mirror/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git synced 2026-02-12 20:42:37 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
5dff6e439db455fcf745dc24e88ace996f7d0aaa
haproxy/src/proxy.c
Amaury Denoyelle 5dff6e439d BUG/MINOR: proxy: fix clang build error on "add backend" handler 
This patch fixes the following compilation error :
  src/proxy.c:4954:12: error: format string is not a string literal
        (potentially insecure) [-Werror,-Wformat-security]
   4954 |         ha_notice(msg);
        |                   ^~~

No need to backport.
2026-02-06 21:17:18 +01:00

5314 lines
166 KiB
C
Raw Blame History

/*
* Proxy variables and functions.
*
* Copyright 2000-2009 Willy Tarreau <w@1wt.eu>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <import/cebis_tree.h>
#include <import/eb32tree.h>
#include <haproxy/acl.h>
#include <haproxy/api.h>
#include <haproxy/applet.h>
#include <haproxy/backend.h>
#include <haproxy/capture-t.h>
#include <haproxy/cfgparse.h>
#include <haproxy/cli.h>
#include <haproxy/counters.h>
#include <haproxy/errors.h>
#include <haproxy/fd.h>
#include <haproxy/filters.h>
#include <haproxy/frontend.h>
#include <haproxy/global.h>
#include <haproxy/guid.h>
#include <haproxy/http_ana.h>
#include <haproxy/http_htx.h>
#include <haproxy/http_ext.h>
#include <haproxy/http_rules.h>
#include <haproxy/mailers.h>
#include <haproxy/listener.h>
#include <haproxy/lb_chash.h>
#include <haproxy/lb_fas.h>
#include <haproxy/lb_fwlc.h>
#include <haproxy/lb_fwrr.h>
#include <haproxy/lb_map.h>
#include <haproxy/lb_ss.h>
#include <haproxy/log.h>
#include <haproxy/obj_type-t.h>
#include <haproxy/peers.h>
#include <haproxy/pool.h>
#include <haproxy/protocol.h>
#include <haproxy/proto_tcp.h>
#include <haproxy/proxy.h>
#include <haproxy/sc_strm.h>
#include <haproxy/quic_tp.h>
#include <haproxy/quic_tune.h>
#include <haproxy/server-t.h>
#include <haproxy/signal.h>
#include <haproxy/stats.h>
#include <haproxy/stconn.h>
#include <haproxy/stream.h>
#include <haproxy/task.h>
#include <haproxy/tcpcheck.h>
#include <haproxy/thread.h>
#include <haproxy/time.h>
#include <haproxy/tools.h>
#include <haproxy/uri_auth.h>
int listeners; /* # of proxy listeners, set by cfgparse */
struct proxy *proxies_list = NULL; /* list of main proxies */
struct list proxies = LIST_HEAD_INIT(proxies); /* list of all proxies */
struct ceb_root *used_proxy_id = NULL; /* list of proxy IDs in use */
struct ceb_root *proxy_by_name = NULL; /* tree of proxies sorted by name */
struct ceb_root *defproxy_by_name = NULL; /* tree of default proxies sorted by name (dups possible) */
struct list defaults_list = LIST_HEAD_INIT(defaults_list); /* list of all defaults proxies */
unsigned int error_snapshot_id = 0; /* global ID assigned to each error then incremented */
unsigned int dynpx_next_id = 0; /* lowest ID assigned to dynamic proxies */
/* CLI context used during "show servers {state|conn}" */
struct show_srv_ctx {
struct proxy *px; /* current proxy to dump or NULL */
struct server *sv; /* current server to dump or NULL */
uint only_pxid; /* dump only this proxy ID when explicit */
int show_conn; /* non-zero = "conn" otherwise "state" */
enum {
SHOW_SRV_HEAD = 0,
SHOW_SRV_LIST,
} state;
};
/* proxy->options */
const struct cfg_opt cfg_opts[] =
{
{ "abortonclose", PR_O_ABRT_CLOSE, PR_CAP_BE|PR_CAP_FE, 0, 0 },
{ "allbackups", PR_O_USE_ALL_BK, PR_CAP_BE, 0, 0 },
{ "checkcache", PR_O_CHK_CACHE, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "clitcpka", PR_O_TCP_CLI_KA, PR_CAP_FE, 0, 0 },
{ "contstats", PR_O_CONTSTATS, PR_CAP_FE, 0, 0 },
{ "dontlognull", PR_O_NULLNOLOG, PR_CAP_FE, 0, 0 },
{ "http-buffer-request", PR_O_WREQ_BODY, PR_CAP_FE | PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-drop-request-trailers", PR_O_HTTP_DROP_REQ_TRLS, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-drop-response-trailers", PR_O_HTTP_DROP_RES_TRLS, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "http-ignore-probes", PR_O_IGNORE_PRB, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "idle-close-on-response", PR_O_IDLE_CLOSE_RESP, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "prefer-last-server", PR_O_PREF_LAST, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "logasap", PR_O_LOGASAP, PR_CAP_FE, 0, 0 },
{ "nolinger", PR_O_TCP_NOLING, PR_CAP_FE | PR_CAP_BE, 0, 0 },
{ "persist", PR_O_PERSIST, PR_CAP_BE, 0, 0 },
{ "srvtcpka", PR_O_TCP_SRV_KA, PR_CAP_BE, 0, 0 },
#ifdef USE_TPROXY
{ "transparent", PR_O_TRANSP, PR_CAP_BE, 0, 0 },
#else
{ "transparent", 0, 0, 0, 0 },
#endif
{ NULL, 0, 0, 0, 0 }
};
/* proxy->options2 */
const struct cfg_opt cfg_opts2[] =
{
#ifdef USE_LINUX_SPLICE
{ "splice-request", PR_O2_SPLIC_REQ, PR_CAP_FE|PR_CAP_BE, 0, 0 },
{ "splice-response", PR_O2_SPLIC_RTR, PR_CAP_FE|PR_CAP_BE, 0, 0 },
{ "splice-auto", PR_O2_SPLIC_AUT, PR_CAP_FE|PR_CAP_BE, 0, 0 },
#else
{ "splice-request", 0, 0, 0, 0 },
{ "splice-response", 0, 0, 0, 0 },
{ "splice-auto", 0, 0, 0, 0 },
#endif
{ "accept-unsafe-violations-in-http-request", PR_O2_REQBUG_OK, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "accept-unsafe-violations-in-http-response", PR_O2_RSPBUG_OK, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "dontlog-normal", PR_O2_NOLOGNORM, PR_CAP_FE, 0, 0 },
{ "log-separate-errors", PR_O2_LOGERRORS, PR_CAP_FE, 0, 0 },
{ "log-health-checks", PR_O2_LOGHCHKS, PR_CAP_BE, 0, 0 },
{ "socket-stats", PR_O2_SOCKSTAT, PR_CAP_FE, 0, 0 },
{ "tcp-smart-accept", PR_O2_SMARTACC, PR_CAP_FE, 0, 0 },
{ "tcp-smart-connect", PR_O2_SMARTCON, PR_CAP_BE, 0, 0 },
{ "independent-streams", PR_O2_INDEPSTR, PR_CAP_FE|PR_CAP_BE, 0, 0 },
{ "http-use-proxy-header", PR_O2_USE_PXHDR, PR_CAP_FE, 0, PR_MODE_HTTP },
{ "http-pretend-keepalive", PR_O2_FAKE_KA, PR_CAP_BE, 0, PR_MODE_HTTP },
{ "http-no-delay", PR_O2_NODELAY, PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
{"h1-case-adjust-bogus-client", PR_O2_H1_ADJ_BUGCLI, PR_CAP_FE, 0, 0 },
{"h1-case-adjust-bogus-server", PR_O2_H1_ADJ_BUGSRV, PR_CAP_BE, 0, 0 },
{"disable-h2-upgrade", PR_O2_NO_H2_UPGRADE, PR_CAP_FE, 0, PR_MODE_HTTP },
{ NULL, 0, 0, 0 }
};
/* proxy->options3 */
const struct cfg_opt cfg_opts3[] =
{
{"assume-rfc6587-ntf", PR_O3_ASSUME_RFC6587_NTF, PR_CAP_FE, 0, PR_MODE_SYSLOG },
{"dont-parse-log", PR_O3_DONTPARSELOG, PR_CAP_FE, 0, PR_MODE_SYSLOG },
{ NULL, 0, 0, 0 }
};
/* Helper function to resolve a single sticking rule after config parsing.
* Returns 1 for success and 0 for failure
*/
int resolve_stick_rule(struct proxy *curproxy, struct sticking_rule *mrule)
{
struct stktable *target;
if (mrule->table.name)
target = stktable_find_by_name(mrule->table.name);
else
target = curproxy->table;
if (!target) {
ha_alert("Proxy '%s': unable to find stick-table '%s'.\n",
curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id);
return 0;
}
else if (!stktable_compatible_sample(mrule->expr, target->type)) {
ha_alert("Proxy '%s': type of fetch not usable with type of stick-table '%s'.\n",
curproxy->id, mrule->table.name ? mrule->table.name : curproxy->id);
return 0;
}
/* success */
ha_free(&mrule->table.name);
mrule->table.t = target;
stktable_alloc_data_type(target, STKTABLE_DT_SERVER_ID, NULL, NULL);
stktable_alloc_data_type(target, STKTABLE_DT_SERVER_KEY, NULL, NULL);
if (!in_proxies_list(target->proxies_list, curproxy)) {
curproxy->next_stkt_ref = target->proxies_list;
target->proxies_list = curproxy;
}
return 1;
}
void free_stick_rules(struct list *rules)
{
struct sticking_rule *rule, *ruleb;
list_for_each_entry_safe(rule, ruleb, rules, list) {
LIST_DELETE(&rule->list);
free_acl_cond(rule->cond);
release_sample_expr(rule->expr);
free(rule);
}
}
void free_server_rules(struct list *srules)
{
struct server_rule *srule, *sruleb;
list_for_each_entry_safe(srule, sruleb, srules, list) {
LIST_DELETE(&srule->list);
free_acl_cond(srule->cond);
lf_expr_deinit(&srule->expr);
free(srule->file);
free(srule);
}
}
/* Frees proxy members that are common to all proxy types (either regular or
* default ones) for a proxy that's about to be destroyed.
* This is a subset of the complete proxy or default proxy deinit code.
*/
static inline void proxy_free_common(struct proxy *px)
{
struct acl *acl, *aclb;
struct logger *log, *logb;
struct lf_expr *lf, *lfb;
/* note that the node's key points to p->id */
cebis_item_delete((px->cap & PR_CAP_DEF) ? &defproxy_by_name : &proxy_by_name, conf.name_node, id, px);
ha_free(&px->id);
LIST_DEL_INIT(&px->global_list);
drop_file_name(&px->conf.file);
counters_fe_shared_drop(&px->fe_counters.shared);
counters_be_shared_drop(&px->be_counters.shared);
ha_free(&px->check_command);
ha_free(&px->check_path);
ha_free(&px->cookie_name);
ha_free(&px->rdp_cookie_name);
ha_free(&px->dyncookie_key);
ha_free(&px->cookie_domain);
ha_free(&px->cookie_attrs);
ha_free(&px->lbprm.arg_str);
ha_free(&px->capture_name);
istfree(&px->monitor_uri);
ha_free(&px->conn_src.iface_name);
#if defined(CONFIG_HAP_TRANSPARENT)
ha_free(&px->conn_src.bind_hdr_name);
#endif
istfree(&px->server_id_hdr_name);
istfree(&px->header_unique_id);
http_ext_clean(px);
list_for_each_entry_safe(acl, aclb, &px->acl, list) {
LIST_DELETE(&acl->list);
prune_acl(acl);
free(acl);
}
free_act_rules(&px->tcp_req.inspect_rules);
free_act_rules(&px->tcp_rep.inspect_rules);
free_act_rules(&px->tcp_req.l4_rules);
free_act_rules(&px->tcp_req.l5_rules);
free_act_rules(&px->http_req_rules);
free_act_rules(&px->http_res_rules);
free_act_rules(&px->http_after_res_rules);
#ifdef USE_QUIC
free_act_rules(&px->quic_init_rules);
#endif
lf_expr_deinit(&px->logformat);
lf_expr_deinit(&px->logformat_sd);
lf_expr_deinit(&px->logformat_error);
lf_expr_deinit(&px->format_unique_id);
list_for_each_entry_safe(log, logb, &px->loggers, list) {
LIST_DEL_INIT(&log->list);
free_logger(log);
}
/* ensure that remaining lf_expr that were not postchecked (ie: disabled
* proxy) don't keep a reference on the proxy which is about to be freed.
*/
list_for_each_entry_safe(lf, lfb, &px->conf.lf_checks, list)
LIST_DEL_INIT(&lf->list);
chunk_destroy(&px->log_tag);
free_email_alert(px);
stats_uri_auth_drop(px->uri_auth);
px->uri_auth = NULL;
}
/* deinit all <p> proxy members, but doesn't touch to the parent pointer
* itself
*/
void deinit_proxy(struct proxy *p)
{
struct server *s;
struct cap_hdr *h,*h_next;
struct listener *l,*l_next;
struct bind_conf *bind_conf, *bind_back;
struct acl_cond *cond, *condb;
struct switching_rule *rule, *ruleb;
struct redirect_rule *rdr, *rdrb;
struct proxy_deinit_fct *pxdf;
struct server_deinit_fct *srvdf;
if (!p)
return;
proxy_free_common(p);
/* regular proxy specific cleanup */
release_sample_expr(p->lbprm.expr);
free(p->server_state_file_name);
free(p->invalid_rep);
free(p->invalid_req);
if ((p->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_MAP)
free(p->lbprm.map.srv);
list_for_each_entry_safe(cond, condb, &p->mon_fail_cond, list) {
LIST_DELETE(&cond->list);
free_acl_cond(cond);
}
guid_remove(&p->guid);
EXTRA_COUNTERS_FREE(p->extra_counters_fe);
EXTRA_COUNTERS_FREE(p->extra_counters_be);
list_for_each_entry_safe(rule, ruleb, &p->persist_rules, list) {
LIST_DELETE(&rule->list);
free_acl_cond(rule->cond);
free(rule);
}
free_server_rules(&p->server_rules);
list_for_each_entry_safe(rule, ruleb, &p->switching_rules, list) {
LIST_DELETE(&rule->list);
free_acl_cond(rule->cond);
if (rule->dynamic)
lf_expr_deinit(&rule->be.expr);
free(rule->file);
free(rule);
}
list_for_each_entry_safe(rdr, rdrb, &p->redirect_rules, list) {
LIST_DELETE(&rdr->list);
http_free_redirect_rule(rdr);
}
free_stick_rules(&p->storersp_rules);
free_stick_rules(&p->sticking_rules);
h = p->req_cap;
while (h) {
if (p->defpx && h == p->defpx->req_cap)
break;
h_next = h->next;
free(h->name);
pool_destroy(h->pool);
free(h);
h = h_next;
}/* end while(h) */
h = p->rsp_cap;
while (h) {
if (p->defpx && h == p->defpx->rsp_cap)
break;
h_next = h->next;
free(h->name);
pool_destroy(h->pool);
free(h);
h = h_next;
}/* end while(h) */
s = p->srv;
while (s) {
list_for_each_entry(srvdf, &server_deinit_list, list)
srvdf->fct(s);
if (p->lbprm.server_deinit)
p->lbprm.server_deinit(s);
s = srv_drop(s);
}/* end while(s) */
/* also free default-server parameters since some of them might have
* been dynamically allocated (e.g.: config hints, cookies, ssl..)
*/
if (p->defsrv) {
srv_free_params(p->defsrv);
srv_free(&p->defsrv);
}
if (p->lbprm.proxy_deinit)
p->lbprm.proxy_deinit(p);
list_for_each_entry_safe(l, l_next, &p->conf.listeners, by_fe) {
guid_remove(&l->guid);
LIST_DELETE(&l->by_fe);
LIST_DELETE(&l->by_bind);
free(l->name);
free(l->label);
free(l->per_thr);
if (l->counters) {
counters_fe_shared_drop(&l->counters->shared);
free(l->counters);
}
task_destroy(l->rx.rhttp.task);
EXTRA_COUNTERS_FREE(l->extra_counters);
free(l);
}
/* Release unused SSL configs. */
list_for_each_entry_safe(bind_conf, bind_back, &p->conf.bind, by_fe) {
if (bind_conf->xprt->destroy_bind_conf)
bind_conf->xprt->destroy_bind_conf(bind_conf);
free(bind_conf->file);
free(bind_conf->arg);
free(bind_conf->settings.interface);
LIST_DELETE(&bind_conf->by_fe);
free(bind_conf->guid_prefix);
free(bind_conf->rhttp_srvname);
free(bind_conf->tcp_md5sig);
free(bind_conf->cc_algo);
free(bind_conf);
}
flt_deinit(p);
list_for_each_entry(pxdf, &proxy_deinit_list, list)
pxdf->fct(p);
free(p->desc);
task_destroy(p->task);
pool_destroy(p->req_cap_pool);
pool_destroy(p->rsp_cap_pool);
stktable_deinit(p->table);
ha_free(&p->table);
ha_free(&p->per_tgrp);
HA_RWLOCK_DESTROY(&p->lbprm.lock);
HA_RWLOCK_DESTROY(&p->lock);
proxy_unref_defaults(p);
}
/* deinit and free <p> proxy */
void free_proxy(struct proxy *p)
{
deinit_proxy(p);
ha_free(&p);
}
/*
* This function returns a string containing a name describing capabilities to
* report comprehensible error messages. Specifically, it will return the words
* "frontend", "backend" when appropriate, "defaults" if it corresponds to a
* defaults section, or "proxy" for all other cases including the proxies
* declared in "listen" mode.
*/
const char *proxy_cap_str(int cap)
{
if (cap & PR_CAP_DEF)
return "defaults";
if ((cap & PR_CAP_LISTEN) != PR_CAP_LISTEN) {
if (cap & PR_CAP_FE)
return "frontend";
else if (cap & PR_CAP_BE)
return "backend";
}
return "proxy";
}
/*
* This function returns a string containing the mode of the proxy in a format
* suitable for error messages.
*/
const char *proxy_mode_str(int mode) {
if (mode == PR_MODE_TCP)
return "tcp";
else if (mode == PR_MODE_HTTP)
return "http";
else if (mode == PR_MODE_CLI)
return "cli";
else if (mode == PR_MODE_SYSLOG)
return "syslog";
else if (mode == PR_MODE_PEERS)
return "peers";
else if (mode == PR_MODE_SPOP)
return "spop";
else
return "unknown";
}
/* Convert <mode> string into proxy mode type. PR_MODES is returned for unknown values. */
enum pr_mode str_to_proxy_mode(const char *mode)
{
if (strcmp(mode, "http") == 0)
return PR_MODE_HTTP;
else if (strcmp(mode, "tcp") == 0)
return PR_MODE_TCP;
else if (strcmp(mode, "log") == 0)
return PR_MODE_SYSLOG;
else if (strcmp(mode, "spop") == 0)
return PR_MODE_SPOP;
return PR_MODES;
}
/* try to find among known options the one that looks closest to <word> by
* counting transitions between letters, digits and other characters. Will
* return the best matching word if found, otherwise NULL. An optional array
* of extra words to compare may be passed in <extra>, but it must then be
* terminated by a NULL entry. If unused it may be NULL.
*/
const char *proxy_find_best_option(const char *word, const char **extra)
{
uint8_t word_sig[1024];
uint8_t list_sig[1024];
const char *best_ptr = NULL;
int dist, best_dist = INT_MAX;
int index;
make_word_fingerprint(word_sig, word);
for (index = 0; cfg_opts[index].name; index++) {
make_word_fingerprint(list_sig, cfg_opts[index].name);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_ptr = cfg_opts[index].name;
}
}
for (index = 0; cfg_opts2[index].name; index++) {
make_word_fingerprint(list_sig, cfg_opts2[index].name);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_ptr = cfg_opts2[index].name;
}
}
while (extra && *extra) {
make_word_fingerprint(list_sig, *extra);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_ptr = *extra;
}
extra++;
}
if (best_dist > 2 * strlen(word) || (best_ptr && best_dist > 2 * strlen(best_ptr)))
best_ptr = NULL;
return best_ptr;
}
/* This function returns the first unused proxy ID greater than or equal to
* <from> in used_proxy_id. Zero is returned if no spare one is found (should
* never happen).
*/
uint proxy_get_next_id(uint from)
{
const struct proxy *px;
do {
px = ceb32_item_lookup_ge(&used_proxy_id, conf.uuid_node, uuid, from, struct proxy);
if (!px || px->uuid > from)
return from; /* available */
from++;
} while (from);
return from;
}
/* This function parses a "timeout" statement in a proxy section. It returns
* -1 if there is any error, 1 for a warning, otherwise zero. If it does not
* return zero, it will write an error or warning message into a preallocated
* buffer returned at <err>. The trailing is not be written. The function must
* be called with <args> pointing to the first command line word, with <proxy>
* pointing to the proxy being parsed, and <defpx> to the default proxy or NULL.
* As a special case for compatibility with older configs, it also accepts
* "{cli|srv|con}timeout" in args[0].
