Fix-to-not-serve-expired-OCSP-respons.patch View File

@@ -1,134 +0,0 @@
1
-From 5848437fa171c593f777226306b146d02a09f70e Mon Sep 17 00:00:00 2001
2
-From: Emeric Brun <ebrun@haproxy.com>
3
-Date: Fri, 20 Jun 2014 15:46:13 +0200
4
-Subject: [PATCH 3/5] BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
5
-
6
-For some browsers (firefox), an expired OCSP Response causes unwanted behavior.
7
-
8
-Haproxy stops serving OCSP response if nextupdate date minus
9
-the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is
10
-in the past.
11
-(cherry picked from commit 4f3c87a5d942d4d0649c35805ff4e335970b87d4)
12
----
13
- src/ssl_sock.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
14
- 1 file changed, 87 insertions(+), 2 deletions(-)
15
-
16
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
17
-index 278af8b..9eacf9f 100644
18
---- a/src/ssl_sock.c
19
-+++ b/src/ssl_sock.c
20
-@@ -110,9 +110,91 @@ struct certificate_ocsp {
21
- 	struct ebmb_node key;
22
- 	unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
23
- 	struct chunk response;
24
--
25
-+	long expire;
26
- };
27
- 
28
-+/*
29
-+ *  This function returns the number of seconds  elapsed
30
-+ *  since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
31
-+ *  date presented un ASN1_GENERALIZEDTIME.
32
-+ *
33
-+ *  In parsing error case, it returns -1.
34
-+ */
35
-+static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
36
-+{
37
-+	long epoch;
38
-+	char *p, *end;
39
-+	const unsigned short month_offset[12] = {
40
-+		0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
41
-+	};
42
-+	int year, month;
43
-+
44
-+	if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
45
-+
46
-+	p = (char *)d->data;
47
-+	end = p + d->length;
48
-+
49
-+	if (end - p < 4) return -1;
50
-+	year = 1000 * (p[0] - '0') + 100 * (p[1] - '0') + 10 * (p[2] - '0') + p[3] - '0';
51
-+	p += 4;
52
-+	if (end - p < 2) return -1;
53
-+	month = 10 * (p[0] - '0') + p[1] - '0';
54
-+	if (month < 1 || month > 12) return -1;
55
-+	/* Compute the number of seconds since 1 jan 1970 and the beginning of current month
56
-+	   We consider leap years and the current month (<marsh or not) */
57
-+	epoch = (  ((year - 1970) * 365)
58
-+		 + ((year - (month < 3)) / 4 - (year - (month < 3)) / 100 + (year - (month < 3)) / 400)
59
-+		 - ((1970 - 1) / 4 - (1970 - 1) / 100 + (1970 - 1) / 400)
60
-+		 + month_offset[month-1]
61
-+		) * 24 * 60 * 60;
62
-+	p += 2;
63
-+	if (end - p < 2) return -1;
64
-+	/* Add the number of seconds of completed days of current month */
65
-+	epoch += (10 * (p[0] - '0') + p[1] - '0' - 1) * 24 * 60 * 60;
66
-+	p += 2;
67
-+	if (end - p < 2) return -1;
68
-+	/* Add the completed hours of the current day */
69
-+	epoch += (10 * (p[0] - '0') + p[1] - '0') * 60 * 60;
70
-+	p += 2;
71
-+	if (end - p < 2) return -1;
72
-+	/* Add the completed minutes of the current hour */
73
-+	epoch += (10 * (p[0] - '0') + p[1] - '0') * 60;
74
-+	p += 2;
75
-+	if (p == end) return -1;
76
-+	/* Test if there is available seconds */
77
-+	if (p[0] < '0' || p[0] > '9')
78
-+		goto nosec;
79
-+	if (end - p < 2) return -1;
80
-+	/* Add the seconds of the current minute */
81
-+	epoch += 10 * (p[0] - '0') + p[1] - '0';
82
-+	p += 2;
83
-+	if (p == end) return -1;
84
