LILiK
/
openwrt-packages-dist


								commit 7b728d616e417f0a8cd25375f70b8a332ad23a71

								Author: Lukas Tribus <lukas@ltri.eu>

								Date:   Sat Oct 27 20:06:59 2018 +0200


								    BUG/MINOR: only mark connections private if NTLM is detected


								    Instead of marking all connections that see a 401/407 response private

								    (for connection reuse), this patch detects a RFC4559/NTLM authentication

								    scheme and restricts the private setting to those connections.


								    This is so we can reuse connections with 401/407 responses with

								    deterministic load balancing algorithms later (which requires another fix).


								    This fixes the problem reported here by Elliot Barlas :


								      https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144


								    Should be backported to 1.8.


								    (cherry picked from commit fd9b68c48ecdba5e7971899f4eec315c8e3a3cfe)

								    Signed-off-by: Willy Tarreau <w@1wt.eu>


								diff --git a/doc/configuration.txt b/doc/configuration.txt

								index 09980248..43b1b822 100644

								--- a/doc/configuration.txt

								+++ b/doc/configuration.txt

								@@ -4798,10 +4798,8 @@ http-reuse { never | safe | aggressive | always }

								     - connections sent to a server with a TLS SNI extension are marked private

								       and are never shared;


								-    - connections receiving a status code 401 or 407 expect some authentication

								-      to be sent in return. Due to certain bogus authentication schemes (such

								-      as NTLM) relying on the connection, these connections are marked private

								-      and are never shared;

								+    - connections with certain bogus authentication schemes (relying on the

								+      connection) like NTLM are detected, marked private and are never shared;


								   No connection pool is involved, once a session dies, the last idle connection

								   it was attached to is deleted at the same time. This ensures that connections

								diff --git a/src/proto_http.c b/src/proto_http.c

								index 8f86422d..cde2dbf7 100644

								--- a/src/proto_http.c

								+++ b/src/proto_http.c

								@@ -4388,8 +4388,6 @@ void http_end_txn_clean_session(struct stream *s)

								 		 * it's better to do it (at least it helps with debugging).

								 		 */

								 		s->txn->flags |= TX_PREFER_LAST;

								-		if (srv_conn)

								-			srv_conn->flags |= CO_FL_PRIVATE;

								 	}


								 	/* Never ever allow to reuse a connection from a non-reuse backend */

								@@ -5053,10 +5051,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)

								 	struct http_txn *txn = s->txn;

								 	struct http_msg *msg = &txn->rsp;

								 	struct hdr_ctx ctx;

								+	struct connection *srv_conn;

								 	int use_close_only;

								 	int cur_idx;

								 	int n;


								+	srv_conn = cs_conn(objt_cs(s->si[1].end));

								+

								 	DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n",

								 		now_ms, __FUNCTION__,

								 		s,

								@@ -5588,6 +5589,27 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)

								 		msg->body_len = msg->chunk_len = cl;

								 	}


								+	/* check for NTML authentication headers in 401 (WWW-Authenticate) and

								+	 * 407 (Proxy-Authenticate) responses and set the connection to private

								+	 */

								+	if (srv_conn && txn->status == 401) {

								+	    /* check for Negotiate/NTLM WWW-Authenticate headers */

								+	    ctx.idx = 0;

								+	    while (http_find_header2("WWW-Authenticate", 16, rep->buf->p, &txn->hdr_idx, &ctx)) {

								+	            if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||

								+	                  (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))

								+				srv_conn->flags |= CO_FL_PRIVATE;

								+	    }

								+	} else if (srv_conn && txn->status == 407) {

								+	    /* check for Negotiate/NTLM Proxy-Authenticate headers */

								+	    ctx.idx = 0;

								+	    while (http_find_header2("Proxy-Authenticate", 18, rep->buf->p, &txn->hdr_idx, &ctx)) {

								+	            if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||

								+	                  (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))

								+				srv_conn->flags |= CO_FL_PRIVATE;

								+	    }

								+	}

								+

								  skip_content_length:

								 	/* Now we have to check if we need to modify the Connection header.

								 	 * This is more difficult on the response than it is on the request,