- 06 Mar, 2023 16 commits
-
-
Dridi Boukelmoune authored
The square brackets were probably the result of copy-pasta from vcl.load where the initial state is indeed optional.
-
Nils Goroll authored
-
Nils Goroll authored
-
Nils Goroll authored
Before this patch, layered directors needed to be destroyed top to bottom, and whenever that order was missed, we would panic, because a to-be-destroyed director still had references to it.

One special case where this issue would always trigger is looped directors. Those should not be used and will cause havoc, which is a separate issue #3899. But we should still be able to unconfigure such a configuration.

We solve the destruction order issue by making it a two step process: When a director is destroyed through VRT_DelDirector, a new release function is called, which has to disassociate any backends. The director then loses a reference, and when all references are gone, the destroy function is called.

The new callback would not be necessary for the cases in varnish-cache today, directors could simply disassociate any backends before calling VRT_DelDirector. But this would complicate or even make impossible transfer of director ownership, where the code responsible for creating a director is not the same as the one calling VRT_DelDirector(). As a side effect, it also helps clarity.

Fixes #3895
-
Nils Goroll authored
The last reference to a director might go away with VRT_DelDirector _or_ VRT_Assign_Backend, which the former needs to account for. We assert for the VDIR_FLG_NOREFCNT case that there was only one reference such that a single deref yields no reference left.

Part one of the fix for #3895
-
Nils Goroll authored
This is in preparation of follow-up commits.

Reasoning:
- in both call sites, we already use the struct vcldir *
- one call site actually used TAKE_OBJ semantics, but those can easily be moved
-
Nils Goroll authored
Use a local vdir variable for clarity like elsewhere in the code. Use the lock in vdir, not the pointer to it in VCL_BACKEND for consistency with VRT_DelDirector() a few lines above.
-
Nils Goroll authored
I noticed that users, apparently, have no way of finding out what their distribution configured?
-
Nils Goroll authored
Now that we broke the VSL format, this is the time to act.
-
Dridi Boukelmoune authored
-
Dridi Boukelmoune authored
-
Dridi Boukelmoune authored
This prevents VUTs from attempting to read incompatible formats, while preserving the current header size, aligning it with the SHMLOG header at the format number 2.
-
Dridi Boukelmoune authored
It will no longer be valid for assignments, and in one case the assignment was superfluous.
-
Dridi Boukelmoune authored
This means an older varnishlog can no longer read logs from a live current varnishd server, and vice versa. It used to be interesting to use a more modern VUT to process logs for example to get better performance or new features like generalized -E.
-
Dridi Boukelmoune authored
-
Geoff Simmons authored
Restructured so that:
* 'Upgrading' is limited to work that has to be done to upgrade from a current deployment to the new version.
* 'Changes' is a comprehensive, user-level description of changes and new features.

Conflicts:
	doc/sphinx/whats-new/index.rst
-
- 04 Mar, 2023 1 commit
-
-
Poul-Henning Kamp authored
-
- 27 Feb, 2023 10 commits
-
-
Nils Goroll authored
-
Nils Goroll authored
We keep s as a pointer to the start of an unaltered section and move e to be able to call VSB_bcat() when a backslash is encountered or substitution is complete.
-
Poul-Henning Kamp authored
-
Guillaume Quintard authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
Poul-Henning Kamp authored
-
- 24 Feb, 2023 1 commit
-
-
Nils Goroll authored
With onerror=abort, the request is aborted as with a bad return code. With onerror=continue, the include remains empty.

This already behaved like I expected it to; this vtc merely adds an explicit test.
-
- 20 Feb, 2023 8 commits
-
-
Nils Goroll authored
suggested by Dridi
-
Nils Goroll authored
-
Nils Goroll authored
Connect to s1 and s2 via v2.

Note on the v2 VCL: We use this varnish instance as a PROXY protocol aware forwarder, which takes the address to connect to from the incoming PROXY header (to mimic haproxy instead of requiring it).

Previously, we used debug.dyn(), but that does not work with two different backends because it does not create different backend instances, so connection pooling fails on this level, unrelated to the actual test subject. We avoid this issue by an explicit VCL implementation.
-
Geoff Simmons authored
If the .via field is also set, then the value of .authority is set as the authority TLV in the PROXY header. This gives the "true" backend (usually the ssl-onloader) the opportunity to set the SNI (HostName field) from the TLV value, for the TLS handshake with the remote backend.

This mandates that PROXYv2 is always used with a via backend (since only version 2 supports TLVs).

If the value of .authority is the empty string, then the TLV is not sent.

If .authority is not set for the backend, then fall back to .host_header, which itself may have been a fallback to .host.