-+	/* Ignore seconds float part if present */
85
-+	if (p[0] == '.') {
86
-+		do {
87
-+			if (++p == end) return -1;
88
-+		} while (p[0] >= '0' && p[0] <= '9');
89
-+	}
90
-+
91
-+nosec:
92
-+	if (p[0] == 'Z') {
93
-+		if (end - p != 1) return -1;
94
-+		return epoch;
95
-+	}
96
-+	else if (p[0] == '+') {
97
-+		if (end - p != 5) return -1;
98
-+		/* Apply timezone offset */
99
-+		return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
100
-+	}
101
-+	else if (p[0] == '-') {
102
-+		if (end - p != 5) return -1;
103
-+		/* Apply timezone offset */
104
-+		return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
105
-+	}
106
-+
107
-+	return -1;
108
-+}
109
-+
110
- static struct eb_root cert_ocsp_tree;
111
- 
112
- /* This function starts to check if the OCSP response (in DER format) contained
113
-@@ -229,6 +311,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
114
- 		goto out;
115
- 	}
116
- 
117
-+	ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
118
-+
119
- 	ret = 0;
120
- out:
121
- 	if (bs)
122
-@@ -306,7 +390,8 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
123
- 
124
- 	if (!ocsp ||
125
- 	    !ocsp->response.str ||
126
--            !ocsp->response.len)
127
-+	    !ocsp->response.len ||
128
-+	    (ocsp->expire < now.tv_sec))
129
- 		return SSL_TLSEXT_ERR_NOACK;
130
- 
131
- 	ssl_buf = OPENSSL_malloc(ocsp->response.len);
132
-1.8.5.5
133
-

+ 0
- 26
net/haproxy/patches/0004-BUG-MINOR-ssl-Fix-OCSP-resp-update-fails-with-the-sa.patch View File

@@ -1,27 +0,0 @@
1
-From 8d914d1c9c069fada5f34b0c5e27afa4ba6b9920 Mon Sep 17 00:00:00 2001
2
-From: Emeric Brun <ebrun@haproxy.com>
3
-Date: Fri, 20 Jun 2014 15:37:32 +0200
4
-Subject: [PATCH 4/5] BUG/MINOR: ssl: Fix OCSP resp update fails with the same
5
- certificate configured twice. (cherry picked from commit
6
- 1d3865b096b43b9a6d6a564ffb424ffa6f1ef79f)
7
-
8
----
9
- src/ssl_sock.c | 2 +-
10
- 1 file changed, 1 insertion(+), 1 deletion(-)
11
-
12
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
13
-index 9eacf9f..328b978 100644
14
---- a/src/ssl_sock.c
15
-+++ b/src/ssl_sock.c
16
-@@ -195,7 +195,7 @@ nosec:
17
- 	return -1;
18
- }
19
- 
20
--static struct eb_root cert_ocsp_tree;
21
-+static struct eb_root cert_ocsp_tree = EB_ROOT_UNIQUE;
22
- 
23
- /* This function starts to check if the OCSP response (in DER format) contained
24
-  * in chunk 'ocsp_response' is valid (else exits on error).
25
-1.8.5.5
26
-

+ 0
- 292
net/haproxy/patches/0005-BUG-MAJOR-session-revert-all-the-crappy-client-side-.patch View File

@@ -1,293 +0,0 @@
1
-From 2a4f511b33958b5a09cee2913f1ed9d3210f98f5 Mon Sep 17 00:00:00 2001
2
-From: Willy Tarreau <w@1wt.eu>
3
-Date: Mon, 23 Jun 2014 15:22:31 +0200
4
-Subject: [PATCH 5/5] BUG/MAJOR: session: revert all the crappy client-side
5
- timeout changes
6
-
7
-This is the 3rd regression caused by the changes below. The latest to
8
-date was reported by Finn Arne Gangstad. If a server responds with no
9
-content-length and the client's FIN is never received, either we leak
10
-the client-side FD or we spin at 100% CPU if timeout client-fin is set.
11
-
12
-Enough is enough. The amount of tricks needed to cover these side-effects
13
-starts to look like used toilet paper stacked over a chocolate cake. I
14
-don't want to eat that cake anymore!
