LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3276 Commits
1 Branch
46 MiB
Tree: 480fab541a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '480fab541a'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-...

82 lines
3.5 KiB
Raw Normal View History

haproxy: add patches from upstream - [PATCH 1/2] BUG/MEDIUM: stats: properly initialize the scope before - [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without - [PATCH 3/8] BUG/MINOR: check: fix tcpcheck error message - [PATCH 4/8] CLEANUP: checks: fix double usage of cur / current_step - [PATCH 5/8] BUG/MEDIUM: checks: do not dereference head of a - [PATCH 6/8] CLEANUP: checks: simplify the loop processing of - [PATCH 7/8] BUG/MAJOR: checks: always check for end of list before - [PATCH 8/8] BUG/MEDIUM: checks: do not dereference a list as a - [PATCH 09/10] BUG/MEDIUM: peers: apply a random reconnection timeout - [PATCH 10/10] DOC: Update doc about weight, act and bck fields in the - [PATCH 11/14] MINOR: ssl: add a destructor to free allocated SSL - [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value - [PATCH 13/14] BUG/MINOR: cfgparse: fix typo in 'option httplog' error - [PATCH 14/14] BUG/MEDIUM: cfgparse: segfault when userlist is misused Signed-off-by: heil <heil@terminal-consulting.de>
10 years ago
 
  1. From 294e4676a3b775a7accb50eb8428f293c218b5e2 Mon Sep 17 00:00:00 2001
  2. From: Willy Tarreau <w@1wt.eu>
  3. Date: Mon, 11 May 2015 18:30:33 +0200
  4. Subject: [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without
  5.  NOLINGER except for tunnels
  6. 

  7. There's an issue related with shutting down POST transfers or closing the
  8. connection after the end of the upload : the shutdown is forwarded to the
  9. server regardless of the abortonclose option. The problem it causes is that
  10. during a scan, brute force or whatever, it becomes possible that all source
  11. ports are exhausted with all sockets in TIME_WAIT state.
  12. 

  13. There are multiple issues at once in fact :
  14.   - no action is done for the close, it automatically happens at the lower
  15.     layers thanks for channel_auto_close(), so we cannot act on NOLINGER ;
  16. 

  17.   - we *do* want to continue to send a clean shutdown in tunnel mode because
  18.     some protocols transported over HTTP may need this, regardless of option
  19.     abortonclose, thus we can't set the option inconditionally
  20. 

  21.   - for all other modes, we do want to close the dirty way because we're
  22.     certain whether we've sent everything or not, and we don't want to eat
  23.     all source ports.
  24. 

  25. The solution is a bit complex and applies to DONE/TUNNEL states :
  26. 

  27.   1) disable automatic close for everything not a tunnel and not just
  28.      keep-alive / server-close. Force-close is now covered, as is HTTP/1.0
  29.      which implicitly works in force-close mode ;
  30. 

  31.   2) when processing option abortonclose, we know we can disable lingering
  32.      if the client has closed and the connection is not in tunnel mode.
  33. 

  34. Since the last case above leads to a situation where the client side reports
  35. an error, we know the connection will not be reused, so leaving the flag on
  36. the stream-interface is safe. A client closing in the middle of the data
  37. transmission already aborts the transaction so this case is not a problem.
  38. 

  39. This fix must be backported to 1.5 where the problem was detected.
  40. (cherry picked from commit bbfb6c40854925367ae5f9e8b22c5c9a18dc69d5)
  41. ---

  42.  src/proto_http.c | 14 ++++++++++----
  43.  1 file changed, 10 insertions(+), 4 deletions(-)
  44. 

  45. diff --git a/src/proto_http.c b/src/proto_http.c

  46. index 0ac3a47..5db64b5 100644

  47. --- a/src/proto_http.c

  48. +++ b/src/proto_http.c

  49. @@ -5452,9 +5452,10 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit

  50.  				msg->sov -= msg->next;
  51.  			msg->next = 0;
  52.  
  53. -			/* for keep-alive we don't want to forward closes on DONE */

  54. -			if ((txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_KAL ||

  55. -			    (txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_SCL)

  56. +			/* we don't want to forward closes on DONE except in

  57. +			 * tunnel mode.

  58. +			 */

  59. +			if ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN)

  60.  				channel_dont_close(req);
  61.  			if (http_resync_states(s)) {
  62.  				/* some state changes occurred, maybe the analyser
  63. @@ -5478,10 +5479,15 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit

  64.  			 * want to monitor the client's connection and forward
  65.  			 * any shutdown notification to the server, which will
  66.  			 * decide whether to close or to go on processing the
  67. -			 * request.

  68. +			 * request. We only do that in tunnel mode, and not in

  69. +			 * other modes since it can be abused to exhaust source

  70. +			 * ports.

  71.  			 */
  72.  			if (s->be->options & PR_O_ABRT_CLOSE) {
  73.  				channel_auto_read(req);
  74. +				if ((req->flags & (CF_SHUTR|CF_READ_NULL)) &&

  75. +				    ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN))

  76. +					s->si[1].flags |= SI_FL_NOLINGER;

  77.  				channel_auto_close(req);
  78.  			}
  79.  			else if (s->txn.meth == HTTP_METH_POST) {
  80. -- 

  81. 2.0.5
  82.