*/
static int proxy_parse_timeout(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
unsigned timeout;
int retval, cap;
const char *res, *name;
int *tv = NULL;
const int *td = NULL;
retval = 0;
/* simply skip "timeout" but remain compatible with old form */
if (strcmp(args[0], "timeout") == 0)
args++;
name = args[0];
if (strcmp(args[0], "client") == 0) {
name = "client";
tv = &proxy->timeout.client;
td = &defpx->timeout.client;
cap = PR_CAP_FE;
} else if (strcmp(args[0], "tarpit") == 0) {
tv = &proxy->timeout.tarpit;
td = &defpx->timeout.tarpit;
cap = PR_CAP_FE | PR_CAP_BE;
} else if (strcmp(args[0], "client-hs") == 0) {
tv = &proxy->timeout.client_hs;
td = &defpx->timeout.client_hs;
cap = PR_CAP_FE;
} else if (strcmp(args[0], "http-keep-alive") == 0) {
tv = &proxy->timeout.httpka;
td = &defpx->timeout.httpka;
cap = PR_CAP_FE | PR_CAP_BE;
} else if (strcmp(args[0], "http-request") == 0) {
tv = &proxy->timeout.httpreq;
td = &defpx->timeout.httpreq;
cap = PR_CAP_FE | PR_CAP_BE;
} else if (strcmp(args[0], "server") == 0) {
name = "server";
tv = &proxy->timeout.server;
td = &defpx->timeout.server;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "connect") == 0) {
name = "connect";
tv = &proxy->timeout.connect;
td = &defpx->timeout.connect;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "check") == 0) {
tv = &proxy->timeout.check;
td = &defpx->timeout.check;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "queue") == 0) {
tv = &proxy->timeout.queue;
td = &defpx->timeout.queue;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "tunnel") == 0) {
tv = &proxy->timeout.tunnel;
td = &defpx->timeout.tunnel;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "client-fin") == 0) {
tv = &proxy->timeout.clientfin;
td = &defpx->timeout.clientfin;
cap = PR_CAP_FE;
} else if (strcmp(args[0], "server-fin") == 0) {
tv = &proxy->timeout.serverfin;
td = &defpx->timeout.serverfin;
cap = PR_CAP_BE;
} else if (strcmp(args[0], "clitimeout") == 0) {
memprintf(err, "the '%s' directive is not supported anymore since HAProxy 2.1. Use 'timeout client'.", args[0]);
return -1;
} else if (strcmp(args[0], "srvtimeout") == 0) {
memprintf(err, "the '%s' directive is not supported anymore since HAProxy 2.1. Use 'timeout server'.", args[0]);
return -1;
} else if (strcmp(args[0], "contimeout") == 0) {
memprintf(err, "the '%s' directive is not supported anymore since HAProxy 2.1. Use 'timeout connect'.", args[0]);
return -1;
} else {
memprintf(err,
"'timeout' supports 'client', 'server', 'connect', 'check', "
"'queue', 'handshake', 'http-keep-alive', 'http-request', 'tunnel', 'tarpit', "
"'client-fin' and 'server-fin' (got '%s')",
args[0]);
return -1;
}
if (*args[1] == 0) {
memprintf(err, "'timeout %s' expects an integer value (in milliseconds)", name);
return -1;
}
res = parse_time_err(args[1], &timeout, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to 'timeout %s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], name);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to 'timeout %s' (minimum non-null value is 1 ms)",
args[1], name);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in 'timeout %s'", *res, name);
return -1;
}
if (warn_if_lower(args[1], 100)) {
memprintf(err, "'timeout %s %u' in %s '%s' is suspiciously small for a value in milliseconds. Please use an explicit unit ('%ums') if that was the intent.",
name, timeout, proxy_type_str(proxy), proxy->id, timeout);
retval = 1;
}
if (!(proxy->cap & cap)) {
memprintf(err, "'timeout %s' will be ignored because %s '%s' has no %s capability",
name, proxy_type_str(proxy), proxy->id,
(cap & PR_CAP_BE) ? "backend" : "frontend");
retval = 1;
}
else if (defpx && *tv != *td) {
memprintf(err, "overwriting 'timeout %s' which was already specified", name);
retval = 1;
}
if (*args[2] != 0) {
memprintf(err, "'timeout %s' : unexpected extra argument '%s' after value '%s'.", name, args[2], args[1]);
retval = -1;
}
*tv = MS_TO_TICKS(timeout);
return retval;
}
/* This function parses a "rate-limit" statement in a proxy section. It returns
* -1 if there is any error, 1 for a warning, otherwise zero. If it does not
* return zero, it will write an error or warning message into a preallocated
* buffer returned at <err>. The function must be called with <args> pointing
* to the first command line word, with <proxy> pointing to the proxy being
* parsed, and <defpx> to the default proxy or NULL.
*/
static int proxy_parse_rate_limit(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int retval;
char *res;
unsigned int *tv = NULL;
const unsigned int *td = NULL;
unsigned int val;
retval = 0;
if (strcmp(args[1], "sessions") == 0) {
tv = &proxy->fe_sps_lim;
td = &defpx->fe_sps_lim;
}
else {
memprintf(err, "'%s' only supports 'sessions' (got '%s')", args[0], args[1]);
return -1;
}
if (*args[2] == 0) {
memprintf(err, "'%s %s' expects expects an integer value (in sessions/second)", args[0], args[1]);
return -1;
}
val = strtoul(args[2], &res, 0);
if (*res) {
memprintf(err, "'%s %s' : unexpected character '%c' in integer value '%s'", args[0], args[1], *res, args[2]);
return -1;
}
if (!(proxy->cap & PR_CAP_FE)) {
memprintf(err, "%s %s will be ignored because %s '%s' has no frontend capability",
args[0], args[1], proxy_type_str(proxy), proxy->id);
retval = 1;
}
else if (defpx && *tv != *td) {
memprintf(err, "overwriting %s %s which was already specified", args[0], args[1]);
retval = 1;
}
*tv = val;
return retval;
}
/* This function parses a "max-keep-alive-queue" statement in a proxy section.
* It returns -1 if there is any error, 1 for a warning, otherwise zero. If it
* does not return zero, it will write an error or warning message into a
* preallocated buffer returned at <err>. The function must be called with
* <args> pointing to the first command line word, with <proxy> pointing to
* the proxy being parsed, and <defpx> to the default proxy or NULL.
*/
static int proxy_parse_max_ka_queue(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int retval;
char *res;
unsigned int val;
retval = 0;
if (*args[1] == 0) {
memprintf(err, "'%s' expects expects an integer value (or -1 to disable)", args[0]);
return -1;
}
val = strtol(args[1], &res, 0);
if (*res) {
memprintf(err, "'%s' : unexpected character '%c' in integer value '%s'", args[0], *res, args[1]);
return -1;
}
if (!(proxy->cap & PR_CAP_BE)) {
memprintf(err, "%s will be ignored because %s '%s' has no backend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
/* we store <val+1> so that a user-facing value of -1 is stored as zero (default) */
proxy->max_ka_queue = val + 1;
return retval;
}
/* This function parses a "declare" statement in a proxy section. It returns -1
* if there is any error, 1 for warning, otherwise 0. If it does not return zero,
* it will write an error or warning message into a preallocated buffer returned
* at <err>. The function must be called with <args> pointing to the first command
* line word, with <proxy> pointing to the proxy being parsed, and <defpx> to the
* default proxy or NULL.
*/
static int proxy_parse_declare(char **args, int section, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
/* Capture keyword wannot be declared in a default proxy. */
if (curpx == defpx) {
memprintf(err, "'%s' not available in default section", args[0]);
return -1;
}
/* Capture keyword is only available in frontend. */
if (!(curpx->cap & PR_CAP_FE)) {
memprintf(err, "'%s' only available in frontend or listen section", args[0]);
return -1;
}
/* Check mandatory second keyword. */
if (!args[1] || !*args[1]) {
memprintf(err, "'%s' needs a second keyword that specify the type of declaration ('capture')", args[0]);
return -1;
}
/* Actually, declare is only available for declaring capture
* slot, but in the future it can declare maps or variables.
* So, this section permits to check and switch according with
* the second keyword.
*/
if (strcmp(args[1], "capture") == 0) {
char *error = NULL;
long len;
struct cap_hdr *hdr;
/* Check the next keyword. */
if (!args[2] || !*args[2] ||
(strcmp(args[2], "response") != 0 &&
strcmp(args[2], "request") != 0)) {
memprintf(err, "'%s %s' requires a direction ('request' or 'response')", args[0], args[1]);
return -1;
}
/* Check the 'len' keyword. */
if (!args[3] || !*args[3] || strcmp(args[3], "len") != 0) {
memprintf(err, "'%s %s' requires a capture length ('len')", args[0], args[1]);
return -1;
}
/* Check the length value. */
if (!args[4] || !*args[4]) {
memprintf(err, "'%s %s': 'len' requires a numeric value that represents the "
"capture length",
args[0], args[1]);
return -1;
}
/* convert the length value. */
len = strtol(args[4], &error, 10);
if (*error != '\0') {
memprintf(err, "'%s %s': cannot parse the length '%s'.",
args[0], args[1], args[3]);
return -1;
}
/* check length. */
if (len <= 0) {
memprintf(err, "length must be > 0");
return -1;
}
/* register the capture. */
hdr = calloc(1, sizeof(*hdr));
if (!hdr) {
memprintf(err, "proxy '%s': out of memory while registering a capture", curpx->id);
return -1;
}
hdr->name = NULL; /* not a header capture */
hdr->namelen = 0;
hdr->len = len;
hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
if (!hdr->pool) {
memprintf(err, "out of memory");
free(hdr);
return -1;
}
if (strcmp(args[2], "request") == 0) {
hdr->next = curpx->req_cap;
hdr->index = curpx->nb_req_cap++;
curpx->req_cap = hdr;
}
if (strcmp(args[2], "response") == 0) {
hdr->next = curpx->rsp_cap;
hdr->index = curpx->nb_rsp_cap++;
curpx->rsp_cap = hdr;
}
return 0;
}
else {
memprintf(err, "unknown declaration type '%s' (supports 'capture')", args[1]);
return -1;
}
}
/* This function parses a "retry-on" statement */
static int
proxy_parse_retry_on(char **args, int section, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int i;
if (!(*args[1])) {
memprintf(err, "'%s' needs at least one keyword to specify when to retry", args[0]);
return -1;
}
if (!(curpx->cap & PR_CAP_BE)) {
memprintf(err, "'%s' only available in backend or listen section", args[0]);
return -1;
}
curpx->retry_type = 0;
for (i = 1; *(args[i]); i++) {
if (strcmp(args[i], "conn-failure") == 0)
curpx->retry_type |= PR_RE_CONN_FAILED;
else if (strcmp(args[i], "empty-response") == 0)
curpx->retry_type |= PR_RE_DISCONNECTED;
else if (strcmp(args[i], "response-timeout") == 0)
curpx->retry_type |= PR_RE_TIMEOUT;
else if (strcmp(args[i], "401") == 0)
curpx->retry_type |= PR_RE_401;
else if (strcmp(args[i], "403") == 0)
curpx->retry_type |= PR_RE_403;
else if (strcmp(args[i], "404") == 0)
curpx->retry_type |= PR_RE_404;
else if (strcmp(args[i], "408") == 0)
curpx->retry_type |= PR_RE_408;
else if (strcmp(args[i], "421") == 0)
curpx->retry_type |= PR_RE_421;
else if (strcmp(args[i], "425") == 0)
curpx->retry_type |= PR_RE_425;
else if (strcmp(args[i], "429") == 0)
curpx->retry_type |= PR_RE_429;
else if (strcmp(args[i], "500") == 0)
curpx->retry_type |= PR_RE_500;
else if (strcmp(args[i], "501") == 0)
curpx->retry_type |= PR_RE_501;
else if (strcmp(args[i], "502") == 0)
curpx->retry_type |= PR_RE_502;
else if (strcmp(args[i], "503") == 0)
curpx->retry_type |= PR_RE_503;
else if (strcmp(args[i], "504") == 0)
curpx->retry_type |= PR_RE_504;
else if (strcmp(args[i], "0rtt-rejected") == 0)
curpx->retry_type |= PR_RE_EARLY_ERROR;
else if (strcmp(args[i], "junk-response") == 0)
curpx->retry_type |= PR_RE_JUNK_REQUEST;
else if (!(strcmp(args[i], "all-retryable-errors")))
curpx->retry_type |= PR_RE_CONN_FAILED | PR_RE_DISCONNECTED |
PR_RE_TIMEOUT | PR_RE_500 | PR_RE_502 |
PR_RE_503 | PR_RE_504 | PR_RE_EARLY_ERROR |
PR_RE_JUNK_REQUEST;
else if (strcmp(args[i], "none") == 0) {
if (i != 1 || *args[i + 1]) {
memprintf(err, "'%s' 'none' keyworld only usable alone", args[0]);
return -1;
}
} else {
memprintf(err, "'%s': unknown keyword '%s'", args[0], args[i]);
return -1;
}
}
return 0;
}
/* This function parses a "hash-preserve-affinity" statement */
static int
proxy_parse_hash_preserve_affinity(char **args, int section, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
if (!(*args[1])) {
memprintf(err, "'%s' needs a keyword to specify when to preserve hash affinity", args[0]);
return -1;
}
if (!(curpx->cap & PR_CAP_BE)) {
memprintf(err, "'%s' only available in backend or listen section", args[0]);
return -1;
}
curpx->options3 &= ~PR_O3_HASHAFNTY_MASK;
if (strcmp(args[1], "always") == 0)
curpx->options3 |= PR_O3_HASHAFNTY_ALWS;
else if (strcmp(args[1], "maxconn") == 0)
curpx->options3 |= PR_O3_HASHAFNTY_MAXCONN;
else if (strcmp(args[1], "maxqueue") == 0)
curpx->options3 |= PR_O3_HASHAFNTY_MAXQUEUE;
else {
memprintf(err, "'%s': unknown keyword '%s'", args[0], args[1]);
return -1;
}
return 0;
}
#ifdef TCP_KEEPCNT
/* This function parses "{cli|srv}tcpka-cnt" statements */
static int proxy_parse_tcpka_cnt(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int retval;
char *res;
unsigned int tcpka_cnt;
retval = 0;
if (*args[1] == 0) {
memprintf(err, "'%s' expects an integer value", args[0]);
return -1;
}
tcpka_cnt = strtol(args[1], &res, 0);
if (*res) {
memprintf(err, "'%s' : unexpected character '%c' in integer value '%s'", args[0], *res, args[1]);
return -1;
}
if (strcmp(args[0], "clitcpka-cnt") == 0) {
if (!(proxy->cap & PR_CAP_FE)) {
memprintf(err, "%s will be ignored because %s '%s' has no frontend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->clitcpka_cnt = tcpka_cnt;
} else if (strcmp(args[0], "srvtcpka-cnt") == 0) {
if (!(proxy->cap & PR_CAP_BE)) {
memprintf(err, "%s will be ignored because %s '%s' has no backend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->srvtcpka_cnt = tcpka_cnt;
} else {
/* unreachable */
memprintf(err, "'%s': unknown keyword", args[0]);
return -1;
}
return retval;
}
#endif
#ifdef TCP_KEEPIDLE
/* This function parses "{cli|srv}tcpka-idle" statements */
static int proxy_parse_tcpka_idle(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int retval;
const char *res;
unsigned int tcpka_idle;
retval = 0;
if (*args[1] == 0) {
memprintf(err, "'%s' expects an integer value", args[0]);
return -1;
}
res = parse_time_err(args[1], &tcpka_idle, TIME_UNIT_S);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to '%s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], args[0]);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to '%s' (minimum non-null value is 1 ms)",
args[1], args[0]);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.\n", *res, args[0]);
return -1;
}
if (strcmp(args[0], "clitcpka-idle") == 0) {
if (!(proxy->cap & PR_CAP_FE)) {
memprintf(err, "%s will be ignored because %s '%s' has no frontend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->clitcpka_idle = tcpka_idle;
} else if (strcmp(args[0], "srvtcpka-idle") == 0) {
if (!(proxy->cap & PR_CAP_BE)) {
memprintf(err, "%s will be ignored because %s '%s' has no backend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->srvtcpka_idle = tcpka_idle;
} else {
/* unreachable */
memprintf(err, "'%s': unknown keyword", args[0]);
return -1;
}
return retval;
}
#endif
#ifdef TCP_KEEPINTVL
/* This function parses "{cli|srv}tcpka-intvl" statements */
static int proxy_parse_tcpka_intvl(char **args, int section, struct proxy *proxy,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int retval;
const char *res;
unsigned int tcpka_intvl;
retval = 0;
if (*args[1] == 0) {
memprintf(err, "'%s' expects an integer value", args[0]);
return -1;
}
res = parse_time_err(args[1], &tcpka_intvl, TIME_UNIT_S);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to '%s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], args[0]);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to '%s' (minimum non-null value is 1 ms)",
args[1], args[0]);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.\n", *res, args[0]);
return -1;
}
if (strcmp(args[0], "clitcpka-intvl") == 0) {
if (!(proxy->cap & PR_CAP_FE)) {
memprintf(err, "%s will be ignored because %s '%s' has no frontend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->clitcpka_intvl = tcpka_intvl;
} else if (strcmp(args[0], "srvtcpka-intvl") == 0) {
if (!(proxy->cap & PR_CAP_BE)) {
memprintf(err, "%s will be ignored because %s '%s' has no backend capability",
args[0], proxy_type_str(proxy), proxy->id);
retval = 1;
}
proxy->srvtcpka_intvl = tcpka_intvl;
} else {
/* unreachable */
memprintf(err, "'%s': unknown keyword", args[0]);
return -1;
}
return retval;
}
#endif
static int proxy_parse_force_be_switch(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
struct acl_cond *cond = NULL;
struct persist_rule *rule;
if (curpx->cap & PR_CAP_DEF) {
memprintf(err, "'%s' not allowed in 'defaults' section.", args[0]);
goto err;
}
if (!(curpx->cap & PR_CAP_FE)) {
memprintf(err, "'%s' only available in frontend or listen section.", args[0]);
goto err;
}
if (strcmp(args[1], "if") != 0 && strcmp(args[1], "unless") != 0) {
memprintf(err, "'%s' requires either 'if' or 'unless' followed by a condition.", args[0]);
goto err;
}
if (!(cond = build_acl_cond(file, line, &curpx->acl, curpx, (const char **)args + 1, err))) {
memprintf(err, "'%s' : %s.", args[0], *err);
goto err;
}
if (warnif_cond_conflicts(cond, SMP_VAL_FE_REQ_CNT, err)) {
memprintf(err, "'%s' : %s.", args[0], *err);
goto err;
}
rule = calloc(1, sizeof(*rule));
if (!rule) {
memprintf(err, "'%s' : out of memory.", args[0]);
goto err;
}
rule->cond = cond;
rule->type = PERSIST_TYPE_BE_SWITCH;
LIST_INIT(&rule->list);
LIST_APPEND(&curpx->persist_rules, &rule->list);
return 0;
err:
free_acl_cond(cond);
return -1;
}
static int proxy_parse_guid(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
const char *guid;
char *guid_err = NULL;
if (curpx->cap & PR_CAP_DEF) {
ha_alert("parsing [%s:%d] : '%s' not allowed in 'defaults' section.\n", file, line, args[0]);
return -1;
}
if (!*args[1]) {
memprintf(err, "'%s' : expects an argument", args[0]);
return -1;
}
guid = args[1];
if (guid_insert(&curpx->obj_type, guid, &guid_err)) {
memprintf(err, "'%s': %s", args[0], guid_err);
ha_free(&guid_err);
return -1;
}
return 0;
}
/* This function inserts proxy <px> into the tree of known proxies (regular
* ones or defaults depending on px->cap & PR_CAP_DEF). The proxy's name is
* used as the storing key so it must already have been initialized.
*/
void proxy_store_name(struct proxy *px)
{
struct ceb_root **root = (px->cap & PR_CAP_DEF) ? &defproxy_by_name : &proxy_by_name;
cebis_item_insert(root, conf.name_node, id, px);
}
/* Returns a pointer to the first proxy matching capabilities <cap> and id
* <id>. NULL is returned if no match is found. If <table> is non-zero, it
* only considers proxies having a table.
*/
struct proxy *proxy_find_by_id(int id, int cap, int table)
{
struct proxy *px;
for (px = ceb32_item_lookup(&used_proxy_id, conf.uuid_node, uuid, id, struct proxy);
px ; px = ceb32_item_next_dup(&used_proxy_id, conf.uuid_node, uuid, px)) {
if ((px->cap & cap) != cap)
continue;
if (table && (!px->table || !px->table->size))
continue;
return px;
}
return NULL;
}
/* Returns a pointer to the first proxy matching either name <name>, or id
* <name> if <name> begins with a '#'. NULL is returned if no match is found.
* If <table> is non-zero, it only considers proxies having a table. The search
* is made into the regular proxies, unless <cap> has PR_CAP_DEF set in which
* case it's searched into the defproxy tree.
*/
struct proxy *proxy_find_by_name(const char *name, int cap, int table)
{
struct proxy *curproxy;
if (*name == '#' && !(cap & PR_CAP_DEF)) {
curproxy = proxy_find_by_id(atoi(name + 1), cap, table);
if (curproxy)
return curproxy;
}
else {
struct ceb_root **root;
root = (cap & PR_CAP_DEF) ? &defproxy_by_name : &proxy_by_name;
for (curproxy = cebis_item_lookup(root, conf.name_node, id, name, struct proxy);
curproxy; curproxy = cebis_item_next_dup(root, conf.name_node, id, curproxy)) {
if ((curproxy->cap & cap) != cap)
continue;
if (table && (!curproxy->table || !curproxy->table->size))
continue;
return curproxy;
}
}
return NULL;
}
/* Finds the best match for a proxy with capabilities <cap>, name <name> and id
* <id>. At most one of <id> or <name> may be different provided that <cap> is
* valid. Either <id> or <name> may be left unspecified (0). The purpose is to
* find a proxy based on some information from a previous configuration, across
* reloads or during information exchange between peers.
*
* Names are looked up first if present, then IDs are compared if present. In
* case of an inexact match whatever is forced in the configuration has
* precedence in the following order :
* - 1) forced ID (proves a renaming / change of proxy type)
* - 2) proxy name+type (may indicate a move if ID differs)
* - 3) automatic ID+type (may indicate a renaming)
*
* Depending on what is found, we can end up in the following situations :
*
* name id cap | possible causes
* -------------+-----------------
* -- -- -- | nothing found
* -- -- ok | nothing found
* -- ok -- | proxy deleted, ID points to next one
* -- ok ok | proxy renamed, or deleted with ID pointing to next one
* ok -- -- | proxy deleted, but other half with same name still here (before)
* ok -- ok | proxy's ID changed (proxy moved in the config file)
* ok ok -- | proxy deleted, but other half with same name still here (after)
* ok ok ok | perfect match
*
* Upon return if <diff> is not NULL, it is zeroed then filled with up to 3 bits :
* - PR_FBM_MISMATCH_ID : proxy was found but ID differs
* (and ID was not zero)
* - PR_FBM_MISMATCH_NAME : proxy was found by ID but name differs
* (and name was not NULL)
* - PR_FBM_MISMATCH_PROXYTYPE : a proxy of different type was found with
* the same name and/or id
*
* Only a valid proxy is returned. If capabilities do not match, NULL is
* returned. The caller can check <diff> to report detailed warnings / errors,
* and decide whether or not to use what was found.
