that instead of repeating the issue. I understand
though that in such a case it is better to have this in a separate commit, so I have
stuck with the tabs alignment.
> By the way, contrib/ was move to dev/ during your changes so if you keep
> this comment please update it.
Done.
On 13/04/2021 08:19, J
On 08/04/2021 21:55, Aleksandar Lazic wrote:
> Hi.
>
> Attached the patch to add the json_string sample.
>
> In combination with the JWT patch is a pre-validation of a bearer token
> part possible.
>
> I have something like this in mind.
>
> http-request set-var(sess.json)
> req.hdr(Authoriz
;t loop
twice over input string) but has the drawbacks of being intrusive with
the rest of the code and less clear, imo, regarding how the url variant is
different from standard base64.
Feel free to pick the one that looks better, otherwise I can continue
with a different implementation if need be.
--
Moeme
, Tim Düsterhus wrote:
>> +int base64urldec(const char *in, size_t ilen, char *out, size_t olen) {
>> +char conv[ilen+2];
>
> This looks like a remotely triggerable stack overflow.
You mean in case ilen is too big? In such a case, should we rather use
dynamic allocation?
--
Mo
xVvo1wP5c0dVHnr-S_khnIdFkThqvwukmdg
$ curl -H "Authorization: Bearer ${TOKEN}" 127.0.0.1:8080
{"user":"foo","key":"chae6AhXai6e"}
--
Moemen MHEDHBI
From e599ada315d01513e21f11cdff176cff1639b25c Mon Sep 17 00:00:00 2001
From: Moemen
Hey Willy
On 20/03/2020 12:02, Willy Tarreau wrote:
> Hi Moemen,
>
> On Thu, Mar 19, 2020 at 06:47:42PM +0100, Moemen MHEDHBI wrote:
>> This ML is the right place to contribute to the HAProxy software, but
>> for the ingress controller better do this by creating an issue in
responding
configuration is an important amount of work which for now seems to be
only useful for an edge case. That's why we would probably prefer having
CLI arg to activate this.
- No need for reload since we can set server weight via the Runtime API
(for example we do this already to change a se
On 19/05/2019 00:28, Aleksandar Lazic wrote:
> Hi.
>
> I have the following setup
>
> ```
> frontend public_ssl
>
> bind :::443 v4v6
>
> option tcplog
>
> tcp-request inspect-delay 5s
> tcp-request content capture req.ssl_sni len 25
> tcp-request content accept if { req.ssl_he
"abused" to serve a few
> "static files" (like `favicon.ico` or `robots.txt`) directly from
> HAProxy without requiring Lua. In fact the most viewed topic on
> HAProxy's forum is exactly about this:
>
>
> https://discourse.haproxy.org/t/how-do-i-serve-a-single-static-file-from-haproxy/32
>
> Ciprian.
>
HAProxy provides a cache, which was designed to perform cache on small
objects (favicon, css...). So this may be what you are looking for.
--
Moemen MHEDHBI
0.0.1:80
bind 127.0.0.1:443 ssl crt /etc/haproxy/ssl/
http-request redirect scheme https if !{ ssl_fc } { hdr(host),ssl_sni_check() }
This converter may be even more useful when certificates will be
added/removed at runtime.
++
--
Moemen MHEDHBI
From 14ed628ab9badbb06c45bab324eb00f998de
@list: sorry for the incorrect subject in my previous answer. At some
point the subject changed when email was saved and encrypted in Drafts.
On 28/11/2018 18:59, Moemen MHEDHBI wrote:
> Hi Igor,
>
> On 11/27/18 12:48 AM, Igor Cicimov wrote:
>> Hi Moemen,
>>
>> On T
Hi Igor,
On 11/27/18 12:48 AM, Igor Cicimov wrote:
> Hi Moemen,
>
> On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI wrote:
>> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>>
>> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov
>> wrote:
>>> Hi,
>>>
On 11/20/18 2:25 PM, Christopher Faulet wrote:
> On 17/11/2018 at 20:42, Willy Tarreau wrote:
>> Hi Moemen,
>>
>> On Wed, Nov 14, 2018 at 04:07:42PM +0100, Moemen MHEDHBI wrote:
>>> Hi,
>>>
>>> I was playing with LUA, to configure a traffic mirro
et
> stapled but to domain.tld do not.
