delta/haproxy.git/include/haproxy, branch master github.com: haproxy/haproxy.git MINOR: clock: provide a function to automatically adjust now_offset 2023-05-17T07:33:54+00:00 Willy Tarreau w@1wt.eu 2023-05-16T17:01:55+00:00 5345490b8e0a3c82587fd1ccf30244035cf0b1d5 Right now there's no way to enforce a specific value of now_ms upon startup in order to compensate for the time it takes to load a config, specifically when dealing with the health check startup. For this we'd need to force the now_offset value to compensate for the last known value of the current date. This patch exposes a function to do exactly this. 
Right now there's no way to enforce a specific value of now_ms upon
startup in order to compensate for the time it takes to load a config,
specifically when dealing with the health check startup. For this we'd
need to force the now_offset value to compensate for the last known
value of the current date. This patch exposes a function to do exactly
this.
MINOR: stats: report the boot time in "show info" 2023-05-17T07:33:54+00:00 Willy Tarreau w@1wt.eu 2023-05-17T07:05:20+00:00 5723b382ed57f9d7b09ddfc449ed4d3072f17e6c Just like we have the uptime in "show info", let's add the boot time. It's trivial to collect as it's just the difference between the ready date and the start date, and will allow users to monitor this element in order to take action before it starts becoming problematic. Here the boot time is reported in milliseconds, so this allows to even observe sub-second anomalies in startup delays. 
Just like we have the uptime in "show info", let's add the boot time.
It's trivial to collect as it's just the difference between the ready
date and the start date, and will allow users to monitor this element
in order to take action before it starts becoming problematic. Here
the boot time is reported in milliseconds, so this allows to even
observe sub-second anomalies in startup delays.
MINOR: clock: measure the total boot time 2023-05-17T07:33:54+00:00 Willy Tarreau w@1wt.eu 2023-05-17T07:02:21+00:00 da4aa6905c5524a30709eb4cdf25e22fc63eb86e Some huge configs take a significant amount of time to start and this can cause some trouble (e.g. health checks getting delayed and grouped, process not responding to the CLI etc). For example, some configs might start fast in certain environments and slowly in other ones just due to the use of a wrong DNS server that delays all libc's resolutions. Let's first start by measuring it by keeping a copy of the most recently known ready date, once before calling check_config_validity() and then refine it when leaving this function. A last call is finally performed just before deciding to split between master and worker processes, and it covers the whole boot. It's trivial to collect and even allows to get rid of a call to clock_update_date() in function check_config_validity() that was used in hope to better schedule future events. 
Some huge configs take a significant amount of time to start and this
can cause some trouble (e.g. health checks getting delayed and grouped,
process not responding to the CLI etc). For example, some configs might
start fast in certain environments and slowly in other ones just due to
the use of a wrong DNS server that delays all libc's resolutions. Let's
first start by measuring it by keeping a copy of the most recently known
ready date, once before calling check_config_validity() and then refine
it when leaving this function. A last call is finally performed just
before deciding to split between master and worker processes, and it covers
the whole boot. It's trivial to collect and even allows to get rid of a
call to clock_update_date() in function check_config_validity() that was
used in hope to better schedule future events.
MINOR: mux-quic: uninline qc_attach_sc() 2023-05-16T15:53:45+00:00 Amaury Denoyelle adenoyelle@haproxy.com 2023-05-15T13:17:28+00:00 1a2faef92fab683b240b6dc2ff7bf9eae2520320 Uninline and move qc_attach_sc() function to implementation source file. This will be useful for next commit to add traces in it. This should be backported up to 2.7. 
Uninline and move qc_attach_sc() function to implementation source file.
This will be useful for next commit to add traces in it.

This should be backported up to 2.7.
MINOR: mux-quic: properly report end-of-stream on recv 2023-05-16T15:53:45+00:00 Amaury Denoyelle adenoyelle@haproxy.com 2023-05-15T09:31:20+00:00 3cb78140cf35faa19fd6fecaac27efc0f86b7e35 MUX is responsible to put EOS on stream when read channel is closed. This happens if underlying connection is closed or a RESET_STREAM is received. FIN STREAM is ignored in this case. For connection closure, simply check for CO_FL_SOCK_RD_SH. For RESET_STREAM reception, a new flag QC_CF_RECV_RESET has been introduced. It is set when RESET_STREAM is received, unless we already received all data. This is conform to QUIC RFC which allows to ignore a RESET_STREAM in this case. During RESET_STREAM processing, input buffer is emptied so EOS can be reported right away on recv_buf operation. This should be backported up to 2.7. 
MUX is responsible to put EOS on stream when read channel is closed.
This happens if underlying connection is closed or a RESET_STREAM is
received. FIN STREAM is ignored in this case.

For connection closure, simply check for CO_FL_SOCK_RD_SH.