15
-
16
-All this to avoid reporting a server-side timeout when a client stops
17
-uploading data and haproxy expires faster than the server... A lot of
18
-"ifs" resulting in a technically valid log that doesn't always please
19
-users, and whose alternative causes that many issues for all others
20
-users.
21
-
22
-So let's revert this crap merged since 1.5-dev25 :
23
-  Revert "CLEANUP: http: don't clear CF_READ_NOEXP twice"
24
-    This reverts commit 1592d1e72a4a2d25a554c299ae95a3e6cad80bf1.
25
-  Revert "BUG/MEDIUM: http: clear CF_READ_NOEXP when preparing a new transaction"
26
-    This reverts commit 77d29029af1c44216b190dd7442964b9d8f45257.
27
-  Revert "BUG/MEDIUM: session: don't clear CF_READ_NOEXP if analysers are not called"
28
-    This reverts commit 0943757a2144761c60e416b5ed07baa76934f5a4.
29
-  Revert "BUG/MEDIUM: http: disable server-side expiration until client has sent the body"
30
-    This reverts commit 3bed5e9337fd6eeab0f0006ebefcbe98ee5c4f9f.
31
-  Revert "BUG/MEDIUM: http: correctly report request body timeouts"
32
-    This reverts commit b9edf8fbecc9d1b5c82794735adcc367a80a4ae2.
33
-  Revert "BUG/MEDIUM: http/session: disable client-side expiration only after body"
34
-    This reverts commit b1982e27aaff2a92a389a9f1bc847e3bb8fdb4f2.
35
-
36
-If a cleaner AND SAFER way to do something equivalent in 1.6-dev, we *might*
37
-consider backporting it to 1.5, but given the vicious bugs that have surfaced
38
-since, I doubt it will happen any time soon.
39
-
40
-Fortunately, that crap never made it into 1.4 so no backport is needed.
41
-(cherry picked from commit 6f0a7bac282c9b2082dc763977b7721b6b002089)
42
----
43
- src/proto_http.c | 95 ++------------------------------------------------------
44
- src/session.c    | 41 ++++++++++++------------
45
- 2 files changed, 23 insertions(+), 113 deletions(-)
46
-
47
-diff --git a/src/proto_http.c b/src/proto_http.c
48
-index 52319a9..878951f 100644
49
---- a/src/proto_http.c
50
-+++ b/src/proto_http.c
51
-@@ -4884,7 +4884,7 @@ void http_end_txn_clean_session(struct session *s)
52
- 	s->req->cons->conn_retries = 0;  /* used for logging too */
53
- 	s->req->cons->exp       = TICK_ETERNITY;
54
- 	s->req->cons->flags    &= SI_FL_DONT_WAKE; /* we're in the context of process_session */
55
--	s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT|CF_READ_NOEXP);
56
-+	s->req->flags &= ~(CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CONNECT|CF_WRITE_ERROR|CF_STREAMER|CF_STREAMER_FAST|CF_NEVER_WAIT|CF_WAKE_CONNECT);
57
- 	s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT);
58
- 	s->flags &= ~(SN_DIRECT|SN_ASSIGNED|SN_ADDR_SET|SN_BE_ASSIGNED|SN_FORCE_PRST|SN_IGNORE_PRST);
59
- 	s->flags &= ~(SN_CURR_SESS|SN_REDIRECTABLE|SN_SRV_REUSED);
60
-@@ -5305,13 +5305,6 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
61
- 		 */
62
- 		msg->msg_state = HTTP_MSG_ERROR;
63
- 		http_resync_states(s);
64
--
65
--		if (req->flags & CF_READ_TIMEOUT)
66
--			goto cli_timeout;
67
--
68
--		if (req->flags & CF_WRITE_TIMEOUT)
69
--			goto srv_timeout;
70
--
71
- 		return 1;
72
- 	}
73
- 
74
-@@ -5478,11 +5471,6 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
75
- 				channel_auto_read(req);
76
- 			}
77
- 
78
--			/* if we received everything, we don't want to expire anymore */