*/
struct proxy *proxy_find_best_match(int cap, const char *name, int id, int *diff)
{
struct proxy *byname;
struct proxy *byid;
if (!name && !id)
return NULL;
if (diff)
*diff = 0;
byname = byid = NULL;
if (name) {
byname = proxy_find_by_name(name, cap, 0);
if (byname && (!id || byname->uuid == id))
return byname;
}
/* remaining possibilities :
* - name not set
* - name set but not found
* - name found, but ID doesn't match.
*/
if (id) {
byid = proxy_find_by_id(id, cap, 0);
if (byid) {
if (byname) {
/* id+type found, name+type found, but not all 3.
* ID wins only if forced, otherwise name wins.
*/
if (byid->options & PR_O_FORCED_ID) {
if (diff)
*diff |= PR_FBM_MISMATCH_NAME;
return byid;
}
else {
if (diff)
*diff |= PR_FBM_MISMATCH_ID;
return byname;
}
}
/* remaining possibilities :
* - name not set
* - name set but not found
*/
if (name && diff)
*diff |= PR_FBM_MISMATCH_NAME;
return byid;
}
/* ID not found */
if (byname) {
if (diff)
*diff |= PR_FBM_MISMATCH_ID;
return byname;
}
}
/* All remaining possibilities will lead to NULL. If we can report more
* detailed information to the caller about changed types and/or name,
* we'll do it. For example, we could detect that "listen foo" was
* split into "frontend foo_ft" and "backend foo_bk" if IDs are forced.
* - name not set, ID not found
* - name not found, ID not set
* - name not found, ID not found
*/
if (!diff)
return NULL;
if (name) {
byname = proxy_find_by_name(name, 0, 0);
if (byname && (!id || byname->uuid == id))
*diff |= PR_FBM_MISMATCH_PROXYTYPE;
}
if (id) {
byid = proxy_find_by_id(id, 0, 0);
if (byid) {
if (!name)
*diff |= PR_FBM_MISMATCH_PROXYTYPE; /* only type changed */
else if (byid->options & PR_O_FORCED_ID)
*diff |= PR_FBM_MISMATCH_NAME | PR_FBM_MISMATCH_PROXYTYPE; /* name and type changed */
/* otherwise it's a different proxy that was returned */
}
}
return NULL;
}
/* This function checks that the designated proxy has no http directives
* enabled. It will output a warning if there are, and will fix some of them.
* It returns the number of fatal errors encountered. This should be called
* at the end of the configuration parsing if the proxy is not in http mode.
* The <file> argument is used to construct the error message.
*/
int proxy_cfg_ensure_no_http(struct proxy *curproxy)
{
if (curproxy->cookie_name != NULL) {
ha_warning("cookie will be ignored for %s '%s' (needs 'mode http').\n",
proxy_type_str(curproxy), curproxy->id);
}
if (curproxy->lbprm.algo & BE_LB_NEED_HTTP) {
curproxy->lbprm.algo &= ~BE_LB_ALGO;
curproxy->lbprm.algo |= BE_LB_ALGO_RR;
ha_warning("Layer 7 hash not possible for %s '%s' (needs 'mode http'). Falling back to round robin.\n",
proxy_type_str(curproxy), curproxy->id);
}
if (curproxy->logformat.str == default_http_log_format) {
/* Note: we don't change the directive's file:line number */
curproxy->logformat.str = default_tcp_log_format;
ha_warning("parsing [%s:%d] : 'option httplog' not usable with %s '%s' (needs 'mode http'). Falling back to 'option tcplog'.\n",
curproxy->logformat.conf.file, curproxy->logformat.conf.line,
proxy_type_str(curproxy), curproxy->id);
}
else if (curproxy->logformat.str == clf_http_log_format) {
/* Note: we don't change the directive's file:line number */
curproxy->logformat.str = clf_tcp_log_format;
ha_warning("parsing [%s:%d] : 'option httplog clf' not usable with %s '%s' (needs 'mode http'). Falling back to 'option tcplog clf'.\n",
curproxy->logformat.conf.file, curproxy->logformat.conf.line,
proxy_type_str(curproxy), curproxy->id);
}
else if (curproxy->logformat.str == default_https_log_format) {
/* Note: we don't change the directive's file:line number */
curproxy->logformat.str = default_tcp_log_format;
ha_warning("parsing [%s:%d] : 'option httpslog' not usable with %s '%s' (needs 'mode http'). Falling back to 'option tcplog'.\n",
curproxy->logformat.conf.file, curproxy->logformat.conf.line,
proxy_type_str(curproxy), curproxy->id);
}
return 0;
}
/* This function checks that the designated proxy has no log directives
* enabled. It will output a warning if there are, and will fix some of them.
* It returns the number of fatal errors encountered. This should be called
* at the end of the configuration parsing if the proxy is not in log mode.
* The <file> argument is used to construct the error message.
*/
int proxy_cfg_ensure_no_log(struct proxy *curproxy)
{
if (curproxy->lbprm.algo & BE_LB_NEED_LOG) {
curproxy->lbprm.algo &= ~BE_LB_ALGO;
curproxy->lbprm.algo |= BE_LB_ALGO_RR;
ha_warning("Unusable balance algorithm for %s '%s' (needs 'mode log'). Falling back to round robin.\n",
proxy_type_str(curproxy), curproxy->id);
}
return 0;
}
/* Perform the most basic initialization of <p> proxy and define some common
* default parameters values. Any new proxy or peer should be initialized via
* this function.
*/
void init_new_proxy(struct proxy *p)
{
memset(p, 0, sizeof(struct proxy));
p->obj_type = OBJ_TYPE_PROXY;
LIST_INIT(&p->global_list);
LIST_INIT(&p->el);
LIST_INIT(&p->acl);
LIST_INIT(&p->http_req_rules);
LIST_INIT(&p->http_res_rules);
LIST_INIT(&p->http_after_res_rules);
LIST_INIT(&p->redirect_rules);
LIST_INIT(&p->mon_fail_cond);
LIST_INIT(&p->switching_rules);
LIST_INIT(&p->server_rules);
LIST_INIT(&p->persist_rules);
LIST_INIT(&p->sticking_rules);
LIST_INIT(&p->storersp_rules);
LIST_INIT(&p->tcp_req.inspect_rules);
LIST_INIT(&p->tcp_rep.inspect_rules);
LIST_INIT(&p->tcp_req.l4_rules);
LIST_INIT(&p->tcp_req.l5_rules);
#ifdef USE_QUIC
LIST_INIT(&p->quic_init_rules);
#endif
MT_LIST_INIT(&p->listener_queue);
LIST_INIT(&p->loggers);
LIST_INIT(&p->conf.bind);
LIST_INIT(&p->conf.listeners);
LIST_INIT(&p->conf.errors);
LIST_INIT(&p->conf.args.list);
LIST_INIT(&p->conf.lf_checks);
LIST_INIT(&p->filter_configs);
LIST_INIT(&p->tcpcheck_rules.preset_vars);
MT_LIST_INIT(&p->lbprm.lb_free_list);
p->conf.used_listener_id = NULL;
p->conf.used_server_id = NULL;
p->used_server_addr = NULL;
/* Timeouts are defined as -1 */
proxy_reset_timeouts(p);
p->tcp_rep.inspect_delay = TICK_ETERNITY;
/* initial uuid is unassigned (-1) */
p->uuid = -1;
/* Default to only allow L4 retries */
p->retry_type = PR_RE_CONN_FAILED;
guid_init(&p->guid);
p->extra_counters_fe = NULL;
p->extra_counters_be = NULL;
HA_RWLOCK_INIT(&p->lock);
lf_expr_init(&p->logformat);
lf_expr_init(&p->logformat_sd);
lf_expr_init(&p->format_unique_id);
lf_expr_init(&p->logformat_error);
/* initialize parameters to common default values */
p->mode = PR_MODE_TCP;
p->options |= PR_O_REUSE_SAFE;
p->max_out_conns = MAX_SRV_LIST;
p->email_alert.level = LOG_ALERT;
p->load_server_state_from_file = PR_SRV_STATE_FILE_UNSPEC;
if (!(p->cap & PR_CAP_INT)) {
p->maxconn = cfg_maxpconn;
p->conn_retries = CONN_RETRIES;
}
else {
p->options2 |= PR_O2_INDEPSTR;
p->timeout.connect = 5000;
}
}
/* Initialize per-thread proxy fields */
int proxy_init_per_thr(struct proxy *px)
{
int i;
px->per_tgrp = ha_aligned_zalloc_typed(global.nbtgroups, typeof(*px->per_tgrp));
for (i = 0; i < global.nbtgroups; i++)
queue_init(&px->per_tgrp[i].queue, px, NULL);
return 0;
}
int proxy_finalize(struct proxy *px, int *err_code)
{
struct bind_conf *bind_conf;
struct server *newsrv;
struct switching_rule *rule;
struct server_rule *srule;
struct sticking_rule *mrule;
struct logger *tmplogger;
unsigned int next_id;
int cfgerr = 0;
char *err = NULL;
int i;
/* check and reduce the bind-proc of each listener */
list_for_each_entry(bind_conf, &px->conf.bind, by_fe) {
int mode = conn_pr_mode_to_proto_mode(px->mode);
const struct mux_proto_list *mux_ent;
int ret;
/* Check the mux protocols, if any; before the check the ALPN */
if (bind_conf->xprt && bind_conf->xprt == xprt_get(XPRT_QUIC)) {
if (!bind_conf->mux_proto) {
/* No protocol was specified. If we're using QUIC at the transport
* layer, we'll instantiate it as a mux as well. If QUIC is not
* compiled in, this will remain NULL.
*/
bind_conf->mux_proto = get_mux_proto(ist("quic"));
}
if (bind_conf->options & BC_O_ACC_PROXY) {
ha_alert("Binding [%s:%d] for %s %s: QUIC protocol does not support PROXY protocol yet."
" 'accept-proxy' option cannot be used with a QUIC listener.\n",
bind_conf->file, bind_conf->line,
proxy_type_str(px), px->id);
cfgerr++;
}
}
if (bind_conf->mux_proto) {
/* it is possible that an incorrect mux was referenced
* due to the proxy's mode not being taken into account
* on first pass. Let's adjust it now.
*/
mux_ent = conn_get_best_mux_entry(bind_conf->mux_proto->token, PROTO_SIDE_FE, mode);
if (!mux_ent || !isteq(mux_ent->token, bind_conf->mux_proto->token)) {
ha_alert("%s '%s' : MUX protocol '%.*s' is not usable for 'bind %s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
else {
if ((mux_ent->mux->flags & MX_FL_FRAMED) && !(bind_conf->options & BC_O_USE_SOCK_DGRAM)) {
ha_alert("%s '%s' : frame-based MUX protocol '%.*s' is incompatible with stream transport of 'bind %s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
else if (!(mux_ent->mux->flags & MX_FL_FRAMED) && !(bind_conf->options & BC_O_USE_SOCK_STREAM)) {
ha_alert("%s '%s' : stream-based MUX protocol '%.*s' is incompatible with framed transport of 'bind %s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)bind_conf->mux_proto->token.len,
bind_conf->mux_proto->token.ptr,
bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
}
/* update the mux */
bind_conf->mux_proto = mux_ent;
}
/* HTTP frontends with "h2" as ALPN/NPN will work in
* HTTP/2 and absolutely require buffers 16kB or larger.
*/
#ifdef USE_OPENSSL
/* no-alpn ? If so, it's the right moment to remove it */
if (bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.alpn_len) {
ha_free(&bind_conf->ssl_conf.alpn_str);
}
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
else if (!bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.npn_str &&
((bind_conf->options & BC_O_USE_SSL) || bind_conf->xprt == xprt_get(XPRT_QUIC)) &&
px->mode == PR_MODE_HTTP && global.tune.bufsize >= 16384) {
/* Neither ALPN nor NPN were explicitly set nor disabled, we're
* in HTTP mode with an SSL or QUIC listener, we can enable ALPN.
* Note that it's in binary form. First we try to set the ALPN from
* mux proto if set. Otherwise rely on the default ALPN.
*/
if (bind_conf->mux_proto && bind_conf->mux_proto->alpn)
bind_conf->ssl_conf.alpn_str = strdup(bind_conf->mux_proto->alpn);
else if (bind_conf->xprt == xprt_get(XPRT_QUIC))
bind_conf->ssl_conf.alpn_str = strdup("\002h3");
else
bind_conf->ssl_conf.alpn_str = strdup("\002h2\010http/1.1");
if (!bind_conf->ssl_conf.alpn_str) {
ha_alert("Proxy '%s': out of memory while trying to allocate a default alpn string in 'bind %s' at [%s:%d].\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
*err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
bind_conf->ssl_conf.alpn_len = strlen(bind_conf->ssl_conf.alpn_str);
}
#endif /* TLSEXT_TYPE_application_layer_protocol_negotiation */
if (px->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
#ifdef OPENSSL_NPN_NEGOTIATED
/* check NPN */
if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) {
ha_alert("HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
px->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
cfgerr++;
}
#endif /* OPENSSL_NPN_NEGOTIATED */
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
/* check ALPN */
if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) {
ha_alert("HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
px->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
cfgerr++;
}
#endif /* TLSEXT_TYPE_application_layer_protocol_negotiation */
} /* HTTP && bufsize < 16384 */
#endif /* USE_OPENSSL */
#ifdef USE_QUIC
if (bind_conf->xprt == xprt_get(XPRT_QUIC)) {
const struct quic_cc_algo *cc_algo = bind_conf->quic_cc_algo ?
bind_conf->quic_cc_algo : default_quic_cc_algo;
if (!(cc_algo->flags & QUIC_CC_ALGO_FL_OPT_PACING) &&
!(quic_tune.fe.fb_opts & QUIC_TUNE_FB_TX_PACING)) {
ha_warning("Binding [%s:%d] for %s %s: using the selected congestion algorithm without pacing may cause slowdowns or high loss rates during transfers.\n",
bind_conf->file, bind_conf->line,
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
}
#endif /* USE_QUIC */
/* finish the bind setup */
ret = bind_complete_thread_setup(bind_conf, err_code);
if (ret != 0) {
cfgerr += ret;
if (*err_code & ERR_FATAL)
goto out;
}
if (bind_generate_guid(bind_conf)) {
cfgerr++;
*err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
}
switch (px->mode) {
case PR_MODE_TCP:
cfgerr += proxy_cfg_ensure_no_http(px);
cfgerr += proxy_cfg_ensure_no_log(px);
break;
case PR_MODE_HTTP:
cfgerr += proxy_cfg_ensure_no_log(px);
px->http_needed = 1;
break;
case PR_MODE_CLI:
cfgerr += proxy_cfg_ensure_no_http(px);
cfgerr += proxy_cfg_ensure_no_log(px);
break;
case PR_MODE_SYSLOG:
/* this mode is initialized as the classic tcp proxy */
cfgerr += proxy_cfg_ensure_no_http(px);
break;
case PR_MODE_SPOP:
cfgerr += proxy_cfg_ensure_no_http(px);
cfgerr += proxy_cfg_ensure_no_log(px);
break;
case PR_MODE_PEERS:
case PR_MODES:
/* should not happen, bug gcc warn missing switch statement */
ha_alert("%s '%s' cannot initialize this proxy mode (peers) in this way. NOTE: PLEASE REPORT THIS TO DEVELOPERS AS YOU'RE NOT SUPPOSED TO BE ABLE TO CREATE A CONFIGURATION TRIGGERING THIS!\n",
proxy_type_str(px), px->id);
cfgerr++;
break;
}
if (!(px->cap & PR_CAP_INT) && (px->cap & PR_CAP_FE) && LIST_ISEMPTY(&px->conf.listeners)) {
ha_warning("%s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (px->cap & PR_CAP_BE) {
if (px->lbprm.algo & BE_LB_KIND) {
if (px->options & PR_O_TRANSP) {
ha_alert("%s '%s' cannot use both transparent and balance mode.\n",
proxy_type_str(px), px->id);
cfgerr++;
}
else if (px->options & PR_O_DISPATCH) {
ha_warning("dispatch address of %s '%s' will be ignored in balance mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
}
else if (!(px->options & (PR_O_TRANSP | PR_O_DISPATCH))) {
/* If no LB algo is set in a backend, and we're not in
* transparent mode, dispatch mode nor proxy mode, we
* want to use balance random by default.
*/
px->lbprm.algo &= ~BE_LB_ALGO;
px->lbprm.algo |= BE_LB_ALGO_RND;
}
}
if (px->options & PR_O_DISPATCH)
px->options &= ~PR_O_TRANSP;
else if (px->options & PR_O_TRANSP)
px->options &= ~PR_O_DISPATCH;
if ((px->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_HTTP_RS)) {
ha_warning("%s '%s' uses http-check rules without 'option httpchk', so the rules are ignored.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if ((px->options2 & PR_O2_CHK_ANY) == PR_O2_TCPCHK_CHK &&
(px->tcpcheck_rules.flags & TCPCHK_RULES_PROTO_CHK) != TCPCHK_RULES_HTTP_CHK) {
if (px->options & PR_O_DISABLE404) {
ha_warning("'%s' will be ignored for %s '%s' (requires 'option httpchk').\n",
"disable-on-404", proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
px->options &= ~PR_O_DISABLE404;
}
if (px->options2 & PR_O2_CHK_SNDST) {
ha_warning("'%s' will be ignored for %s '%s' (requires 'option httpchk').\n",
"send-state", proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
px->options2 &= ~PR_O2_CHK_SNDST;
}
}
if ((px->options2 & PR_O2_CHK_ANY) == PR_O2_EXT_CHK) {
if (!global.external_check) {
ha_alert("Proxy '%s' : '%s' unable to find required 'global.external-check'.\n",
px->id, "option external-check");
cfgerr++;
}
if (!px->check_command) {
ha_alert("Proxy '%s' : '%s' unable to find required 'external-check command'.\n",
px->id, "option external-check");
cfgerr++;
}
if (!(global.tune.options & GTUNE_INSECURE_FORK)) {
ha_warning("Proxy '%s' : 'insecure-fork-wanted' not enabled in the global section, '%s' will likely fail.\n",
px->id, "option external-check");
*err_code |= ERR_WARN;
}
}
if (px->email_alert.flags & PR_EMAIL_ALERT_SET) {
if (!(px->email_alert.mailers.name && px->email_alert.from && px->email_alert.to)) {
ha_warning("'email-alert' will be ignored for %s '%s' (the presence any of "
"'email-alert from', 'email-alert level' 'email-alert mailers', "
"'email-alert myhostname', or 'email-alert to' "
"requires each of 'email-alert from', 'email-alert mailers' and 'email-alert to' "
"to be present).\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
free_email_alert(px);
}
if (!px->email_alert.myhostname)
px->email_alert.myhostname = strdup(hostname);
}
if (px->check_command) {
int clear = 0;
if ((px->options2 & PR_O2_CHK_ANY) != PR_O2_EXT_CHK) {
ha_warning("'%s' will be ignored for %s '%s' (requires 'option external-check').\n",
"external-check command", proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
clear = 1;
}
if (px->check_command[0] != '/' && !px->check_path) {
ha_alert("Proxy '%s': '%s' does not have a leading '/' and 'external-check path' is not set.\n",
px->id, "external-check command");
cfgerr++;
}
if (clear) {
ha_free(&px->check_command);
}
}
if (px->check_path) {
if ((px->options2 & PR_O2_CHK_ANY) != PR_O2_EXT_CHK) {
ha_warning("'%s' will be ignored for %s '%s' (requires 'option external-check').\n",
"external-check path", proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
ha_free(&px->check_path);
}
}
/* if a default backend was specified, let's find it */
if (px->defbe.name) {
struct proxy *target;
target = proxy_be_by_name(px->defbe.name);
if (!target) {
ha_alert("Proxy '%s': unable to find required default_backend: '%s'.\n",
px->id, px->defbe.name);
cfgerr++;
} else if (target == px) {
ha_alert("Proxy '%s': loop detected for default_backend: '%s'.\n",
px->id, px->defbe.name);
cfgerr++;
} else if (target->mode != px->mode &&
!(px->mode == PR_MODE_TCP && target->mode == PR_MODE_HTTP)) {
ha_alert("%s %s '%s' (%s:%d) tries to use incompatible %s %s '%s' (%s:%d) as its default backend (see 'mode').\n",
proxy_mode_str(px->mode), proxy_type_str(px), px->id,
px->conf.file, px->conf.line,
proxy_mode_str(target->mode), proxy_type_str(target), target->id,
target->conf.file, target->conf.line);
cfgerr++;
} else {
free(px->defbe.name);
px->defbe.be = target;
/* Emit a warning if this proxy also has some servers */
if (px->srv) {
ha_warning("In proxy '%s', the 'default_backend' rule always has precedence over the servers, which will never be used.\n",
px->id);
*err_code |= ERR_WARN;
}
if (target->mode == PR_MODE_HTTP) {
/* at least one of the used backends will provoke an
* HTTP upgrade
*/
px->options |= PR_O_HTTP_UPG;
}
}
}
/* find the target proxy for 'use_backend' rules */
list_for_each_entry(rule, &px->switching_rules, list) {
struct proxy *target;
struct logformat_node *node;
char *pxname;
/* Try to parse the string as a log format expression. If the result
* of the parsing is only one entry containing a simple string, then
* it's a standard string corresponding to a static rule, thus the
* parsing is cancelled and be.name is restored to be resolved.