For RESET_STREAM reception, a new flag QC_CF_RECV_RESET has been
introduced. It is set when RESET_STREAM is received, unless we already
received all data. This is conform to QUIC RFC which allows to ignore a
RESET_STREAM in this case. During RESET_STREAM processing, input buffer
is emptied so EOS can be reported right away on recv_buf operation.

This should be backported up to 2.7.
BUILD: ssl: get0_verified chain is available on libreSSL 2023-05-15T13:16:15+00:00 William Lallemand wlallemand@haproxy.org 2023-05-15T12:42:28+00:00 d0c363486cb2a9b0d4374fc236ff55f842a2a5e7 Define HAVE_SSL_get0_verified_chain when it's using libreSSL >= 3.3.6. 
Define HAVE_SSL_get0_verified_chain when it's using libreSSL >= 3.3.6.
BUILD: ssl: ssl_c_r_dn fetches uses functiosn only available since 1.1.1 2023-05-15T10:07:52+00:00 William Lallemand wlallemand@haproxy.org 2023-05-15T10:05:55+00:00 6e0c39d7ac3282bc255f742da36402434af0db77 Fix the openssl build with older openssl version by disabling the new ssl_c_r_dn fetch. This also disable the ssl_client_samples.vtc file for OpenSSL version older than 1.1.1 
Fix the openssl build with older openssl version by disabling the new
ssl_c_r_dn fetch.

This also disable the ssl_client_samples.vtc file for OpenSSL version
older than 1.1.1
MINOR: ssl: add new sample ssl_c_r_dn 2023-05-15T08:48:05+00:00 Abhijeet Rastogi abhijeet.1989@gmail.com 2023-05-14T03:04:45+00:00 df97f472fad4ec7c2621d2e13db837a591742d9e This patch addresses #1514, adds the ability to fetch DN of the root ca that was in the chain when client certificate was verified during SSL handshake. 
This patch addresses #1514, adds the ability to fetch DN of the root
ca that was in the chain when client certificate was verified during SSL
handshake.
BUG/MINOR: mux-quic: differentiate failure on qc_stream_desc alloc 2023-05-12T14:26:20+00:00 Amaury Denoyelle adenoyelle@haproxy.com 2023-05-12T14:19:32+00:00 6c501ed23bea953518059117e7dd19e8d6cb6bd8 qc_stream_buf_alloc() can fail for two reasons : * limit of Tx buffer per connection reached * allocation failure The first case is properly treated. A flag QC_CF_CONN_FULL is set on the connection to interrupt emission. It is cleared when a buffer became available after in order ACK reception and the MUX tasklet is woken up. The allocation failure was handled with the same mechanism which in this case is not appropriate and could lead to a connection transfer freeze. Instead, prefer to close the connection with a QUIC internal error code. To differentiate the two causes, qc_stream_buf_alloc() API was changed to return the number of available buffers to the caller. This must be backported up to 2.6. 
qc_stream_buf_alloc() can fail for two reasons :
* limit of Tx buffer per connection reached
* allocation failure

The first case is properly treated. A flag QC_CF_CONN_FULL is set on the
connection to interrupt emission. It is cleared when a buffer became
available after in order ACK reception and the MUX tasklet is woken up.

The allocation failure was handled with the same mechanism which in this
case is not appropriate and could lead to a connection transfer freeze.
Instead, prefer to close the connection with a QUIC internal error code.

To differentiate the two causes, qc_stream_buf_alloc() API was changed
to return the number of available buffers to the caller.

This must be backported up to 2.6.
MINOR: mux-quic: remove dedicated function to handle standalone FIN 2023-05-12T13:50:30+00:00 Amaury Denoyelle adenoyelle@haproxy.com 2023-05-11T14:49:28+00:00 93dd23cab4b0e5c0dde440c98e31c33aa1221f95 Remove QUIC MUX function qcs_http_handle_standalone_fin(). The purpose of this function was only used when receiving an empty STREAM frame with FIN bit. Besides, it was called by each application protocol which could have different approach and render the function purpose unclear. Invocation of qcs_http_handle_standalone_fin() have been replaced by explicit code in both H3 and HTTP/0.9 module. In the process, use htx_set_eom() to reliably put EOM on the HTX message. This should be backported up to 2.7, along with the previous patch which introduced htx_set_eom(). 
Remove QUIC MUX function qcs_http_handle_standalone_fin(). The purpose
of this function was only used when receiving an empty STREAM frame with
FIN bit. Besides, it was called by each application protocol which could
have different approach and render the function purpose unclear.

Invocation of qcs_http_handle_standalone_fin() have been replaced by
explicit code in both H3 and HTTP/0.9 module. In the process, use
htx_set_eom() to reliably put EOM on the HTX message.

This should be backported up to 2.7, along with the previous patch which
introduced htx_set_eom().