79
--			if (msg->msg_state == HTTP_MSG_DONE) {
80
--				req->flags |= CF_READ_NOEXP;
81
--				req->rex = TICK_ETERNITY;
82
--			}
83
- 			return 0;
84
- 		}
85
- 	}
86
-@@ -5592,68 +5580,6 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
87
- 			s->flags |= SN_FINST_D;
88
- 	}
89
- 	return 0;
90
--
91
-- cli_timeout:
92
--	if (!(s->flags & SN_ERR_MASK))
93
--		s->flags |= SN_ERR_CLITO;
94
--
95
--	if (!(s->flags & SN_FINST_MASK)) {
96
--		if (txn->rsp.msg_state < HTTP_MSG_ERROR)
97
--			s->flags |= SN_FINST_H;
98
--		else
99
--			s->flags |= SN_FINST_D;
100
--	}
101
--
102
--	if (txn->status > 0) {
103
--		/* Don't send any error message if something was already sent */
104
--		stream_int_retnclose(req->prod, NULL);
105
--	}
106
--	else {
107
--		txn->status = 408;
108
--		stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_408));
109
--	}
110
--
111
--	msg->msg_state = HTTP_MSG_ERROR;
112
--	req->analysers = 0;
113
--	s->rep->analysers = 0; /* we're in data phase, we want to abort both directions */
114
--
115
--	session_inc_http_err_ctr(s);
116
--	s->fe->fe_counters.failed_req++;
117
--	s->be->be_counters.failed_req++;
118
--	if (s->listener->counters)
119
--		s->listener->counters->failed_req++;
120
--	return 0;
121
--
122
-- srv_timeout:
123
--	if (!(s->flags & SN_ERR_MASK))
124
--		s->flags |= SN_ERR_SRVTO;
125
--
126
--	if (!(s->flags & SN_FINST_MASK)) {
127
--		if (txn->rsp.msg_state < HTTP_MSG_ERROR)
128
--			s->flags |= SN_FINST_H;
129
--		else
130
--			s->flags |= SN_FINST_D;
131
--	}
132
--
133
--	if (txn->status > 0) {
134
--		/* Don't send any error message if something was already sent */
135
--		stream_int_retnclose(req->prod, NULL);
136
--	}
137
--	else {
138
--		txn->status = 504;
139
--		stream_int_retnclose(req->prod, http_error_message(s, HTTP_ERR_504));
140
--	}
141
--
142
--	msg->msg_state = HTTP_MSG_ERROR;
143
--	req->analysers = 0;
144
--	s->rep->analysers = 0; /* we're in data phase, we want to abort both directions */
145
--
146
--	s->be->be_counters.failed_resp++;
147
--	if (objt_server(s->target)) {
148
--		objt_server(s->target)->counters.failed_resp++;
149
--		health_adjust(objt_server(s->target), HANA_STATUS_HTTP_READ_TIMEOUT);
150
--	}
151
--	return 0;
152
- }
153
- 
154
- /* This stream analyser waits for a complete HTTP response. It returns 1 if the
155
-@@ -5821,11 +5747,8 @@ int http_wait_for_response(struct session *s, struct channel *rep, int an_bit)
156
- 			return 0;
157
- 		}
158
- 
159
--		/* read/write timeout : return a 504 to the client.
160
--		 * The write timeout may happen when we're uploading POST
161
--		 * data that the server is not consuming fast enough.
162
--		 */
163
--		else if (rep->flags & (CF_READ_TIMEOUT|CF_WRITE_TIMEOUT)) {
164
-+		/* read timeout : return a 504 to the client. */
165
-+		else if (rep->flags & CF_READ_TIMEOUT) {
166
- 			if (msg->err_pos >= 0)
167
- 				http_capture_bad_message(&s->be->invalid_rep, s, msg, msg->msg_state, s->fe);
168
- 			else if (txn->flags & TX_NOT_FIRST)
169
-@@ -5921,12 +5844,6 @@ int http_wait_for_response(struct session *s, struct channel *rep, int an_bit)
170
- 			return 0;
171
- 		}
172
- 
173
--		/* we don't want to expire on the server side first until the client
174
--		 * has sent all the expected message body.