>
Hi Igor,
Testing OCSP on multiple certificates with different domains (based on
the CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
Are you using multiple certs with the same CN but different SANs?
--
Moemen MHEDHBI
elling me that this is an
invalid request but not a segfault.
There are two ways to avoid this by changing the script:
1/ Use mode tcp
2/ Use "get" and "send" instead of "forward", this way the LUA script
will send the response directly to the client, instead of HAProxy doing
that.
--
Moemen MHEDHBI
Previous patches added support to tracking up to MAX_SESS_STKCTR stick
counters in the same connection, but without updating the DOC, it is done
here.
--
Moemen MHEDHBI
From 30038ba660a784202664fd4253ede15e7a9f8f91 Mon Sep 17 00:00:00 2001
From: Moemen MHEDHBI
Date: Tue, 25 Sep 2018 17:50
Hi Àbéjídé,
On 24/07/2018 17:59, Àbéjídé Àyodélé wrote:
> Hi Friends,
>
> I am trying to bump session limits via the maxconn in the global
> section as
> below:
>
> cat /etc/haproxy/redacted-haproxy.cfg
> global
> maxconn 1
> stats socket /var/run/redacted-haproxy-stats.sock user haproxy
are 3 more nodes like this,
> making the frontend connections in the ssl_sess_id_router frontend
> ~63k and ~60k in all frontends for nginx_ssl_fe. The nginx is still
> handling only 32k connections from nginx_backend.
>
> Please let me know if you need more info.
>
> Thanks,
> A
Hi
On 16/04/2018 12:04, Igor Cicimov wrote:
>
>
> On Mon, 16 Apr 2018 6:09 pm Ayush Goyal <mailto:ay...@helpshift.com>> wrote:
>
> Hi Moemen,
>
> Thanks for your response. But I think I need to clarify a few
> things here.
>
> On Mon,
d by the client, server
of HAProxy (timeouts, etc..)
> 2. Why haproxy is not terminating connections on the frontend to keep
> it them at 32k
> for 1:1 mapping?
I think there is no 1:1 mapping between the number of connections in
haproxy and nginx. This is because you are chaining the two frontend/backend
pairs in haproxy, so when the client establishes 1 connection with
haproxy you will see 2 established connections in haproxy stats. This
explains why the number of connections in haproxy is double the
number in nginx.
> Thanks
> Ayush Goyal
--
Moemen MHEDHBI
ting the date in the cookie with
the "replace-header" action. This won't be easy because the date is an
internal haproxy format.
So if you don't want to spend time redeveloping the application you can
still go with solution #1 by removing the persistence cookie in haproxy
using something like ( http-request replace-header Cookie SRV=[^;]*;? ' ' if ACL )
--
Moemen MHEDHBI
looking for "denied connections", you can
find more about this here:
https://cbonte.github.io/haproxy-dconv/1.8/management.html#9.1
According to the doc, the "denied connections" is the 81st field
(counting from 0) so using the following command will help track the
counter:
watch 'echo "show stat" | socat stdio <haproxy-socket-path> | cut -d "," -f 1-2,82 | column -s, -t'
++
--
Moemen MHEDHBI
nnections, etc ..
- A session is an end-to-end accepted connection. So maybe it is more
accurate to talk about requests per session rather than requests per
connection.
>
> And how can I get be_req_rate?
Unfortunately, this fetch does not seem to be implemented yet.
>
> Thank you
--
Moemen MHEDHBI
r the server would not be sufficient
here ? So the extra traffic due to the failed server will be queued.
>
>
> Andruw Smalley
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> Leave a Review | Deployment Guides | Blog
>
--
Moemen MHEDHBI
mple expression" in the docs: then you can use only
sample fetches and converters.
On 30/01/2018 14:04, Tim Düsterhus wrote:
> Moemen,
>
> On 30.01.2018 at 10:15, Moemen MHEDHBI wrote:
>> The variables you are talking about are more precisely "log format
>> variables
re only available for the logging part of HAProxy.