*/
pxname = rule->be.name;
lf_expr_init(&rule->be.expr);
px->conf.args.ctx = ARGC_UBK;
px->conf.args.file = rule->file;
px->conf.args.line = rule->line;
err = NULL;
if (!parse_logformat_string(pxname, px, &rule->be.expr, 0, SMP_VAL_FE_HRQ_HDR, &err)) {
ha_alert("Parsing [%s:%d]: failed to parse use_backend rule '%s' : %s.\n",
rule->file, rule->line, pxname, err);
free(err);
cfgerr++;
continue;
}
node = LIST_NEXT(&rule->be.expr.nodes.list, struct logformat_node *, list);
if (!lf_expr_isempty(&rule->be.expr)) {
if (node->type != LOG_FMT_TEXT || node->list.n != &rule->be.expr.nodes.list) {
rule->dynamic = 1;
free(pxname);
/* backend is not yet known so we cannot assume its type,
* thus we should consider that at least one of the used
* backends may provoke HTTP upgrade
*/
px->options |= PR_O_HTTP_UPG;
continue;
}
/* Only one element in the list, a simple string: free the expression and
* fall back to static rule
*/
lf_expr_deinit(&rule->be.expr);
}
rule->dynamic = 0;
rule->be.name = pxname;
target = proxy_be_by_name(rule->be.name);
if (!target) {
ha_alert("Proxy '%s': unable to find required use_backend: '%s'.\n",
px->id, rule->be.name);
cfgerr++;
} else if (target == px) {
ha_alert("Proxy '%s': loop detected for use_backend: '%s'.\n",
px->id, rule->be.name);
cfgerr++;
} else if (target->mode != px->mode &&
!(px->mode == PR_MODE_TCP && target->mode == PR_MODE_HTTP)) {
ha_alert("%s %s '%s' (%s:%d) tries to use incompatible %s %s '%s' (%s:%d) in a 'use_backend' rule (see 'mode').\n",
proxy_mode_str(px->mode), proxy_type_str(px), px->id,
px->conf.file, px->conf.line,
proxy_mode_str(target->mode), proxy_type_str(target), target->id,
target->conf.file, target->conf.line);
cfgerr++;
} else {
ha_free(&rule->be.name);
rule->be.backend = target;
if (target->mode == PR_MODE_HTTP) {
/* at least one of the used backends will provoke an
* HTTP upgrade
*/
px->options |= PR_O_HTTP_UPG;
}
}
*err_code |= warnif_tcp_http_cond(px, rule->cond);
}
/* find the target server for 'use_server' rules */
list_for_each_entry(srule, &px->server_rules, list) {
struct server *target;
struct logformat_node *node;
char *server_name;
/* We try to parse the string as a log format expression. If the result of the parsing
* is only one entry containing a single string, then it's a standard string corresponding
* to a static rule, thus the parsing is cancelled and we fall back to setting srv.ptr.
*/
server_name = srule->srv.name;
lf_expr_init(&srule->expr);
px->conf.args.ctx = ARGC_USRV;
err = NULL;
if (!parse_logformat_string(server_name, px, &srule->expr, 0, SMP_VAL_FE_HRQ_HDR, &err)) {
ha_alert("Parsing [%s:%d]; use-server rule failed to parse log-format '%s' : %s.\n",
srule->file, srule->line, server_name, err);
free(err);
cfgerr++;
continue;
}
node = LIST_NEXT(&srule->expr.nodes.list, struct logformat_node *, list);
if (!lf_expr_isempty(&srule->expr)) {
if (node->type != LOG_FMT_TEXT || node->list.n != &srule->expr.nodes.list) {
srule->dynamic = 1;
free(server_name);
continue;
}
/* Only one element in the list, a simple string: free the expression and
* fall back to static rule
*/
lf_expr_deinit(&srule->expr);
}
srule->dynamic = 0;
srule->srv.name = server_name;
target = server_find_by_name(px, srule->srv.name);
*err_code |= warnif_tcp_http_cond(px, srule->cond);
if (!target) {
ha_alert("%s '%s' : unable to find server '%s' referenced in a 'use-server' rule.\n",
proxy_type_str(px), px->id, srule->srv.name);
cfgerr++;
continue;
}
ha_free(&srule->srv.name);
srule->srv.ptr = target;
target->flags |= SRV_F_NON_PURGEABLE;
}
/* find the target table for 'stick' rules */
list_for_each_entry(mrule, &px->sticking_rules, list) {
px->be_req_ana |= AN_REQ_STICKING_RULES;
if (mrule->flags & STK_IS_STORE)
px->be_rsp_ana |= AN_RES_STORE_RULES;
if (!resolve_stick_rule(px, mrule))
cfgerr++;
*err_code |= warnif_tcp_http_cond(px, mrule->cond);
}
/* find the target table for 'store response' rules */
list_for_each_entry(mrule, &px->storersp_rules, list) {
px->be_rsp_ana |= AN_RES_STORE_RULES;
if (!resolve_stick_rule(px, mrule))
cfgerr++;
}
/* check validity for 'tcp-request' layer 4/5/6/7 rules */
cfgerr += check_action_rules(&px->tcp_req.l4_rules, px, err_code);
cfgerr += check_action_rules(&px->tcp_req.l5_rules, px, err_code);
cfgerr += check_action_rules(&px->tcp_req.inspect_rules, px, err_code);
cfgerr += check_action_rules(&px->tcp_rep.inspect_rules, px, err_code);
cfgerr += check_action_rules(&px->http_req_rules, px, err_code);
cfgerr += check_action_rules(&px->http_res_rules, px, err_code);
cfgerr += check_action_rules(&px->http_after_res_rules, px, err_code);
/* Warn is a switch-mode http is used on a TCP listener with servers but no backend */
if (!px->defbe.name && LIST_ISEMPTY(&px->switching_rules) && px->srv) {
if ((px->options & PR_O_HTTP_UPG) && px->mode == PR_MODE_TCP)
ha_warning("Proxy '%s' : 'switch-mode http' configured for a %s %s with no backend. "
"Incoming connections upgraded to HTTP cannot be routed to TCP servers\n",
px->id, proxy_mode_str(px->mode), proxy_type_str(px));
}
if (px->table && px->table->peers.name) {
struct peers *curpeers;
for (curpeers = cfg_peers; curpeers; curpeers = curpeers->next) {
if (strcmp(curpeers->id, px->table->peers.name) == 0) {
ha_free(&px->table->peers.name);
px->table->peers.p = curpeers;
break;
}
}
if (!curpeers) {
ha_alert("Proxy '%s': unable to find sync peers '%s'.\n",
px->id, px->table->peers.name);
ha_free(&px->table->peers.name);
px->table->peers.p = NULL;
cfgerr++;
}
else if (curpeers->disabled) {
/* silently disable this peers section */
px->table->peers.p = NULL;
}
else if (!curpeers->peers_fe) {
ha_alert("Proxy '%s': unable to find local peer '%s' in peers section '%s'.\n",
px->id, localpeer, curpeers->id);
px->table->peers.p = NULL;
cfgerr++;
}
}
if (px->email_alert.mailers.name) {
struct mailers *curmailers = mailers;
for (curmailers = mailers; curmailers; curmailers = curmailers->next) {
if (strcmp(curmailers->id, px->email_alert.mailers.name) == 0)
break;
}
if (!curmailers) {
ha_alert("Proxy '%s': unable to find mailers '%s'.\n",
px->id, px->email_alert.mailers.name);
free_email_alert(px);
cfgerr++;
}
else {
err = NULL;
if (init_email_alert(curmailers, px, &err)) {
ha_alert("Proxy '%s': %s.\n", px->id, err);
free(err);
cfgerr++;
}
}
}
if (px->uri_auth && !(px->uri_auth->flags & STAT_F_CONVDONE) &&
!LIST_ISEMPTY(&px->uri_auth->http_req_rules) &&
(px->uri_auth->userlist || px->uri_auth->auth_realm )) {
ha_alert("%s '%s': stats 'auth'/'realm' and 'http-request' can't be used at the same time.\n",
"proxy", px->id);
cfgerr++;
goto out_uri_auth_compat;
}
if (px->uri_auth && px->uri_auth->userlist &&
(!(px->uri_auth->flags & STAT_F_CONVDONE) ||
LIST_ISEMPTY(&px->uri_auth->http_req_rules))) {
const char *uri_auth_compat_req[10];
struct act_rule *rule;
i = 0;
/* build the ACL condition from scratch. We're relying on anonymous ACLs for that */
uri_auth_compat_req[i++] = "auth";
if (px->uri_auth->auth_realm) {
uri_auth_compat_req[i++] = "realm";
uri_auth_compat_req[i++] = px->uri_auth->auth_realm;
}
uri_auth_compat_req[i++] = "unless";
uri_auth_compat_req[i++] = "{";
uri_auth_compat_req[i++] = "http_auth(.internal-stats-userlist)";
uri_auth_compat_req[i++] = "}";
uri_auth_compat_req[i++] = "";
rule = parse_http_req_cond(uri_auth_compat_req, "internal-stats-auth-compat", 0, px);
if (!rule) {
cfgerr++;
goto out;
}
LIST_APPEND(&px->uri_auth->http_req_rules, &rule->list);
if (px->uri_auth->auth_realm) {
ha_free(&px->uri_auth->auth_realm);
}
px->uri_auth->flags |= STAT_F_CONVDONE;
}
out_uri_auth_compat:
/* check whether we have a logger that uses RFC5424 log format */
list_for_each_entry(tmplogger, &px->loggers, list) {
if (tmplogger->format == LOG_FORMAT_RFC5424) {
if (!px->logformat_sd.str) {
/* set the default logformat_sd_string */
px->logformat_sd.str = default_rfc5424_sd_log_format;
}
break;
}
}
/* compile the log format */
if (!(px->cap & PR_CAP_FE)) {
lf_expr_deinit(&px->logformat);
lf_expr_deinit(&px->logformat_sd);
}
if (px->logformat.str) {
px->conf.args.ctx = ARGC_LOG;
px->conf.args.file = px->logformat.conf.file;
px->conf.args.line = px->logformat.conf.line;
err = NULL;
if (!lf_expr_compile(&px->logformat, &px->conf.args,
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
SMP_VAL_FE_LOG_END, &err) ||
!lf_expr_postcheck(&px->logformat, px, &err)) {
ha_alert("Parsing [%s:%d]: failed to parse log-format : %s.\n",
px->logformat.conf.file, px->logformat.conf.line, err);
free(err);
cfgerr++;
}
px->conf.args.file = NULL;
px->conf.args.line = 0;
}
if (px->logformat_sd.str) {
px->conf.args.ctx = ARGC_LOGSD;
px->conf.args.file = px->logformat_sd.conf.file;
px->conf.args.line = px->logformat_sd.conf.line;
err = NULL;
if (!lf_expr_compile(&px->logformat_sd, &px->conf.args,
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
SMP_VAL_FE_LOG_END, &err) ||
!add_to_logformat_list(NULL, NULL, LF_SEPARATOR, &px->logformat_sd, &err) ||
!lf_expr_postcheck(&px->logformat_sd, px, &err)) {
ha_alert("Parsing [%s:%d]: failed to parse log-format-sd : %s.\n",
px->logformat_sd.conf.file, px->logformat_sd.conf.line, err);
free(err);
cfgerr++;
}
px->conf.args.file = NULL;
px->conf.args.line = 0;
}
if (px->format_unique_id.str) {
int where = 0;
px->conf.args.ctx = ARGC_UIF;
px->conf.args.file = px->format_unique_id.conf.file;
px->conf.args.line = px->format_unique_id.conf.line;
err = NULL;
if (px->cap & PR_CAP_FE)
where |= SMP_VAL_FE_HRQ_HDR;
if (px->cap & PR_CAP_BE)
where |= SMP_VAL_BE_HRQ_HDR;
if (!lf_expr_compile(&px->format_unique_id, &px->conf.args,
LOG_OPT_HTTP|LOG_OPT_MERGE_SPACES, where, &err) ||
!lf_expr_postcheck(&px->format_unique_id, px, &err)) {
ha_alert("Parsing [%s:%d]: failed to parse unique-id : %s.\n",
px->format_unique_id.conf.file, px->format_unique_id.conf.line, err);
free(err);
cfgerr++;
}
px->conf.args.file = NULL;
px->conf.args.line = 0;
}
if (px->logformat_error.str) {
px->conf.args.ctx = ARGC_LOG;
px->conf.args.file = px->logformat_error.conf.file;
px->conf.args.line = px->logformat_error.conf.line;
err = NULL;
if (!lf_expr_compile(&px->logformat_error, &px->conf.args,
LOG_OPT_MANDATORY|LOG_OPT_MERGE_SPACES,
SMP_VAL_FE_LOG_END, &err) ||
!lf_expr_postcheck(&px->logformat_error, px, &err)) {
ha_alert("Parsing [%s:%d]: failed to parse error-log-format : %s.\n",
px->logformat_error.conf.file, px->logformat_error.conf.line, err);
free(err);
cfgerr++;
}
px->conf.args.file = NULL;
px->conf.args.line = 0;
}
/* "balance hash" needs to compile its expression
* (log backends will handle this in proxy log postcheck)
*/
if (px->mode != PR_MODE_SYSLOG &&
(px->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_SMP) {
int idx = 0;
const char *args[] = {
px->lbprm.arg_str,
NULL,
};
err = NULL;
px->conf.args.ctx = ARGC_USRV; // same context as use_server.
px->lbprm.expr =
sample_parse_expr((char **)args, &idx,
px->conf.file, px->conf.line,
&err, &px->conf.args, NULL);
if (!px->lbprm.expr) {
ha_alert("%s '%s' [%s:%d]: failed to parse 'balance hash' expression '%s' in : %s.\n",
proxy_type_str(px), px->id,
px->conf.file, px->conf.line,
px->lbprm.arg_str, err);
ha_free(&err);
cfgerr++;
}
else if (!(px->lbprm.expr->fetch->val & SMP_VAL_BE_SET_SRV)) {
ha_alert("%s '%s' [%s:%d]: error detected while parsing 'balance hash' expression '%s' "
"which requires information from %s, which is not available here.\n",
proxy_type_str(px), px->id,
px->conf.file, px->conf.line,
px->lbprm.arg_str, sample_src_names(px->lbprm.expr->fetch->use));
cfgerr++;
}
else if (px->mode == PR_MODE_HTTP && (px->lbprm.expr->fetch->use & SMP_USE_L6REQ)) {
ha_warning("%s '%s' [%s:%d]: L6 sample fetch <%s> will be ignored in 'balance hash' expression in HTTP mode.\n",
proxy_type_str(px), px->id,
px->conf.file, px->conf.line,
px->lbprm.arg_str);
}
else
px->http_needed |= !!(px->lbprm.expr->fetch->use & SMP_USE_HTTP_ANY);
}
/* only now we can check if some args remain unresolved.
* This must be done after the users and groups resolution.
*/
err = NULL;
i = smp_resolve_args(px, &err);
cfgerr += i;
if (i) {
indent_msg(&err, 8);
ha_alert("%s%s\n", i > 1 ? "multiple argument resolution errors:" : "", err);
ha_free(&err);
} else
cfgerr += acl_find_targets(px);
if (!(px->cap & PR_CAP_INT) && (px->mode == PR_MODE_TCP || px->mode == PR_MODE_HTTP) &&
(((px->cap & PR_CAP_FE) && !px->timeout.client) ||
((px->cap & PR_CAP_BE) && (px->srv) &&
(!px->timeout.connect ||
(!px->timeout.server && (px->mode == PR_MODE_HTTP || !px->timeout.tunnel)))))) {
ha_warning("missing timeouts for %s '%s'.\n"
" | While not properly invalid, you will certainly encounter various problems\n"
" | with such a configuration. To fix this, please ensure that all following\n"
" | timeouts are set to a non-zero value: 'client', 'connect', 'server'.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
/* Historically, the tarpit and queue timeouts were inherited from contimeout.
* We must still support older configurations, so let's find out whether those
* parameters have been set or must be copied from contimeouts.
*/
if (!px->timeout.tarpit)
px->timeout.tarpit = px->timeout.connect;
if ((px->cap & PR_CAP_BE) && !px->timeout.queue)
px->timeout.queue = px->timeout.connect;
if ((px->tcpcheck_rules.flags & TCPCHK_RULES_UNUSED_TCP_RS)) {
ha_warning("%s '%s' uses tcp-check rules without 'option tcp-check', so the rules are ignored.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
/* ensure that cookie capture length is not too large */
if (px->capture_len >= global.tune.cookie_len) {
ha_warning("truncating capture length to %d bytes for %s '%s'.\n",
global.tune.cookie_len - 1, proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
px->capture_len = global.tune.cookie_len - 1;
}
/* The small pools required for the capture lists */
if (px->nb_req_cap) {
px->req_cap_pool = create_pool("ptrcap",
px->nb_req_cap * sizeof(char *),
MEM_F_SHARED);
}
if (px->nb_rsp_cap) {
px->rsp_cap_pool = create_pool("ptrcap",
px->nb_rsp_cap * sizeof(char *),
MEM_F_SHARED);
}
switch (px->load_server_state_from_file) {
case PR_SRV_STATE_FILE_UNSPEC:
px->load_server_state_from_file = PR_SRV_STATE_FILE_NONE;
break;
case PR_SRV_STATE_FILE_GLOBAL:
if (!global.server_state_file) {
ha_warning("backend '%s' configured to load server state file from global section 'server-state-file' directive. Unfortunately, 'server-state-file' is not set!\n",
px->id);
*err_code |= ERR_WARN;
}
break;
}
/* first, we will invert the servers list order */
newsrv = NULL;
while (px->srv) {
struct server *next;
next = px->srv->next;
px->srv->next = newsrv;
newsrv = px->srv;
if (!next)
break;
px->srv = next;
}
/* Check that no server name conflicts. This causes trouble in the stats.
* We only emit an error for the first conflict affecting each server,
* in order to avoid combinatory explosion if all servers have the same
* name. Since servers names are stored in a tree before landing here,
* we simply have to check for the current server's duplicates to spot
* conflicts.
*/
for (newsrv = px->srv; newsrv; newsrv = newsrv->next) {
struct server *other_srv;
/* Note: internal servers are not always registered and
* they do not conflict.
*/
if (!ceb_intree(&newsrv->conf.name_node))
continue;
for (other_srv = newsrv;
(other_srv = cebis_item_prev_dup(&px->conf.used_server_name, conf.name_node, id, other_srv)); ) {
ha_alert("parsing [%s:%d] : %s '%s', another server named '%s' was already defined at line %d, please use distinct names.\n",
newsrv->conf.file, newsrv->conf.line,
proxy_type_str(px), px->id,
newsrv->id, other_srv->conf.line);
cfgerr++;
break;
}
}
/* assign automatic UIDs to servers which don't have one yet */
next_id = 1;
newsrv = px->srv;
while (newsrv != NULL) {
if (!newsrv->puid) {
/* server ID not set, use automatic numbering with first
* spare entry starting with next_svid.
*/
next_id = server_get_next_id(px, next_id);
newsrv->puid = next_id;
server_index_id(px, newsrv);
}
next_id++;
newsrv = newsrv->next;
}
px->lbprm.wmult = 1; /* default weight multiplier */
px->lbprm.wdiv = 1; /* default weight divider */
/*
* If this server supports a maxconn parameter, it needs a dedicated
* tasks to fill the emptied slots when a connection leaves.
* Also, resolve deferred tracking dependency if needed.
*/
newsrv = px->srv;
while (newsrv != NULL) {
set_usermsgs_ctx(newsrv->conf.file, newsrv->conf.line, &newsrv->obj_type);
srv_minmax_conn_apply(newsrv);
/* this will also properly set the transport layer for
* prod and checks
* if default-server have use_ssl, prerare ssl init
* without activating it */
if (newsrv->use_ssl == 1 || newsrv->check.use_ssl == 1 ||
(newsrv->proxy->options & PR_O_TCPCHK_SSL) ||
((newsrv->flags & SRV_F_DEFSRV_USE_SSL) && newsrv->use_ssl != 1)) {
if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv)
cfgerr += xprt_get(XPRT_SSL)->prepare_srv(newsrv);
else if (xprt_get(XPRT_QUIC) && xprt_get(XPRT_QUIC)->prepare_srv)
cfgerr += xprt_get(XPRT_QUIC)->prepare_srv(newsrv);
}
if (newsrv->use_ssl == 1 || ((newsrv->flags & SRV_F_DEFSRV_USE_SSL) && newsrv->use_ssl != 1)) {
/* In HTTP only, if the SNI is not set and we can rely on the host
* header value, fill the sni expression accordingly
*/
if (!newsrv->sni_expr && newsrv->proxy->mode == PR_MODE_HTTP &&
!(newsrv->ssl_ctx.options & SRV_SSL_O_NO_AUTO_SNI)) {
newsrv->sni_expr = strdup("req.hdr(host),field(1,:)");
err = NULL;
if (server_parse_exprs(newsrv, px, &err)) {
ha_alert("parsing [%s:%d]: failed to parse auto SNI expression: %s\n",
newsrv->conf.file, newsrv->conf.line, err);
free(err);
++cfgerr;
goto next_srv;
}
}
}
if ((newsrv->flags & SRV_F_FASTOPEN) &&
((px->retry_type & (PR_RE_DISCONNECTED | PR_RE_TIMEOUT)) !=
(PR_RE_DISCONNECTED | PR_RE_TIMEOUT)))
ha_warning("server has tfo activated, the backend should be configured with at least 'conn-failure', 'empty-response' and 'response-timeout' or we wouldn't be able to retry the connection on failure.\n");
if (newsrv->trackit) {
if (srv_apply_track(newsrv, px)) {
++cfgerr;
goto next_srv;
}
}
next_srv:
reset_usermsgs_ctx();
newsrv = newsrv->next;
}
/*
* Try to generate dynamic cookies for servers now.
* It couldn't be done earlier, since at the time we parsed
* the server line, we may not have known yet that we
* should use dynamic cookies, or the secret key may not
* have been provided yet.
*/
if (px->ck_opts & PR_CK_DYNAMIC) {
newsrv = px->srv;
while (newsrv != NULL) {
srv_set_dyncookie(newsrv);
newsrv = newsrv->next;
}
}
/* We have to initialize the server lookup mechanism depending
* on what LB algorithm was chosen.
*/
px->lbprm.algo &= ~(BE_LB_LKUP | BE_LB_PROP_DYN);
switch (px->lbprm.algo & BE_LB_KIND) {
case BE_LB_KIND_RR:
if ((px->lbprm.algo & BE_LB_PARM) == BE_LB_RR_STATIC) {
px->lbprm.algo |= BE_LB_LKUP_MAP;
init_server_map(px);
} else if ((px->lbprm.algo & BE_LB_PARM) == BE_LB_RR_RANDOM) {
px->lbprm.algo |= BE_LB_LKUP_CHTREE | BE_LB_PROP_DYN;
if (chash_init_server_tree(px) < 0) {
cfgerr++;
}
} else {
px->lbprm.algo |= BE_LB_LKUP_RRTREE | BE_LB_PROP_DYN;
fwrr_init_server_groups(px);
}
break;
case BE_LB_KIND_CB:
if ((px->lbprm.algo & BE_LB_PARM) == BE_LB_CB_LC) {
px->lbprm.algo |= BE_LB_LKUP_LCTREE | BE_LB_PROP_DYN;
fwlc_init_server_tree(px);
} else {
px->lbprm.algo |= BE_LB_LKUP_FSTREE | BE_LB_PROP_DYN;
fas_init_server_tree(px);
}
break;
case BE_LB_KIND_HI:
if ((px->lbprm.algo & BE_LB_HASH_TYPE) == BE_LB_HASH_CONS) {
px->lbprm.algo |= BE_LB_LKUP_CHTREE | BE_LB_PROP_DYN;
if (chash_init_server_tree(px) < 0) {
cfgerr++;
}
} else {
px->lbprm.algo |= BE_LB_LKUP_MAP;
init_server_map(px);
}
break;
case BE_LB_KIND_SA:
if ((px->lbprm.algo & BE_LB_PARM) == BE_LB_SA_SS) {
px->lbprm.algo |= BE_LB_PROP_DYN;
init_server_ss(px);
}
break;
}
HA_RWLOCK_INIT(&px->lbprm.lock);
if (px->options & PR_O_LOGASAP)
px->to_log &= ~LW_BYTES;
if (!(px->cap & PR_CAP_INT) && (px->mode == PR_MODE_TCP || px->mode == PR_MODE_HTTP) &&
(px->cap & PR_CAP_FE) && LIST_ISEMPTY(&px->loggers) &&
(!lf_expr_isempty(&px->logformat) || !lf_expr_isempty(&px->logformat_sd))) {
ha_warning("log format ignored for %s '%s' since it has no log address.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (px->mode != PR_MODE_HTTP && !(px->options & PR_O_HTTP_UPG)) {
int optnum;
if (px->uri_auth) {
ha_warning("'stats' statement ignored for %s '%s' as it requires HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
stats_uri_auth_drop(px->uri_auth);
px->uri_auth = NULL;
}
if (px->capture_name) {
ha_warning("'capture' statement ignored for %s '%s' as it requires HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (isttest(px->monitor_uri)) {
ha_warning("'monitor-uri' statement ignored for %s '%s' as it requires HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (!LIST_ISEMPTY(&px->http_req_rules)) {
ha_warning("'http-request' rules ignored for %s '%s' as they require HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (!LIST_ISEMPTY(&px->http_res_rules)) {
ha_warning("'http-response' rules ignored for %s '%s' as they require HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (!LIST_ISEMPTY(&px->http_after_res_rules)) {
ha_warning("'http-after-response' rules ignored for %s '%s' as they require HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
if (!LIST_ISEMPTY(&px->redirect_rules)) {
ha_warning("'redirect' rules ignored for %s '%s' as they require HTTP mode.\n",
proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
}
for (optnum = 0; cfg_opts[optnum].name; optnum++) {
if (cfg_opts[optnum].mode == PR_MODE_HTTP &&
(px->cap & cfg_opts[optnum].cap) &&
(px->options & cfg_opts[optnum].val)) {
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
cfg_opts[optnum].name, proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
px->options &= ~cfg_opts[optnum].val;
}
}
for (optnum = 0; cfg_opts2[optnum].name; optnum++) {
if (cfg_opts2[optnum].mode == PR_MODE_HTTP &&
(px->cap & cfg_opts2[optnum].cap) &&
(px->options2 & cfg_opts2[optnum].val)) {
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
cfg_opts2[optnum].name, proxy_type_str(px), px->id);
*err_code |= ERR_WARN;
px->options2 &= ~cfg_opts2[optnum].val;
}
}
#if defined(CONFIG_HAP_TRANSPARENT)
if (px->conn_src.bind_hdr_occ) {
px->conn_src.bind_hdr_occ = 0;
ha_warning("%s '%s' : ignoring use of header %s as source IP in non-HTTP mode.\n",
proxy_type_str(px), px->id, px->conn_src.bind_hdr_name);
*err_code |= ERR_WARN;
}
#endif /* CONFIG_HAP_TRANSPARENT */
}
/*
* ensure that we're not cross-dressing a TCP server into HTTP.
*/
newsrv = px->srv;
while (newsrv != NULL) {
if ((px->mode != PR_MODE_HTTP) && newsrv->rdr_len) {
ha_alert("%s '%s' : server cannot have cookie or redirect prefix in non-HTTP mode.\n",
proxy_type_str(px), px->id);
cfgerr++;
}
if ((px->mode != PR_MODE_HTTP) && newsrv->cklen) {
ha_warning("%s '%s' : ignoring cookie for server '%s' as HTTP mode is disabled.\n",
proxy_type_str(px), px->id, newsrv->id);
*err_code |= ERR_WARN;
}
if ((newsrv->flags & SRV_F_MAPPORTS) && (px->options2 & PR_O2_RDPC_PRST)) {
ha_warning("%s '%s' : RDP cookie persistence will not work for server '%s' because it lacks an explicit port number.\n",
proxy_type_str(px), px->id, newsrv->id);
*err_code |= ERR_WARN;
}
#if defined(CONFIG_HAP_TRANSPARENT)
if (px->mode != PR_MODE_HTTP && newsrv->conn_src.bind_hdr_occ) {
newsrv->conn_src.bind_hdr_occ = 0;
ha_warning("%s '%s' : server %s cannot use header %s as source IP in non-HTTP mode.\n",
proxy_type_str(px), px->id, newsrv->id, newsrv->conn_src.bind_hdr_name);
*err_code |= ERR_WARN;
}
#endif /* CONFIG_HAP_TRANSPARENT */
if ((px->mode != PR_MODE_HTTP) && (px->options & PR_O_REUSE_MASK) != PR_O_REUSE_NEVR)
px->options &= ~PR_O_REUSE_MASK;
if (px->mode == PR_MODE_SPOP)
px->options |= PR_O_REUSE_ALWS;
if ((px->mode != PR_MODE_HTTP) && newsrv->flags & SRV_F_RHTTP) {
ha_alert("%s '%s' : server %s uses reverse HTTP addressing which can only be used with HTTP mode.\n",
proxy_type_str(px), px->id, newsrv->id);
cfgerr++;
*err_code |= ERR_FATAL | ERR_ALERT;
goto out;
}
newsrv = newsrv->next;
}
/* Check filter configuration, if any */
cfgerr += flt_check(px);
if (px->cap & PR_CAP_FE) {
if (!px->accept)
px->accept = frontend_accept;
if (!LIST_ISEMPTY(&px->tcp_req.inspect_rules) ||
(px->defpx && !LIST_ISEMPTY(&px->defpx->tcp_req.inspect_rules)))
px->fe_req_ana |= AN_REQ_INSPECT_FE;
if (px->mode == PR_MODE_HTTP) {
px->fe_req_ana |= AN_REQ_WAIT_HTTP | AN_REQ_HTTP_PROCESS_FE;
px->fe_rsp_ana |= AN_RES_WAIT_HTTP | AN_RES_HTTP_PROCESS_FE;
}
if (px->mode == PR_MODE_CLI) {
px->fe_req_ana |= AN_REQ_WAIT_CLI;
px->fe_rsp_ana |= AN_RES_WAIT_CLI;
}
/* both TCP and HTTP must check switching rules */
px->fe_req_ana |= AN_REQ_SWITCHING_RULES;
/* Add filters analyzers if needed */
if (!LIST_ISEMPTY(&px->filter_configs)) {
px->fe_req_ana |= AN_REQ_FLT_START_FE | AN_REQ_FLT_XFER_DATA | AN_REQ_FLT_END;
px->fe_rsp_ana |= AN_RES_FLT_START_FE | AN_RES_FLT_XFER_DATA | AN_RES_FLT_END;
}
}
if (px->cap & PR_CAP_BE) {
if (!LIST_ISEMPTY(&px->tcp_req.inspect_rules) ||
(px->defpx && !LIST_ISEMPTY(&px->defpx->tcp_req.inspect_rules)))
px->be_req_ana |= AN_REQ_INSPECT_BE;
if (!LIST_ISEMPTY(&px->tcp_rep.inspect_rules) ||
(px->defpx && !LIST_ISEMPTY(&px->defpx->tcp_rep.inspect_rules)))
px->be_rsp_ana |= AN_RES_INSPECT;
if (px->mode == PR_MODE_HTTP) {
px->be_req_ana |= AN_REQ_WAIT_HTTP | AN_REQ_HTTP_INNER | AN_REQ_HTTP_PROCESS_BE;
px->be_rsp_ana |= AN_RES_WAIT_HTTP | AN_RES_HTTP_PROCESS_BE;
}
/* If the backend does requires RDP cookie persistence, we have to
* enable the corresponding analyser.
*/
if (px->options2 & PR_O2_RDPC_PRST)
px->be_req_ana |= AN_REQ_PRST_RDP_COOKIE;
/* Add filters analyzers if needed */
if (!LIST_ISEMPTY(&px->filter_configs)) {
px->be_req_ana |= AN_REQ_FLT_START_BE | AN_REQ_FLT_XFER_DATA | AN_REQ_FLT_END;
px->be_rsp_ana |= AN_RES_FLT_START_BE | AN_RES_FLT_XFER_DATA | AN_RES_FLT_END;
}
}
/* Check the mux protocols, if any, for each server attached to
* the current proxy */
for (newsrv = px->srv; newsrv; newsrv = newsrv->next) {
int mode = conn_pr_mode_to_proto_mode(px->mode);
const struct mux_proto_list *mux_ent;
if (srv_is_quic(newsrv)) {
if (!newsrv->mux_proto) {
/* Force QUIC as mux-proto on server with quic addresses, similarly to bind on FE side. */
newsrv->mux_proto = get_mux_proto(ist("quic"));
}
}
if (!newsrv->mux_proto)
continue;
/* it is possible that an incorrect mux was referenced
* due to the proxy's mode not being taken into account
* on first pass. Let's adjust it now.
*/
mux_ent = conn_get_best_mux_entry(newsrv->mux_proto->token, PROTO_SIDE_BE, mode);
if (!mux_ent || !isteq(mux_ent->token, newsrv->mux_proto->token)) {
ha_alert("%s '%s' : MUX protocol '%.*s' is not usable for server '%s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)newsrv->mux_proto->token.len,
newsrv->mux_proto->token.ptr,
newsrv->id, newsrv->conf.file, newsrv->conf.line);
cfgerr++;
}
else {
if ((mux_ent->mux->flags & MX_FL_FRAMED) && !srv_is_quic(newsrv)) {
ha_alert("%s '%s' : MUX protocol '%.*s' is incompatible with stream transport used by server '%s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)newsrv->mux_proto->token.len,
newsrv->mux_proto->token.ptr,
newsrv->id, newsrv->conf.file, newsrv->conf.line);
cfgerr++;
}
else if (!(mux_ent->mux->flags & MX_FL_FRAMED) && srv_is_quic(newsrv)) {
ha_alert("%s '%s' : MUX protocol '%.*s' is incompatible with framed transport used by server '%s' at [%s:%d].\n",
proxy_type_str(px), px->id,
(int)newsrv->mux_proto->token.len,
newsrv->mux_proto->token.ptr,
newsrv->id, newsrv->conf.file, newsrv->conf.line);
cfgerr++;
}
}
/* update the mux */
newsrv->mux_proto = mux_ent;
}
/* Allocate default tcp-check rules for proxies without
* explicit rules.
*/
if (px->cap & PR_CAP_BE) {
if (!(px->options2 & PR_O2_CHK_ANY)) {
struct tcpcheck_ruleset *rs = NULL;
struct tcpcheck_rules *rules = &px->tcpcheck_rules;
px->options2 |= PR_O2_TCPCHK_CHK;
rs = find_tcpcheck_ruleset("*tcp-check");
if (!rs) {
rs = create_tcpcheck_ruleset("*tcp-check");
if (rs == NULL) {
ha_alert("config: %s '%s': out of memory.\n",
proxy_type_str(px), px->id);
cfgerr++;
}
}
free_tcpcheck_vars(&rules->preset_vars);
rules->list = &rs->rules;
rules->flags = 0;
}
}
out:
if (cfgerr)
*err_code |= ERR_ALERT | ERR_FATAL;
return cfgerr;
}
/* Frees all dynamic settings allocated on a default proxy that's about to be
* destroyed. Note that most of the fields are not even reset, so extreme care
* is required here.
*/
static void defaults_px_free(struct proxy *defproxy)
{
struct cap_hdr *h,*h_next;
proxy_free_common(defproxy);
/* default proxy specific cleanup */
if (defproxy->defsrv)
ha_free((char **)&defproxy->defsrv->conf.file);
ha_free(&defproxy->defbe.name);
srv_free(&defproxy->defsrv);
h = defproxy->req_cap;
while (h) {
h_next = h->next;
free(h->name);
pool_destroy(h->pool);
free(h);
h = h_next;
}
h = defproxy->rsp_cap;
while (h) {
h_next = h->next;
free(h->name);
pool_destroy(h->pool);
free(h);
h = h_next;
}
proxy_release_conf_errors(defproxy);
deinit_proxy_tcpcheck(defproxy);
}
/* Removes <px> defaults instance from the name tree, free its content and
* storage. This must only be used if <px> is unreferenced.
*/
void defaults_px_destroy(struct proxy *px)
{
BUG_ON(!(px->cap & PR_CAP_DEF));
BUG_ON(px->conf.refcount != 0);
cebis_item_delete(&defproxy_by_name, conf.name_node, id, px);
LIST_DELETE(&px->el);
defaults_px_free(px);
free(px);
}
/* delete all unreferenced default proxies. A default proxy is unreferenced if
* its refcount is equal to zero.
*/
void defaults_px_destroy_all_unref(void)
{
struct proxy *px, *nx;
for (px = cebis_item_first(&defproxy_by_name, conf.name_node, id, struct proxy); px; px = nx) {
BUG_ON(!(px->cap & PR_CAP_DEF));
nx = cebis_item_next(&defproxy_by_name, conf.name_node, id, px);
if (!px->conf.refcount)
defaults_px_destroy(px);
}
}
/* Removes <px> defaults from the name tree. This operation is useful when a
* section is made invisible by a newer instance with the same name. If <px> is
* not referenced it is freed immediately, else it is kept in defaults_list.
*/
void defaults_px_detach(struct proxy *px)
{
BUG_ON(!(px->cap & PR_CAP_DEF));
cebis_item_delete(&defproxy_by_name, conf.name_node, id, px);
if (!px->conf.refcount)
defaults_px_destroy(px);
/* If not destroyed, <px> can still be accessed in <defaults_list>. */
}
void defaults_px_ref_all(void)
{
struct proxy *px;
for (px = cebis_item_first(&defproxy_by_name, conf.name_node, id, struct proxy);
px;
px = cebis_item_next(&defproxy_by_name, conf.name_node, id, px)) {
++px->conf.refcount;
}
}
void defaults_px_unref_all(void)
{
struct proxy *px, *nx;
for (px = cebis_item_first(&defproxy_by_name, conf.name_node, id, struct proxy); px; px = nx) {
nx = cebis_item_next(&defproxy_by_name, conf.name_node, id, px);
BUG_ON(!px->conf.refcount);
if (!--px->conf.refcount)
defaults_px_destroy(px);
}
}
/* Add a reference on the default proxy <defpx> for the proxy <px> Nothing is
* done if <px> already references <defpx>. Otherwise, the default proxy
* refcount is incremented by one.
*
* This operation is not thread safe. It must only be performed during init
* stage or under thread isolation.
*/
static inline void defaults_px_ref(struct proxy *defpx, struct proxy *px)
{
if (px->defpx == defpx)
return;
/* <px> is already referencing another defaults. */
BUG_ON(px->defpx);
px->defpx = defpx;
defpx->conf.refcount++;
}
/* Check that <px> can inherits from <defpx> default proxy. If some settings
* cannot be copied, refcount of the defaults instance is incremented.
* Inheritance may be impossible due to incompatibility issues. In this case,
* <errmsg> will be allocated to point to a textual description of the error.
*
* Returns ERR_NONE on success and a combination of ERR_CODE on failure
*/
int proxy_ref_defaults(struct proxy *px, struct proxy *defpx, char **errmsg)
{
char defcap = defpx->cap & PR_CAP_LISTEN;
int err_code = ERR_NONE;
if ((px->cap & PR_CAP_BE) && (defpx->nb_req_cap || defpx->nb_rsp_cap)) {
memprintf(errmsg, "backend or defaults sections cannot inherit from a defaults section defining"
" captures (defaults section at %s:%d)",
defpx->conf.file, defpx->conf.line);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
/* If the current default proxy defines TCP/HTTP rules, the
* current proxy will keep a reference on it. But some sanity
* checks are performed first:
*
* - It cannot be used to init a defaults section
* - It cannot be used to init a listen section
* - It cannot be used to init backend and frontend sections at
* same time. It can be used to init several sections of the
* same type only.
* - It cannot define L4/L5 TCP rules if it is used to init
* backend sections.
* - It cannot define 'tcp-response content' rules if it
* is used to init frontend sections.
*
* If no error is found, refcount of the default proxy is incremented.
*/
if ((!LIST_ISEMPTY(&defpx->http_req_rules) ||
!LIST_ISEMPTY(&defpx->http_res_rules) ||
!LIST_ISEMPTY(&defpx->http_after_res_rules) ||
!LIST_ISEMPTY(&defpx->tcp_req.l4_rules) ||
!LIST_ISEMPTY(&defpx->tcp_req.l5_rules) ||
!LIST_ISEMPTY(&defpx->tcp_req.inspect_rules) ||
!LIST_ISEMPTY(&defpx->tcp_rep.inspect_rules))) {
/* Note: Add tcpcheck_rules too if unresolve args become allowed in defaults section */
if (px->cap & PR_CAP_DEF) {
memprintf(errmsg, "a defaults section cannot inherit from a defaults section defining TCP/HTTP rules (defaults section at %s:%d)",
defpx->conf.file, defpx->conf.line);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
else if ((px->cap & PR_CAP_LISTEN) == PR_CAP_LISTEN) {
memprintf(errmsg, "a listen section cannot inherit from a defaults section defining TCP/HTTP rules");
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
else if ((defcap == PR_CAP_BE || defcap == PR_CAP_FE) && (px->cap & PR_CAP_LISTEN) != defcap) {
memprintf(errmsg, "frontends and backends cannot inherit from the same defaults section"
" if it defines TCP/HTTP rules (defaults section at %s:%d)",
defpx->conf.file, defpx->conf.line);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
else if (!(px->cap & PR_CAP_FE) && (!LIST_ISEMPTY(&defpx->tcp_req.l4_rules) ||
!LIST_ISEMPTY(&defpx->tcp_req.l5_rules))) {
memprintf(errmsg, "a backend section cannot inherit from a defaults section defining"
" 'tcp-request connection' or 'tcp-request session' rules (defaults section at %s:%d)",
defpx->conf.file, defpx->conf.line);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
else if (!(px->cap & PR_CAP_BE) && !LIST_ISEMPTY(&defpx->tcp_rep.inspect_rules)) {
memprintf(errmsg, "a frontend section cannot inherit from a defaults section defining"
" 'tcp-response content' rules (defaults section at %s:%d)",
defpx->conf.file, defpx->conf.line);
err_code |= ERR_ALERT | ERR_ABORT;
goto out;
}
defpx->cap = (defpx->cap & ~PR_CAP_LISTEN) | (px->cap & PR_CAP_LISTEN);
defaults_px_ref(defpx, px);
}
if ((defpx->tcpcheck_rules.flags & TCPCHK_RULES_PROTO_CHK) &&
(px->cap & PR_CAP_LISTEN) == PR_CAP_BE) {
/* If the current default proxy defines tcpcheck rules, the
* current proxy will keep a reference on it. but only if the
* current proxy has the backend capability.
*/
defaults_px_ref(defpx, px);
}
out:
return err_code;
}
/* proxy <px> removes its reference on its default proxy. The default proxy
* refcount is decremented by one. If it was the last reference, the
* corresponding default proxy is destroyed. For now this operation is not
* thread safe and is performed during deinit staged only.
*/
void proxy_unref_defaults(struct proxy *px)
{
if (px->defpx == NULL)
return;
if (!--px->defpx->conf.refcount)
defaults_px_destroy(px->defpx);
px->defpx = NULL;
}
/* prepares a new proxy <name> of type <cap> from the provided <px>
* pointer.
* <px> is assumed to be freshly allocated
* <name> may be NULL: proxy id assignment will be skipped.
*
* Returns a 1 on success or 0 on failure (in which case errmsg must be checked
* then freed).
*/
int setup_new_proxy(struct proxy *px, const char *name, unsigned int cap, char **errmsg)
{
init_new_proxy(px);
if (name) {
px->id = strdup(name);
if (!px->id) {
memprintf(errmsg, "out of memory");
goto fail;
}
}
px->cap = cap;
px->last_change = ns_to_sec(now_ns);
/* Internal proxies or with empty name are not stored in the named tree. */
if (name && name[0] != '\0' && !(cap & PR_CAP_INT))
proxy_store_name(px);
if (!(cap & PR_CAP_DEF))
LIST_APPEND(&proxies, &px->global_list);
return 1;
fail:
if (name)
memprintf(errmsg, "proxy '%s': %s", name, *errmsg);
srv_free(&px->defsrv);
ha_free(&px->id);
counters_fe_shared_drop(&px->fe_counters.shared);
counters_be_shared_drop(&px->be_counters.shared);
return 0;
}
/* Allocates a new proxy <name> of type <cap>.
* Returns the proxy instance on success. On error, NULL is returned.
*/
struct proxy *alloc_new_proxy(const char *name, unsigned int cap, char **errmsg)
{
struct proxy *curproxy;
if ((curproxy = ha_aligned_zalloc_typed(1, typeof(*curproxy))) == NULL) {
memprintf(errmsg, "proxy '%s': out of memory", name);
goto fail;
}
if (!setup_new_proxy(curproxy, name, cap, errmsg))
goto fail;
done:
return curproxy;
fail:
/* Note: in case of fatal error here, we WILL make valgrind unhappy,
* but its not worth trying to unroll everything here just before
* quitting.