175
--		 */
176
--		if (txn->req.msg_state >= HTTP_MSG_BODY && txn->req.msg_state < HTTP_MSG_DONE)
177
--			rep->flags |= CF_READ_NOEXP;
178
--
179
- 		channel_dont_close(rep);
180
- 		rep->flags |= CF_READ_DONTWAIT; /* try to get back here ASAP */
181
- 		return 0;
182
-@@ -6742,12 +6659,6 @@ int http_response_forward_body(struct session *s, struct channel *res, int an_bi
183
- 				}
184
- 				return 1;
185
- 			}
186
--
187
--			/* if we received everything, we don't want to expire anymore */
188
--			if (msg->msg_state == HTTP_MSG_DONE) {
189
--				res->flags |= CF_READ_NOEXP;
190
--				res->rex = TICK_ETERNITY;
191
--			}
192
- 			return 0;
193
- 		}
194
- 	}
195
-diff --git a/src/session.c b/src/session.c
196
-index f828d9c..e26f5ad 100644
197
---- a/src/session.c
198
-+++ b/src/session.c
199
-@@ -1636,7 +1636,6 @@ struct task *process_session(struct task *t)
200
- 	unsigned int rq_prod_last, rq_cons_last;
201
- 	unsigned int rp_cons_last, rp_prod_last;
202
- 	unsigned int req_ana_back;
203
--	unsigned int rq_oneshot, rp_oneshot;
204
- 
205
- 	//DPRINTF(stderr, "%s:%d: cs=%d ss=%d(%d) rqf=0x%08x rpf=0x%08x\n", __FUNCTION__, __LINE__,
206
- 	//        s->si[0].state, s->si[1].state, s->si[1].err_type, s->req->flags, s->rep->flags);
207
-@@ -1644,13 +1643,9 @@ struct task *process_session(struct task *t)
208
- 	/* this data may be no longer valid, clear it */
209
- 	memset(&s->txn.auth, 0, sizeof(s->txn.auth));
210
- 
211
--	/* These flags must explicitly be set every time by the analysers who
212
--	 * need them, but we won't always call them (eg: during a connection
213
--	 * retry). So we need to keep them and only clear them if we're sure
214
--	 * to call the analysers.
215
--	 */
216
--	rq_oneshot = s->req->flags & (CF_READ_NOEXP | CF_WAKE_WRITE);
217
--	rp_oneshot = s->rep->flags & (CF_READ_NOEXP | CF_WAKE_WRITE);
218
-+	/* This flag must explicitly be set every time */
219
-+	s->req->flags &= ~(CF_READ_NOEXP|CF_WAKE_WRITE);
220
-+	s->rep->flags &= ~(CF_READ_NOEXP|CF_WAKE_WRITE);
221
- 
222
- 	/* Keep a copy of req/rep flags so that we can detect shutdowns */
223
- 	rqf_last = s->req->flags & ~CF_MASK_ANALYSER;
224
-@@ -1831,8 +1826,6 @@ struct task *process_session(struct task *t)
225
- 	    s->si[1].state != rq_cons_last) {
226
- 		unsigned int flags = s->req->flags;
227
- 
228
--		s->req->flags &= ~rq_oneshot;
229
--		rq_oneshot = 0;
230
- 		if (s->req->prod->state >= SI_ST_EST) {
231
- 			int max_loops = global.tune.maxpollevents;
232
- 			unsigned int ana_list;
233
-@@ -1986,13 +1979,11 @@ struct task *process_session(struct task *t)
234
- 	/* Analyse response */
235
- 
236
- 	if (((s->rep->flags & ~rpf_last) & CF_MASK_ANALYSER) ||
237
--	    ((s->rep->flags ^ rpf_last) & CF_MASK_STATIC) ||
238
--	    s->si[0].state != rp_cons_last ||
239
--	    s->si[1].state != rp_prod_last) {
240
-+		 (s->rep->flags ^ rpf_last) & CF_MASK_STATIC ||
241
-+		 s->si[0].state != rp_cons_last ||
242
-+		 s->si[1].state != rp_prod_last) {
243
- 		unsigned int flags = s->rep->flags;
244
- 
245
--		s->rep->flags &= ~rp_oneshot;
246
--		rp_oneshot = 0;
247
- 		if ((s->rep->flags & CF_MASK_ANALYSER) &&
248
- 		    (s->rep->analysers & AN_REQ_WAIT_HTTP)) {
249
- 			/* Due to HTTP pipelining, the HTTP request analyser might be waiting
250
-@@ -2186,9 +2177,6 @@ struct task *process_session(struct task *t)
251
- 		channel_auto_close(s->req);
252
- 		buffer_flush(s->req->buf);
253
- 
254
--		s->req->flags &= ~rq_oneshot;
255
--		rq_oneshot = 0;
256
--
257
- 		/* We'll let data flow between the producer (if still connected)
258
- 		 * to the consumer (which might possibly not be connected yet).
