Security Software Management

2015-07-15 Thread Vivian Fernandes
Dear Sir or Madam, 

I was going through your website and understood that you specialize in
Security Software Services. I am really interested in your products; I have a
client list and they are looking for Cyber Security Software and similar
kinds of software.

Security Software Users:

- IBM Websense Users
- Alien Vault Users
- Sophos Users
- AVG Users
- Trend Micro Users
- WatchGuard Users
- RSA Users
- Palo Alto Networks Users
- Cisco Systems Users
- Tanium Users
- Symantec Users
- Blue Coat Systems Users


Data fields you can customize or filter the list by: Company Name, Web
Address, Contact Name, Verified Email, Job Title, Application Type, Company
Profile, Complete Mailing Address, Phone Number, FAX Number, Revenue, SIC
Code, and Industry details.

Let me know your target criteria / market:

Target Title: ___

Target Industry: ___

Target Geography: ___


We can also provide you with a Sample List to check the fields available.
Let me know if you would be interested in acquiring the above users records.


Looking forward to your response.

Thanks and Regards,

Vivian Fernandez

Marketing Manager


If you do not wish to receive further emails kindly reply with "Leave Out"


1.6-dev2 crashes with certain server hostname

2015-07-15 Thread Jan A. Bruder
Hi all,
this malloc crash occurs with, and only with, a certain hostname of one of my
backends being added to the config. See "redirector.domain.tld" in the
config below. Since this is a production server I had to mask the hostname.
As a hint: the hostname does not contain any special characters, just
alphabetic a-z characters.
Interestingly, if I change only a single letter anywhere in the hostname it
doesn't crash anymore. Neither does it crash if I use its IP instead of
the hostname. How strange is that!?
Also, I am using the same config with 1.5 stable without any problems.

The info:

===
Running Haproxy 1.6-dev2
===

root@master:/# haproxy -d -f /etc/haproxy/haproxy-test.conf
haproxy: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr)
(((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct
malloc_chunk, fd && old_size == 0) || ((unsigned long) (old_size) >=
(unsigned long)__builtin_offsetof (struct malloc_chunk,
fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) -
1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) ==
0)' failed.
Aborted (core dumped)

===
Verbose info
===
root@master:/# haproxy -vv
HA-Proxy version 1.6-dev2-ad90f0d 2015/06/17
Copyright 2000-2015 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O0
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

===
Core dump debug
===

root@master:/# gdb haproxy
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/haproxy...done.
(gdb) core-file core
[New LWP 14246]
warning: Can't read pathname for load map: Input/output error.
Core was generated by `haproxy -d -f /etc/haproxy/haproxy-test.conf'.
Program terminated with signal 6, Aborted.
#0  0x7faa0ea02165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0  0x7faa0ea02165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x7faa0ea053e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2  0x7faa0ea45dea in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#3  0x7faa0ea48d13 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#4  0x7faa0ea4aa70 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#5  0x004c3398 in pool_refill_alloc (pool=0xcc65d0, avail=2) at
src/memory.c:102
ptr = 0x0
failed = 0
#6  0x00411da5 in init_buffer () at src/buffer.c:54
buffer = 0xcc6550
#7  0x00408cb3 in init (argc=0, argv=0x7ffe8fb141f8) at
src/haproxy.c:818
arg_mode = 1
tmp = 0x0
cfg_pidfile = 0x0
err_code = 0
wl = 0x720a40
progname = 0x7ffe8fb14931 "haproxy"
change_dir = 0x0
curtime = {tm_sec = 29, tm_min = 39, tm_hour = 23, tm_mday = 15,
tm_mon = 6, tm_year = 115, tm_wday = 3, tm_yday = 195, tm_isdst = 0,
tm_gmtoff = 0, tm_zone = 0xcc57b0 "UTC"}
#8  0x0040b0e2 in main (argc=4, argv=0x7ffe8fb141d8) at
src/haproxy.c:1657
err = 0
retry = 4224192
limit = {rlim_cur = 140731309179056, rlim_max = 13339168}
errmsg =
"\260@\261\217\376\177\000\000\340\374q\000\000\000\000\000\004\000\000\000\000\000\000\000U*\245\017\252\177\000\000\020\227\313\000\000\000\000\000\000\227\313\000\000\000\000\000\350\003\000\000\000

Re: IP binding and standby health-checks

2015-07-15 Thread Nathan Williams
Hi Baptiste,

Sorry for the delayed response, had some urgent things come up that
required more immediate attention... thanks again for your continued
support.

> Why not use the PROXY protocol between HAProxy and nginx?

Sounds interesting; I'd definitely heard of it before, but hadn't looked
into it since what we've been doing has been working. My initial impression
is that it's a pretty big change from what we're currently doing (looks
like it would at least require a brief maintenance to roll out since it
requires coordinated change between client and load-balancer), but I'm not
fundamentally opposed if there's significant advantages. I'll definitely
take a look to see if it satisfies our requirements.

> I disagree, it would be only 2: the 'real' IP addresses of the
load-balancers only.

OK, fair point. Maybe it's just paranoid to think that unless we're
explicitly setting the source, we should account for *all* possible
sources. The VIP wouldn't be the default route, so we could probably get
away with ignoring it. Come to think of it... maybe having keepalived
change the default route on the primary and skipping hardcoding the source
in haproxy would address what we're aiming for? Seems worth further
investigation, as I'm not sure whether it supports this out of the box.

> Is there no 0.0.0.0 magic value or subnet value accepted in the nginx
> XFF module?

I wouldn't use 0.0.0.0 whether there is or not, as I wouldn't want it to be
that open. It might be a different case for a subnet value, if we were able
to put the load-balancer cluster in a separate subnet, but our current
situation (managed private OpenStack deployment) doesn't give us quite that
much network control. Maybe someday soon with VXLAN or another overlay (of
course, that comes with performance penalties, so maybe not).

> Then instead of using a VIP, you can book 2 IPs in your subnet that could
be used, whatever the LB is using.

Pre-allocating network IPs from the subnet that aren't permitted to be
assigned to anything other than whatever instance is currently filling the
load-balancer role would certainly work (I like this idea!); that's
actually pretty similar to what we're doing for the internal VIP currently
(the external VIP is just an OpenStack floating IP, aka a DNAT in the
underlying infrastructure), and then adding it as an allowed address for
the instance-associated network "port" instance in Neutron's
allowed-address-pairs... It'd be an extra step when creating an LB node,
but a pretty reasonable one I think, and we're already treating them
differently from "generic" instances anyway... definitely food for thought.

> HAProxy rocks !

+1 * 100. :)

> Can you start it up with strace ??

Yep! https://gist.github.com/nathwill/ea52324867072183b695

So far, I still like the "source 0.0.0.0 usesrc 10.240.36.13" solution the
best, as it seems the most direct and easily understood. Fingers crossed
the permissions issue is easily overcome.

Cheers,

Nathan W

On Tue, Jul 14, 2015 at 2:58 PM Baptiste  wrote:

> > As for details, it's advantageous for us for a couple of reasons... the
> > realip module in nginx requires that you list "trusted" hosts which are
> > permitted to set the X-Forwarded-For header before it will set the
> > "source" address in the logs to the x-forwarded-for address. As a result,
> > using anything other than the VIP means:
>
> Why not use the PROXY protocol between HAProxy and nginx?
> http://blog.haproxy.com/haproxy/proxy-protocol/
>
> So you can get rid of the X-FF header limitation in nginx. (I don't know if
> the proxy-protocol implementation in nginx suffers from the same
> limitations.)
>
> > - not using the vip means we have to trust 3 addresses instead of 1 to
> set
> > x-forwarded-for
>
> I disagree, it would be only 2: the 'real' IP addresses of the
> load-balancers only.
>
> > - we have to update the list of allowed hosts on all of our backends any
> > time we replace a load-balancer node. We're using config management, so
> it's
> > automated, but that's still more changes than should ideally be
> necessary to
> > replace a no-data node that we ideally can trash and replace at will.
>
> Is there no 0.0.0.0 magic value or subnet value accepted in the
> nginx XFF module?
> If not, it deserves a patch!
>
> > - there's a lag between the time of a change(e.g. node replacement)  and
> the
> > next converge cycle of the config mgmt on the backends, so for some
> period
> > the backend config will be out of sync, incorrectly trusting IP(s) that
> may
> > now be associated with another host, or wrongly refusing to set the
> "source"
> > ip to the x-forwarded-for address. this is problematic for us, since we
> have
> > a highly-restricted internal environment, due to our business model
> (online
> > learn-to-code school) being essentially "running untrusted code as a
> > service".
>
> Then instead of using a VIP, you can book 2 IPs in your subnet that
> could be used, whatever the LB is using.
> So you 
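As an added example, not code from the thread or from nginx, here is the trust rule that the realip discussion above turns on, written out in Python: a connection that does not come from a listed load-balancer address gets no say over the client address at all, and for one that does, X-Forwarded-For is walked from the right, skipping the proxies we trust, so an address a client forged into the header is never reached. It goes a little beyond the thread in also accepting CIDR entries (the "subnet value" Baptiste asks about); the addresses in the trust list are constructed placeholders, not the poster's.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed trust list (placeholder addresses, not the poster's): the two
# load-balancer "real" addresses plus, as the thread discusses, a whole subnet.
TRUSTED_PROXIES = ["10.240.36.13", "10.240.36.14", "10.240.37.0/24"]


def _as_ip(addr: str):
    """Return an ip_address for a well-formed literal, else None."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    """True when addr is a trusted proxy address or lies inside a trusted subnet."""
    ip = _as_ip(addr)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops (left = oldest)."""
    return [h.strip() for h in header.split(",") if h.strip()]


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Resolve the client address the way a realip-style module does.

    Only a connection arriving from a trusted proxy may carry a usable
    X-Forwarded-For.  The chain is then walked from the rightmost (most
    recently appended) hop leftwards, skipping our own proxies; the first
    address that is not a trusted proxy is the client.  Anything a client
    wrote into the header itself sits further left and is never reached.
    """
    if not xff or not is_trusted(remote_addr, trusted):
        return remote_addr            # untrusted peer: the header is ignored
    candidate = remote_addr
    for hop in reversed(parse_xff(xff)):
        if _as_ip(hop) is None:
            break                     # malformed hop: stop, keep what we have
        if is_trusted(hop, trusted):
            candidate = hop           # another of our proxies, keep walking
            continue
        return hop
    return candidate                  # every hop was one of ours
```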

Re: haproxy/hapee Transparent LB

2015-07-15 Thread Baptiste
On Tue, Jul 14, 2015 at 7:55 PM, Baptiste  wrote:
> On Tue, Jul 14, 2015 at 7:15 PM, Bearly Breathin
>  wrote:
>> I am at a bit of a loss… Last week I tried, quite unsuccessfully, to make
>> haproxy work as I understand it should after reading the docs, FAQs, and a
>> variety of other sources I found with Google. I purchased hapee last Friday
>> so that I could obtain support and hopefully stop banging my head against
>> the wall. I was given a configuration to test (Thanks, Support!), but it did
>> not work.
>>
>> What I need is to have hapee do round-robin load-balancing and source-IP
>> spoofing of syslog traffic to multiple destination hosts via TCP.
>>
>>
>> Actual Configuration:
>>
>> SourceHost-10.0.0.1---                           ---DestHost-10.1.0.1
>>                       |                          |
>> SourceHost-10.0.0.2---10.0.0.254-hapee-10.1.0.254---DestHost-10.1.0.2
>>                       |                          |
>> SourceHost-10.0.0.3---                           ---DestHost-10.1.0.3
>>
>>
>>
>> Effective Functionality:
>>
>>  ---DestHost-10.1.0.1
>>  |
>> SourceHost-10.0.0.1-- --DestHost-10.1.0.2
>>  |
>>  ---DestHost-10.1.0.3
>>
>>  ---DestHost-10.1.0.1
>>  |
>> SourceHost-10.0.0.2-- --DestHost-10.1.0.2
>>  |
>>  ---DestHost-10.1.0.3
>>
>>  ---DestHost-10.1.0.1
>>  |
>> SourceHost-10.0.0.3-- --DestHost-10.1.0.2
>>  |
>>  ---DestHost-10.1.0.3
>>
>>
>> Should this be possible with hapee/haproxy?
>>
>> Thanks!
>> BB
>>
>
> Hi,
>
> It seems you double post, here and on haproxy.com.
> I'll answer you on haproxy.com and we'll share the definitive response
> here (I need some private information which you don't want to share on
> a public mailing list) :)
>
> Baptiste


Hi all,

FYI, routing issue coupled with missing sysctls and low level ip rules
/ iptables issue.

Now it works properly!

Baptiste



Re: Rewrite cookie path & cookie domain

2015-07-15 Thread rickytato rickytato
Hi all,
I have a problem rewriting the cookie path and cookie domain in HAProxy; I have
an Nginx configuration but I want to move from Nginx to HAProxy for this proxy
pass.

This is a Nginx config I want to replace:

  location /~xxx/ {
    proxy_cookie_domain ~.* .$site.it;
    proxy_cookie_path   ~.* /~xxx/;
    proxy_set_header    Host $site.it;
    proxy_pass          http://192.168.1.2/;
  }

I need the same function as proxy_cookie_domain and proxy_cookie_path; I found
this:
http://blog.haproxy.com/2014/04/28/howto-write-apache-proxypass-rules-in-haproxy/
but it does not work for me.

Now I can change cookie path with:
  rspirep ^(Set-Cookie:.*)\ path=(.*) \1\ path=/~xxx/

I need to add the domain as well, only if it exists, but with a dynamic
hostname; I've tried with

  acl hdr_set_cookie_domain_and_path res.hdr(Set-cookie) -m sub domain= res.hdr(Set-cookie) -m sub path=
  rspirep ^(Set-Cookie:.*)\ path=(.*) \1\ path=/~xxx/;\ domain=%[hdr(Host)] if hdr_set_cookie_domain_and_path

But it does not work.


Can anyone help me?

Thanks,
rr

2015-07-14 21:34 GMT+02:00 Baptiste :

> Please repost your question. I can't see it in my mail history.
>
> Baptiste
>
> On Tue, Jul 14, 2015 at 3:33 PM, rickytato rickytato
>  wrote:
> > Can anyone help me? Should I keep using Nginx?
> >
> > 2015-07-07 10:46 GMT+02:00 rickytato rickytato <
> rickyt...@r2consulting.it>:
> >>
> >> 1.5.12
> >>
> >> 2015-07-06 17:58 GMT+02:00 Aleksandar Lazic :
> >>>
> >>> Dear rickytato rickytato.
> >>>
> >>> On 06-07-2015 15:32, rickytato rickytato wrote:
> >>>
>  Hi all,
>  I have a problem rewriting the cookie path and cookie domain in HAProxy;
> I have an
>  Nginx configuration but I want to move from Nginx to HAProxy for this
> proxy
>  pass.
> >>>
> >>>
> >>> Which Version of haproxy do you use?
> >>>
> >>> haproxy -vv ?
> >>>
> >>> Cheers Aleks
> >>
> >>
> >
>
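The rspirep rule above, replayed in Python with the same (case-insensitive) regex semantics, shows a side effect worth knowing before copying it: the replacement re-emits only group 1, so every attribute that followed the Path value, including Secure and HttpOnly, is dropped from the rewritten header. The second function is an added sketch, not HAProxy or nginx code, of what proxy_cookie_path / proxy_cookie_domain actually do: replace Path, replace Domain only when the backend set one, keep all other attributes, and accept a Host-derived domain only when it is under an allow-listed suffix (the hostnames and the allow-list are constructed).

```python
import re
from typing import Optional, Sequence

# The rspirep regex from the message as Python reads it: rspirep matches
# case-insensitively, and "\ " in the HAProxy config is just an escaped space.
RSPIREP_RE = re.compile(r"^(Set-Cookie:.*) path=(.*)", re.IGNORECASE)


def rspirep_path_as_posted(header_line: str) -> str:
    """Apply the replacement '\\1\\ path=/~xxx/' exactly as posted.

    Group 2 (everything after the path value) is never re-emitted, so any
    attribute that follows Path is silently dropped.
    """
    m = RSPIREP_RE.match(header_line)
    return header_line if m is None else m.group(1) + " path=/~xxx/"


def _host_allowed(host: str, allowed: Sequence[str]) -> bool:
    """Accept the Host value only when it is, or is under, an allowed domain."""
    h = host.split(":")[0].strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowed)


def rewrite_set_cookie(value: str, new_path: str, host: Optional[str] = None,
                       allowed_domains: Sequence[str] = ()) -> str:
    """Rewrite one Set-Cookie value the way proxy_cookie_path/_domain do.

    - Path is replaced when present; nothing is added when it is absent.
    - Domain is replaced only if the backend set one (the poster's
      requirement), and only with a Host that passes the allow-list check,
      because Host is chosen by the client.
    - Every other attribute (Secure, HttpOnly, Expires, SameSite, ...) is kept.
    """
    parts = [p.strip() for p in value.split(";")]
    out = [parts[0]]                       # the name=value pair, untouched
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, _ = attr.partition("=")
        k = key.strip().lower()
        if k == "path":
            out.append("Path=" + new_path)
        elif k == "domain" and host is not None and _host_allowed(host, allowed_domains):
            out.append("Domain=" + host.split(":")[0].strip().lower())
        else:
            out.append(attr)
    return "; ".join(out)
```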


unsubscribe

2015-07-15 Thread Jorge Severino
unsubscribe


Re: Mailer does not work

2015-07-15 Thread Jorge Severino
unsubscribe


-- 
Regards,
Jorge Severino
Personal mobile number: 08-7775834


RE: Mailer does not work

2015-07-15 Thread mlist
At the end of each SMTP session, we see a packet with the Reset + Acknowledge bits
set:

tcp.flags = RST + ACK

Roberto


-- 
This message has been scanned for viruses or
dangerous content by MailScanner, and
was found to be clean.



RE: Mailer does not work

2015-07-15 Thread mlist
We took a tcpdump. Following the TCP traffic we can see each step. Reproducing it
manually, the mail was sent. Probably the HAProxy SMTP communication has an error at
the final stage, as up to that point all goes right.

Here is the manual communication with the mail server reproducing the tcpdump SMTP
command sequence.
EHLO smtp1
250-MAIL1 Hello [192.168.1.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-XEXCH50
250 XSHADOW
MAIL FROM:
250 2.1.0 Sender OK
RCPT TO:
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with .
From: loadbha1@domain
To: alerts@domain
Date: Wed, 15 Jul 2015 12:50:48 +0200 (CEST)
Subject: [HAproxy Alert] Server /webhost1 is DOWN, reason: Layer4 
timeout, check duration: 5002ms. 1 active and 0 backup servers left. 0 sessions 
active, 0 requeued, 0 remaining in queue

Server /webhost1 is DOWN, reason: Layer4 timeout, check duration: 
5002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 
remaining in queue
.
250 2.6.0 <7c4f8f74-8d6b-446e-a504-e7a45fc58baf@MAIL> [InternalId=293812] 
Queued mail for delivery

Entering all these commands manually, we correctly receive the email.


Dr. Roberto Cazzato
ICT and Security Division
Senior IT Designer
gsm +39 348 22 00 850

A.P. SYSTEMS s.r.l.
20013 Magenta (Milano)
Via Milano 89/91 (ang.Via Cimarosa) Italia - www.apsystems.it
tel. +39 02 97226.1 - fax 02 97226.339


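An added helper, not part of the thread or of HAProxy, that replays a captured SMTP exchange like the one above through the SMTP state machine and reports how far it got. The transcript is reconstructed from the message (addresses taken from the mail headers, body shortened) and, like the capture, stops after the 250 "Queued" reply with no QUIT, which is what an RST+ACK teardown leaves behind on the wire.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

FINAL_OR_CONT = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed transcript reproducing the session quoted above.  The archive
# stripped the angle-bracketed addresses, so they are taken from the mail
# headers, and the body is shortened.  It ends right after the "250 ... Queued"
# reply with no QUIT, as in the capture.
TRANSCRIPT_NO_QUIT = """EHLO smtp1
250-MAIL1 Hello [192.168.1.x]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-XEXCH50
250 XSHADOW
MAIL FROM:<loadbha1@domain>
250 2.1.0 Sender OK
RCPT TO:<alerts@domain>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
From: loadbha1@domain
To: alerts@domain
Subject: [HAproxy Alert] Server /webhost1 is DOWN

Server /webhost1 is DOWN, reason: Layer4 timeout
.
250 2.6.0 <id@MAIL> [InternalId=293812] Queued mail for delivery
"""

# The same session finished properly (constructed continuation).
TRANSCRIPT_CLEAN = TRANSCRIPT_NO_QUIT + "QUIT\n221 2.0.0 Service closing transmission channel\n"

# Reply code each client command needs, and the stage reached when it arrives.
EXPECTED = {"EHLO": ("250", "greeted"), "HELO": ("250", "greeted"),
            "MAIL": ("250", "sender"),   "RCPT": ("250", "recipient"),
            "DATA": ("354", "data"),     "DATA_END": ("250", "queued"),
            "QUIT": ("221", "quit")}


@dataclass
class SmtpSession:
    stage: str = "connected"
    queued: bool = False          # server accepted the message
    closed_cleanly: bool = False  # QUIT answered with 221
    errors: List[str] = field(default_factory=list)


def analyse_transcript(text: str) -> SmtpSession:
    """Replay a client/server transcript through the SMTP state machine."""
    s = SmtpSession()
    pending: Optional[str] = None   # client command awaiting its final reply
    in_data = False
    for line in text.splitlines():
        line = line.rstrip("\r")
        if in_data:                 # message body runs until the lone "."
            if line == ".":
                in_data = False
                pending = "DATA_END"
            continue
        if not line.strip():
            continue
        m = FINAL_OR_CONT.match(line)
        if m:
            code, sep, _ = m.groups()
            if sep == "-":          # continuation line of a multi-line reply
                continue
            if pending is None:
                if code != "220":   # 220 is the banner; anything else is stray
                    s.errors.append("unexpected reply: " + line)
                continue
            want, stage = EXPECTED.get(pending, (None, None))
            if code == want:
                s.stage = stage
                in_data = pending == "DATA"
                s.queued = s.queued or pending == "DATA_END"
                s.closed_cleanly = s.closed_cleanly or pending == "QUIT"
            else:
                s.errors.append("%s got %s: %s" % (pending, code, line))
            pending = None
            continue
        pending = line.split(":")[0].split(" ")[0].upper()   # client verb
    if pending is not None:
        s.errors.append("no reply received for " + pending)
    return s


def diagnose(s: SmtpSession) -> str:
    """One-line verdict: was the mail queued, and was the session closed properly?"""
    if s.errors:
        return "failed: " + "; ".join(s.errors)
    if s.queued and s.closed_cleanly:
        return "delivered and closed cleanly"
    if s.queued:
        return "queued, but the session ended without QUIT/221 (abrupt close)"
    return "stopped at stage '%s' before the message was accepted" % s.stage
```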



RE: Load Balancing the Load Balancer

2015-07-15 Thread mlist
>> Hi, 
>> we see there is a new feature of HAProxy, peers and a shared table 
>> (stick-table). Can this peer feature be used to keep the stick cookie in sync, 
>> so if one haproxy goes down the other can take over connections?


> Yes, the stick table remembers and shares which entry is stuck to which
> server. You can use any criteria of the connection, and of course you
> can use a cookie set by your application.

> Alternatively, HAProxy can insert its own cookie in the HTTP response and
> use it for persistence. This mode is useful because you don't need
> to share the stick table, and two "unconnected" haproxy instances can assure
> high availability without losing the session affinity.


So if we use a shared stick table between 2 HAProxy LBs we do not need a cookie 
to maintain backend server sessions, and if we use a cookie we do not need to 
share the stick table? In the latter case, how does the surviving HAProxy know where to 
route the request to the correct backend server, using some haproxy.cfg with 
some backend server definition?


>> What is your choice ?


> The choice depends on each problem. HAProxy is very rich and permits
> solving many LB and HA issues. Generally I prefer the simplest solution
> able to solve my issues.

I mean your choice for keeping the haproxy.cfg file in sync between 2 or more 
HAProxy LBs (rsync, custom script, etc.)



>> Also... I know that a major pro of L7 load balancing is to manage centrally 
>> all phases of the communication (sticky, balancing, etc.), but in Hybrid 
>> Cloud thinking... isn't it right to control the connection up to a 
>> certain point and then use some mechanism
>> such as an L4 load balancer (like LVS) to put clients and 
>> final servers in direct communication? At least for communications not relying on sticky (persistent) 
>> sessions, one could alleviate periodic extraordinarily high connection rates by 
>> redirecting connections for some services
>> (L7 acl) to a Public Cloud without weighing down our Private Cloud 
>> infrastructure? Probably there is some other way... We do not see it at the 
>> moment...


> I don't understand the relation between L4 and L7 load-balancing, and
> the private and public cloud.

I read something about that but I have yet to go deep into it... some L4 LBs (LVS) can work 
by managing the first connection and then redirecting the communication to the backend; 
after that, source and backend communicate directly without the LB analyzing every 
subsequent packet. This is not so useful in L7, as the point is managing every 
packet to allow complex and correct management of all the communication (cookie, 
stick, acl, etc.), but for some situations such an escape can be useful.

I hope I'm clear... but this is not so important for now.

Thank you in advance


Roberto





[PATCH] BUG/MINOR: payload: Add volatile flag to smp_fetch_req_ssl_ec_ext

2015-07-15 Thread Nenad Merdanovic
This bug was introduced in 5fc7d7e. No backport to 1.5 needed.

Signed-off-by: Nenad Merdanovic 
---
 src/payload.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/payload.c b/src/payload.c
index 78f5608..852727a 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -161,6 +161,7 @@ smp_fetch_req_ssl_ec_ext(const struct arg *args, struct 
sample *smp, const char
if (ext_type == 10) {
smp->type = SMP_T_BOOL;
smp->data.uint = 1;
+   smp->flags = SMP_F_VOLATILE;
return 1;
}
 
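Review bot: the added line assigns `smp->flags = SMP_F_VOLATILE;` rather than OR-ing the flag in, so any flag set on the sample earlier in smp_fetch_req_ssl_ec_ext is discarded at this return; if nothing else is meant to survive here that is fine, but `smp->flags |= SMP_F_VOLATILE;` would make the intent explicit and is the safer default. This hunk only covers the ext_type == 10 success path; if the function has other paths that return a sample (the extension-absent case), they need the same flag for the result to be treated consistently. The commit message only names the commit that introduced the bug; one clause on why this result must be volatile would help the next reader.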
-- 
2.1.4




Re: Mailer does not work

2015-07-15 Thread Baptiste
On Wed, Jul 15, 2015 at 9:48 AM, mlist  wrote:
> We compiled from source haproxy-1.6-dev2.tar.gz. The new Mailers mechanism does
> not seem to work; we configured it as in the manual:
>
>
>
> mailers apsmailer1
>
>mailer smtp1 :10025
>
>
>
> …
>
> …
>
>
>
> backend somebackend_https
>
>mode http
>
>balance roundrobin
>
>…
>
>email-alert mailers apsmailer1
>
>email-alert from 
>
>email-alert to 
>
>   email-alert level info
>
>…
>
>
>
> We see in haproxy.log server status change:
>
> Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server …/ is
> UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup
> servers online. 0 sessions requeued, 0 total in queue.
>
> Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server …/ is
> UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup
> servers online. 0 sessions requeued, 0 total in queue.
>
>
>
> But no mail alerts are sent, and no error or warning is logged about sending mail.
>
>
>
> haproxy -f /etc/haproxy/haproxy.cfg -c
>
> does not return any error. All seems to be right, but mail alerts are not
> sent.
>
>
> Roberto
>

Hi Roberto,

Could you please take a tcpdump on port 10025 and confirm HAProxy
tries to get connected to the SMTP server?

Baptiste



Re: ocsp

2015-07-15 Thread Marc-Antoine
Hi,

Nobody knows, please?

On Thu, 9 Jul 2015 13:06:59 +0200,
Marc-Antoine  wrote :

> Hi all,
> 
> I have some problem making OCSP stapling work. Here is what I did:
> 
> I have 8150.pem with chain, cert and key in it.
> 
> I have 8150.pem.ocsp that seems OK:
> 
> # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain 
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> Version: 1 (0x0)
> Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
> Produced At: Jul  9 09:47:04 2015 GMT
> Responses:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
>   Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
>   Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
> Cert Status: good
> This Update: Jul  9 09:47:04 2015 GMT
> Next Update: Jul  9 21:47:04 2015 GMT
> 
> No error/warning at haproxy launch, but I'm not sure haproxy is loading the .ocsp file 
> because there is no notice in the log.
> 
> But nothing in tlsextdebug :
> 
> echo Q | openssl s_client -connect www.beluc.fr:443 -servername www.beluc.fr  
> -tlsextdebug  -status -CApath /etc/ssl/certs
> [...]
> OCSP response: no response sent
> [...]
> 
> Do you see something wrong? What can I do in order to debug?
> 
> Regards,
> 


-- 
Marc-Antoine
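An added check, not part of the thread or of HAProxy, that reads the `openssl ocsp -text` output quoted above and decides whether the stapled response is still worth serving at a given time; the sample is the output as printed in the message, and the time is supplied as a UTC string. Note that the quoted response's Next Update is Jul 9 21:47:04 2015, so by the follow-up on Jul 15 that response is past its validity window and a fresh one is needed.

```python
from datetime import datetime, timedelta

# Constructed sample: the fields exactly as printed by "openssl ocsp -text" in
# the message above.
SAMPLE_OCSP_TEXT = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F
    Produced At: Jul  9 09:47:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
      Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
      Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0
    Cert Status: good
    This Update: Jul  9 09:47:04 2015 GMT
    Next Update: Jul  9 21:47:04 2015 GMT
"""

WANTED = ("OCSP Response Status", "Cert Status", "Serial Number",
          "This Update", "Next Update")


def parse_ocsp_text(text: str) -> dict:
    """Pick the fields we need out of the human-readable openssl output."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")   # split on the first colon only
        if sep and key in WANTED and key not in fields:
            fields[key] = val.strip()
    return fields


def parse_openssl_time(s: str) -> datetime:
    """openssl prints e.g. 'Jul  9 09:47:04 2015 GMT' (note the padded day)."""
    s = " ".join(s.split())
    if s.endswith(" GMT"):
        s = s[:-4]
    return datetime.strptime(s, "%b %d %H:%M:%S %Y")   # naive, UTC


def staple_check(text: str, now: str, min_remaining_hours: float = 1.0):
    """Decide whether the stapled response is fit to serve at `now`
    ('YYYY-MM-DD HH:MM:SS', UTC).  Returns (ok, reason)."""
    f = parse_ocsp_text(text)
    t = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    if not f.get("OCSP Response Status", "").startswith("successful"):
        return False, "response status is not successful"
    if f.get("Cert Status") != "good":
        return False, "certificate status is %s" % f.get("Cert Status", "missing")
    this_update = parse_openssl_time(f["This Update"])
    next_update = parse_openssl_time(f["Next Update"])
    if t < this_update:
        return False, "response not yet valid"
    if t >= next_update:
        return False, "response expired"
    if next_update - t < timedelta(hours=min_remaining_hours):
        return True, "valid but about to expire, refresh it"
    return True, "valid"
```

HAProxy only serves what it loaded from the .ocsp file, so a staple that is not refreshed before Next Update silently stops being useful; run a check like this from whatever job renews the file.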



Re: Load Balancing the Load Balancer

2015-07-15 Thread Thierry FOURNIER
On Thu, 9 Jul 2015 14:52:19 +
mlist  wrote:

> Hi, 
> we see there is a new feature of HAProxy, peers and a shared table 
> (stick-table). Can this peer feature be used to keep the stick cookie in sync, 
> so if one haproxy goes down the other can take over connections?


Yes, the stick table remembers and shares which entry is stuck to which
server. You can use any criteria of the connection, and of course you
can use a cookie set by your application.

Alternatively, HAProxy can insert its own cookie in the HTTP response and
use it for persistence. This mode is useful because you don't need
to share the stick table, and two "unconnected" haproxy instances can assure
high availability without losing the session affinity.


> Is there some HAProxy native feature to keep the HAProxy nodes' configuration in 
> sync automatically, or do we have to rely on external tools like rsync manually, 
> or, as we do on LVS, a cron job executing a script to sync the configuration?


The stick table synchronisation is a native protocol. The configuration
or map synchronisation must be done by external tools.


> What is your choice ?


The choice depends on each problem. HAProxy is very rich and allows
solving many LB and HA issues. Generally I prefer the simplest solution
able to solve my issues.


> For the connection limitation, you speak of frontend and per backend server 
> minconn / maxconn? Isn't it right to divide by n (n = number of HAProxy) 
> the established total and per-server connections? Also, if this is not perfect, 
> we'll always have at most (n * maxconn).


This division guarantees that your server will not exceed the limitation.
If your server can process 100 connections, you tune the maxconn of your
HAProxy to 50 per server. If the first LB processes 75 connections and
the second processes only 25 (because of bad distribution in front of the LBs),
the first one limits the connections and the users' requests will suffer
latency, even though the limited server does not reach 100 connections.


> Also... I know that a major pro of L7 load balancing is to manage centrally 
> all phases of the communication (stickiness, balancing, etc.), but in Hybrid 
> Cloud thinking... isn't it right to control the connection up to a certain 
> point and then use some mechanism such as an L4 load balancer (like LVS) to put 
> clients and final servers in direct communication? At least for communications 
> that do not rely on sticky (persistent) sessions, one could alleviate periodic 
> extraordinarily high connection rates by redirecting connections for some services 
> (L7 ACL) to a Public Cloud without weighing down our Private Cloud infrastructure? 
> Probably there is some other way... We do not see it at the moment...


I don't understand the relation between L4 and L7 load-balancing, and
the private and public cloud. 

Thierry

> 
> 
> 
> -Original Message-
> From: Thierry FOURNIER [mailto:thierry.fourn...@arpalert.org] 
> Sent: giovedì 9 luglio 2015 14.51
> To: mlist
> Cc: 'haproxy@formilux.org'
> Subject: Re: Load Balancing the Load Balancer
> 
> On Thu, 9 Jul 2015 11:08:58 +
> mlist  wrote:
> 
> > We have a question about Load Balancing the load balancer... We currently have 
> > 2 LVS load balancers in active / passive configuration with keepalived.
> > We want to introduce an L7 load balancer (HAProxy) in active / active 
> > configuration, so we have not only an HA configuration but also a load balanced 
> > configuration of the load balancer. We think we can do that using the two 
> > active / passive LVS machines to load balance requests on 2 HAProxy 
> > machines, using persistence (LVS) and stickiness (HAProxy) correctly so 
> > applications / sessions behave as expected. We did not find such a solution on 
> > the Internet; do you think this is a bad design?
> 
> 
> Hi,
> 
> this is the classic design, but make sure that both haproxy
> configurations are the same (mainly the stick cookie name and
> values).
> 
> You must know that it's not really possible to limit the amount of
> connections to your servers because the first haproxy doesn't know the
> current connections of the second haproxy.
> 
> Thierry
> 
> -- 
> The message has been scanned for viruses or
> dangerous content by MailScanner, and was
> found to be uninfected.
> 
> 



FW: SSL offloading in HAProxy

2015-07-15 Thread Cohen Galit
Hello HAProxy team,

I see that the SSL offloading for the http protocol is already supported
(http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/).
I would like to know if there is an option of SSL offloading for the IMAP protocol.

Thanks,
Galit

From: Avrahami David
Sent: Wednesday, July 01, 2015 3:50 PM
To: Cohen Galit
Cc: Sabban Gili; Meltser Tiran
Subject: SSL offloading in HAProxy

Hi Galit,

Can you please post the below question to HAProxy forum?

I see that the SSL offloading for the http protocol is already supported
(http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/).
I would like to know if there is an option of SSL offloading for the IMAP protocol.


Best Regards,
David Avrahami
Security SE
Tel: +972-3-6452374
Mobile: +972-544382374
Email: david.avrah...@comverse.com


"This e-mail message may contain confidential, commercial or privileged 
information that constitutes proprietary information of Comverse Inc. or its 
subsidiaries. If you are not the intended recipient of this message, you are 
hereby notified that any review, use or distribution of this information is 
absolutely prohibited and we request that you delete all copies and contact us 
by e-mailing to: secur...@comverse.com. Thank You."


Mailer does not work

2015-07-15 Thread mlist
We compiled haproxy-1.6-dev2.tar.gz from source. The new Mailers mechanism does not 
seem to work; we configured it as in the manual:

mailers apsmailer1
   mailer smtp1 :10025

...
...

backend somebackend_https
   mode http
   balance roundrobin
   ...
   email-alert mailers apsmailer1
   email-alert from 
   email-alert to 
   email-alert level info
   ...

We see in haproxy.log server status change:
Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../ is 
UP, reason: Layer4 check passed, check duration: 0ms. 2 active and 0 backup 
servers online. 0 sessions requeued, 0 total in queue.
Jul 15 09:42:00 localhost.localdomain haproxy[3342]: Server .../ is 
UP, reason: Layer6 check passed, check duration: 1ms. 2 active and 0 backup 
servers online. 0 sessions requeued, 0 total in queue.

But no mail alerts are sent, no error or warning logged about sending mail.

haproxy -f /etc/haproxy/haproxy.cfg -c
does not return any error. All seems to be right, but mail alerts are not sent.


Roberto

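To check whether HAProxy ever opens a connection to the configured mailer at all (the post's log shows the state changes but nothing about mail), an added throwaway SMTP sink that is not part of the post or of HAProxy: it listens on 127.0.0.1:10025, the port from the mailers section above, answers the minimal SMTP dialog and prints whatever arrives. The listen address, the sample addresses in the test, and the port being free are assumptions.

```python
import io
import socketserver

def smtp_session(rfile, wfile):
    """Accept one message over a minimal SMTP dialog; return (sender, rcpts, body)."""
    def send(line):
        wfile.write((line + "\r\n").encode())
        wfile.flush()
    sender, rcpts, body = None, [], []
    send("220 sink ready")
    while True:
        raw = rfile.readline()
        if not raw:                      # peer closed without QUIT
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            send("250 sink")
        elif verb == "MAIL":             # MAIL FROM:<addr>
            sender = line.partition(":")[2].strip()
            send("250 OK")
        elif verb == "RCPT":             # RCPT TO:<addr>
            rcpts.append(line.partition(":")[2].strip())
            send("250 OK")
        elif verb == "DATA":
            send("354 go ahead")
            while True:                  # body ends at a lone "." line
                raw = rfile.readline()
                if not raw or raw.rstrip(b"\r\n") == b".":
                    break
                body.append(raw.decode(errors="replace").rstrip("\r\n"))
            send("250 queued")
        elif verb == "QUIT":
            send("221 bye")
            break
        else:
            send("500 command not recognized")
    return sender, rcpts, body

def run_dialog(client_bytes):
    """Offline check: replay a constructed client dialog through smtp_session."""
    out = io.BytesIO()
    return smtp_session(io.BytesIO(client_bytes), out), out.getvalue()

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        print("connection from", self.client_address, smtp_session(self.rfile, self.wfile))

if __name__ == "__main__":   # 10025 is the port from the post's mailers section (assumed free)
    with socketserver.TCPServer(("127.0.0.1", 10025), SinkHandler) as srv:
        srv.serve_forever()
```

If nothing is printed when a server changes state, HAProxy is not even attempting delivery, which narrows the problem to the configuration rather than to the mail relay.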




Re: Server IP resolution using DNS in HAProxy

2015-07-15 Thread Robin Geuze

Hey Nenad,

Actually a local resolver can take care of that for you as well, since 
every resolver I know allows configuring a different destination on a 
per-domain basis. Also, as described in the first email, the server has to be 
resolvable via the OS resolving stack as well, otherwise haproxy won't 
start. This means you cannot use custom domains without configuring some 
sort of custom resolver anyway.


-Robin-

Nenad Merdanovic wrote on 7/15/2015 08:56:

Hello Robin,

On 07/15/2015 08:49 AM, Robin Geuze wrote:

Tbh I don't really see the point of configuring the resolvers in haproxy
when the OS has perfectly fine working facilities for this. What is the
benefit besides possibly causing lookups to happen twice, once from the
OS resolving stack and once from haproxy's? If you really want exactly
the same behavior as described you could always configure a local
resolver that queries multiple other resolvers instead of recursing itself.

Because this would perfectly integrate with things like Consul
(https://www.consul.io/docs/agent/dns.html), which are currently very
widely used to provide service discovery.


-Robin-


Regards,