Bug #10937
closed
HAProxy frontend and backend entry limit
Description
There seems to be some sort of limit in the number of entries/rows you can have in a single haproxy frontend or backend.
- In backends, it shows an error after clicking save at 292 server rows. Error: The value " in field 'Client timeout' is not a number
- In frontends, it shows an error after clicking save at 122 action rows with 1 ext address entry. Depending on the combination of entries (ext address entries, acl entries, action entries), the overall limit changes. Error: The field 'Strict-Transport-Security' is not empty or a number.
This is reproducible in 2.5.0, 2.4.5-p1, as well as haproxy and haproxy-devel packages.
Steps to reproduce:
- Start with a default configuration of haproxy-devel
- Click Add to create a front end; give it a name.
- Click the arrow to add an action; leave everything else as is.
- Click Save.
- Edit the new frontend and duplicate the action entry until there's a total of 121, then click save.
- Edit the new frontend and create 1 duplicate action entry and click save.
- Error appears.
Updated by Marcos M over 4 years ago
- File error-backend.png added
- File error-frontend.png added
- File success [20-09-29 09-10-07].har added
- File fail [20-09-29 09-10-35].har added
Some additional files from testing.
Updated by Marcos M over 4 years ago
Making the following change then restarting php-fpm and webConfigurator (option 16 & 11 in console) resolved the issue:
In the file:
/etc/rc.php_ini_setup
Change:
max_input_vars = 5000
to:
max_input_vars = 50000
Updated by Jim Pingle over 4 years ago
The input variable change is an OK workaround (I'm not sure why it's at 5000) but also the form code should probably be improved so that it only submits relevant variables. Somehow I doubt it should be submitting 5000 variables for only <= 300 entries.
This happened to ACME a while back, the same fix may apply here:
https://github.com/pfsense/FreeBSD-ports/commit/1b65abcd8cebda591eebe55aa7f77cef111e5685
Updated by Marcos M over 4 years ago
I looked for existing CVEs around increasing the limit, but did not find any issues with it. I would agree however that increasing the limit is not ideal and a more efficient form submission method should be implemented.
Updated by Marcos M almost 4 years ago
Error still present on 21.02.2 using haproxy-devel.
Tested on 21.09.a.20210517.0100 and the issue persists, but php crashes instead and the user receives a "CSRF check failed" error:
Crash report begins. Anonymous machine information:
amd64
12.2-STABLE
FreeBSD 12.2-STABLE plus-devel-12-n202543-5c42cd642845 pfSense
Crash report details:
PHP Errors:
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: Unknown: Input variables exceeded 5000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 30
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: session_start(): Cannot start session when headers already sent in /etc/inc/phpsessionmanager.inc on line 41
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: Cannot modify header information - headers already sent in /usr/local/www/csrf_error.php on line 22
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: session_start(): Cannot start session when headers already sent in /etc/inc/phpsessionmanager.inc on line 41
[18-May-2021 18:33:39 Etc/UTC] PHP Warning: Cannot modify header information - headers already sent in /usr/local/www/csrf/csrf-magic.php on line 234
No FreeBSD crash data found.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
Updated by Viktor Gurov about 3 years ago
- Related to Bug #12692: Haproxy backend issue added
Updated by Christopher Cope about 3 years ago
Tested on
2.6.0-RELEASE (amd64) built on Mon Jan 31 19:57:53 UTC 2022 FreeBSD 12.3-STABLE
on haproxy-devel 0.62_8 and it behaves as expected even when a large number of entries are input. Marking as resolved.
Updated by Christopher Cope about 3 years ago
- Status changed from Feedback to Resolved
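An added example, not from this thread or the pfSense code base: a simplified model of the max_input_vars truncation discussed above, for checking a captured urlencoded POST body (for instance one taken from a HAR export) against the limit. The field names, the 41 fields per row and the sample body are constructed, and the model assumes each key=value pair counts as one input variable.

```python
from urllib.parse import parse_qsl, urlencode

PHP_MAX_INPUT_VARS = 5000  # limit named in the PHP warning quoted in this thread


def audit_post_body(body, limit=PHP_MAX_INPUT_VARS):
    """Model which fields of a urlencoded POST body survive the limit.

    Simplified model (assumption): each key=value pair counts as one input
    variable, and every pair after the first `limit` pairs is discarded.
    """
    pairs = parse_qsl(body, keep_blank_values=True)  # empty fields still count
    return {
        "total": len(pairs),
        "accepted": min(len(pairs), limit),
        "truncated": len(pairs) > limit,
        "dropped": [name for name, _ in pairs[limit:]],
    }


def max_rows(limit, fixed_fields, fields_per_row):
    """Largest row count whose complete form still fits under the limit."""
    return max(0, (limit - fixed_fields) // fields_per_row)


def build_sample_body(rows, fields_per_row, trailing):
    """Constructed form body: per-row fields first, then trailing settings."""
    pairs = [(f"row{r}_f{i}", "x")
             for r in range(rows) for i in range(fields_per_row)]
    pairs += [(name, "") for name in trailing]
    return urlencode(pairs)


if __name__ == "__main__":
    # Hypothetical field names and per-row count, not the package's real ones.
    trailing = ["client_timeout", "hsts_max_age", "save"]
    for rows in (121, 122):
        report = audit_post_body(build_sample_body(rows, 41, trailing))
        print(rows, report["total"], report["truncated"], report["dropped"])
    print("rows that fit:", max_rows(PHP_MAX_INPUT_VARS, len(trailing), 41))
```

In this model the fields that fall past the limit are the ones rendered last in the form, so the settings that follow a long row list are the first to go missing.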