259
- 		 */
260
-@@ -2344,9 +2332,6 @@ struct task *process_session(struct task *t)
261
- 		channel_auto_close(s->rep);
262
- 		buffer_flush(s->rep->buf);
263
- 
264
--		s->rep->flags &= ~rp_oneshot;
265
--		rp_oneshot = 0;
266
--
267
- 		/* We'll let data flow between the producer (if still connected)
268
- 		 * to the consumer.
269
- 		 */
270
-@@ -2496,6 +2481,20 @@ struct task *process_session(struct task *t)
271
- 		s->si[0].flags &= ~(SI_FL_ERR|SI_FL_EXP);
272
- 		s->si[1].flags &= ~(SI_FL_ERR|SI_FL_EXP);
273
- 
274
-+		/* Trick: if a request is being waiting for the server to respond,
275
-+		 * and if we know the server can timeout, we don't want the timeout
276
-+		 * to expire on the client side first, but we're still interested
277
-+		 * in passing data from the client to the server (eg: POST). Thus,
278
-+		 * we can cancel the client's request timeout if the server's
279
-+		 * request timeout is set and the server has not yet sent a response.
280
-+		 */
281
-+
282
-+		if ((s->rep->flags & (CF_AUTO_CLOSE|CF_SHUTR)) == 0 &&
283
-+		    (tick_isset(s->req->wex) || tick_isset(s->rep->rex))) {
284
-+			s->req->flags |= CF_READ_NOEXP;
285
-+			s->req->rex = TICK_ETERNITY;
286
-+		}
287
-+
288
- 		/* When any of the stream interfaces is attached to an applet,
289
- 		 * we have to call it here. Note that this one may wake the
290
- 		 * task up again. If at least one applet was called, the current
291
-1.8.5.5
292
-

+ 0
- 109
net/haproxy/patches/0006-BUG-MINOR-logs-properly-initialize-and-count-log-soc.patch View File

@@ -1,110 +0,0 @@
1
-From 53045692e1a106016b84b63b86fbe4822e4ec755 Mon Sep 17 00:00:00 2001
2
-From: Willy Tarreau <w@1wt.eu>
3
-Date: Mon, 23 Jun 2014 18:07:15 +0200
4
-Subject: [PATCH 6/6] BUG/MINOR: logs: properly initialize and count log
5
- sockets
6
-
7
-Commit 81ae195 ("[MEDIUM] add support for logging via a UNIX socket")
8
-merged in 1.3.14 introduced a few minor issues with log sockets. All
9
-of them happen only when a failure is encountered when trying to set
10
-up the logging socket (eg: socket family is not available or is
11
-temporarily short in resources).
12
-
13
-The first socket which experiences an error causes the socket setup
14
-loop to abort, possibly preventing any log from being sent if it was
15
-the first logger. The second issue is that if this socket finally
16
-succeeds after a second attempt, errors are reported for the wrong
17
-logger (eg: logger #1 failed instead of #2).  The last point is that
18
-we now have multiple loggers, and it's a waste of time to walk over
19
-their list for every log while they're almost always properly set up.