Sample fetches are used to extract data from traffic streams and use it
for content aware routing, stickiness, etc.
++
Moemen MHEDHBI
to the custom protocol,
using LUA scripts may be useful here.
++
--
Moemen MHEDHBI
the moment you force a cipher list that does not include a
TLSv1.3 cipher in the server side (which has TLSv1.3 enabled) the TLS
handshake will break regardless of what is in the Client hello.
--
Moemen MHEDHBI
t being said HAProxy can still "pass" proxy requests to http/socks
proxies if the client is configured to use a proxy.
++
>
> On 11 December 2017 16:56:12 CET, Moemen MHEDHBI wrote:
>
>
> On 11/12/2017 15:02, Gbg wrote:
>
> I need to contact applic
d *:8000
acl is_extweb path_beg -i /policies /produkte
use_backend forward_proxy if is_extweb
default_backend another_backend
backend forward_proxy
server static < IP-of-the-forward-proxy > : < Port > check
++
Moemen MHEDHBI
it is written:
> That host only sends RST packets to all[2] connections from a single
client IP.
Are we talking about connections initiated or accepted by HAProxy?
Also, without the logs and the conf, I can't be of great help.
++
--
Moemen MHEDHBI
> Search mailing list but found nothing about HLS.
>
> Regards
>
> Deon
>
> --
Hls
--
Moemen MHEDHBI
ke this
work. (Unless I am mistaken about how your app works)
I think we are being confused by the whole Websocket thing while it
**shouldn't be** the case.
Sorry for the confusion but Websocket is probably not the problem here.
So I am going to get back to some of your previous questions in o
_cookie_domain
>
> acl hdr_set_cookie_path_cc_test res.hdr(Set-cookie) -m found sub Path=
>
> rspirep ^(Set-Cookie:.*)\ Path=(.*)$ \1\ Path=/CoscendCC.Test\2 if
> hdr_set_cookie_path_cc_test
>
>
>
> server CoscendCC.Test bk.coscend.local:6080 cookie cc-tt-d check
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
&g
se header Cache-Control len 8
>
> capture response header Via len 20
>
> capture response header Location len 20
>
> capture response header X-Backend-Server-Name len 20
>
>
>
> capture response header Content-Security-Policy len 128
>
> capture response header Strict-Transport-Security len 64
>
> capture response header X-Frame-Options len 32
>
> capture response header X-XSS-Protection len 32
>
> capture response header X-Content-Type-Options len 32
>
> capture response header Referrer-Policy len 32
>
> capture response header Pragma len 32
>
> capture response header Transfer-Encoding len 32
>
>
>
> capture response header Access-Control-Allow-Origin len 32
>
> capture response header Access-Control-Allow-Headers len 32
>
> capture response header Access-Control-Allow-Methods len 32
>
> capture response header Access-Control-Allow-Credentials len 20
>
>
>
> backend subdomain-backend
>
> http-response set-header Strict-Transport-Security
> "max-age=31536000; includeSubDomains; preload"
>
> http-response set-header X-Frame-Options "SAMEORIGIN" # or "DENY"
>
> http-response set-header X-XSS-Protection "1; mode=block"
>
> http-response set-header X-Content-Type-Options "nosniff"
>
> http-response set-header Referrer-Policy
> "no-referrer-when-downgrade"
>
>
>
> http-response set-header Pragma "no-cache" #Deprecated, only for
> backwards compatibility with HTTP/1.0 clients.
>
> http-response set-header Cache-Control "nocache, no-store"
>
>
>
>
>
>
> http-response set-header Access-Control-Allow-Origin "*"
> #"%%{AccessControlAllowOrigin} env=AccessControlAllowOrigin"
>
> http-response set-header Access-Control-Allow-Headers "Origin,
> X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN"
>
> http-response set-header Access-Control-Allow-Methods "GET, POST,
> PUT, DELETE, OPTIONS"
>
> http-response set-header Access-Control-Allow-Credentials "true"
>
>
>
> http-response set-header X-Backend-Server-Name %s
>
--
Moemen MHEDHBI
n track-sc0 src table nappsmtp
> tcp-request connection reject if { sc0_get_gpt0 gt 0 }
>
> and the backend :
>
> tcp-response content sc-set-gpt0(0) 1 if isfail
>
> This will mark the IP in the table on the first occurrence of a 5xx
> response. If you want to leave a small margin to start blocking after
> the 3rd failure as you did, better then the gpc0 counter then.
