Bug #10937

open

HAProxy frontend and backend entry limit

Added by Marcos Mendoza 12 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 09/29/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

There seems to be some sort of limit in the number of entries/rows you can have in a single haproxy frontend or backend.

  • In backends, it shows an error after clicking save at 292 server rows. Error: The value " in field 'Client timeout' is not a number
  • In frontends, it shows an error after clicking save at 122 action rows with 1 ext address entry. Depending on the combination of entries (ext address entries, acl entries, action entries), the overall limit changes. Error: The field 'Strict-Transport-Security' is not empty or a number.

This is reproducible in 2.5.0, 2.4.5-p1, as well as haproxy and haproxy-devel packages.

Steps to reproduce:
  1. Start with a default configuration of haproxy-devel
  2. Click Add to create a front end; give it a name.
  3. Click the arrow to add an action; leave everything else as is.
  4. Click Save.
  5. Edit the new frontend and duplicate the action entry until there's a total of 121, then click save.
  6. Edit the new frontend and create 1 duplicate action entry and click save.
  7. Error appears.

Files

error-backend.png (18.1 KB): error on backend page. Marcos Mendoza, 09/29/2020 11:01 AM
error-frontend.png (15.4 KB): error on frontend page. Marcos Mendoza, 09/29/2020 11:01 AM
success [20-09-29 09-10-07].har (1.35 MB): http archive from browser on successful save. Marcos Mendoza, 09/29/2020 11:03 AM
fail [20-09-29 09-10-35].har (2.35 MB): http archive from browser on failed save. Marcos Mendoza, 09/29/2020 11:03 AM
Actions #2

Updated by Marcos Mendoza 12 months ago

Making the following change then restarting php-fpm and webConfigurator (option 16 & 11 in console) resolved the issue:

In the file:

/etc/rc.php_ini_setup

Change:
max_input_vars = 5000

to:
max_input_vars = 50000

Actions #3

Updated by Jim Pingle 12 months ago

The input variable change is an OK workaround (I'm not sure why it's at 5000) but also the form code should probably be improved so that it only submits relevant variables. Somehow I doubt it should be submitting 5000 variables for only <= 300 entries.

This happened to ACME a while back, the same fix may apply here:

https://github.com/pfsense/FreeBSD-ports/commit/1b65abcd8cebda591eebe55aa7f77cef111e5685

Actions #4

Updated by Marcos Mendoza 12 months ago

I looked for existing CVEs around increasing the limit, but did not find any issues with it. I would agree however that increasing the limit is not ideal and a more efficient form submission method should be implemented.

Actions #5

Updated by Marcos Mendoza 4 months ago

Error still present on 21.02.2 using haproxy-devel.

Tested on 21.09.a.20210517.0100 and the issue persists, but PHP crashes instead and the user receives a "CSRF check failed" error:

Crash report begins.  Anonymous machine information:

amd64
12.2-STABLE
FreeBSD 12.2-STABLE plus-devel-12-n202543-5c42cd642845 pfSense

Crash report details:

PHP Errors:
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  Unknown: Input variables exceeded 5000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  Cannot modify header information - headers already sent in /usr/local/www/guiconfig.inc on line 30
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  session_start(): Cannot start session when headers already sent in /etc/inc/phpsessionmanager.inc on line 41
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  Cannot modify header information - headers already sent in /usr/local/www/csrf_error.php on line 22
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  session_start(): Cannot start session when headers already sent in /etc/inc/phpsessionmanager.inc on line 41
[18-May-2021 18:33:39 Etc/UTC] PHP Warning:  Cannot modify header information - headers already sent in /usr/local/www/csrf/csrf-magic.php on line 234

No FreeBSD crash data found.
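
Added example (not part of the ticket and not pfSense code): a small Python audit that counts the name=value pairs in an urlencoded POST body against max_input_vars and lists the pairs that fall past the limit, plus a per-column count to show which repeated row fields inflate the total. It assumes PHP keeps the first max_input_vars pairs and discards the rest, which matches the "Input variables exceeded 5000" warning above; the field names and per-row counts in the sample are constructed and hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode

PHP_MAX_INPUT_VARS = 5000  # value the ticket quotes from /etc/rc.php_ini_setup


def audit_post_body(body, limit=PHP_MAX_INPUT_VARS):
    """Count name=value pairs in an urlencoded POST body against the limit."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    # Collapse the trailing row index so every row of one column is counted together.
    per_column = Counter(re.sub(r"_\d+$", "_N", n) for n in names)
    return {
        "total": len(names),
        "over_limit": len(names) > limit,
        "dropped": names[limit:],  # pairs PHP never hands to the page (assumption above)
        "per_column": per_column,
    }


def build_sample_body(rows, fields_per_row=17, fixed_fields=40):
    """Constructed form: fixed fields, then one block per row, then a trailing field.

    Field names and counts are hypothetical, chosen so the sample crosses 5000
    at 292 rows; they are not the HAProxy package's real form layout.
    """
    pairs = [(f"general_{i}", "x") for i in range(fixed_fields - 1)]
    for row in range(rows):
        pairs += [(f"server_col{col}_{row}", "") for col in range(fields_per_row)]
    pairs.append(("client_timeout", "30000"))
    return urlencode(pairs)


if __name__ == "__main__":
    for rows in (291, 292):
        report = audit_post_body(build_sample_body(rows))
        print(rows, "rows:", report["total"], "vars, over limit:", report["over_limit"])
        print("  dropped:", report["dropped"])
        print("  widest columns:", report["per_column"].most_common(2))
```

To audit a real submission, pass the request's postData.text from a browser HAR export to audit_post_body instead of the constructed body.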