*/
if (curproxy)
srv_free(&curproxy->defsrv);
free(curproxy);
return NULL;
}
/* post-check for proxies */
static int proxy_postcheck(struct proxy *px)
{
struct listener *listener;
char *errmsg = NULL;
int err_code = ERR_NONE;
/* allocate private memory for shared counters: used as a fallback
* or when sharing is disabled. If sharing is enabled pointers will
* be updated to point to the proper shared memory location during
* proxy postparsing, see proxy_postparse()
*/
if (px->cap & PR_CAP_FE) {
if (!counters_fe_shared_prepare(&px->fe_counters.shared, &px->guid, &errmsg)) {
ha_alert("out of memory while setting up shared counters for %s %s : %s\n",
proxy_type_str(px), px->id, errmsg);
ha_free(&errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
if (px->cap & (PR_CAP_FE|PR_CAP_BE)) {
/* by default stream->be points to stream->fe, thus proxy
* be_counters may be used even if the proxy lacks the backend
* capability
*/
if (!counters_be_shared_prepare(&px->be_counters.shared, &px->guid, &errmsg)) {
ha_alert("out of memory while setting up shared counters for %s %s : %s\n",
proxy_type_str(px), px->id, errmsg);
ha_free(&errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
list_for_each_entry(listener, &px->conf.listeners, by_fe) {
if (listener->counters) {
if (!counters_fe_shared_prepare(&listener->counters->shared, &listener->guid, &errmsg)) {
ha_free(&listener->counters);
ha_alert("out of memory while setting up shared listener counters for %s %s : %s\n",
proxy_type_str(px), px->id, errmsg);
ha_free(&errmsg);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
}
}
out:
return err_code;
}
REGISTER_POST_PROXY_CHECK(proxy_postcheck);
/* Copy the proxy settings from <defproxy> to <curproxy>.
* Returns 0 on success.
* Returns 1 on error. <errmsg> will be allocated with an error description.
*/
static int proxy_defproxy_cpy(struct proxy *curproxy, const struct proxy *defproxy,
char **errmsg)
{
struct logger *tmplogger;
char *tmpmsg = NULL;
/* set default values from the specified default proxy */
if (defproxy->defsrv) {
if (!curproxy->defsrv) {
/* there's a default-server in the defaults proxy but
* none allocated yet in the current proxy so we have
* to allocate and pre-initialize it right now.
*/
curproxy->defsrv = srv_alloc();
if (!curproxy->defsrv) {
memprintf(errmsg, "proxy '%s': out of memory allocating default-server", curproxy->id);
return 1;
}
curproxy->defsrv->id = "default-server";
srv_settings_init(curproxy->defsrv);
}
srv_settings_cpy(curproxy->defsrv, defproxy->defsrv, 0);
}
curproxy->flags = (defproxy->flags & PR_FL_DISABLED); /* Only inherit from disabled flag */
curproxy->options = defproxy->options;
curproxy->options2 = defproxy->options2;
curproxy->no_options = defproxy->no_options;
curproxy->no_options2 = defproxy->no_options2;
curproxy->retry_type = defproxy->retry_type;
curproxy->tcp_req.inspect_delay = defproxy->tcp_req.inspect_delay;
curproxy->tcp_rep.inspect_delay = defproxy->tcp_rep.inspect_delay;
http_ext_clean(curproxy);
http_ext_dup(defproxy, curproxy);
if (isttest(defproxy->server_id_hdr_name))
curproxy->server_id_hdr_name = istdup(defproxy->server_id_hdr_name);
/* initialize error relocations */
if (!proxy_dup_default_conf_errors(curproxy, defproxy, &tmpmsg)) {
memprintf(errmsg, "proxy '%s' : %s", curproxy->id, tmpmsg);
free(tmpmsg);
return 1;
}
if (curproxy->cap & PR_CAP_FE) {
curproxy->maxconn = defproxy->maxconn;
curproxy->backlog = defproxy->backlog;
curproxy->fe_sps_lim = defproxy->fe_sps_lim;
curproxy->to_log = defproxy->to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR;
curproxy->max_out_conns = defproxy->max_out_conns;
curproxy->clitcpka_cnt = defproxy->clitcpka_cnt;
curproxy->clitcpka_idle = defproxy->clitcpka_idle;
curproxy->clitcpka_intvl = defproxy->clitcpka_intvl;
}
if (curproxy->cap & PR_CAP_BE) {
curproxy->lbprm.algo = defproxy->lbprm.algo;
curproxy->lbprm.hash_balance_factor = defproxy->lbprm.hash_balance_factor;
curproxy->fullconn = defproxy->fullconn;
curproxy->conn_retries = defproxy->conn_retries;
curproxy->redispatch_after = defproxy->redispatch_after;
curproxy->max_ka_queue = defproxy->max_ka_queue;
curproxy->tcpcheck_rules.flags = (defproxy->tcpcheck_rules.flags & ~TCPCHK_RULES_UNUSED_RS);
curproxy->tcpcheck_rules.list = defproxy->tcpcheck_rules.list;
if (!LIST_ISEMPTY(&defproxy->tcpcheck_rules.preset_vars)) {
if (!dup_tcpcheck_vars(&curproxy->tcpcheck_rules.preset_vars,
&defproxy->tcpcheck_rules.preset_vars)) {
memprintf(errmsg, "proxy '%s': failed to duplicate tcpcheck preset-vars", curproxy->id);
return 1;
}
}
curproxy->ck_opts = defproxy->ck_opts;
if (defproxy->cookie_name)
curproxy->cookie_name = strdup(defproxy->cookie_name);
curproxy->cookie_len = defproxy->cookie_len;
if (defproxy->dyncookie_key)
curproxy->dyncookie_key = strdup(defproxy->dyncookie_key);
if (defproxy->cookie_domain)
curproxy->cookie_domain = strdup(defproxy->cookie_domain);
if (defproxy->cookie_maxidle)
curproxy->cookie_maxidle = defproxy->cookie_maxidle;
if (defproxy->cookie_maxlife)
curproxy->cookie_maxlife = defproxy->cookie_maxlife;
if (defproxy->rdp_cookie_name)
curproxy->rdp_cookie_name = strdup(defproxy->rdp_cookie_name);
curproxy->rdp_cookie_len = defproxy->rdp_cookie_len;
if (defproxy->cookie_attrs)
curproxy->cookie_attrs = strdup(defproxy->cookie_attrs);
if (defproxy->lbprm.arg_str)
curproxy->lbprm.arg_str = strdup(defproxy->lbprm.arg_str);
curproxy->lbprm.arg_len = defproxy->lbprm.arg_len;
curproxy->lbprm.arg_opt1 = defproxy->lbprm.arg_opt1;
curproxy->lbprm.arg_opt2 = defproxy->lbprm.arg_opt2;
curproxy->lbprm.arg_opt3 = defproxy->lbprm.arg_opt3;
if (defproxy->conn_src.iface_name)
curproxy->conn_src.iface_name = strdup(defproxy->conn_src.iface_name);
curproxy->conn_src.iface_len = defproxy->conn_src.iface_len;
curproxy->conn_src.opts = defproxy->conn_src.opts;
#if defined(CONFIG_HAP_TRANSPARENT)
curproxy->conn_src.tproxy_addr = defproxy->conn_src.tproxy_addr;
#endif
curproxy->load_server_state_from_file = defproxy->load_server_state_from_file;
curproxy->srvtcpka_cnt = defproxy->srvtcpka_cnt;
curproxy->srvtcpka_idle = defproxy->srvtcpka_idle;
curproxy->srvtcpka_intvl = defproxy->srvtcpka_intvl;
}
if (curproxy->cap & PR_CAP_FE) {
if (defproxy->capture_name)
curproxy->capture_name = strdup(defproxy->capture_name);
curproxy->capture_namelen = defproxy->capture_namelen;
curproxy->capture_len = defproxy->capture_len;
curproxy->nb_req_cap = defproxy->nb_req_cap;
curproxy->req_cap = defproxy->req_cap;
curproxy->nb_rsp_cap = defproxy->nb_rsp_cap;
curproxy->rsp_cap = defproxy->rsp_cap;
}
if (curproxy->cap & PR_CAP_FE) {
curproxy->timeout.client = defproxy->timeout.client;
curproxy->timeout.client_hs = defproxy->timeout.client_hs;
curproxy->timeout.clientfin = defproxy->timeout.clientfin;
curproxy->timeout.tarpit = defproxy->timeout.tarpit;
curproxy->timeout.httpreq = defproxy->timeout.httpreq;
curproxy->timeout.httpka = defproxy->timeout.httpka;
if (isttest(defproxy->monitor_uri))
curproxy->monitor_uri = istdup(defproxy->monitor_uri);
if (defproxy->defbe.name)
curproxy->defbe.name = strdup(defproxy->defbe.name);
lf_expr_dup(&defproxy->logformat, &curproxy->logformat);
lf_expr_dup(&defproxy->logformat_sd, &curproxy->logformat_sd);
lf_expr_dup(&defproxy->logformat_error, &curproxy->logformat_error);
}
if (curproxy->cap & PR_CAP_BE) {
curproxy->timeout.connect = defproxy->timeout.connect;
curproxy->timeout.server = defproxy->timeout.server;
curproxy->timeout.serverfin = defproxy->timeout.serverfin;
curproxy->timeout.check = defproxy->timeout.check;
curproxy->timeout.queue = defproxy->timeout.queue;
curproxy->timeout.tarpit = defproxy->timeout.tarpit;
curproxy->timeout.httpreq = defproxy->timeout.httpreq;
curproxy->timeout.httpka = defproxy->timeout.httpka;
curproxy->timeout.tunnel = defproxy->timeout.tunnel;
curproxy->conn_src.source_addr = defproxy->conn_src.source_addr;
}
curproxy->mode = defproxy->mode;
/* for stats */
stats_uri_auth_drop(curproxy->uri_auth);
stats_uri_auth_take(defproxy->uri_auth);
curproxy->uri_auth = defproxy->uri_auth;
/* copy default loggers to curproxy */
list_for_each_entry(tmplogger, &defproxy->loggers, list) {
struct logger *node = dup_logger(tmplogger);
if (!node) {
memprintf(errmsg, "proxy '%s': out of memory", curproxy->id);
return 1;
}
LIST_APPEND(&curproxy->loggers, &node->list);
}
lf_expr_dup(&defproxy->format_unique_id, &curproxy->format_unique_id);
chunk_dup(&curproxy->log_tag, &defproxy->log_tag);
/* copy default header unique id */
if (isttest(defproxy->header_unique_id)) {
const struct ist copy = istdup(defproxy->header_unique_id);
if (!isttest(copy)) {
memprintf(errmsg, "proxy '%s': out of memory for unique-id-header", curproxy->id);
return 1;
}
curproxy->header_unique_id = copy;
}
/* default compression options */
if (defproxy->comp != NULL) {
curproxy->comp = calloc(1, sizeof(*curproxy->comp));
if (!curproxy->comp) {
memprintf(errmsg, "proxy '%s': out of memory for default compression options", curproxy->id);
return 1;
}
curproxy->comp->algos_res = defproxy->comp->algos_res;
curproxy->comp->algo_req = defproxy->comp->algo_req;
curproxy->comp->types_res = defproxy->comp->types_res;
curproxy->comp->types_req = defproxy->comp->types_req;
curproxy->comp->minsize_res = defproxy->comp->minsize_res;
curproxy->comp->minsize_req = defproxy->comp->minsize_req;
curproxy->comp->flags = defproxy->comp->flags;
}
if (defproxy->check_path)
curproxy->check_path = strdup(defproxy->check_path);
if (defproxy->check_command)
curproxy->check_command = strdup(defproxy->check_command);
BUG_ON(curproxy->email_alert.flags & PR_EMAIL_ALERT_RESOLVED);
if (defproxy->email_alert.mailers.name)
curproxy->email_alert.mailers.name = strdup(defproxy->email_alert.mailers.name);
if (defproxy->email_alert.from)
curproxy->email_alert.from = strdup(defproxy->email_alert.from);
if (defproxy->email_alert.to)
curproxy->email_alert.to = strdup(defproxy->email_alert.to);
if (defproxy->email_alert.myhostname)
curproxy->email_alert.myhostname = strdup(defproxy->email_alert.myhostname);
curproxy->email_alert.level = defproxy->email_alert.level;
curproxy->email_alert.flags = defproxy->email_alert.flags;
if (curproxy->cap & PR_CAP_FE) // don't inherit on backends
curproxy->conf.log_steps = defproxy->conf.log_steps;
return 0;
}
/* Allocates a new proxy <name> of type <cap> found at position <file:linenum>,
* preset it from the defaults of <defproxy> and returns it. In case of error,
* an alert is printed and NULL is returned.
*/
struct proxy *parse_new_proxy(const char *name, unsigned int cap,
const char *file, int linenum,
const struct proxy *defproxy)
{
struct proxy *curproxy = NULL;
char *errmsg = NULL;
if (!(curproxy = alloc_new_proxy(name, cap, &errmsg))) {
ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
free(errmsg);
return NULL;
}
if (defproxy) {
if (proxy_defproxy_cpy(curproxy, defproxy, &errmsg)) {
ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
free(errmsg);
ha_free(&curproxy);
return NULL;
}
}
curproxy->conf.args.file = curproxy->conf.file = copy_file_name(file);
curproxy->conf.args.line = curproxy->conf.line = linenum;
return curproxy;
}
/* to be called under the proxy lock after pausing some listeners. This will
* automatically update the p->flags flag
*/
void proxy_cond_pause(struct proxy *p)
{
if (p->li_ready)
return;
p->flags |= PR_FL_PAUSED;
}
/* to be called under the proxy lock after resuming some listeners. This will
* automatically update the p->flags flag
*/
void proxy_cond_resume(struct proxy *p)
{
if (!p->li_ready)
return;
p->flags &= ~PR_FL_PAUSED;
}
/* to be called under the proxy lock after stopping some listeners. This will
* automatically update the p->flags flag after stopping the last one, and
* will emit a log indicating the proxy's condition. The function is idempotent
* so that it will not emit multiple logs; a proxy will be disabled only once.
*/
void proxy_cond_disable(struct proxy *p)
{
long long cum_conn = 0;
long long cum_sess = 0;
if (p->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
return;
if (p->li_ready + p->li_paused > 0)
return;
p->flags |= PR_FL_STOPPED;
/* Note: syslog proxies use their own loggers so while it's somewhat OK
* to report them being stopped as a warning, we must not spam their log
* servers which are in fact production servers. For other types (CLI,
* peers, etc) we must not report them at all as they're not really on
* the data plane but on the control plane.
*/
if (!(global.mode & MODE_STARTING)) {
if (p->cap & PR_CAP_FE)
cum_conn = COUNTERS_SHARED_TOTAL(p->fe_counters.shared.tg, cum_conn, HA_ATOMIC_LOAD);
if (p->cap & PR_CAP_BE)
cum_sess = COUNTERS_SHARED_TOTAL(p->be_counters.shared.tg, cum_sess, HA_ATOMIC_LOAD);
}
if ((p->mode == PR_MODE_TCP || p->mode == PR_MODE_HTTP || p->mode == PR_MODE_SYSLOG || p->mode == PR_MODE_SPOP) && !(p->cap & PR_CAP_INT))
ha_warning("Proxy %s stopped (cumulated conns: FE: %lld, BE: %lld).\n",
p->id, cum_conn, cum_sess);
if ((p->mode == PR_MODE_TCP || p->mode == PR_MODE_HTTP || p->mode == PR_MODE_SPOP) && !(p->cap & PR_CAP_INT))
send_log(p, LOG_WARNING, "Proxy %s stopped (cumulated conns: FE: %lld, BE: %lld).\n",
p->id, cum_conn, cum_sess);
if (p->table && p->table->size && p->table->sync_task)
task_wakeup(p->table->sync_task, TASK_WOKEN_MSG);
if (p->task)
task_wakeup(p->task, TASK_WOKEN_MSG);
}
/*
* This is the proxy management task. It enables proxies when there are enough
* free streams, or stops them when the table is full. It is designed to be
* called as a task which is woken up upon stopping or when rate limiting must
* be enforced.
*/
struct task *manage_proxy(struct task *t, void *context, unsigned int state)
{
struct proxy *p = context;
int next = TICK_ETERNITY;
unsigned int wait;
/* We should periodically try to enable listeners waiting for a
* global resource here.
*/
/* If the proxy holds a stick table, we need to purge all unused
* entries. These are all the ones in the table with ref_cnt == 0
* and all the ones in the pool used to allocate new entries. Any
* entry attached to an existing stream waiting for a store will
* be in neither list. Any entry being dumped will have ref_cnt > 0.
* However we protect tables that are being synced to peers.
*/
if (unlikely(stopping && (p->flags & (PR_FL_DISABLED|PR_FL_STOPPED)) && p->table && p->table->current)) {
if (!p->table->refcnt) {
/* !table->refcnt means there
* is no more pending full resync
* to push to a new process and
* we are free to flush the table.
*/
int cleaned_up;
/* We purposely enforce a budget limitation since we don't want
* to spend too much time purging old entries
*
* This is known to cause the watchdog to occasionnaly trigger if
* the table is huge and all entries become available for purge
* at the same time
*
* Moreover, we must also anticipate the pool_gc() call which
* will also be much slower if there is too much work at once
*/
cleaned_up = stktable_trash_oldest(p->table);
if (cleaned_up) {
/* immediately release freed memory since we are stopping */
pool_gc(NULL);
if (cleaned_up) {
/* it is very likely that there are still trashable
* entries in the table, reschedule a new cleanup
* attempt ASAP
*/
t->expire = TICK_ETERNITY;
task_wakeup(t, TASK_WOKEN_RES);
return t;
}
}
}
if (p->table->current) {
/* some entries still remain but are not yet available
* for cleanup, let's recheck in one second
*/
next = tick_first(next, tick_add(now_ms, 1000));
}
}
/* the rest below is just for frontends */
if (!(p->cap & PR_CAP_FE))
goto out;
/* check the various reasons we may find to block the frontend */
if (unlikely(p->feconn >= p->maxconn))
goto out;
if (p->fe_sps_lim &&
(wait = COUNTERS_SHARED_TOTAL_ARG2(p->fe_counters.shared.tg, sess_per_sec, next_event_delay, p->fe_sps_lim, 0))) {
/* we're blocking because a limit was reached on the number of
* requests/s on the frontend. We want to re-check ASAP, which
* means in 1 ms before estimated expiration date, because the
* timer will have settled down.
*/
next = tick_first(next, tick_add(now_ms, wait));
goto out;
}
/* The proxy is not limited so we can re-enable any waiting listener */
dequeue_proxy_listeners(p, 0);
out:
t->expire = next;
task_queue(t);
return t;
}
static int proxy_parse_grace(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
const char *res;
if (!*args[1]) {
memprintf(err, "'%s' expects <time> as argument.\n", args[0]);
return -1;
}
res = parse_time_err(args[1], &global.grace_delay, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to '%s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], args[0]);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to '%s' (minimum non-null value is 1 ms)",
args[1], args[0]);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.\n", *res, args[0]);
return -1;
}
return 0;
}
static int proxy_parse_hard_stop_after(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
const char *res;
if (!*args[1]) {
memprintf(err, "'%s' expects <time> as argument.\n", args[0]);
return -1;
}
res = parse_time_err(args[1], &global.hard_stop_after, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to '%s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], args[0]);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to '%s' (minimum non-null value is 1 ms)",
args[1], args[0]);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.\n", *res, args[0]);
return -1;
}
return 0;
}
static int proxy_parse_close_spread_time(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
const char *res;
if (!*args[1]) {
memprintf(err, "'%s' expects <time> as argument.\n", args[0]);
return -1;
}
/* If close-spread-time is set to "infinite", disable the active connection
* closing during soft-stop.
*/
if (strcmp(args[1], "infinite") == 0) {
global.tune.options |= GTUNE_DISABLE_ACTIVE_CLOSE;
global.close_spread_time = TICK_ETERNITY;
return 0;
}
res = parse_time_err(args[1], &global.close_spread_time, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to '%s' (maximum value is 2147483647 ms or ~24.8 days)",
args[1], args[0]);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to '%s' (minimum non-null value is 1 ms)",
args[1], args[0]);
return -1;
}
else if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.\n", *res, args[0]);
return -1;
}
global.tune.options &= ~GTUNE_DISABLE_ACTIVE_CLOSE;
return 0;
}
struct task *hard_stop(struct task *t, void *context, unsigned int state)
{
struct proxy *p;
struct stream *s;
int thr;
if (killed) {
ha_warning("Some tasks resisted to hard-stop, exiting now.\n");
send_log(NULL, LOG_WARNING, "Some tasks resisted to hard-stop, exiting now.\n");
killed = 2;
for (thr = 0; thr < global.nbthread; thr++)
if (_HA_ATOMIC_LOAD(&ha_thread_info[thr].tg->threads_enabled) & ha_thread_info[thr].ltid_bit)
wake_thread(thr);
t->expire = TICK_ETERNITY;
return t;
}
ha_warning("soft-stop running for too long, performing a hard-stop.\n");
send_log(NULL, LOG_WARNING, "soft-stop running for too long, performing a hard-stop.\n");
p = proxies_list;
while (p) {
if ((p->cap & PR_CAP_FE) && (p->feconn > 0)) {
ha_warning("Proxy %s hard-stopped (%d remaining conns will be closed).\n",
p->id, p->feconn);
send_log(p, LOG_WARNING, "Proxy %s hard-stopped (%d remaining conns will be closed).\n",
p->id, p->feconn);
}
p = p->next;
}
thread_isolate();
for (thr = 0; thr < global.nbthread; thr++) {
list_for_each_entry(s, &ha_thread_ctx[thr].streams, list) {
stream_shutdown(s, SF_ERR_KILLED);
}
}
thread_release();
killed = 1;
t->expire = tick_add(now_ms, MS_TO_TICKS(1000));
return t;
}
/* perform the soft-stop right now (i.e. unbind listeners) */
static void do_soft_stop_now()
{
struct proxy *p;
struct task *task;
/* disable busy polling to avoid cpu eating for the new process */
global.tune.options &= ~GTUNE_BUSY_POLLING;
if (tick_isset(global.close_spread_time)) {
global.close_spread_end = tick_add(now_ms, global.close_spread_time);
}
/* schedule a hard-stop after a delay if needed */
if (tick_isset(global.hard_stop_after)) {
task = task_new_anywhere();
if (task) {
task->process = hard_stop;
task_schedule(task, tick_add(now_ms, global.hard_stop_after));
}
else {
ha_alert("out of memory trying to allocate the hard-stop task.\n");
}
}
/* we isolate so that we have a chance of stopping listeners in other groups */
thread_isolate();
/* stop all stoppable listeners */
protocol_stop_now();
thread_release();
/* Loop on proxies to stop backends */
p = proxies_list;
while (p) {
HA_RWLOCK_WRLOCK(PROXY_LOCK, &p->lock);
proxy_cond_disable(p);
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
p = p->next;
}
/* signal zero is used to broadcast the "stopping" event */
signal_handler(0);
}
/* triggered by a soft-stop delayed with `grace` */
static struct task *grace_expired(struct task *t, void *context, unsigned int state)
{
ha_notice("Grace period expired, proceeding with soft-stop now.\n");
send_log(NULL, LOG_NOTICE, "Grace period expired, proceeding with soft-stop now.\n");
do_soft_stop_now();
task_destroy(t);
return NULL;
}
/*
* this function disables health-check servers so that the process will quickly be ignored
* by load balancers.