Note that if neither .authority nor .host_header is set, and .host is set to an IP address, then the IP address is forwarded as the SNI value, which is not permitted for HostName (RFC4366 ch 3.1). So users are advised to set either .authority or .host_header, or set .authority="", when .via is set.

Usage note with haproxy: To enable sending SNI when haproxy is used as a TLS onloader, ``sni fc_pp_authority`` needs to be used with the backend configuration.

Full usage example with haproxy 2.2:

	listen sslon
		mode tcp
		maxconn 1000
		bind /shared/varnish_haproxy/haproxy_sslon accept-proxy mode 777
		stick-table type ip size 100
		stick on dst
		server s00 0.0.0.0:443 ssl ca-file /etc/ssl/certs/ca-bundle.crt alpn http/1.1 sni fc_pp_authority
		server s01 0.0.0.0:443 ssl ca-file /etc/ssl/certs/ca-bundle.crt alpn http/1.1 sni fc_pp_authority
		# ... A higher number of servers improves TLS session caching.
-
Nils Goroll authored
Due to the initialization order, only native vcl backends can be used from vcl as via backends. As directors are defined in vcl_init which gets to run only after the native backends have been initialized, directors can not be referred to from a backend.
-
Nils Goroll authored
In varnish-cache, the deliberate decision has been made to not support TLS from the same address space as varnish itself, see doc/sphinx/phk/ssl_again.rst

So the obvious way to connect to TLS backends is to use a TLS "onloader" (a term coined by @slimhazard as in the opposite of "offloader"), which turns a clear connection into a TLS connection.

Before this change, this required additional configuration in two places: An address/port or UDS path needs to be uniquely allocated for each destination address, the specific onloader configuration has to be put in place and a varnish backend pointing to the onloader needs to be added. All of this for each individual backend. Also, this requirement prevents any use of dynamic backends with a TLS onloader.

haproxy, however, offers a convenient and elegant way to avoid this configuration overhead: The PROXY protocol can also be used to transport the destination address which haproxy is to connect to if a server's address is unspecified (IN_ADDR_ANY / 0.0.0.0).

The configuration template for this use case looks like this (huge thank you to @wtarreau for pointing out this great option in haproxy):

	listen clear-to-ssl
		bind /my/path/to/ssl_onloader accept-proxy
		balance roundrobin
		stick-table type ip size 100
		stick on dst
		server s0 0.0.0.0:443 ssl ca-file /etc/ssl/certs/ca-bundle.crt
		server s1 0.0.0.0:443 ssl ca-file /etc/ssl/certs/ca-bundle.crt
		server s2 0.0.0.0:443 ssl ca-file /etc/ssl/certs/ca-bundle.crt
		# .. approximately as many servers as expected peers
		# for improved tls session caching

With this setup, by connecting to /my/path/to/ssl_onloader and sending the address to make a TLS connection to in a PROXY header (as the server address / port), we can reduce the configuration overhead outside varnish substantially. In particular,
- we do not require a path / port per destination
- dynamic TLS backends become possible

This patch implements the basis for simple means of configuring such an ssl onloader: backends can be created with an additional "via" director, which has to resolve to a simple backend. The connection is then made to that address and the actual endpoint address is sent in an additional PROXY header.

Notice that sending yet another proxy header to the actual backend is unaffected. Despite using the same format, the two proxy headers are semantically different: The first, here coined the "preamble", is the address to make the connection to while the (optional) second proxy header continues to contain the addresses of the connection to varnish.

Future improvements on the roadmap:
* resolution of the "via" backend at the time the connection is made: This will allow for fault tolerance and load balancing of via backends
* Cascade the health check: If the "via" backend is probed / set down, any backends using it could be set unhealthy also.
* Timeouts: The "via" backend's timeouts could define maximum values for any connections made through it

Trivia: To future Varnish-Cache historians, this patch originates from #2850 and went through three more iterations, making it a likely candidate for the PR with the longest turnaround time of 1543 days.
-
Dridi Boukelmoune authored
-
Dridi Boukelmoune authored
-
- 13 Feb, 2023 1 commit
-
-
William Wilson authored
The value should always be set, because we already assign zero on error, but it might escape (pun intended) the vigilance of the compiler. Instead of always making `VNUM_2bytes()` assign its second parameter, it was decided that fixing the test case would be enough since we already require error handling.
-
- 10 Feb, 2023 1 commit
-
-
Nils Goroll authored
Document that the daemon and worker user have to share their primary group. Provide an example of how to set up a system for the default users.

Note: I am well aware of the commands in pkg-varnish-cache, but they use Linux specific useradd syntax. The commands given hopefully are portable - I tested them on Solaris and Linux.
-
- 08 Feb, 2023 2 commits
-
-
Nils Goroll authored
-
Nils Goroll authored
phk, if any of this does not match your intentions, please just change it back. waving from the boat...
-