From scan-admin at coverity.com Mon Feb 6 08:13:42 2023
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Mon, 06 Feb 2023 08:13:42 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for varnish
Message-ID: <63e0b6b650d08_1166982af236de599c33522@prd-scan-dashboard-0.mail>

Your request for analysis of varnish has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrJbcjUxJo9eCHXi2QbgV6mmItSKtPrD4wtuBl7WlE3MQ-3D-3DhmDe_WyTzqwss9kUEGhvWd0SG502mTu1yasCtuh9h-2FD3Je4-2FeW-2BE3dMPm9mNzne4Dt03C59kSWfq7sdmSjehtHOdIB1CW5LTUmHK6C1JAFjjvguy6Hx22XCQ18kyJxXbxVi-2BayDyOhoG4dfkiH0vWqiEmQhJPfXghaTXkPo8-2FWDI34SIqQuPR9qUBTxz57-2B0tRaeagJabZXn1j735BB5l3BDSjbgXgI-2FDZBaPcppsoy3BzJs-3D

Build ID: 511621

Analysis Summary:
   New defects found: 0
   Defects eliminated: 1

From scan-admin at coverity.com Mon Feb 13 08:26:53 2023
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Mon, 13 Feb 2023 08:26:53 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for varnish
Message-ID: <63e9f44d48f74_184a692af236de599c335d2@prd-scan-dashboard-0.mail>

Your request for analysis of varnish has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrJbcjUxJo9eCHXi2QbgV6mmItSKtPrD4wtuBl7WlE3MQ-3D-3DRo19_WyTzqwss9kUEGhvWd0SG502mTu1yasCtuh9h-2FD3Je49QgWqQpaqgY4CH4H41tELb1jQja6OlGGbpAqZ2f7b2wBl8B7Mnr9sz-2F4ywIvIFVjumbq0S8KvkXI9HHC-2BlqndaAiVetGe4-2BIf6nOFnmh3OnrOX4cs39lT7yhWzbTIWGgDZ49Kv8Kxu61a9CSt8imvOpKjyk-2FXPCWegIxq7A1y-2FnRLx-2BoLtLg7mMA6KON08HuA-3D

Build ID: 512930

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0

From nils.goroll at uplex.de Mon Feb 13 14:25:57 2023
From: nils.goroll at uplex.de (Nils Goroll)
Date: Mon, 13 Feb 2023 15:25:57 +0100
Subject: vdd 2023q1 notes
Message-ID:

Here's the decentralized backup of our etherpad at
https://etherpad.wikimedia.org/p/VDD2023q1

Dridi has also created a nicely formatted backup at
https://github.com/varnishcache/varnish-cache/wiki/VDD23Q1

VDD 2023q1

https://etherpad.wikimedia.org/p/VDD2023q1

IRC: #vdd on irc.linpro.no

TOPICS?

happy varnish day evening programme? Feb 7 in town

revisit last year's notes
https://etherpad.wikimedia.org/p/VDD2022q2_topics_suggestions

vdd2022q2 #1 varnishlog scalability
===================================

- dridi talks about progress on #1 logging
- keep shared memory, but add option to block varnishd
- different vsm layout for improved concurrency, more page based
- -d option would still be kept, idea of running queries in varnishd is not on the table any more at this time
- discussion about the nature of the problem
- phk mentions old idea about split log (complete/incomplete tx)
- phk idea to suppress transactions from VCL
- phk idea to use log files only once, open a new one once full
- phk idea keep req grouping in varnishd (into dynamic memory), flush only once per top level request.
- dridi presents vsl scrubbing idea
- replace log entries or fields with Xes
- discussion about oob info from length
- should redaction be a single fixed token or original length?
tasks
- VIP for scrubbing (dridi)
- VIP batching on toplevel req in varnishd (PHK)

vdd2022q2 #3 Varnish Association
================================

- reiterated over status quo

vdd2022q2 #4 TLS
================

- no progress
- discussion again about the future life of vtest: binary dependency vs. source dependency vs. submodule
- VS has green light to contribute TLS support
- slink has talked to CF guys at H3 workshop, no known show stoppers
- h2o also has keyless "neverbleed" https://github.com/h2o/neverbleed MIT licensed
- should be one or several VEXTs (openssl, libressl, ...)
- TODO:
  - vtest
  - VIP the backend interface
  - backend definition like vmod function for vext

    backend newstuff {
        .options = {
            .foo = 123;
        }
    }

    options get passed as string at init time

vdd2022q2 #5 H3
===============

- asad: still working on it with msquic
- also researching alternatives
- haproxy also needs patched openssl

Tenants and VCL files
=====================

- hermunn/dridi: want to add a parameter to vcl.load as the base path for includes with fall back on global vcl_path, ban absolute includes from vcl

vdd2022q2 #6 Extensions
=======================

- do we want extension arguments?
- env vars working fine for now

BANs and persistent storages
============================

- loading old storage requires a control system
- control system can assign the "ban id" (current vtim_real)
- CLI command to return min(max(silo(ban_id))) (or per silo max(silo(ban_id))) ?
- feature flag to deny bans from vcl
- multi tenancy support

General idea to ponder: proper VCL "jails" for multi-tenancy

Direction of VCL?
=================

- local, task scoped variables/objects
- vcl functions
- bump vcl version every time? -> NO
- new include version check?
- "umbrella" vcl x.y requires x.Y with Y <= y

for (x in vmod.bla(...)) {
}

- foreach (key[, val[, idx]]) in vmod.something(arguments) {
      key type is defined by vmod.something iterator
      val type is defined by vmod.something iterator
      idx is integer
  }
- foreach x in vmod.something(arguments) {
      x type is defined by vmod.something iterator
      can have x.key x.index, x.whatever
  }

# built-in structured fields knowledge?

foreach bla in req.http {
    // bla has type "http_header" what members does `bla` have ?
    // "literal, string, iterable".fields possible too
    if (bla.name == "something") {
        for fld in bla.val.fields {    // comma, fld has type sf-element (?)
            for x in fld.attr {        // semi-colon, x has type sf-attr (?)
                x.key
                x.val
            }
        }
    }
}

jobj = vmod_json(input)
for x in jobj.somthing_i_really_want(dont_fail_hard=True) {
}
if (jobj.failed) {
}

foreach bla in req.http {
    if (bla.name ~ "(?i)cache-control") {
        foreach directive in std.split(bla.val, ", ") {
            ...
        }
    }
}

=> Everyone should re-write their complex vcl how they would want it to look

Fastly-Syntax for SF

resp.http.Cache-Control["max-age"] = 2h;

function foo(myvmod.mytype x) {
}

What about:

for (x in myvmod.bla()) {
    foo(x);
}

Also, what if the above is in foo()?
Answer: Maybe we will allow recursive functions, maybe not

# foo takes type returned by vmod?

compliance
==========

Dridi gives a very short talk about a minor change. He will share his 49 page presentation later.
https://github.com/varnishcache/varnish-cache/files/10707808/vdd23q1-compliance-stuff.pdf

==== DAY2 ====

VCL SYNTAX DISCUSSION AROUND FIELD ACCESS
=========================================

if (req.http.Cache-Control[private]) => true if private present
if (req.http.Cache-Control[private] is none) => true if private has no value
if (req.http.Cache-Control[private] == "public") => true if value of private folds to string "public"

if (req.http.Cache-Control has private)

if (req.http.Cache-Control[private] is flag) => true if private is present
if (req.http.Cache-Control[private] is not bool) => true if private= is present
if ("private=4"[private] is string) => false
if ("private=*true"[private] is not bool) => false
if ("private"[private]) => bool (true)

if (exists(req.http.Cache-Control[private]))
if (nonzero(req.http.Cache-Control[private]))

if (req.http.Cache-Control[private])
if (req.http.Cache-Control[private].exists)
if (req.http.Cache-Control[private].val)
if (req.http.Cache-Control[private].type)

"private"    => True, None, Bool
"private="   => True, "", String
"private=X"  => True, "X", String
"private=43" => True, 43, Number
""           => False, None, None

if (req.http.Cache-Control[private]) {
    //exist
    if (req.http.Cache-Control[private].value) {
        //exist && has value
    }
}

==> PHK to write up a strawman

Specifically on issue 3844:

* HEADER == STRING should be equivalent to STRING == HEADER (it is)
* implicit HEADER to BOOL conversion conveys existence (it does)

---
varnishtest cmp

varnish v1 -vcl {
    backend be none;

    sub vcl_recv {
        return (synth(200));
    }

    sub vcl_synth {
        set resp.http.nohdr-eq-empty = req.http.nohdr == "";
        set resp.http.empty-eq-nohdr = "" == req.http.nohdr;
    }
} -start

client c1 {
    txreq
    rxresp
    expect resp.http.nohdr-eq-empty == true
    expect resp.http.empty-eq-nohdr == true
} -start
---

BUGWASH & NEXT VDD
==================

Does it work as is?
- basically yes
- but we want to set up IRC & web bridge with simple basic auth
- should keep logs

@slink to ping @theis about VUG

VUG needs to be a varnish-cache (!) thing
find a sponsor for a venue
VS, UPLEX, fastly, whoever, are welcome as sponsors
10 days after release
idea: 26./27. september

VDD: combine with VUG

sub vcl_connect / vcl_accept / vcl_client_hello
================================================

sub vcl_init {
    mytls = new newtls();
    mytls.load("/etc/tls/.....pem");
    mytls.load("/etc/tls/.....pem");
}

sub vcl_client_hello {
    mytls.dynload(tls.sni, ttl=10m);    # Dynamically load cert?
    if (tls.sni == "legacysite.asas") {
        set tls.ciphers = "ssl, tlsv3";
        tls.hint = mytls;
    }
    set tls.ciphers = "sslv1, tlsv3";
    set tls.alpn = "h1,h2,h3=....";
    tls.hint = fallback;
    return(OK);
}

also: vcl_h[23]_settings, proxy2_tlv

----------------------

VEXT client_ssl has vmod tls

sub vcl_init {
    new something = tls.init(...)
    something.callback(myfunc)
}

func myfunc(tls.type: arg) {
    arg.crytomumblemumble = "bla";
    return(tls.OK)
}

-----------------------

sub vcl_accept {
    // Probably not needed.
    if (...) {
        filter.use();
    }
}

modifying the response body (thi.js)
================================

sub vcl_backend_response {
    set beresp.filter_list += "gunzip vmodfoo.spot_foo";
}

sub vcl_backend_body_is_here {
    if (vmodfoo.did_you_see_foo) {
        if (! beresp.body.try_filter({"regsuball(...) gzip"})) {
            return (deliver);    # keep the "source" object
        }
        beresp.body.filter("...");
    }
    // trailers goes here
}

h2/h3 on the backend, for backend not understanding h1.
=======================================================

we can have h2 in-core, but vext is maybe also viable option.
AGENDA DAY2
===========

h3

add vext_path -> probably just PR it

--

** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32
22301 Hamburg

tel +49 40 28805731
mob +49 170 2723133
fax +49 40 42949753

xmpp://slink at jabber.int.uplex.de/

http://uplex.de/

From scan-admin at coverity.com Mon Feb 20 08:15:54 2023
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Mon, 20 Feb 2023 08:15:54 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for varnish
Message-ID: <63f32c3a453a9_1abe92ac9c4a1f9b044b6@prd-scan-dashboard-0.mail>

Your request for analysis of varnish has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrJbcjUxJo9eCHXi2QbgV6mmItSKtPrD4wtuBl7WlE3MQ-3D-3DDA5m_WyTzqwss9kUEGhvWd0SG502mTu1yasCtuh9h-2FD3Je49-2F1qgyz73j-2B1ZnMgncK6kKnWYGjzqWar-2B8LcHy-2BfWv2SfbzZZK7pX0u20kBIpyTG6ltBRXT-2FCSNYBhvevil4xTNMgDrYDVOGbJXxKql6Aq00aplTexNUwniYwhjXc0lc-2B4uDLlCpO6cweT9iYlOsfAQ9QZAOwKRPK1IrOo7hMbo-2F-2FXHX2kd7XPctyENe3Evxs-3D

Build ID: 514380

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0

From scan-admin at coverity.com Mon Feb 27 08:51:34 2023
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Mon, 27 Feb 2023 08:51:34 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for varnish
Message-ID: <63fc6f15ab3f1_8a2dc2ac9c4a1f9b044ea@prd-scan-dashboard-0.mail>

Your request for analysis of varnish has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrJbcjUxJo9eCHXi2QbgV6mmItSKtPrD4wtuBl7WlE3MQ-3D-3DKr6g_WyTzqwss9kUEGhvWd0SG502mTu1yasCtuh9h-2FD3Je4-2BUf3BYZaLScgXXERmxtf7GfbJ7CiUeC9osRIQvN-2F4jjCmPt8jssRDzzfg17oRvxaJqkQE1ZZQhCWQyPJEKT-2FQUFoMp7eJDWAavtLkH3O-2FohqAnU1Qti2BMPxapu-2Bkt2zayssbIWLrWMEZ83OeVxbtjGjXYAxRQTs4dtjZE4hAFtTwIbkaWeoD-2F9aVraTMY55M-3D

Build ID: 515818

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0
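
The exists / val / type table from the field-access discussion in the VDD 2023q1 notes above, worked through in C as an added example. It is not code from the notes or from varnish-cache; `field_lookup`, `struct field` and the `T_*` names are hypothetical. It assumes a plain comma-separated header value, with no handling of quoted strings that contain commas.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum ftype { T_NONE, T_BOOL, T_STRING, T_NUMBER };      /* .type */
struct field { int exists; enum ftype type; long num; char val[64]; };

/* Look up directive `name` in a comma-separated header value (hypothetical helper). */
static struct field field_lookup(const char *hdr, const char *name)
{
    struct field f = { 0, T_NONE, 0, "" };           /* the "" row: absent */
    size_t nlen = strlen(name);
    for (const char *p = hdr; *p != '\0'; ) {
        const char *start = p + strspn(p, " \t,");   /* skip separators */
        size_t len = strcspn(start, ",");            /* one list member */
        const char *end = start + len;
        p = end;
        if (len < nlen || strncasecmp(start, name, nlen) != 0)
            continue;
        const char *q = start + nlen;
        while (end > q && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                                   /* trim trailing blanks */
        if (q != end && *q != '=')
            continue;                /* name was only a prefix of this member */
        f.exists = 1;
        f.type = T_BOOL;
        if (q == end) return f;                      /* bare "private" */
        q++;                                         /* step over '=' */
        size_t vlen = (size_t)(end - q);
        if (vlen >= sizeof f.val) vlen = sizeof f.val - 1;
        memcpy(f.val, q, vlen);      /* f.val is zero-filled: stays terminated */
        char *e;
        f.num = strtol(f.val, &e, 10);
        f.type = (vlen > 0 && *e == '\0') ? T_NUMBER : T_STRING;
        return f;
    }
    return f;
}

int main(void)
{
    /* constructed inputs: the five rows of the table in the notes */
    const char *rows[] = { "private", "private=", "private=X", "private=43", "" };
    for (int i = 0; i < 5; i++) {
        struct field f = field_lookup(rows[i], "private");
        printf("\"%s\" => %d, \"%s\", %d\n", rows[i], f.exists, f.val, (int)f.type);
    }
    return 0;
}
```

The empty-value row (`private=`) comes out as a String with an empty value, distinct from the bare flag, which is the distinction the `is none` / `is flag` variants in the notes turn on.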