*/
void soft_stop(void)
{
struct task *task;
stopping = 1;
if (tick_isset(global.grace_delay)) {
task = task_new_anywhere();
if (task) {
ha_notice("Scheduling a soft-stop in %u ms.\n", global.grace_delay);
send_log(NULL, LOG_WARNING, "Scheduling a soft-stop in %u ms.\n", global.grace_delay);
task->process = grace_expired;
task_schedule(task, tick_add(now_ms, global.grace_delay));
return;
}
else {
ha_alert("out of memory trying to allocate the stop-stop task, stopping now.\n");
}
}
/* no grace (or failure to enforce it): stop now */
do_soft_stop_now();
}
/* Temporarily disables listening on all of the proxy's listeners. Upon
* success, the proxy enters the PR_PAUSED state. The function returns 0
* if it fails, or non-zero on success.
* The function takes the proxy's lock so it's safe to
* call from multiple places.
*/
int pause_proxy(struct proxy *p)
{
struct listener *l;
HA_RWLOCK_WRLOCK(PROXY_LOCK, &p->lock);
if (!(p->cap & PR_CAP_FE) || (p->flags & (PR_FL_DISABLED|PR_FL_STOPPED)) || !p->li_ready)
goto end;
list_for_each_entry(l, &p->conf.listeners, by_fe)
suspend_listener(l, 1, 0);
if (p->li_ready) {
ha_warning("%s %s failed to enter pause mode.\n", proxy_cap_str(p->cap), p->id);
send_log(p, LOG_WARNING, "%s %s failed to enter pause mode.\n", proxy_cap_str(p->cap), p->id);
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
return 0;
}
end:
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
return 1;
}
/*
* This function completely stops a proxy and releases its listeners. It has
* to be called when going down in order to release the ports so that another
* process may bind to them. It must also be called on disabled proxies at the
* end of start-up. If all listeners are closed, the proxy is set to the
* PR_STOPPED state.
* The function takes the proxy's lock so it's safe to
* call from multiple places.
*/
void stop_proxy(struct proxy *p)
{
struct listener *l;
HA_RWLOCK_WRLOCK(PROXY_LOCK, &p->lock);
list_for_each_entry(l, &p->conf.listeners, by_fe)
stop_listener(l, 1, 0, 0);
if (!(p->flags & (PR_FL_DISABLED|PR_FL_STOPPED)) && !p->li_ready) {
/* might be just a backend */
p->flags |= PR_FL_STOPPED;
}
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
}
/* This function resumes listening on the specified proxy. It scans all of its
* listeners and tries to enable them all. If any of them fails, the proxy is
* put back to the paused state. It returns 1 upon success, or zero if an error
* is encountered.
* The function takes the proxy's lock so it's safe to
* call from multiple places.
*/
int resume_proxy(struct proxy *p)
{
struct listener *l;
int fail;
HA_RWLOCK_WRLOCK(PROXY_LOCK, &p->lock);
if ((p->flags & (PR_FL_DISABLED|PR_FL_STOPPED)) || !p->li_paused)
goto end;
fail = 0;
list_for_each_entry(l, &p->conf.listeners, by_fe) {
if (!resume_listener(l, 1, 0)) {
int port;
port = get_host_port(&l->rx.addr);
if (port) {
ha_warning("Port %d busy while trying to enable %s %s.\n",
port, proxy_cap_str(p->cap), p->id);
send_log(p, LOG_WARNING, "Port %d busy while trying to enable %s %s.\n",
port, proxy_cap_str(p->cap), p->id);
}
else {
ha_warning("Bind on socket %d busy while trying to enable %s %s.\n",
l->luid, proxy_cap_str(p->cap), p->id);
send_log(p, LOG_WARNING, "Bind on socket %d busy while trying to enable %s %s.\n",
l->luid, proxy_cap_str(p->cap), p->id);
}
/* Another port might have been enabled. Let's stop everything. */
fail = 1;
break;
}
}
if (fail) {
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
/* pause_proxy will take PROXY_LOCK */
pause_proxy(p);
return 0;
}
end:
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &p->lock);
return 1;
}
/* Set current stream's backend to <be>. Nothing is done if the
* stream already had a backend assigned, which is indicated by
* s->flags & SF_BE_ASSIGNED.
* All flags, stats and counters which need be updated are updated.
* Returns 1 if done, 0 in case of internal error, eg: lack of resource.
*/
int stream_set_backend(struct stream *s, struct proxy *be)
{
unsigned int req_ana;
if (s->flags & SF_BE_ASSIGNED)
return 1;
if (flt_set_stream_backend(s, be) < 0)
return 0;
s->be = be;
if (be->be_counters.shared.tg)
s->be_tgcounters = be->be_counters.shared.tg[tgid - 1];
else
s->be_tgcounters = NULL;
HA_ATOMIC_UPDATE_MAX(&be->be_counters.conn_max,
HA_ATOMIC_ADD_FETCH(&be->beconn, 1));
proxy_inc_be_ctr(be);
/* assign new parameters to the stream from the new backend */
s->scb->flags &= ~SC_FL_INDEP_STR;
if (be->options2 & PR_O2_INDEPSTR)
s->scb->flags |= SC_FL_INDEP_STR;
/* We want to enable the backend-specific analysers except those which
* were already run as part of the frontend/listener. Note that it would
* be more reliable to store the list of analysers that have been run,
* but what we do here is OK for now.
*/
req_ana = be->be_req_ana;
if (!(strm_fe(s)->options & PR_O_WREQ_BODY) && be->options & PR_O_WREQ_BODY) {
/* The backend request to parse a request body while it was not
* performed on the frontend, so add the corresponding analyser
*/
req_ana |= AN_REQ_HTTP_BODY;
}
if (IS_HTX_STRM(s) && strm_fe(s)->mode != PR_MODE_HTTP) {
/* The stream was already upgraded to HTTP, so remove analysers
* set during the upgrade
*/
req_ana &= ~(AN_REQ_WAIT_HTTP|AN_REQ_HTTP_PROCESS_FE);
}
s->req.analysers |= req_ana & ~(strm_li(s) ? strm_li(s)->bind_conf->analysers : 0);
if (!IS_HTX_STRM(s) && be->mode == PR_MODE_HTTP) {
/* If we chain a TCP frontend to an HTX backend, we must upgrade
* the client mux */
if (!stream_set_http_mode(s, NULL))
return 0;
}
else if (IS_HTX_STRM(s) && be->mode != PR_MODE_HTTP) {
/* If a TCP backend is assgiend to an HTX stream, return an
* error. It may happens for a new stream on a previously
* upgraded connections. */
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_INTERNAL;
return 0;
}
else {
/* If the target backend requires HTTP processing, we have to allocate
* the HTTP transaction if we did not have one.
*/
if (unlikely(!s->txn && be->http_needed && !http_create_txn(s)))
return 0;
}
s->flags |= SF_BE_ASSIGNED;
if (be->options2 & PR_O2_NODELAY) {
s->scf->flags |= SC_FL_SND_NEVERWAIT;
s->scb->flags |= SC_FL_SND_NEVERWAIT;
}
return 1;
}
/* Capture a bad request or response and archive it in the proxy's structure.
* It is relatively protocol-agnostic so it requires that a number of elements
* are passed :
* - <proxy> is the proxy where the error was detected and where the snapshot
* needs to be stored
* - <is_back> indicates that the error happened when receiving the response
* - <other_end> is a pointer to the proxy on the other side when known
* - <target> is the target of the connection, usually a server or a proxy
* - <sess> is the session which experienced the error
* - <ctx> may be NULL or should contain any info relevant to the protocol
* - <buf> is the buffer containing the offending data
* - <buf_ofs> is the position of this buffer's input data in the input
* stream, starting at zero. It may be passed as zero if unknown.
* - <buf_out> is the portion of <buf->data> which was already forwarded and
* which precedes the buffer's input. The buffer's input starts at
* buf->head + buf_out.
* - <err_pos> is the pointer to the faulty byte in the buffer's input.
* - <show> is the callback to use to display <ctx>. It may be NULL.
*/
void proxy_capture_error(struct proxy *proxy, int is_back,
struct proxy *other_end, enum obj_type *target,
const struct session *sess,
const struct buffer *buf, long buf_ofs,
unsigned int buf_out, unsigned int err_pos,
const union error_snapshot_ctx *ctx,
void (*show)(struct buffer *, const struct error_snapshot *))
{
struct error_snapshot *es;
unsigned int buf_len;
int len1, len2;
unsigned int ev_id;
ev_id = HA_ATOMIC_FETCH_ADD(&error_snapshot_id, 1);
buf_len = b_data(buf) - buf_out;
es = malloc(sizeof(*es) + buf_len);
if (!es)
return;
es->buf_len = buf_len;
es->ev_id = ev_id;
len1 = b_size(buf) - b_peek_ofs(buf, buf_out);
if (len1 > buf_len)
len1 = buf_len;
if (len1) {
memcpy(es->buf, b_peek(buf, buf_out), len1);
len2 = buf_len - len1;
if (len2)
memcpy(es->buf + len1, b_orig(buf), len2);
}
es->buf_err = err_pos;
es->when = date; // user-visible date
es->srv = objt_server(target);
es->oe = other_end;
if (sess && objt_conn(sess->origin) && conn_get_src(__objt_conn(sess->origin)))
es->src = *__objt_conn(sess->origin)->src;
else
memset(&es->src, 0, sizeof(es->src));
es->buf_wrap = b_wrap(buf) - b_peek(buf, buf_out);
es->buf_out = buf_out;
es->buf_ofs = buf_ofs;
/* be sure to indicate the offset of the first IN byte */
if (es->buf_ofs >= es->buf_len)
es->buf_ofs -= es->buf_len;
else
es->buf_ofs = 0;
/* protocol-specific part now */
if (ctx)
es->ctx = *ctx;
else
memset(&es->ctx, 0, sizeof(es->ctx));
es->show = show;
/* note: we still lock since we have to be certain that nobody is
* dumping the output while we free.
*/
HA_RWLOCK_WRLOCK(PROXY_LOCK, &proxy->lock);
if (is_back) {
es = HA_ATOMIC_XCHG(&proxy->invalid_rep, es);
} else {
es = HA_ATOMIC_XCHG(&proxy->invalid_req, es);
}
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &proxy->lock);
ha_free(&es);
}
/* Configure all proxies which lack a maxconn setting to use the global one by
* default. This avoids the common mistake consisting in setting maxconn only
* in the global section and discovering the hard way that it doesn't propagate
* through the frontends. These values are also propagated through the various
* targeted backends, whose fullconn is finally calculated if not yet set.
*/
void proxy_adjust_all_maxconn()
{
struct proxy *curproxy;
struct switching_rule *swrule1, *swrule2;
for (curproxy = proxies_list; curproxy; curproxy = curproxy->next) {
if (curproxy->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
continue;
if (!(curproxy->cap & PR_CAP_FE))
continue;
if (!curproxy->maxconn)
curproxy->maxconn = global.maxconn;
/* update the target backend's fullconn count : default_backend */
if (curproxy->defbe.be)
curproxy->defbe.be->tot_fe_maxconn += curproxy->maxconn;
else if ((curproxy->cap & PR_CAP_LISTEN) == PR_CAP_LISTEN)
curproxy->tot_fe_maxconn += curproxy->maxconn;
list_for_each_entry(swrule1, &curproxy->switching_rules, list) {
/* For each target of switching rules, we update their
* tot_fe_maxconn, except if a previous rule points to
* the same backend or to the default backend.
*/
if (swrule1->be.backend != curproxy->defbe.be) {
/* note: swrule1->be.backend isn't a backend if the rule
* is dynamic, it's an expression instead, so it must not
* be dereferenced as a backend before being certain it is.
*/
list_for_each_entry(swrule2, &curproxy->switching_rules, list) {
if (swrule2 == swrule1) {
if (!swrule1->dynamic)
swrule1->be.backend->tot_fe_maxconn += curproxy->maxconn;
break;
}
else if (!swrule2->dynamic && swrule2->be.backend == swrule1->be.backend) {
/* there are multiple refs of this backend */
break;
}
}
}
}
}
/* automatically compute fullconn if not set. We must not do it in the
* loop above because cross-references are not yet fully resolved.
*/
for (curproxy = proxies_list; curproxy; curproxy = curproxy->next) {
if (curproxy->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
continue;
/* If <fullconn> is not set, let's set it to 10% of the sum of
* the possible incoming frontend's maxconns.
*/
if (!curproxy->fullconn && (curproxy->cap & PR_CAP_BE)) {
/* we have the sum of the maxconns in <total>. We only
* keep 10% of that sum to set the default fullconn, with
* a hard minimum of 1 (to avoid a divide by zero).
*/
curproxy->fullconn = (curproxy->tot_fe_maxconn + 9) / 10;
if (!curproxy->fullconn)
curproxy->fullconn = 1;
}
}
}
/* releases what's no longer needed after a proxy section covering <curproxy>.
* Returns an error code made of ERR_*, or 0 on success.
*/
static int post_section_px_cleanup()
{
if (!curproxy)
return 0; // nothing to do
if ((curproxy->cap & PR_CAP_LISTEN) && !(curproxy->cap & PR_CAP_DEF)) {
/* This is a regular proxy (not defaults). It doesn't need
* to keep a default-server section if it still had one. We
* want to keep it for defaults however, obviously.
*/
if (curproxy->defsrv) {
ha_free((char **)&curproxy->defsrv->conf.file);
srv_free(&curproxy->defsrv);
}
}
return 0;
}
REGISTER_CONFIG_POST_SECTION("frontend", post_section_px_cleanup);
REGISTER_CONFIG_POST_SECTION("backend", post_section_px_cleanup);
REGISTER_CONFIG_POST_SECTION("listen", post_section_px_cleanup);
REGISTER_CONFIG_POST_SECTION("defaults", post_section_px_cleanup);
/* Config keywords below */
static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "grace", proxy_parse_grace },
{ CFG_GLOBAL, "hard-stop-after", proxy_parse_hard_stop_after },
{ CFG_GLOBAL, "close-spread-time", proxy_parse_close_spread_time },
{ CFG_LISTEN, "timeout", proxy_parse_timeout },
{ CFG_LISTEN, "clitimeout", proxy_parse_timeout }, /* This keyword actually fails to parse, this line remains for better error messages. */
{ CFG_LISTEN, "contimeout", proxy_parse_timeout }, /* This keyword actually fails to parse, this line remains for better error messages. */
{ CFG_LISTEN, "srvtimeout", proxy_parse_timeout }, /* This keyword actually fails to parse, this line remains for better error messages. */
{ CFG_LISTEN, "rate-limit", proxy_parse_rate_limit },
{ CFG_LISTEN, "max-keep-alive-queue", proxy_parse_max_ka_queue },
{ CFG_LISTEN, "declare", proxy_parse_declare },
{ CFG_LISTEN, "retry-on", proxy_parse_retry_on },
{ CFG_LISTEN, "hash-preserve-affinity", proxy_parse_hash_preserve_affinity },
#ifdef TCP_KEEPCNT
{ CFG_LISTEN, "clitcpka-cnt", proxy_parse_tcpka_cnt },
{ CFG_LISTEN, "srvtcpka-cnt", proxy_parse_tcpka_cnt },
#endif
#ifdef TCP_KEEPIDLE
{ CFG_LISTEN, "clitcpka-idle", proxy_parse_tcpka_idle },
{ CFG_LISTEN, "srvtcpka-idle", proxy_parse_tcpka_idle },
#endif
#ifdef TCP_KEEPINTVL
{ CFG_LISTEN, "clitcpka-intvl", proxy_parse_tcpka_intvl },
{ CFG_LISTEN, "srvtcpka-intvl", proxy_parse_tcpka_intvl },
#endif
{ CFG_LISTEN, "force-be-switch", proxy_parse_force_be_switch },
{ CFG_LISTEN, "guid", proxy_parse_guid },
{ 0, NULL, NULL },
}};
INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
/* Expects to find a frontend named <arg> and returns it, otherwise displays various
* adequate error messages and returns NULL. This function is designed to be used by
* functions requiring a frontend on the CLI.
*/
struct proxy *cli_find_frontend(struct appctx *appctx, const char *arg)
{
struct proxy *px;
if (!*arg) {
cli_err(appctx, "A frontend name is expected.\n");
return NULL;
}
px = proxy_fe_by_name(arg);
if (!px) {
cli_err(appctx, "No such frontend.\n");
return NULL;
}
return px;
}
/* Expects to find a backend named <arg> and returns it, otherwise displays various
* adequate error messages and returns NULL. This function is designed to be used by
* functions requiring a frontend on the CLI.
*/
struct proxy *cli_find_backend(struct appctx *appctx, const char *arg)
{
struct proxy *px;
if (!*arg) {
cli_err(appctx, "A backend name is expected.\n");
return NULL;
}
px = proxy_be_by_name(arg);
if (!px) {
cli_err(appctx, "No such backend.\n");
return NULL;
}
return px;
}
/* parse a "show servers [state|conn]" CLI line, returns 0 if it wants to start
* the dump or 1 if it stops immediately. If an argument is specified, it will
* reserve a show_srv_ctx context and set the proxy pointer into ->px, its ID
* into ->only_pxid, and ->show_conn to 0 for "state", or 1 for "conn".
*/
static int cli_parse_show_servers(char **args, char *payload, struct appctx *appctx, void *private)
{
struct show_srv_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
struct proxy *px;
ctx->show_conn = *args[2] == 'c'; // "conn" vs "state"
/* check if a backend name has been provided */
if (*args[3]) {
/* read server state from local file */
px = proxy_be_by_name(args[3]);
if (!px)
return cli_err(appctx, "Can't find backend.\n");
ctx->px = px;
ctx->only_pxid = px->uuid;
}
return 0;
}
/* helper to dump server addr */
static void dump_server_addr(const struct sockaddr_storage *addr, char *addr_str)
{
addr_str[0] = '\0';
switch (addr->ss_family) {
case AF_INET:
case AF_INET6:
addr_to_str(addr, addr_str, INET6_ADDRSTRLEN + 1);
break;
default:
memcpy(addr_str, "-\0", 2);
break;
}
}
/* dumps server state information for all the servers found in backend cli.p0.
* These information are all the parameters which may change during HAProxy runtime.
* By default, we only export to the last known server state file format. These
* information can be used at next startup to recover same level of server
* state. It takes its context from show_srv_ctx, with the proxy pointer from
* ->px, the proxy's id ->only_pxid, the server's pointer from ->sv, and the
* choice of what to dump from ->show_conn.
*/
static int dump_servers_state(struct appctx *appctx)
{
struct show_srv_ctx *ctx = appctx->svcctx;
struct proxy *px = ctx->px;
struct server *srv;
char srv_addr[INET6_ADDRSTRLEN + 1];
char srv_agent_addr[INET6_ADDRSTRLEN + 1];
char srv_check_addr[INET6_ADDRSTRLEN + 1];
time_t srv_time_since_last_change;
int bk_f_forced_id, srv_f_forced_id;
char *srvrecord;
if (!ctx->sv)
ctx->sv = px->srv;
for (; ctx->sv != NULL; ctx->sv = srv->next) {
srv = ctx->sv;
dump_server_addr(&srv->addr, srv_addr);
dump_server_addr(&srv->check.addr, srv_check_addr);
dump_server_addr(&srv->agent.addr, srv_agent_addr);
srv_time_since_last_change = ns_to_sec(now_ns) - srv->last_change;
bk_f_forced_id = px->options & PR_O_FORCED_ID ? 1 : 0;
srv_f_forced_id = srv->flags & SRV_F_FORCED_ID ? 1 : 0;
srvrecord = NULL;
if (srv->srvrq && srv->srvrq->name)
srvrecord = srv->srvrq->name;
if (ctx->show_conn == 0) {
/* show servers state */
chunk_printf(&trash,
"%d %s "
"%d %s %s "
"%d %d %d %d %ld "
"%d %d %d %d %d "
"%d %d %s %u "
"%s %d %d "
"%s %s %d"
"\n",
px->uuid, HA_ANON_CLI(px->id),
srv->puid, HA_ANON_CLI(srv->id),
hash_ipanon(appctx->cli_ctx.anon_key, srv_addr, 0),
srv->cur_state, srv->cur_admin, srv->uweight, srv->iweight,
(long int)srv_time_since_last_change,
srv->check.status, srv->check.result, srv->check.health,
srv->check.state & 0x0F, srv->agent.state & 0x1F,
bk_f_forced_id, srv_f_forced_id,
srv->hostname ? HA_ANON_CLI(srv->hostname) : "-", srv->svc_port,
srvrecord ? srvrecord : "-", srv->use_ssl, srv->check.port,
srv_check_addr, srv_agent_addr, srv->agent.port);
} else {
/* show servers conn */
int thr;
chunk_printf(&trash,
"%s/%s %d/%d %s %u - %u %u %u %u %u %u %u %u %d %u",
HA_ANON_CLI(px->id), HA_ANON_CLI(srv->id),
px->uuid, srv->puid, hash_ipanon(appctx->cli_ctx.anon_key, srv_addr, 0),
srv->svc_port, srv->pool_purge_delay,
srv->served,
srv->curr_used_conns, srv->max_used_conns, srv->est_need_conns,
srv->curr_sess_idle_conns,
srv->curr_idle_nb, srv->curr_safe_nb, (int)srv->max_idle_conns, srv->curr_idle_conns);
for (thr = 0; thr < global.nbthread && srv->curr_idle_thr; thr++)
chunk_appendf(&trash, " %u", srv->curr_idle_thr[thr]);
chunk_appendf(&trash, "\n");
}
if (applet_putchk(appctx, &trash) == -1) {
return 0;
}
}
return 1;
}
/* Parses backend list or simply use backend name provided by the user to return
* states of servers to stdout. It takes its context from show_srv_ctx and dumps
* proxy ->px and stops if ->only_pxid is non-null.