20
-
21
-So in order to fix all this, let's merge the two lists. If a logger
22
-experiences an error, it simply sends an alert and skips to the next
23
-one. That way they don't prevent messages from being sent and are
24
-all properly accounted for.
25
-(cherry picked from commit c7c7be21bf6c7e9afd897d4bf451dc450187a77e)
26
----
27
- src/log.c | 49 +++++++++++++++++--------------------------------
28
- 1 file changed, 17 insertions(+), 32 deletions(-)
29
-
30
-diff --git a/src/log.c b/src/log.c
31
-index eb7ccb1..114ab7b 100644
32
---- a/src/log.c
33
-+++ b/src/log.c
34
-@@ -813,37 +813,6 @@ void __send_log(struct proxy *p, int level, char *message, size_t size)
35
- 
36
- 	message[size - 1] = '\n';
37
- 
38
--	/* Lazily set up syslog sockets for protocol families of configured
39
--	 * syslog servers. */
40
--	nblogger = 0;
41
--	list_for_each_entry(tmp, logsrvs, list) {
42
--		const struct logsrv *logsrv = tmp;
43
--		int proto, *plogfd;
44
--
45
--		if (logsrv->addr.ss_family == AF_UNIX) {
46
--			proto = 0;
47
--			plogfd = &logfdunix;
48
--		} else {
49
--			proto = IPPROTO_UDP;
50
--			plogfd = &logfdinet;
51
--		}
52
--		if (*plogfd >= 0) {
53
--			/* socket already created. */
54
--			continue;
55
--		}
56
--		if ((*plogfd = socket(logsrv->addr.ss_family, SOCK_DGRAM,
57
--				proto)) < 0) {
58
--			Alert("socket for logger #%d failed: %s (errno=%d)\n",
59
--				nblogger + 1, strerror(errno), errno);
60
--			return;
61
--		}
62
--		/* we don't want to receive anything on this socket */
63
--		setsockopt(*plogfd, SOL_SOCKET, SO_RCVBUF, &zero, sizeof(zero));
64
--		/* does nothing under Linux, maybe needed for others */
65
--		shutdown(*plogfd, SHUT_RD);
66
--		nblogger++;
67
--	}
68
--
69
- 	/* Send log messages to syslog server. */
70
- 	nblogger = 0;
71
- 	list_for_each_entry(tmp, logsrvs, list) {
72
-@@ -852,10 +821,27 @@ void __send_log(struct proxy *p, int level, char *message, size_t size)
73
- 			&logfdunix : &logfdinet;
74
- 		int sent;
75
- 
76
-+		nblogger++;
77
-+
78
- 		/* we can filter the level of the messages that are sent to each logger */
79
- 		if (level > logsrv->level)
80
- 			continue;
81
- 
82
-+		if (unlikely(*plogfd < 0)) {
83
-+			/* socket not successfully initialized yet */
84
-+			int proto = logsrv->addr.ss_family == AF_UNIX ? 0 : IPPROTO_UDP;
85
-+
86
-+			if ((*plogfd = socket(logsrv->addr.ss_family, SOCK_DGRAM, proto)) < 0) {
87
-+				Alert("socket for logger #%d failed: %s (errno=%d)\n",
88
-+				      nblogger, strerror(errno), errno);
89
-+				continue;
90
-+			}
91
-+			/* we don't want to receive anything on this socket */
92
-+			setsockopt(*plogfd, SOL_SOCKET, SO_RCVBUF, &zero, sizeof(zero));
93
-+			/* does nothing under Linux, maybe needed for others */
94
-+			shutdown(*plogfd, SHUT_RD);
95
-+		}
96
-+
97
- 		/* For each target, we may have a different facility.
98
- 		 * We can also have a different log level for each message.
99
- 		 * This induces variations in the message header length.
100
-@@ -879,7 +865,6 @@ void __send_log(struct proxy *p, int level, char *message, size_t size)
101
- 			Alert("sendto logger #%d failed: %s (errno=%d)\n",
102
- 				nblogger, strerror(errno), errno);
103
- 		}
104
--		nblogger++;
105
- 	}
106
- }
107
- 
108
-1.8.5.5
109
-