Segmentation fault when running config check

Hi,

When attempting to check the configuration of a file, I get a segmentation fault.

/ # haproxy -c -f haproxy.cfg
[WARNING] 162/142118 (8736) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Configuration file is valid
Segmentation fault (core dumped)
/ # haproxy -v
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Has anyone seen this before? It makes it impossible to check the config before reloading haproxy. I can’t find an issue tracker for HAproxy, so i don’t know if this is a known issue.

HAproxy is running inside a Docker container.

It seems I’m not permitted to attach text files, so I’m afraid I’ll paste the config here instead:

global
  log local-traffic-logger len 65535 local0
  log local-traffic-logger len 65535 local1 notice
  log-send-hostname
  maxconn 4096
  pidfile /var/run/haproxy.pid
  user haproxy
  group haproxy
  daemon
  stats socket /var/run/haproxy.stats level admin
  ssl-default-bind-options no-sslv3
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA
defaults
  balance roundrobin
  log global
  mode http
  option redispatch
  option httplog
  option dontlognull
  option forwardfor
  timeout connect 5s
  timeout client 50s
  timeout server 50s
  timeout http-keep-alive 5s
  log-format "{\"timestamp\":\"%Ts\",\"backend\":\"%b\",\"bytes\":\"%B\",\"clientip\":\"%ci\",\"duration\":\"%Tt\",\"encoding\":\"json\",\"host\":\"%s\",\"method\":\"%HM\",\"query\":\"%HQ\",\"sls_service_level\":\"${SERVICE_LEVEL}\",\"sls_tag_0\":\"webfarm\",\"sls_tag_1\":\"front-end\",\"sls_tag_2\":\"haproxy\",\"sls_type\":\"apache_access\",\"sslcipher\":\"%sslc\",\"sslversion\":\"%sslv\",\"status\":\"%ST\",\"urlpath\":\"%HP\",\"urlquery\":\"%HQ\",\"useragent\":\"%hr\",\"webapp\":\"%b\"}"
listen stats
  bind :1936 ssl crt /run/secrets/cert0.pem
  mode http
  stats enable
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  stats hide-version
  stats realm Haproxy\ Statistics
  stats uri /
  stats auth stats:Hope&Anchor
frontend port_443
  bind :443 ssl crt /run/secrets/
  reqadd X-Forwarded-Proto:\ https
  maxconn 4096
  capture request header Host len 50
  capture request header User-Agent len 100
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl host_rule_2 hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk$
  acl host_rule_2_port hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_neptune-logs if host_rule_2 or host_rule_2_port
  acl host_rule_4 hdr(host) -i finance-security.neptune-preprod.foo.ac.uk
  acl host_rule_4_port hdr(host) -i finance-security.neptune-preprod.foo.ac.uk:443
  use_backend SERVICE_webapps_finance-security if host_rule_4 or host_rule_4_port
  acl host_rule_6 hdr(host) -i finance-security.neptune-preprod.footol.ac.uk
  acl host_rule_6_port hdr(host) -i finance-security.neptune-preprod.footol.ac.uk:443
  use_backend SERVICE_webapps_finance-security if host_rule_6 or host_rule_6_port
  acl host_rule_8 hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk$
  acl host_rule_8_port hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_parking-permit-service if host_rule_8 or host_rule_8_port
  acl host_rule_10 hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk
  acl host_rule_10_port hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk:443
  use_backend SERVICE_webapps_interface-catalogue if host_rule_10 or host_rule_10_port
  acl host_rule_12 hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk
  acl host_rule_12_port hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk:443
  use_backend SERVICE_webapps_interface-catalogue if host_rule_12 or host_rule_12_port
  acl host_rule_14 hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk$
  acl host_rule_14_port hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_azure-testing-webapp if host_rule_14 or host_rule_14_port
  acl host_rule_16 hdr_reg(host) -i ^.*$
  acl host_rule_16_port hdr_reg(host) -i ^.*:443$
  use_backend SERVICE_webapps_out-of-service if host_rule_16 or host_rule_16_port
frontend port_80
  bind :80
  reqadd X-Forwarded-Proto:\ http
  maxconn 4096
  capture request header Host len 50
  capture request header User-Agent len 100
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl host_rule_1 hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk$