*/
static int cli_io_handler_servers_state(struct appctx *appctx)
{
struct show_srv_ctx *ctx = appctx->svcctx;
struct proxy *curproxy;
if (ctx->state == SHOW_SRV_HEAD) {
if (ctx->show_conn == 0)
chunk_printf(&trash, "%d\n# %s\n", SRV_STATE_FILE_VERSION, SRV_STATE_FILE_FIELD_NAMES);
else
chunk_printf(&trash,
"# bkname/svname bkid/svid addr port - purge_delay served used_cur used_max need_est idle_sess unsafe_nb safe_nb idle_lim idle_cur idle_per_thr[%d]\n",
global.nbthread);
if (applet_putchk(appctx, &trash) == -1)
return 0;
ctx->state = SHOW_SRV_LIST;
if (!ctx->px)
ctx->px = proxies_list;
}
for (; ctx->px != NULL; ctx->px = curproxy->next) {
curproxy = ctx->px;
/* servers are only in backends */
if ((curproxy->cap & PR_CAP_BE) && !(curproxy->cap & PR_CAP_INT)) {
if (!dump_servers_state(appctx))
return 0;
}
/* only the selected proxy is dumped */
if (ctx->only_pxid)
break;
}
return 1;
}
/* Parses backend list and simply report backend names. It keeps the proxy
* pointer in svcctx since there's nothing else to store there.
*/
static int cli_io_handler_show_backend(struct appctx *appctx)
{
struct proxy *curproxy;
chunk_reset(&trash);
if (!appctx->svcctx) {
chunk_printf(&trash, "# name\n");
if (applet_putchk(appctx, &trash) == -1)
return 0;
appctx->svcctx = proxies_list;
}
for (; appctx->svcctx != NULL; appctx->svcctx = curproxy->next) {
curproxy = appctx->svcctx;
/* looking for non-internal backends only */
if ((curproxy->cap & (PR_CAP_BE|PR_CAP_INT)) != PR_CAP_BE)
continue;
chunk_appendf(&trash, "%s\n", curproxy->id);
if (applet_putchk(appctx, &trash) == -1)
return 0;
}
return 1;
}
/* Parses the "enable dynamic-cookies backend" directive, it always returns 1.
*
* Grabs the proxy lock and each server's lock.
*/
static int cli_parse_enable_dyncookie_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
struct server *s;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_backend(appctx, args[3]);
if (!px)
return 1;
if (px->mode != PR_MODE_TCP && px->mode != PR_MODE_HTTP)
return cli_err(appctx, "Not available.\n");
/* Note: this lock is to make sure this doesn't change while another
* thread is in srv_set_dyncookie().
*/
HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
px->ck_opts |= PR_CK_DYNAMIC;
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
for (s = px->srv; s != NULL; s = s->next) {
HA_SPIN_LOCK(SERVER_LOCK, &s->lock);
srv_set_dyncookie(s);
HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock);
}
return 1;
}
/* Parses the "disable dynamic-cookies backend" directive, it always returns 1.
*
* Grabs the proxy lock and each server's lock.
*/
static int cli_parse_disable_dyncookie_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
struct server *s;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_backend(appctx, args[3]);
if (!px)
return 1;
if (px->mode != PR_MODE_TCP && px->mode != PR_MODE_HTTP)
return cli_err(appctx, "Not available.\n");
/* Note: this lock is to make sure this doesn't change while another
* thread is in srv_set_dyncookie().
*/
HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
px->ck_opts &= ~PR_CK_DYNAMIC;
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
for (s = px->srv; s != NULL; s = s->next) {
HA_SPIN_LOCK(SERVER_LOCK, &s->lock);
if (!(s->flags & SRV_F_COOKIESET))
ha_free(&s->cookie);
HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock);
}
return 1;
}
/* Parses the "set dynamic-cookie-key backend" directive, it always returns 1.
*
* Grabs the proxy lock and each server's lock.
*/
static int cli_parse_set_dyncookie_key_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
struct server *s;
char *newkey;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_backend(appctx, args[3]);
if (!px)
return 1;
if (px->mode != PR_MODE_TCP && px->mode != PR_MODE_HTTP)
return cli_err(appctx, "Not available.\n");
if (!*args[4])
return cli_err(appctx, "String value expected.\n");
newkey = strdup(args[4]);
if (!newkey)
return cli_err(appctx, "Failed to allocate memory.\n");
/* Note: this lock is to make sure this doesn't change while another
* thread is in srv_set_dyncookie().
*/
HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
free(px->dyncookie_key);
px->dyncookie_key = newkey;
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
for (s = px->srv; s != NULL; s = s->next) {
HA_SPIN_LOCK(SERVER_LOCK, &s->lock);
srv_set_dyncookie(s);
HA_SPIN_UNLOCK(SERVER_LOCK, &s->lock);
}
return 1;
}
/* Parses the "set maxconn frontend" directive, it always returns 1.
*
* Grabs the proxy lock.
*/
static int cli_parse_set_maxconn_frontend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
struct listener *l;
int v;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_frontend(appctx, args[3]);
if (!px)
return 1;
if (!*args[4])
return cli_err(appctx, "Integer value expected.\n");
v = atoi(args[4]);
if (v < 0)
return cli_err(appctx, "Value out of range.\n");
/* OK, the value is fine, so we assign it to the proxy and to all of
* its listeners. The blocked ones will be dequeued.
*/
HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
px->maxconn = v;
list_for_each_entry(l, &px->conf.listeners, by_fe) {
if (l->state == LI_FULL)
relax_listener(l, 1, 0);
}
if (px->maxconn > px->feconn)
dequeue_proxy_listeners(px, 1);
HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
return 1;
}
/* Parses the "shutdown frontend" directive, it always returns 1.
*
* Grabs the proxy lock.
*/
static int cli_parse_shutdown_frontend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_frontend(appctx, args[2]);
if (!px)
return 1;
if (px->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
return cli_msg(appctx, LOG_NOTICE, "Frontend was already shut down.\n");
stop_proxy(px);
return 1;
}
/* Parses a "add backend" CLI command to allocate a new backend instance,
* derived from a default proxy instance. This operation is performed under
* thread isolation.
*
* Always returns 1.
*/
static int cli_parse_add_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px, *defpx, *next;
struct post_proxy_check_fct *ppcf;
const char *be_name, *def_name, *guid = NULL, *err;
char *msg = NULL;
enum pr_mode mode = 0;
int err_code = ERR_NONE;
usermsgs_clr("CLI");
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
++args;
be_name = args[1];
if (!*be_name) {
cli_err(appctx, "Require backend name.\n");
return 1;
}
if ((err = invalid_char(be_name))) {
cli_dynerr(appctx, memprintf(&msg, "Invalid character '%c' in backend name.\n", *err));
return 1;
}
++args;
def_name = args[2];
if (!*args[1] || !*def_name || strcmp(args[1], "from") != 0) {
cli_err(appctx, "Usage: add backend <name> from <defproxy>.\n");
return 1;
}
/* Parse optional arguments */
args += 2;
while (*args[1]) {
/* "mode" */
if (*args[2] && !mode && strcmp(args[1], "mode") == 0) {
mode = str_to_proxy_mode(args[2]);
if (mode == PR_MODES) {
cli_err(appctx, "Unknown proxy mode.\n");
return 1;
}
if (mode != PR_MODE_TCP && mode != PR_MODE_HTTP) {
cli_err(appctx, "Dynamic backends are compatible with only TCP or HTTP mode.\n");
return 1;
}
}
/* guid */
else if (*args[2] && !guid && strcmp(args[1], "guid") == 0) {
guid = args[2];
}
/* unknown, malformed or duplicate argument */
else {
cli_err(appctx, "Usage: add backend <name> from <defproxy> [mode <px_mode>] [guid <val>].\n");
return 1;
}
args += 2;
}
defpx = proxy_find_by_name(def_name, PR_CAP_DEF, 0);
if (!defpx) {
cli_dynerr(appctx, memprintf(&msg, "Cannot find default proxy '%s'.\n", def_name));
return 1;
}
if (!(defpx->flags & PR_FL_DEF_EXPLICIT_MODE) && !mode) {
cli_dynerr(appctx, memprintf(&msg, "Mode is required as '%s' default proxy does not explicitely defines it.\n", def_name));
return 1;
}
if (defpx->mode != PR_MODE_TCP && defpx->mode != PR_MODE_HTTP) {
cli_dynerr(appctx, memprintf(&msg, "Dynamic backends only support TCP or HTTP mode, whereas default proxy '%s' uses 'mode %s'.\n",
def_name, proxy_mode_str(defpx->mode)));
return 1;
}
if (!LIST_ISEMPTY(&defpx->conf.errors)) {
cli_dynerr(appctx, memprintf(&msg, "Dynamic backends cannot inherit from default proxy '%s' because it references HTTP errors.\n", def_name));
return 1;
}
thread_isolate();
if ((px = proxy_find_by_name(be_name, PR_CAP_NONE, 0)) ||
(px = proxy_find_by_name(be_name, PR_CAP_DEF, 0))) {
memprintf(&msg,
"name is already used by other proxy '%s %s'",
proxy_cap_str(px->cap), be_name);
px = NULL;
goto err;
}
px = alloc_new_proxy(be_name, PR_CAP_BE, &msg);
if (!px)
goto err;
if (guid && guid_insert(&px->obj_type, guid, &msg)) {
memprintf(&msg, "GUID insertion : %s", msg);
goto err;
}
if (proxy_defproxy_cpy(px, defpx, &msg))
goto err;
/* Override default-proxy mode if defined. */
if (mode)
px->mode = mode;
if (proxy_ref_defaults(px, defpx, &msg))
goto err;
proxy_init_per_thr(px);
if (proxy_finalize(px, &err_code))
goto err;
list_for_each_entry(ppcf, &post_proxy_check_list, list) {
err_code |= ppcf->fct(px);
if (err_code & (ERR_ABORT|ERR_FATAL))
goto err;
}
px->flags |= PR_FL_BE_UNPUBLISHED;
if (!stats_allocate_proxy_counters_internal(&px->extra_counters_be,
COUNTERS_BE,
STATS_PX_CAP_BE)) {
memprintf(&msg, "failed to allocate extra counters");
goto err;
}
/* Assign automatically proxy ID. */
px->uuid = proxy_get_next_id(dynpx_next_id);
if (!px->uuid) {
memprintf(&msg, "no spare proxy ID available");
goto err;
}
dynpx_next_id = px->uuid;
if (!proxies_list) {
proxies_list->next = px;
}
else {
for (next = proxies_list; next->next; next = next->next)
;
next->next = px;
}
px->next = NULL;
thread_release();
if (unlikely(!be_supports_dynamic_srv(px, &msg)))
memprintf(&msg, "New backend registered (no support for dynamic servers: %s)", msg);
else
memprintf(&msg, "New backend registered");
ha_notice("%s.\n", msg);
ha_free(&msg);
cli_umsg(appctx, LOG_INFO);
return 1;
err:
/* free_proxy() ensures any potential refcounting on defpx is decremented. */
free_proxy(px);
thread_release();
if (msg) {
memprintf(&msg, "Error during backend creation : %s.\n", msg);
cli_dynerr(appctx, msg);
}
else {
ha_alert("Error during backend creation.\n");
cli_umsgerr(appctx);
}
return 1;
}
/* Parses the "disable frontend" directive, it always returns 1.
*
* Grabs the proxy lock.
*/
static int cli_parse_disable_frontend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
int ret;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_frontend(appctx, args[2]);
if (!px)
return 1;
if (px->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
return cli_msg(appctx, LOG_NOTICE, "Frontend was previously shut down, cannot disable.\n");
if (!px->li_ready)
return cli_msg(appctx, LOG_NOTICE, "All sockets are already disabled.\n");
/* pause_proxy will take PROXY_LOCK */
ret = pause_proxy(px);
if (!ret)
return cli_err(appctx, "Failed to pause frontend, check logs for precise cause.\n");
return 1;
}
/* Parses the "enable frontend" directive, it always returns 1.
*
* Grabs the proxy lock.
*/
static int cli_parse_enable_frontend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
int ret;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_frontend(appctx, args[2]);
if (!px)
return 1;
if (px->flags & (PR_FL_DISABLED|PR_FL_STOPPED))
return cli_err(appctx, "Frontend was previously shut down, cannot enable.\n");
if (px->li_ready == px->li_all)
return cli_msg(appctx, LOG_NOTICE, "All sockets are already enabled.\n");
/* resume_proxy will take PROXY_LOCK */
ret = resume_proxy(px);
if (!ret)
return cli_err(appctx, "Failed to resume frontend, check logs for precise cause (port conflict?).\n");
return 1;
}
static int cli_parse_publish_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
usermsgs_clr("CLI");
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_backend(appctx, args[2]);
if (!px)
return cli_err(appctx, "No such backend.\n");
if (px->flags & PR_FL_DISABLED)
return cli_err(appctx, "No effect on a disabled backend.\n");
thread_isolate();
px->flags &= ~PR_FL_BE_UNPUBLISHED;
thread_release();
ha_notice("Backend published.\n");
return cli_umsg(appctx, LOG_INFO);
}
static int cli_parse_unpublish_backend(char **args, char *payload, struct appctx *appctx, void *private)
{
struct proxy *px;
usermsgs_clr("CLI");
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
return 1;
px = cli_find_backend(appctx, args[2]);
if (!px)
return cli_err(appctx, "No such backend.\n");
if (px->flags & PR_FL_DISABLED)
return cli_err(appctx, "No effect on a disabled backend.\n");
thread_isolate();
px->flags |= PR_FL_BE_UNPUBLISHED;
thread_release();
ha_notice("Backend unpublished.\n");
return cli_umsg(appctx, LOG_INFO);
}
/* appctx context used during "show errors" */
struct show_errors_ctx {
struct proxy *px; /* current proxy being dumped, NULL = not started yet. */
unsigned int flag; /* bit0: buffer being dumped, 0 = req, 1 = resp ; bit1=skip req ; bit2=skip resp. */
unsigned int ev_id; /* event ID of error being dumped */
int iid; /* if >= 0, ID of the proxy to filter on */
int ptr; /* <0: headers, >=0 : text pointer to restart from */
int bol; /* pointer to beginning of current line */
};
/* "show errors" handler for the CLI. Returns 0 if wants to continue, 1 to stop
* now.
*/
static int cli_parse_show_errors(char **args, char *payload, struct appctx *appctx, void *private)
{
struct show_errors_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
if (!cli_has_level(appctx, ACCESS_LVL_OPER))
return 1;
if (*args[2]) {
struct proxy *px;
px = proxy_find_by_name(args[2], 0, 0);
if (px)
ctx->iid = px->uuid;
else
ctx->iid = atoi(args[2]);
if (!ctx->iid)
return cli_err(appctx, "No such proxy.\n");
}
else
ctx->iid = -1; // dump all proxies
ctx->flag = 0;
if (strcmp(args[3], "request") == 0)
ctx->flag |= 4; // ignore response
else if (strcmp(args[3], "response") == 0)
ctx->flag |= 2; // ignore request
ctx->px = NULL;
return 0;
}
/* This function dumps all captured errors onto the stream connector's
* read buffer. It returns 0 if the output buffer is full and it needs
* to be called again, otherwise non-zero.
*/
static int cli_io_handler_show_errors(struct appctx *appctx)
{
struct show_errors_ctx *ctx = appctx->svcctx;
extern const char *monthname[12];
chunk_reset(&trash);
if (!ctx->px) {
/* the function had not been called yet, let's prepare the
* buffer for a response.
*/
struct tm tm;
get_localtime(date.tv_sec, &tm);
chunk_appendf(&trash, "Total events captured on [%02d/%s/%04d:%02d:%02d:%02d.%03d] : %u\n",
tm.tm_mday, monthname[tm.tm_mon], tm.tm_year+1900,
tm.tm_hour, tm.tm_min, tm.tm_sec, (int)(date.tv_usec/1000),
error_snapshot_id);
if (applet_putchk(appctx, &trash) == -1)
goto cant_send;
ctx->px = proxies_list;
ctx->bol = 0;
ctx->ptr = -1;
}
/* we have two inner loops here, one for the proxy, the other one for
* the buffer.
*/
while (ctx->px) {
struct error_snapshot *es;
HA_RWLOCK_RDLOCK(PROXY_LOCK, &ctx->px->lock);
if ((ctx->flag & 1) == 0) {
es = ctx->px->invalid_req;
if (ctx->flag & 2) // skip req
goto next;
}
else {
es = ctx->px->invalid_rep;
if (ctx->flag & 4) // skip resp
goto next;
}
if (!es)
goto next;
if (ctx->iid >= 0 &&
ctx->px->uuid != ctx->iid &&
(!es->oe || es->oe->uuid != ctx->iid))
goto next;
if (ctx->ptr < 0) {
/* just print headers now */
char pn[INET6_ADDRSTRLEN];
struct tm tm;
int port;
get_localtime(es->when.tv_sec, &tm);
chunk_appendf(&trash, " \n[%02d/%s/%04d:%02d:%02d:%02d.%03d]",
tm.tm_mday, monthname[tm.tm_mon], tm.tm_year+1900,
tm.tm_hour, tm.tm_min, tm.tm_sec, (int)(es->when.tv_usec/1000));
switch (addr_to_str(&es->src, pn, sizeof(pn))) {
case AF_INET:
case AF_INET6:
port = get_host_port(&es->src);
break;
default:
port = 0;
}
switch (ctx->flag & 1) {
case 0:
chunk_appendf(&trash,
" frontend %s (#%d): invalid request\n"
" backend %s (#%d)",
ctx->px->id, ctx->px->uuid,
(es->oe && es->oe->cap & PR_CAP_BE) ? es->oe->id : "<NONE>",
(es->oe && es->oe->cap & PR_CAP_BE) ? es->oe->uuid : -1);
break;
case 1:
chunk_appendf(&trash,
" backend %s (#%d): invalid response\n"
" frontend %s (#%d)",
ctx->px->id, ctx->px->uuid,
es->oe ? es->oe->id : "<NONE>" , es->oe ? es->oe->uuid : -1);
break;
}
chunk_appendf(&trash,
", server %s (#%d), event #%u, src %s:%d\n"
" buffer starts at %llu (including %u out), %u free,\n"
" len %u, wraps at %u, error at position %u\n",
es->srv ? es->srv->id : "<NONE>",
es->srv ? es->srv->puid : -1,
es->ev_id, pn, port,
es->buf_ofs, es->buf_out,
global.tune.bufsize - es->buf_out - es->buf_len,
es->buf_len, es->buf_wrap, es->buf_err);
if (es->show)
es->show(&trash, es);
chunk_appendf(&trash, " \n");
if (applet_putchk(appctx, &trash) == -1)
goto cant_send_unlock;
ctx->ptr = 0;
ctx->ev_id = es->ev_id;
}
if (ctx->ev_id != es->ev_id) {
/* the snapshot changed while we were dumping it */
chunk_appendf(&trash,
" WARNING! update detected on this snapshot, dump interrupted. Please re-check!\n");
if (applet_putchk(appctx, &trash) == -1)
goto cant_send_unlock;
goto next;
}
/* OK, ptr >= 0, so we have to dump the current line */
while (ctx->ptr < es->buf_len && ctx->ptr < global.tune.bufsize) {
int newptr;
int newline;
newline = ctx->bol;
newptr = dump_text_line(&trash, es->buf, global.tune.bufsize, es->buf_len, &newline, ctx->ptr);
if (newptr == ctx->ptr) {
applet_fl_set(appctx, APPCTX_FL_OUTBLK_FULL);
goto cant_send_unlock;
}
if (applet_putchk(appctx, &trash) == -1)
goto cant_send_unlock;
ctx->ptr = newptr;
ctx->bol = newline;
};
next:
HA_RWLOCK_RDUNLOCK(PROXY_LOCK, &ctx->px->lock);
ctx->bol = 0;
ctx->ptr = -1;
ctx->flag ^= 1;
if (!(ctx->flag & 1))
ctx->px = ctx->px->next;
}
/* dump complete */
return 1;
cant_send_unlock:
HA_RWLOCK_RDUNLOCK(PROXY_LOCK, &ctx->px->lock);
cant_send:
return 0;
}
/* register cli keywords */
static struct cli_kw_list cli_kws = {{ },{
{ { "add", "backend", NULL }, "add backend <backend> : add a new backend", cli_parse_add_backend, NULL, NULL, NULL, ACCESS_EXPERIMENTAL },
{ { "disable", "frontend", NULL }, "disable frontend <frontend> : temporarily disable specific frontend", cli_parse_disable_frontend, NULL, NULL },
{ { "enable", "frontend", NULL }, "enable frontend <frontend> : re-enable specific frontend", cli_parse_enable_frontend, NULL, NULL },
{ { "publish", "backend", NULL }, "publish backend <backend> : mark backend as ready for traffic", cli_parse_publish_backend, NULL, NULL },
{ { "set", "maxconn", "frontend", NULL }, "set maxconn frontend <frontend> <value> : change a frontend's maxconn setting", cli_parse_set_maxconn_frontend, NULL },
{ { "show","servers", "conn", NULL }, "show servers conn [<backend>] : dump server connections status (all or for a single backend)", cli_parse_show_servers, cli_io_handler_servers_state },
{ { "show","servers", "state", NULL }, "show servers state [<backend>] : dump volatile server information (all or for a single backend)", cli_parse_show_servers, cli_io_handler_servers_state },
{ { "show", "backend", NULL }, "show backend : list backends in the current running config", NULL, cli_io_handler_show_backend },
{ { "shutdown", "frontend", NULL }, "shutdown frontend <frontend> : stop a specific frontend", cli_parse_shutdown_frontend, NULL, NULL },
{ { "set", "dynamic-cookie-key", "backend", NULL }, "set dynamic-cookie-key backend <bk> <k> : change a backend secret key for dynamic cookies", cli_parse_set_dyncookie_key_backend, NULL },
{ { "unpublish", "backend", NULL }, "unpublish backend <backend> : remove backend for traffic processing", cli_parse_unpublish_backend, NULL, NULL },
{ { "enable", "dynamic-cookie", "backend", NULL }, "enable dynamic-cookie backend <bk> : enable dynamic cookies on a specific backend", cli_parse_enable_dyncookie_backend, NULL },
{ { "disable", "dynamic-cookie", "backend", NULL }, "disable dynamic-cookie backend <bk> : disable dynamic cookies on a specific backend", cli_parse_disable_dyncookie_backend, NULL },
{ { "show", "errors", NULL }, "show errors [<px>] [request|response] : report last request and/or response errors for each proxy", cli_parse_show_errors, cli_io_handler_show_errors, NULL },
{{},}
}};
INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in New Issue View Git Blame Copy Permalink