Description of problem:
Haproxy is at version 2.8.1 in Mageia while version 2.8.3 is available with some major security updates for the 2.8 branch.

Changelog there: http://www.haproxy.org/download/2.8/src/CHANGELOG

The latest version of the 2.8 branch fixes a lot of minor, medium and major bugs; we should update.

Fixed bug changelog:

2023/09/07 : 2.8.3
- BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing
- BUG/MINOR: hlua: fix invalid use of lua_pop on error paths
- BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection
- BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection
- MINOR: threads: inline the wait function for pthread_rwlock emulation
- MINOR: atomic: make sure to always relax after a failed CAS
- BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage
- BUG/MINOR: ssl_sock: fix possible memory leak on OOM
- BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate
- BUG/MINOR: stream: protect stream_dump() against incomplete streams
- BUG/MINOR: checks: do not queue/wake a bounced check
- BUG/MEDIUM: stconn: Update stream expiration date on blocked sends
- BUG/MINOR: stconn: Don't report blocked sends during connection establishment
- BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown
- BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown
- BUG/MINOR: quic: Possible skipped RTT sampling
- BUG/MAJOR: quic: Really ignore malformed ACK frames.
- BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer
- BUG/MINOR: stream: further protect stream_dump() against incomplete sessions
- MINOR: httpclient: allow to configure the retries
- MINOR: httpclient: allow to configure the timeout.connect
- BUG/MINOR: quic: Wrong RTT adjustments
- BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var)
- BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer
- BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC
- BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC
- BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout
- BUG/MEDIUM: stconn: Always update stream's expiration date after I/O
- BUG/MINOR: applet: Always expect data when CLI is waiting for a new command
- BUG/MINOR: ring/cli: Don't expect input data when showing events
- BUG/MINOR: hlua/action: incorrect message on E_YIELD error
- MEDIUM: capabilities: enable support for Linux capabilities

2023/08/09 : 2.8.2
- BUG/MINOR: tcp_sample: bc_{dst,src} return IP not INT
- BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overridden by a s-maxage
- BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()
- BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239()
- BUG/MINOR: sink: missing sft free in sink_deinit()
- BUG/MINOR: ring: size warning incorrectly reported as fatal error
- BUG/MINOR: ring: maxlen warning reported as alert
- BUG/MINOR: log: LF upsets maxlen for UDP targets
- MINOR: sink/api: pass explicit maxlen parameter to sink_write()
- BUG/MEDIUM: log: improper use of logsrv->maxlen for buffer targets
- BUG/MINOR: log: fix missing name error message in cfg_parse_log_forward()
- BUG/MINOR: log: fix multiple error paths in cfg_parse_log_forward()
- BUG/MINOR: log: free errmsg on error in cfg_parse_log_forward()
- BUG/MINOR: sink: invalid sft free in sink_deinit()
- BUG/MINOR: sink: fix errors handling in cfg_post_parse_ring()
- BUG/MINOR: server: set rid default value in new_server()
- MINOR: hlua_fcn/mailers: handle timeout mail from mailers section
- BUG/MINOR: sink/log: properly deinit srv in sink_new_from_logsrv()
- BUG/MINOR: hlua_fcn/queue: use atomic load to fetch queue size
- BUG/MINOR: config: Remove final '\n' in error messages
- BUG/MEDIUM: quic: token IV was not computed using a strong secret
- BUG/MINOR: quic: retry token remove one useless intermediate expand
- BUG/MEDIUM: quic: missing check of dcid for init pkt including a token
- BUG/MEDIUM: quic: timestamp shared in token was using internal time clock
- BUG/MINOR: hlua: hlua_yieldk ctx argument should support pointers
- BUG/MEDIUM: hlua_fcn/queue: bad pop_wait sequencing
- BUG/MINOR: sample: Fix wrong overflow detection in add/sub converters
- BUG/MINOR: http: Return the right reason for 302
- BUG/MINOR: hlua: add check for lua_newstate
- BUG/MINOR: h1-htx: Return the right reason for 302 FCGI responses
- MINOR: cpuset: add cpu_map_configured() to know if a cpu-map was found
- BUG/MINOR: config: do not detect NUMA topology when cpu-map is configured
- BUG/MINOR: cpuset: remove the bogus "proc" from the cpu_map struct
- BUG/MINOR: init: set process' affinity even in foreground
- BUG/MINOR: server: Don't warn on server resolution failure with init-addr none
- BUG/MINOR: quic: Missing parentheses around PTO probe variable.
- BUG/MINOR: server-state: Ignore empty files
- BUG/MINOR: server-state: Avoid warning on 'file not found'
- BUG/MEDIUM: listener: Acquire proxy's lock in relax_listener() if necessary
- MINOR: quic: Make ->set_encryption_secrets() be callable two times
- MINOR: quic: Useless call to SSL_CTX_set_quic_method()
- BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX
- BUG/MEDIUM: h3: Properly report a C-L header was found to the HTX start-line
- BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full
- BUG/MEDIUM: h3: Be sure to handle fin bit on the last DATA frame
- BUG/MEDIUM: bwlim: Reset analyse expiration date when the channel analyse ends
- BUG/MEDIUM: quic: consume contig space on requeue datagram
- BUG/MINOR: http-client: Don't forget to commit changes on HTX message
- BUG/MINOR: quic: reappend rxbuf buffer on fake dgram alloc error
- BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement
- BUG/MAJOR: h3: reject header values containing invalid chars
- BUG/MAJOR: http: reject any empty content-length header value
- MINOR: ist: add new function ist_find_range() to find a character range
- MINOR: http: add new function http_path_has_forbidden_char()
- MINOR: h2: pass accept-invalid-http-request down the request parser
- BUG/MINOR: h1: do not accept '#' as part of the URI component
- BUG/MINOR: h2: reject more chars from the :path pseudo header
- BUG/MINOR: h3: reject more chars from the :path pseudo header
- BUG/MINOR: http: skip leading zeroes in content-length values

Version-Release number of selected component (if applicable):
2.8.1

How reproducible:
Always

Steps to Reproduce:
1. Check haproxy changelog & see version
Haproxy has fixed issues in the latest upstream version 2.8.3 of the 2.8 branch.
Impacted: mga9 & cauldron.

Suggested advisory:
========================

The updated packages fix various bugs.

Default user access is now commented out to prevent a possible local exploit and to prevent further rpmnew files on future updates.

Fixed major bug list:
- quic: Really ignore malformed ACK frames
- http-ana: Get a fresh trash buffer for each header value replacement
- h3: reject header values containing invalid chars
- http: reject any empty content-length header value

Fixed medium bug list:
- quic: fix tasklet_wakeup loop on connection closing
- stconn: Update stream expiration date on blocked sends
- stconn: Wake applets on sending path if there is a pending shutdown
- stconn: Don't block sends if there is a pending shutdown
- h1-htx: Ensure chunked parsing with full output buffer
- applet: Fix API for function to push new data in channels buffer
- stconn: Report read activity when a stream is attached to front SC
- applet: Report an error if applet request more room on aborted SC
- stconn/stream: Forward shutdown on write timeout
- stconn: Always update stream's expiration date after I/O
- capabilities: enable support for Linux capabilities
- sink: invalid server list in sink_new_from_logsrv()
- log: improper use of logsrv->maxlen for buffer targets
- quic: token IV was not computed using a strong secret
- quic: missing check of dcid for init pkt including a token
- quic: timestamp shared in token was using internal time clock
- hlua_fcn/queue: bad pop_wait sequencing
- listener: Acquire proxy's lock in relax_listener() if necessary
- h3: Properly report a C-L header was found to the HTX start-line
- h3: Be sure to handle fin bit on the last DATA frame
- bwlim: Reset analyse expiration date when the channel analyse ends
- quic: consume contig space on requeue datagram

References:
http://www.haproxy.org/download/2.8/src/CHANGELOG
========================

Updated packages in 9/core/updates_testing:
========================
haproxy-2.8.3-5.mga9.x86_64.rpm
haproxy-noquic-2.8.3-5.mga9.x86_64.rpm
haproxy-quic-2.8.3-5.mga9.x86_64.rpm
haproxy-utils-2.8.3-5.mga9.x86_64.rpm

from SRPM:
haproxy-2.8.3-5.mga9.src.rpm
$ rpm -q haproxy
haproxy-2.8.3-6.mga9
# systemctl start haproxy.service
# urpmi apache
# systemctl start httpd.service
$ curl -I -k http://localhost:8000/
HTTP/[...]
$ curl -I -k http://localhost:8080/
HTTP/[...]
$ curl -I -k https://localhost:8443/
HTTP/[...]
Haproxy has fixed issues in the latest upstream version 2.8.3 of the 2.8 branch.
Impacted: mga9 & cauldron.

Suggested advisory:
========================

The updated packages fix various bugs.

Default user access is now commented out to prevent a possible local exploit and to prevent further rpmnew files on future updates.

Fixed major bug list:
- quic: Really ignore malformed ACK frames
- http-ana: Get a fresh trash buffer for each header value replacement
- h3: reject header values containing invalid chars
- http: reject any empty content-length header value

Fixed medium bug list:
- quic: fix tasklet_wakeup loop on connection closing
- stconn: Update stream expiration date on blocked sends
- stconn: Wake applets on sending path if there is a pending shutdown
- stconn: Don't block sends if there is a pending shutdown
- h1-htx: Ensure chunked parsing with full output buffer
- applet: Fix API for function to push new data in channels buffer
- stconn: Report read activity when a stream is attached to front SC
- applet: Report an error if applet request more room on aborted SC
- stconn/stream: Forward shutdown on write timeout
- stconn: Always update stream's expiration date after I/O
- capabilities: enable support for Linux capabilities
- sink: invalid server list in sink_new_from_logsrv()
- log: improper use of logsrv->maxlen for buffer targets
- quic: token IV was not computed using a strong secret
- quic: missing check of dcid for init pkt including a token
- quic: timestamp shared in token was using internal time clock
- hlua_fcn/queue: bad pop_wait sequencing
- listener: Acquire proxy's lock in relax_listener() if necessary
- h3: Properly report a C-L header was found to the HTX start-line
- h3: Be sure to handle fin bit on the last DATA frame
- bwlim: Reset analyse expiration date when the channel analyse ends
- quic: consume contig space on requeue datagram

References:
http://www.haproxy.org/download/2.8/src/CHANGELOG
========================

Updated packages in 9/core/updates_testing:
========================
haproxy-2.8.3-6.mga9.x86_64.rpm
haproxy-noquic-2.8.3-6.mga9.x86_64.rpm
haproxy-quic-2.8.3-6.mga9.x86_64.rpm
haproxy-utils-2.8.3-6.mga9.x86_64.rpm

from SRPM:
haproxy-2.8.3-6.mga9.src.rpm
Version is 2.8.3-6.mga9 because I submitted 2.8.3-4.mga9 to core/updates_testing by error. I tried reaching the sysadmins to remove it; they seem to have more important things to deal with than an improper release version and I don't want to waste their time with a 3rd mail. I fixed the missing README.urpmi doc in 2.8.3-6.mga9 as well. Tell me if it is fine to submit a 2.8.3-6.mga9 version for the update instead of 2.8.3-1.mga9 as documented in the guidelines, or what I should do as an alternative.
Status comment: (none) => will be fixed upstream in 2.8.3
Status: NEW => ASSIGNED
QA Contact: (none) => security
Component: RPM Packages => Security
Assignee: mageia => qa-bugs
CC: (none) => mageia
Hi,

For Cauldron, you need to increase the release number too, because 2.8.3-6.mga9 > 2.8.3-3.mga10 so a migration from Mga9 to Cauldron is impossible.

Best regards,

Nico.
CC: (none) => nicolas.salguero
(In reply to Nicolas Salguero from comment #5)
> For Cauldron, you need to increase the release number too, because
> 2.8.3-6.mga9 > 2.8.3-3.mga10 so a migration from Mga9 to Cauldron is
> impossible.

In theory I understand your remark; in practice both packages (2.8.3-6.mga9 & 2.8.3-3.mga10) are identical and, as haproxy tends to release a new subversion at the beginning of every month, it will be fixed on the next update very soon ;)

Bumped release sent to build in cauldron just to be safe.
MGA9-64 Xfce on Acer Aspire 5253
No installation issues, haproxy was not installed before.
Tried to follow Comment 2, but no joy, I suspect configuration issues.

# systemctl start haproxy
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xeu haproxy.service" for details.

# systemctl -l status haproxy
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2023-10-10 10:53:20 CEST; 203ms ago
    Process: 16327 ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q (code=exited, status=1/FAILURE)
        CPU: 65ms

and

# journalctl -xeu haproxy.service
░░
░░ A stop job for unit haproxy.service has finished.
░░
░░ The job identifier is 17697 and the job result is done.
Oct 10 10:53:56 mach7.hviaene.thuis systemd[1]: Starting haproxy.service...
░░ Subject: A start job for unit haproxy.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit haproxy.service has begun execution.
░░
░░ The job identifier is 17697.
Oct 10 10:53:56 mach7.hviaene.thuis systemd[1]: haproxy.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStartPre= process belonging to unit haproxy.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 10 10:53:56 mach7.hviaene.thuis systemd[1]: haproxy.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit haproxy.service has entered the 'failed' state with result 'exit-code'.
Oct 10 10:53:56 mach7.hviaene.thuis systemd[1]: Failed to start haproxy.service.
░░ Subject: A start job for unit haproxy.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit haproxy.service has finished with a failure.
░░
░░ The job identifier is 17697 and the job result is failed.
Googled for some tutorial and found https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers but the config file is quite complex and I'm not familiar with the subject. Leaving here
CC: (none) => herman.viaene
Could you provide the content of:

$ cat /var/log/haproxy/error.log
$ rpm -V haproxy

Seems like a configuration problem.
And:

$ /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c

The ExecStartPre runs a config file check which fails for an unknown reason in your case.
I understand this update fixes one or more security issues as well. But when comparing https://www.haproxy.org/download/2.8/src/CHANGELOG to https://www.cvedetails.com/vulnerability-list/vendor_id-11969/Haproxy.html I get confused.

Which CVEs are fixed with this update?
CVE-2023-40225
CVE-2023-25950
CVE-2023-25725
CVE-2023-0836
CVE-2023-0056

All of the above? CVE-2022-0711, too?
CC: (none) => marja11
Version 2.8.1-4.mga9 is not affected by any unfixed CVE; the last one was CVE-2023-25725, fixed in version 2.8-dev4. The update to 2.8.3 is only to benefit from the minor, medium and major bugs corrected in the 2.8.x branch. Maybe I am wrong to add an advisory which is not required for a bugfix update? Feel free to tell me how I should have dealt with the situation to avoid mistakes next time.
Advisories are needed for bugfix updates. They're not needed for backports. Comment 0 and the bug settings say this is a security update, however.
(In reply to Raphael Gertz from comment #11)
> Version 2.8.1-4.mga9 is not affected by any unfixed CVE, last one was
> CVE-2023-25725 fixed in 2.8-dev4 version.

In comment 0 it says:
> Haproxy is in version 2.8.1 in mageia version while 2.8.3 version is available
> with some major security updates for 2.8 branch.

That made me look for CVEs.

The last CVE is from August: https://www.cvedetails.com/cve/CVE-2023-40225/
I understand 2.8.2 is not affected, but 2.8.1 is.
Version 2.8.1-4.mga9 has Build Date: Mon 10 Jul 2023 06:48:18 AM CEST, before this CVE was known.

I had missed that the last update was as recent as that, btw, I wrongly thought it was over a year ago.. that's why I asked about 6 CVEs :-(

So isn't at least CVE-2023-40225 fixed by the jump to 2.8.3?

> Maybe I am wrong to add an advisory which is not required for a bugfix
> update ?

For bugfix updates advisories are needed, too ;-)
(In reply to Raphael Gertz from comment #0)
> Description of problem:
> Haproxy is in version 2.8.1 in mageia version while 2.8.3 version is
> available with some major security updates for 2.8 branch.

Here again the excerpt from comment 0, which mentions major security updates.
(In reply to David Walser from comment #12)
> Advisories are needed for bugfix updates. They're not needed for backports.
> Comment 0 and the bug settings say this is a security update, however.

Thanks for the clarification.
(In reply to Marja Van Waes from comment #13)
> (In reply to Raphael Gertz from comment #11)
> > Version 2.8.1-4.mga9 is not affected by any unfixed CVE, last one was
> > CVE-2023-25725 fixed in 2.8-dev4 version.
>
> In comment 0 it says:
>
> > Haproxy is in version 2.8.1 in mageia version while 2.8.3 version is available
> > with some major security updates for 2.8 branch.
>
> The last CVE is from august https://www.cvedetails.com/cve/CVE-2023-40225/
>
> So isn't at least CVE-2023-40225 fixed by the jump to 2.8.3 ?

You are right, I missed the CVE reference and only listed it in the fixed major bugs from the changelog:
- http: reject any empty content-length header value
Haproxy has fixed issues in the latest upstream version 2.8.3 of the 2.8 branch.
Impacted: mga9 & cauldron.

Suggested advisory:
========================

The updated packages fix various bugs.

Default user access is now commented out to prevent a possible local exploit and to prevent further rpmnew files on future updates.

Fixed major bug list:
- quic: Really ignore malformed ACK frames
- http-ana: Get a fresh trash buffer for each header value replacement
- h3: reject header values containing invalid chars
- http: reject any empty content-length header value (CVE-2023-40225)

Fixed medium bug list:
- quic: fix tasklet_wakeup loop on connection closing
- stconn: Update stream expiration date on blocked sends
- stconn: Wake applets on sending path if there is a pending shutdown
- stconn: Don't block sends if there is a pending shutdown
- h1-htx: Ensure chunked parsing with full output buffer
- applet: Fix API for function to push new data in channels buffer
- stconn: Report read activity when a stream is attached to front SC
- applet: Report an error if applet request more room on aborted SC
- stconn/stream: Forward shutdown on write timeout
- stconn: Always update stream's expiration date after I/O
- capabilities: enable support for Linux capabilities
- sink: invalid server list in sink_new_from_logsrv()
- log: improper use of logsrv->maxlen for buffer targets
- quic: token IV was not computed using a strong secret
- quic: missing check of dcid for init pkt including a token
- quic: timestamp shared in token was using internal time clock
- hlua_fcn/queue: bad pop_wait sequencing
- listener: Acquire proxy's lock in relax_listener() if necessary
- h3: Properly report a C-L header was found to the HTX start-line
- h3: Be sure to handle fin bit on the last DATA frame
- bwlim: Reset analyse expiration date when the channel analyse ends
- quic: consume contig space on requeue datagram

References:
https://www.haproxy.org/download/2.8/src/CHANGELOG
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40225
========================

Updated packages in 9/core/updates_testing:
========================
haproxy-2.8.3-6.mga9.x86_64.rpm
haproxy-noquic-2.8.3-6.mga9.x86_64.rpm
haproxy-quic-2.8.3-6.mga9.x86_64.rpm
haproxy-utils-2.8.3-6.mga9.x86_64.rpm

from SRPM:
haproxy-2.8.3-6.mga9.src.rpm
Thanks, Raphael :-) The advisory from comment 17 has been added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
(In reply to Herman Viaene from comment #7)
> MGA9-64 Xfce on Acer Aspire 5253
> No installation issues, haproxy was not installed before
> Tried to follow Comment 2, but no joy, I suspect configuration issues.
> # systemctl start haproxy
> Job for haproxy.service failed because the control process exited with error
> code.
> See "systemctl status haproxy.service" and "journalctl -xeu haproxy.service"
> for details.
>
> # systemctl -l status haproxy
> ● haproxy.service - HAproxy Loadbalancer
>      Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled;
> preset: disabled)
>      Active: activating (auto-restart) (Result: exit-code) since Tue
> 2023-10-10 10:53:20 CEST; 203ms ago
>     Process: 16327 ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q
> (code=exited, status=1/FAILURE)
>         CPU: 65ms
> and
>
> # journalctl -xeu haproxy.service
> [...]
>
> Googled for some tutorial and found
> https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-
> servers
> but the config file is quite complex and I'm not familiar with the subject.
> Leaving here

Could you provide the results of comments #8 and #9?

I would like this update to be released, we are kind of already 1 month late :'( (with a not so easy to exploit active CVE and major bugs)
$ cat /var/log/haproxy/error.log
$ rpm -V haproxy

No feedback on both commands.

$ /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
[NOTICE] (15425) : haproxy version is 2.8.3-86e043a
[NOTICE] (15425) : path to executable is /usr/sbin/haproxy
[ALERT] (15425) : config : parsing [/etc/haproxy/haproxy.conf:222] : 'bind :::8443' in section 'frontend' : '/etc/pki/tls/private/haproxy.pem' is present but cannot be read or parsed.
[ALERT] (15425) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.conf
[ALERT] (15425) : config : Fatal errors found in configuration.

but running it as root:

# /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
Configuration file is valid
(In reply to Herman Viaene from comment #20)
> $ /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
> [...]
> [ALERT] (15425) : config : parsing [/etc/haproxy/haproxy.conf:222] :
> 'bind :::8443' in section 'frontend' : '/etc/pki/tls/private/haproxy.pem'
> is present but cannot be read or parsed.
> [...]
>
> but running it as root:
> # /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
> Configuration file is valid

Seems it can't access your haproxy.pem certificate as the haproxy user.

Ok, the create-ssl-certificate trigger did not have the -g haproxy option to have /etc/pki/tls/private/haproxy.pem owned by root:haproxy. On my server I was using the following ACL and didn't see that:

setfacl -m u:haproxy:r /etc/pki/tls/private/haproxy.pem

What is the result of the following after upgrading to the latest haproxy-2.8.3-7.mga9?

ls -l /etc/pki/tls/certs/haproxy.pem
ls -l /etc/pki/tls/private/haproxy.pem
ls -lH /etc/pki/tls/certs/haproxy.pem
ls -lH /etc/pki/tls/private/haproxy.pem

I took the opportunity to fix a typo, add a missing commented-out directive and remove a circular bug which triggered a warning in the log (see the last two commits on SOURCE/haproxy.conf and SPECS/haproxy.spec).

I will need to update the advisory for the next release, which should fix the reported problem.
(In reply to Raphael Gertz from comment #21)
> I will need to update the advisory for next release which should fix the
> reported problem.

so removing the advisory keyword
Keywords: advisory => (none)
Haproxy has fixed issues in the latest upstream version 2.8.3 of the 2.8 branch.
Impacted: mga9 & cauldron.

Suggested advisory:
========================

The updated packages fix various bugs.

Default user access is now commented out to prevent a possible local exploit and to prevent further rpmnew files on future updates.

Fixed major bug list:
- quic: Really ignore malformed ACK frames
- http-ana: Get a fresh trash buffer for each header value replacement
- h3: reject header values containing invalid chars
- http: reject any empty content-length header value (CVE-2023-40225)

Fixed medium bug list:
- quic: fix tasklet_wakeup loop on connection closing
- stconn: Update stream expiration date on blocked sends
- stconn: Wake applets on sending path if there is a pending shutdown
- stconn: Don't block sends if there is a pending shutdown
- h1-htx: Ensure chunked parsing with full output buffer
- applet: Fix API for function to push new data in channels buffer
- stconn: Report read activity when a stream is attached to front SC
- applet: Report an error if applet request more room on aborted SC
- stconn/stream: Forward shutdown on write timeout
- stconn: Always update stream's expiration date after I/O
- capabilities: enable support for Linux capabilities
- sink: invalid server list in sink_new_from_logsrv()
- log: improper use of logsrv->maxlen for buffer targets
- quic: token IV was not computed using a strong secret
- quic: missing check of dcid for init pkt including a token
- quic: timestamp shared in token was using internal time clock
- hlua_fcn/queue: bad pop_wait sequencing
- listener: Acquire proxy's lock in relax_listener() if necessary
- h3: Properly report a C-L header was found to the HTX start-line
- h3: Be sure to handle fin bit on the last DATA frame
- bwlim: Reset analyse expiration date when the channel analyse ends
- quic: consume contig space on requeue datagram

References:
https://www.haproxy.org/download/2.8/src/CHANGELOG
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40225
========================

Updated packages in 9/core/updates_testing:
========================
haproxy-2.8.3-7.mga9.x86_64.rpm
haproxy-noquic-2.8.3-7.mga9.x86_64.rpm
haproxy-quic-2.8.3-7.mga9.x86_64.rpm
haproxy-utils-2.8.3-7.mga9.x86_64.rpm

from SRPM:
haproxy-2.8.3-7.mga9.src.rpm
I updated src to haproxy-2.8.3-7.mga9 in advisory 32319.
(In reply to Herman Viaene from comment #20)
> $ /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
> [...]
> 'bind :::8443' in section 'frontend' : '/etc/pki/tls/private/haproxy.pem'
> is present but cannot be read or parsed.

Could you validate that everything works correctly now?

You may need to remove these files:
/etc/pki/tls/certs/haproxy.pem
/etc/pki/tls/private/haproxy.pem

Then remove haproxy and install it again.

I don't think it's a good idea to add an upgrade trigger that fixes the group ownership of the certificate to haproxy, in case the end user fixed theirs with an ACL or otherwise.
Followed recommendations from Comment 25: removed those files, removed the haproxy packages and reinstalled the latest, giving:

# rm /etc/pki/tls/certs/haproxy.pem
rm: remove regular file '/etc/pki/tls/certs/haproxy.pem'? y
[root@mach7 ~]# rm /etc/pki/tls/private/haproxy.pem
rm: remove regular file '/etc/pki/tls/private/haproxy.pem'? y
[root@mach7 ~]# systemctl start haproxy
[root@mach7 ~]# systemctl -l status haproxy
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Tue 2023-10-24 16:08:10 CEST; 16s ago
    Process: 42487 ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q (code=exited, status=0/SUCCESS)
   Main PID: 42656 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 21.0M
        CPU: 409ms
     CGroup: /system.slice/haproxy.service
             ├─42656 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─42665 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

Oct 24 16:08:09 mach7.hviaene.thuis systemd[1]: Starting haproxy.service...
Oct 24 16:08:10 mach7.hviaene.thuis systemd[1]: Started haproxy.service.
[root@mach7 ~]# systemctl start httpd

and then as normal user (opened up the ports in the firewall):

$ curl -I -k http://localhost:8000/
HTTP/1.1 302 Found
content-length: 0
location: https://localhost:8000/
cache-control: no-cache
$ curl -I -k http://localhost:8080/
curl: (56) Recv failure: Connection reset by peer
$ curl -I -k http://localhost:8443/
curl: (56) Recv failure: Connection reset by peer

$ cat /var/log/haproxy/error.log
[NOTICE] (42656) : New worker (42665) forked
[NOTICE] (42656) : Loading success.
[WARNING] (42665) : Server http_default/apache is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] (42665) : backend 'http_default' has no server available!
[WARNING] (42665) : Server https_default/apache is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 1ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] (42665) : backend 'https_default' has no server available!
[WARNING] (42665) : Server http_css/css is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] (42665) : backend 'http_css' has no server available!
[WARNING] (42665) : Server http_js/js is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[ALERT] (42665) : backend 'http_js' has no server available!
[WARNING] (42665) : Server http_default/apache is UP, reason: Layer7 check passed, code: 200, check duration: 3ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
[WARNING] (42665) : Server https_default/apache is UP, reason: Layer7 check passed, code: 200, check duration: 18ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
[WARNING] (42665) : Server http_js/js is UP, reason: Layer7 check passed, code: 404, check duration: 4ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.

Sure httpd is running.

$ rpm -V haproxy
no feedback
CC: (none) => mageia
Blocks: (none) => 32442
$ ls -l /etc/pki/tls/certs/haproxy.pem
-rw-r--r-- 1 root root 1277 Oct 24 16:06 /etc/pki/tls/certs/haproxy.pem
$ ls -l /etc/pki/tls/private/haproxy.pem
-rw-r----- 1 root haproxy 1704 Oct 24 16:06 /etc/pki/tls/private/haproxy.pem
$ ls -lH /etc/pki/tls/certs/haproxy.pem
-rw-r--r-- 1 root root 1277 Oct 24 16:06 /etc/pki/tls/certs/haproxy.pem
$ ls -lH /etc/pki/tls/private/haproxy.pem
-rw-r----- 1 root haproxy 1704 Oct 24 16:06 /etc/pki/tls/private/haproxy.pem

This is in response to the questions in Comment 21.
Is it really a good idea to drop privileges in systemd? I get these errors:

[ALERT] (5254) : Binding [/etc/haproxy.d/2_http80.cfg:3] for frontend port_80: cannot bind socket (Permission denied) for [0.0.0.0:80]

The user will not be able to bind ports in default systems.
I added to the service the following:

AmbientCapabilities=CAP_NET_BIND_SERVICE

Should be able to bind < 1024 privileged ports now.
Haproxy has fixed issues in the last upstream version 2.8.3 of branch 2.8. Impacted mga9 & cauldron.

Suggested advisory:
========================

The updated packages fix various bugs.

Default user access is now commented out to prevent a possible local action exploit and prevent further rpmnew on future updates.

Fixed major bug list:
- quic: Really ignore malformed ACK frames
- http-ana: Get a fresh trash buffer for each header value replacement
- h3: reject header values containing invalid chars
- http: reject any empty content-length header value (CVE-2023-40225)

Fixed medium bug list:
- quic: fix tasklet_wakeup loop on connection closing
- stconn: Update stream expiration date on blocked sends
- stconn: Wake applets on sending path if there is a pending shutdown
- stconn: Don't block sends if there is a pending shutdown
- h1-htx: Ensure chunked parsing with full output buffer
- applet: Fix API for function to push new data in channels buffer
- stconn: Report read activity when a stream is attached to front SC
- applet: Report an error if applet request more room on aborted SC
- stconn/stream: Forward shutdown on write timeout
- stconn: Always update stream's expiration date after I/O
- capabilities: enable support for Linux capabilities
- sink: invalid server list in sink_new_from_logsrv()
- log: improper use of logsrv->maxlen for buffer targets
- quic: token IV was not computed using a strong secret
- quic: missing check of dcid for init pkt including a token
- quic: timestamp shared in token was using internal time clock
- hlua_fcn/queue: bad pop_wait sequencing
- listener: Acquire proxy's lock in relax_listener() if necessary
- h3: Properly report a C-L header was found to the HTX start-line
- h3: Be sure to handle fin bit on the last DATA frame
- bwlim: Reset analyse expiration date when then channel analyse ends
- quic: consume contig space on requeue datagram

References:
https://www.haproxy.org/download/2.8/src/CHANGELOG
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40225
========================

Updated packages in 9/core/updates_testing:
========================
haproxy-2.8.3-8.mga9.x86_64.rpm
haproxy-noquic-2.8.3-8.mga9.x86_64.rpm
haproxy-quic-2.8.3-8.mga9.x86_64.rpm
haproxy-utils-2.8.3-8.mga9.x86_64.rpm

from SRPM:
haproxy-2.8.3-8.mga9.src.rpm
Last advisory is committed as well. I tested binding to port 800 and it works; it should be possible to bind 80 and 443 as well. For me all is resolved and this package is ready to be pushed to release updates.
Haproxy has fixed issues in the last upstream version 2.8.3 of branch 2.8. Impacted mga9 & cauldron.

Suggested advisory:
========================
type: security
subject: Updated haproxy packages fix security vulnerability
CVE:
 - CVE-2023-40225
src:
  9:
   core:
     - haproxy-2.8.3-9.mga9
description: |
  Haproxy has fixed security and other issues in last upstream version 2.8.3 of branch 2.8

  Default user access is now commented out to prevent a possible local action exploit and prevent further rpmnew on future updates.

  Use a check script to have config check result in error log on failure.

  Fix corruption with non empty access log.

  Fixed major bug list:
  - quic: Really ignore malformed ACK frames
  - http-ana: Get a fresh trash buffer for each header value replacement
  - h3: reject header values containing invalid chars
  - http: reject any empty content-length header value (CVE-2023-40225)

  Fixed medium bug list:
  - quic: fix tasklet_wakeup loop on connection closing
  - stconn: Update stream expiration date on blocked sends
  - stconn: Wake applets on sending path if there is a pending shutdown
  - stconn: Don't block sends if there is a pending shutdown
  - h1-htx: Ensure chunked parsing with full output buffer
  - applet: Fix API for function to push new data in channels buffer
  - stconn: Report read activity when a stream is attached to front SC
  - applet: Report an error if applet request more room on aborted SC
  - stconn/stream: Forward shutdown on write timeout
  - stconn: Always update stream's expiration date after I/O
  - capabilities: enable support for Linux capabilities
  - sink: invalid server list in sink_new_from_logsrv()
  - log: improper use of logsrv->maxlen for buffer targets
  - quic: token IV was not computed using a strong secret
  - quic: missing check of dcid for init pkt including a token
  - quic: timestamp shared in token was using internal time clock
  - hlua_fcn/queue: bad pop_wait sequencing
  - listener: Acquire proxy's lock in relax_listener() if necessary
  - h3: Properly report a C-L header was found to the HTX start-line
  - h3: Be sure to handle fin bit on the last DATA frame
  - bwlim: Reset analyse expiration date when then channel analyse ends
  - quic: consume contig space on requeue datagram
references:
 - https://bugs.mageia.org/show_bug.cgi?id=32319
 - https://www.haproxy.org/download/2.8/src/CHANGELOG
Default config is fixed IMO. I removed the dependency on bug #32442, which requests new features not suited for a security update (we will see what is reasonable for cauldron and next mga10).
Blocks: 32442 => (none)
Is everything in order to release this security update?
Herman? This is all quite a bit beyond my abilities. You are better at this than I am, and I trust your opinion. Do you object to sending it on?
CC: (none) => andrewsfarm
Lately I have been working on M8 updates. I see now Raphael has provided a new package, which I haven't tested yet. I'll give it a try this afternoon.
Tried new package as in Comment 33, but

Sorry, the following package cannot be selected:
- haproxy-2.8.3-9.mga9.x86_64 (due to unsatisfied haproxy-server[== 2.8.3-9.mga9])

This is when using qarepo. Disabled that one, used the repo directly and packages installed, there is no haproxy-server in view.

# systemctl start haproxy
# systemctl -l status haproxy
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
     Active: active (running) since Sun 2023-11-12 13:54:36 CET; 1min 21s ago
   Main PID: 4008 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.0M
        CPU: 517ms
     CGroup: /system.slice/haproxy.service
             ├─4008 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─4010 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

Nov 12 13:54:36 mach7.hviaene.thuis systemd[1]: Starting haproxy.service...
Nov 12 13:54:36 mach7.hviaene.thuis systemd[1]: Started haproxy.service.

As normal user
$ curl -I -k http://localhost:8000/
HTTP/1.1 302 Found
content-length: 0
location: https://localhost:8000/
cache-control: no-cache

I'm not sure about the following tests, Comment 2 uses ports 8080 and 8443, but Comment 32 seems to point to 80 and 443. Made sure ports are open in firewall, but on any I get the same result as in:
$ curl -I -k http://localhost:443
curl: (7) Failed to connect to localhost port 443 after 1 ms: Couldn't connect to server
Qarepo failed because comment 33 did not list the rpms to test, but instead listed the source name. So, when you used that in qarepo as your rpm list, you didn't get all the packages. Using qarepo's wild card feature, I searched for "*haproxy*" (the "*" in the front was to catch any potential libraries) and came up with this list:

haproxy-2.8.3-9.mga9.x86_64.rpm
haproxy-noquic-2.8.3-9.mga9.x86_64.rpm
haproxy-quic-2.8.3-9.mga9.x86_64.rpm
haproxy-utils-2.8.3-9.mga9.x86_64.rpm

Installing haproxy requires haproxy-noquic, but selecting haproxy-quic first requires haproxy and lib64quictls81, but not haproxy-noquic. And finally, selecting haproxy-utils doesn't ask for anything more, not even haproxy.

haproxy-utils says: "HAProxy-utils contains a couple of command line utilities for working with haproxy servers. You should install haproxy-utils if you need to get information from HAProxy servers."

Would that be of any assistance? Still quite beyond me...
@Herman: the proxy binds the remote ports to local ports. I don't know how exactly apache is configured, so it should listen on ports 8000, 8080 and 8443 (in this example) (where is the config file for that?)

For that test, I guess some more simple server should be used, e.g. netcat or some other minimal server:
while true ; do nc -l -p 1500 -c 'echo -e "HTTP/1.1 200 OK\n\n $(date)"'; done

So connecting to port 80/443 should not work without haproxy. Using this command:
echo "show stat no-maint" | socat stdio unix-connect:/run/haproxy/haproxy.sock|cut -d "," -f 1,2,5-10,18,19,36,50,34,36,37,38,56 | column -s, -t
should show "L7OK" or "L4OK" in the column check_status, which means the proxy was able to connect to the backend.

After starting haproxy the connection to port 80 and 443 should be possible and should return the status or the document.
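A variant of the check_status check above that looks the columns up by name from the CSV header rather than by fixed position with cut. This is an added example, not from the bug report or the Mageia package; it assumes the socket path /run/haproxy/haproxy.sock from the command above, the sample CSV is constructed offline with only a subset of the real "show stat" columns, and it also accepts L6OK and L7OKC as passing, beyond the two values named above.

```shell
#!/bin/sh
# Added example: evaluate HAProxy "show stat" CSV by column name.
# Live usage (socket path assumed from the thread):
#   echo "show stat no-maint" | socat stdio unix-connect:/run/haproxy/haproxy.sock \
#       | haproxy_unhealthy_servers

# Constructed sample with a subset of the real header columns; the live output
# has far more columns, which is exactly why the header lookup is used.
haproxy_stat_sample() {
    cat <<'EOF'
# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,weight,act,bck,check_status,
http_default,FRONTEND,0,0,0,1,,3,OPEN,,,,,
http_default,apache,0,0,0,1,,3,UP,1,1,0,L7OK,
http_default,BACKEND,0,0,0,1,,3,UP,1,1,0,,
https_default,apache,0,0,0,0,,0,DOWN,1,0,0,L4CON,
http_css,css,0,0,0,0,,0,UP,1,1,0,L4OK,
EOF
}

# Reads "show stat" CSV on stdin. Prints "pxname svname status check_status"
# for each real server whose last health check did not pass.
# Exit status: 0 all servers healthy, 1 at least one unhealthy,
# 2 the input lacks a column we need (not a "show stat" dump).
haproxy_unhealthy_servers() {
    awk -F, '
        NR == 1 {
            # Header line "# pxname,svname,...": map each column name to its index.
            for (i = 1; i <= NF; i++) { name = $i; sub(/^# */, "", name); col[name] = i }
            for (k = split("pxname svname status check_status", need, " "); k > 0; k--)
                if (!(need[k] in col)) {
                    print "missing column: " need[k] > "/dev/stderr"
                    err = 2
                    exit
                }
            next
        }
        # FRONTEND/BACKEND summary rows carry no health check of their own.
        $(col["svname"]) == "FRONTEND" || $(col["svname"]) == "BACKEND" { next }
        {
            cs = $(col["check_status"])
            # L4OK/L7OK as in the thread; L6OK (SSL handshake) and L7OKC
            # (conditionally OK) are the other passing values HAProxy reports.
            if (cs != "L4OK" && cs != "L6OK" && cs != "L7OK" && cs != "L7OKC") {
                print $(col["pxname"]), $(col["svname"]), $(col["status"]), cs
                bad++
            }
        }
        END { exit (err ? err : (bad ? 1 : 0)) }
    '
}
```

Run against the sample it reports only https_default/apache (DOWN, L4CON, the "Layer4 connection problem" seen in the error.log earlier in this thread) and exits 1.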
First test: Install current haproxy-quic haproxy-utils and update to testing versions

LC_ALL=C urpmi haproxy-quic haproxy-utils
To satisfy dependencies, the following packages are going to be installed:
  Package              Version    Release    Arch
(medium "Core Release")
  haproxy              2.8.1      4.mga9     x86_64
  haproxy-quic         2.8.1      4.mga9     x86_64
  haproxy-utils        2.8.1      4.mga9     x86_64
(medium "Core Updates")
  lib64quictls81.3     3.0.12     1.mga9     x86_64
12MB of additional disk space will be used.
3.9MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-utils-2.8.1-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-2.8.1-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-quic-2.8.1-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64quictls81.3-3.0.12-1.mga9.x86_64.rpm
installing haproxy-utils-2.8.1-4.mga9.x86_64.rpm lib64quictls81.3-3.0.12-1.mga9.x86_64.rpm haproxy-2.8.1-4.mga9.x86_64.rpm haproxy-quic-2.8.1-4.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################################
      1/4: lib64quictls81.3      ##########################################
      2/4: haproxy               ##########################################
      3/4: haproxy-quic          ##########################################
      4/4: haproxy-utils         ##########################################

[root@phoenix ~]# LC_ALL=C urpmi haproxy-quic haproxy-utils
To satisfy dependencies, the following packages are going to be installed:
  Package              Version    Release    Arch
(medium "QA Testing (64-bit)")
  haproxy              2.8.3      9.mga9     x86_64
  haproxy-quic         2.8.3      9.mga9     x86_64
  haproxy-utils        2.8.3      9.mga9     x86_64
13KB of additional disk space will be used.
1.7MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y
installing haproxy-2.8.3-9.mga9.x86_64.rpm haproxy-quic-2.8.3-9.mga9.x86_64.rpm haproxy-utils-2.8.3-9.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##########################################
      1/3: haproxy-quic          ##########################################
      2/3: haproxy               ##########################################
      3/3: haproxy-utils         ##########################################
      1/3: removing haproxy-2.8.1-4.mga9.x86_64
                                 ##########################################
      2/3: removing haproxy-quic-2.8.1-4.mga9.x86_64
                                 ##########################################
      3/3: removing haproxy-utils-2.8.1-4.mga9.x86_64
                                 ##########################################
----------------------------------------------------------------------
More information on package haproxy-2.8.3-9.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------

No install issues.
Test 2: Install current versions of haproxy-noquic haproxy-utils and update to testing versions

LC_ALL=C urpmi haproxy-noquic haproxy-utils
To satisfy dependencies, the following packages are going to be installed:
  Package              Version    Release    Arch
(medium "Core Release")
  haproxy              2.8.1      4.mga9     x86_64
  haproxy-noquic       2.8.1      4.mga9     x86_64
  haproxy-utils        2.8.1      4.mga9     x86_64
4.9MB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-noquic-2.8.1-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-utils-2.8.1-4.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/haproxy-2.8.1-4.mga9.x86_64.rpm
installing haproxy-2.8.1-4.mga9.x86_64.rpm haproxy-utils-2.8.1-4.mga9.x86_64.rpm haproxy-noquic-2.8.1-4.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################################
      1/3: haproxy-noquic        ##########################################
      2/3: haproxy               ##########################################
      3/3: haproxy-utils         ##########################################

LC_ALL=C urpmi haproxy-noquic haproxy-utils
To satisfy dependencies, the following packages are going to be installed:
  Package              Version    Release    Arch
(medium "QA Testing (64-bit)")
  haproxy              2.8.3      9.mga9     x86_64
  haproxy-noquic       2.8.3      9.mga9     x86_64
  haproxy-utils        2.8.3      9.mga9     x86_64
13KB of additional disk space will be used.
1.6MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y
installing haproxy-noquic-2.8.3-9.mga9.x86_64.rpm haproxy-2.8.3-9.mga9.x86_64.rpm haproxy-utils-2.8.3-9.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##########################################
      1/3: haproxy               ##########################################
      2/3: haproxy-noquic        ##########################################
      3/3: haproxy-utils         ##########################################
      1/3: removing haproxy-noquic-2.8.1-4.mga9.x86_64
                                 ##########################################
      2/3: removing haproxy-2.8.1-4.mga9.x86_64
                                 ##########################################
      3/3: removing haproxy-utils-2.8.1-4.mga9.x86_64
                                 ##########################################
----------------------------------------------------------------------
More information on package haproxy-2.8.3-9.mga9.x86_64
Haproxy is now installed.
Configuration file is /etc/haproxy/haproxy.conf
The server listen on any:8080 and 8443 by default.

Add to /etc/shorewall/rules.haproxy these shorewall rules for a transparent proxy:
# Redirect tcp traffic from net on port 80 to 8000
REDIRECT net 8000 tcp 80
# Redirect tcp traffic from net on port 443 to 8000
REDIRECT net 8000 tcp 443
# Redirect udp traffic from net on port 443 to 8443
#REDIRECT net 8443 udp 443

Enable the service with:
# systemctl enable haproxy.service
Start the service with:
# systemctl start haproxy.service
----------------------------------------------------------------------
3rd Test:

systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xeu haproxy.service" for details.

systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Mon 2023-11-13 21:21:05 CST; 1s ago
    Process: 210675 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=1/FAILURE)
        CPU: 25ms

nov 13 21:21:05 phoenix systemd[1]: Failed to start haproxy.service.
what did you change for the 3rd test? did you add an error inside the config, so it is intended to fail?
I've been reading thru Marc's explanation and thru the haproxy.conf and httpd.conf files. As far as I understand this, haproxy should listen on ports 8080 and 8443 and send the requests thru to http ports 80 and 443. I checked my httpd.conf and it only listens on port 80, so the test to port 8443 should fail anyway. But I checked localhost:80 responds "It works", both haproxy and httpd are running, the firewall is opened to 8080/tcp (confirmed by telnet), but still I get:

$ curl -I -k http://localhost:8080/
curl: (56) Recv failure: Connection reset by peer

So, I suspect somehow httpd blocks this off. Googling doesn't get me any further.
@Raphael: it is your main config, I was just helping out; maybe I can take a look at it too. But atm I think the testing looks too complicated. All firewalls keep the local interface open, so I guess there is no need to change the firewall.

In my opinion, the test should go like this:
- start 2 terminal netcat with loop
- start haproxy
- test netcat port 80/443 work
- test haproxy status
- test connect port 8080, 8443 work

@Herman: I am new to this service too, but already have it working, so I'll try to look into this this evening.
(In reply to Marc Krämer from comment #44)
> what did you change for the 3rd test? did you add an error inside the
> config, so it is intended to fail?

I went direct from 2nd to 3rd; I also tested direct install of the testing versions, switching between noquic and quic packages. But also the current versions don't work out of the box. If having shorewall is a requirement, then that can be the cause of failure because I don't set up a firewall.
The error is stated in /var/log/haproxy/error.log:

[ALERT] (15706) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.conf
[ALERT] (15706) : config : Fatal errors found in configuration.
[NOTICE] (15741) : haproxy version is 2.8.3-86e043a
[NOTICE] (15741) : path to executable is /usr/sbin/haproxy
[ALERT] (15741) : config : parsing [/etc/haproxy/haproxy.conf:227] : 'bind :::8443' in section 'frontend' : '/etc/pki/tls/private/haproxy.pem' is present but cannot be read or parsed.
[ALERT] (15741) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.conf
[ALERT] (15741) : config : Fatal errors found in configuration.

This is the bug in https://bugs.mageia.org/show_bug.cgi?id=32442

In case haproxy should drop privileges, the file /etc/pki/tls/private/haproxy.pem must be owned by the user haproxy, not root.
ok, at my pc, the file /etc/pki/tls/private/haproxy.pem was created by an earlier test, so after removing that file and reinstalling the package it works:

$ ls -la /etc/pki/tls/private/haproxy.pem
-rw-r----- 1 root haproxy 1704 Nov 14 21:49 /etc/pki/tls/private/haproxy.pem
The default config looks way too complicated!!

backend 8080 will not run safely. It uses "send-proxy-v2". This must be enabled on apache, and protocol version 2 is not yet (?) supported!!! I ran into this pitfall myself: on higher load apache stated bad protocol codes in the log.

haproxy shows it is running, and it looks good so far.

I think it would be good to get that update out, even if the config is still not in a shape that it could be tested easily.
(In reply to Marc Krämer from comment #49)
> ok, at my pc, the file /etc/pki/tls/private/haproxy.pem was created by an
> earlier test, so after removing that file and reinstalling the package it
> works:
> $ ls -la /etc/pki/tls/private/haproxy.pem
> -rw-r----- 1 root haproxy 1704 Nov 14 21:49 /etc/pki/tls/private/haproxy.pem

I did that and it works:

systemctl status haproxy.service
● haproxy.service - HAproxy Loadbalancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: disabled)
     Active: active (running) since Wed 2023-11-15 11:52:33 CST; 28s ago
    Process: 42848 ExecStartPre=/usr/sbin/haproxy-check (code=exited, status=0/SUCCESS)
   Main PID: 42853 (haproxy)
     Status: "Ready."
      Tasks: 9 (limit: 65000)
     Memory: 16.2M
        CPU: 169ms
     CGroup: /system.slice/haproxy.service
             ├─42853 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws
             └─42855 /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -Ws

But I think the update must take care of that, or we must add a note in the errata page.
(In reply to katnatek from comment #51)
> But I think the update must care of that, or we must add a note in the
> errata page

Between fixing the permission of the pem file for people with an unworking haproxy and trashing permission for people with a working one, I think it's safer to keep the working install...

To test default config, you need:
- listening http server on port 80
- listening http server on port 443

To test http:
curl -I http://127.0.0.1:8000
curl -I -k https://127.0.0.1:8000

The 8080 and 8443 ports are kind of internal because of the proxy stuff to not lose the REMOTE_ADDR in the process. The redirection with shorewall is optional; it is intended to keep the existing http/https server and insert haproxy in between transparently.

People using this package will tailor it to their needs; the configuration for mga9 was just to have something that works out of the box, the user will tailor it to their needs afterwards.
I give ok for mga9-64b, and still think a note in errata is necessary in case a legacy /etc/pki/tls/private/haproxy.pem doesn't allow starting the service after the update.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => FOR_ERRATA9
(In reply to Marc Krämer from comment #50)
> The default config looks way to complicated!!

That's why I didn't close the other bug report for cauldron. It is out of scope of this security update; it will ask for a vim-syntax update to support /etc/haproxy/*.cfg config files. It will require some brainstorming to bring something better. Break the configuration in multiple parts? Keep current transparent proxy configuration? Add various configuration examples in haproxy shared documentation?

> backend 8080 will not run safely. it uses "send-proxy-v2". This must be
> enabled on apache - and protocol version 2 is not yet (?) supported!!! I ran
> into this pitfall myself - on higher load apache stated bad protocol codes
> in the log.

In the default configuration, backends on port 8080 and 8443 are not designed to receive direct traffic on them, without removing the accept-proxy here to not lose the REMOTE_ADDR.

> haproxy shows it is running, and it looks good so far.
>
> I think it would be good to get that update out, even if the config is still
> not in a shape that it could be tested easily.

Http QA test process:
- urpmi haproxy + haproxy-(quic|noquic)
- start service
- have http server on 80 port
- curl -I http://127.0.0.1:8000
- See result

Https QA test process:
- urpmi haproxy + haproxy-(quic|noquic)
- start service
- have https server on 443 port
- curl -I -k http://127.0.0.1:8000
- See result

Shorewall rules are only useful to have it running as a transparent proxy between your already existing apache/nginx server and the internet without changing existing web server port configuration.
Haproxy sending X-Forwarded* headers:

frontend https_default
    # Store proto variable as txn
    http-request set-var(txn.proto) ssl_fc,iif(https,http)
    # Set forwarded proto
    http-request set-header X-Forwarded-Proto %[var(txn.proto)]
    # Set forwarded port
    http-request set-header X-Forwarded-Port %[dst_port]
    # Set forwarded for
    #http-request set-header X-Forwarded-For %[src]
    # Set forwarded by
    http-request set-header X-Forwarded-By %[dst]
    # Set forwarded
    #http-request set-header Forwarded by=%[dst]:%[dst_port];for=%[src]:%[src_port];host=%[var(txn.host)];proto=%[var(txn.proto)]
    http-request set-header Forwarded by=%[dst]:%[dst_port];for=%[src]:%[src_port];proto=%[var(txn.proto)]

Apache config to receive the haproxy X-Forwarded* headers:

# HAProxy configuration
<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 127.0.0.1 ::1 <ipv4> <ipv6>
    RemoteIPProxiesHeader X-Forwarded-By
</IfModule>
@all: I suggest we push this update at that stage.

@Raphael: the default config changes should be backported to mga9, even to help QA make the test. Like defaults in apache and others, it is sufficient to show the service is running and a connection from 8080 (ha-proxy) to 80 works. And for most users this is also a good starting point. If you want, we can keep in touch and discuss some more (via mail? or inside the config bug). I think I already had a few lessons learned (e.g. protocol version 2 not supported by apache2 atm).
Validating, then.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0320.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED