On 4/16/2018 9:15 AM, Lukas Tribus wrote:
> Hello Shawn,
>
> please keep the mailing-list in the loop.

Sorry about that.  Looks like the haproxy list doesn't set a reply-to header sending replies to the list.  Most mailing lists I have dealt with do this, so just hitting "reply" does the right thing.  I sometimes forget to do the "reply list" option.

> I don't follow? Why is using a restricted admin socket a security issue?

> You are already exposing the admin socket locally in your
> configuration on line 16:
> stats socket /etc/haproxy/stats.socket level admin

> My suggestion was to use that admin interface to send the "set server" command.

I enabled the admin socket so that I could renew OCSP stapling. As far as I understand, it can only be used on the load balancer machine itself, and I think this is the only way to renew stapling other than restarting the program, which isn't something I want to do.

As for the possible security issue: If somebody were to compromise the back end server and the back end server had knowledge about the load balancer, then the attacker might have enough information to fiddle with the load balancer for *other* things the load balancer is handling that are more sensitive.

> I think your original issue may be due to the "retries 1"
> configuration you have in there. I would recommend removing that.

The documentation for 1.5 says the default value for retries is 3.  Wouldn't removing it make whatever problems a retry causes *worse*?  If retries are bad, then perhaps I should set it to 0.  I have no recollection about why I have this setting in the config.  The default/global settings were created years ago and don't change much.

Thanks,
Shawn
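The "set server" suggestion above, and the concern about a compromised back end having more reach into the load balancer than it needs, can be combined: the back end never gets the raw socket, only a wrapper that forwards a single allowlisted state change. This is an added example, not code from either poster or from HAProxy; the backend and server names are placeholders, the "set server <backend>/<server> state maint|ready" syntax is assumed from HAProxy 1.6+, and the socket responder is a constructed stand-in so the script runs offline.

```python
import os
import socket
import tempfile
import threading

# Assumed: the stats socket from the quoted config and the one backend this
# wrapper may touch. Placeholder names, not taken from the thread.
SOCKET_PATH = "/etc/haproxy/stats.socket"
ALLOWED = {"web_backend": {"web1", "web2"}}

def haproxy_cmd(cmd, path=SOCKET_PATH, timeout=2.0):
    """Send one command line to the stats socket and return the full reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(cmd.encode() + b"\n")
        chunks = []
        while data := s.recv(4096):   # HAProxy closes after answering
            chunks.append(data)
    return b"".join(chunks).decode()

def set_server_state(backend, server, state, path=SOCKET_PATH):
    """Refuse anything but maint/ready on an allowlisted backend/server
    before a socket is ever opened; the caller never sees the raw CLI."""
    if state not in ("maint", "ready"):
        raise ValueError("state must be maint or ready")
    if server not in ALLOWED.get(backend, ()):
        raise PermissionError(f"{backend}/{server} not in allowlist")
    # Assumed 1.6+ syntax; HAProxy answers an empty line on success.
    return haproxy_cmd(f"set server {backend}/{server} state {state}", path)

def fake_haproxy(path, replies):
    """Constructed stand-in for the stats socket: records the command it
    receives and answers from `replies`, then closes like HAProxy does."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    received = []
    def serve():
        conn, _ = srv.accept()
        with conn:
            line = conn.recv(4096).decode().strip()
            received.append(line)
            conn.sendall(replies.get(line, "Unknown command.\n").encode())
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return received

def demo():
    path = os.path.join(tempfile.mkdtemp(), "stats.socket")
    seen = fake_haproxy(path, {"set server web_backend/web1 state maint": "\n"})
    reply = set_server_state("web_backend", "web1", "maint", path)
    try:
        set_server_state("other_backend", "db1", "maint", path)
        refused = False
    except PermissionError:
        refused = True
    return seen[0], reply.strip(), refused
```

Run against the real socket by dropping the `path` argument; the allowlist is what keeps a compromised back end from reaching the rest of the CLI.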