>
> Hoping this helps,
> Willy
>
--
Moemen MHEDHBI
>
> Thanks a lot.
>
--
Moemen MHEDHBI
rns nothing or
> something else.
> Suggestions, please?
>
>
>
> Norman
>
> * *
>
> *Norman Branitsky
> *Cloud Architect
>
> MicroPact
>
> (o) 416.916.1752
>
> (c) 416.843.0670
>
> (t) 1-888-232-0224 x61752
>
> www.micropact.com <http://www.micropact.com/>
>
> Think it > Track it > Done
>
>
>
--
Moemen MHEDHBI
Support Engineer
http://haproxy.com
Tel: +33 1 30 67 60 71
completed, I am confused.
>
>
> haproxy cfg example:
>
> http-request use-service lua.haproxy-proxy
>
>
>
>
>
--
Moemen MHEDHBI
%[res.hdr("X-Used-Params"),djb2(1),hex]
>
> I'm having trouble getting haproxy to log this value with the
> additional capture header that should get routed to my custom http log:
>
> capture response header X-R-ID len 16
>
> Does http-response set-header run too late to be captured for logging?
>
--
Moemen MHEDHBI
ded_proto
> mode http
> server 03bfdfc9400011968ca41e78cca5cf00dc68b773 10.42.179.224:8069
>
>
It is not clear what you want to do here, if you just want to send the
X-Forwarded-Proto with the corresponding scheme then you already have
the answer, otherwise we need more details about your problem.
++
--
Moemen MHEDHBI
> >> timeout connect 5s
> >> timeout server 5s
> >>
> >> frontend frontend_chat
> >> bind :80
> >> mode http
> >> timeout client 120s
> >> option forwardfor
> >> option http-server-close
> >> option http-pretend-keepalive
> >> default_backend backend_chat
> >>
> >> backend backend_chat
> >> balance url_param chatName
> >> timeout server 120s
> >> server chat chat:80
> >>
> >> At the moment it seems that only the Commercial Subscription of
> Nginx can handle this kind of case using the sticky route $variable
> ...; directive in the upstream module.
> >
> >
> > Maybe try:
> >
> > http-request set-header Host 10.0.0.12 if { query -m beg -i
> chatName=fun }
> >
--
Moemen MHEDHBI
process pid to the pidfile
2. Then When I hit restart, all process are stopped correctly.
So the question is (@William): when doing a soft stop, should we
preserve the old process pid in the pidfile until the process terminates?
--
Moemen MHEDHBI
t aware of.
If we need to fix 2/, a possible solution would be:
- Set killmode to "control-group" rather than "mixed" (the current
value) in systemd unit file.
>
> Seems to me you want RELOAD behavior instead, so RELOAD is what Ansible
> should trigger when it detects a config change, no RESTART.
>
Agree
--
Moemen MHEDHBI
me architectural reason why this would be difficult or
> impractical to do? Or is it just something that didn't seem
> necessary/useful at the time?
>
> Regards,
> Mark Staudinger
>
--
Moemen MHEDHBI
From 66707e9fc90fb2726c8e7dd9f060a52325b780bd Mon Sep 17 00:00:00 2001
on
> how these counters are held in memory there is a slight difference?
>
> thanks
>
>
The explanation may differ based on the number/metric in question. For
example, the Total sessions in the backend may be not equal to the sum
of total sessions of the servers, because there were some requests
aborted before HAProxy chooses a backend server.
--
Moemen MHEDHBI
"fullconn" parameter if you have set up
"minconn" in server lines (to use dynamic maxconn), otherwise you can
ignore it.
Regards,
--
Moemen MHEDHBI
47 matches