  acl host_rule_1_port hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_neptune-logs if host_rule_1 or host_rule_1_port
  acl host_rule_3 hdr(host) -i finance-security.neptune-preprod.foo.ac.uk
  acl host_rule_3_port hdr(host) -i finance-security.neptune-preprod.foo.ac.uk:80
  use_backend SERVICE_webapps_finance-security if host_rule_3 or host_rule_3_port
  acl host_rule_5 hdr(host) -i finance-security.neptune-preprod.footol.ac.uk
  acl host_rule_5_port hdr(host) -i finance-security.neptune-preprod.footol.ac.uk:80
  use_backend SERVICE_webapps_finance-security if host_rule_5 or host_rule_5_port
  acl host_rule_7 hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk$
  acl host_rule_7_port hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_parking-permit-service if host_rule_7 or host_rule_7_port
  acl host_rule_9 hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk
  acl host_rule_9_port hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk:80
  use_backend SERVICE_webapps_interface-catalogue if host_rule_9 or host_rule_9_port
  acl host_rule_11 hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk
  acl host_rule_11_port hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk:80
  use_backend SERVICE_webapps_interface-catalogue if host_rule_11 or host_rule_11_port
  acl host_rule_13 hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk$
  acl host_rule_13_port hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_azure-testing-webapp if host_rule_13 or host_rule_13_port
  acl host_rule_15 hdr_reg(host) -i ^.*$
  acl host_rule_15_port hdr_reg(host) -i ^.*:80$
  use_backend SERVICE_webapps_out-of-service if host_rule_15 or host_rule_15_port
backend SERVICE_webapps_out-of-service
  server webapps_out-of-service.1.mksakhmcijo97a39oiye6uaf5 10.0.0.5:8080 check inter 2000 rise 2 fall 3
backend SERVICE_webapps_parking-permit-service
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_parking-permit-service.1.hxpwjz49oyvy4g6dhyj63q3wu 10.0.0.24:8080 cookie webapps_parking-permit-service.1.hxpwjz49oyvy4g6dhyj63q3wu check inter 2000 rise 2 fall 3
backend default_service
backend SERVICE_webapps_neptune-logs
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_neptune-logs.1.5ywkz8y3ymu9yyay5bdj6gril 10.0.0.15:8080 cookie webapps_neptune-logs.1.5ywkz8y3ymu9yyay5bdj6gril check inter 2000 rise 2 fall 3
backend SERVICE_webapps_interface-catalogue
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /InterfaceCatalogue/healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_interface-catalogue.1.0fas2vgvbd2y3t8p66ebsu7dh 10.0.0.23:8080 cookie webapps_interface-catalogue.1.0fas2vgvbd2y3t8p66ebsu7dh check inter 2000 rise 2 fall 3
backend SERVICE_webapps_azure-testing-webapp
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_azure-testing-webapp.1.2y8wh5yaw3rds58pes9x5l16o 10.0.0.19:8080 cookie webapps_azure-testing-webapp.1.2y8wh5yaw3rds58pes9x5l16o check inter 2000 rise 2 fall 3
backend SERVICE_webapps_finance-security
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /Depts/Finance/secure/applications/security/healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_finance-security.1.21a0x3fwsu9jv1o4okf956f72 10.0.0.10:8080 cookie webapps_finance-security.1.21a0x3fwsu9jv1o4okf956f72 check inter 2000 rise 2 fall 3/

thanks,
Mark

Here is a shorter config that also segfaults:

/ # haproxy  -c -f haproxy.cfg
[WARNING] 162/152958 (506) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Configuration file is valid
Segmentation fault (core dumped)
/ # cat haproxy.cfg
    global
      pidfile /var/run/haproxy.pid
      ssl-default-bind-options no-sslv3
    defaults
      log global
      mode http
      timeout connect 5s
      timeout client 50s
      timeout server 50s
      timeout http-keep-alive 5s
    frontend port_443
      bind :443 ssl crt /run/secrets/
      reqadd X-Forwarded-Proto:\ https
    frontend port_80
      bind :80
      reqadd X-Forwarded-Proto:\ http

Yes, this was fixed shortly after the v1.6.6 release in commit 2706accd32 (“Revert “BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()””):

http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=2706accd32d05b6be21ae134706aae5468a2bf5d

Any release newer than v1.6.6 will have this bug fixed already.

FYI v1.6.6 contains 98 known bugs:
http://www.haproxy.org/bugs/bugs-1.6.6.html