Re: TLS version by hostname

2016-06-09 Thread Andrew Smalley
Hi Ed

I'd say what you are asking is a no with a single VIP.

However, if you chain a VIP with all SSL/TLS allowed on the first VIP with
an ACL,

then rather than your backend being real servers, make the backend 2 more
VIPs, one with the TLS version and another without; that would work very well
for you.

acl alltls goto alltlsVIP
acl sometls goto sometlsVIP

The syntax is not correct but I'm sure you get the idea.

Have the same SSL cert for SNI on all 3 VIPs, change your TLS and cipher options
on the 2 backend VIPs and mirror your real servers there.
On 9 Jun 2016 22:36, "Eduard Martinescu"  wrote:

> Some googling didn't turn up what I was looking for so I thought I would
> ask here.
>
> Is it possible to enable different TLS versions on a per-hostname basis via
> SNI?
>
> So, with a single
>
> frontend ssl_app
>   bind 10.0.0.1:443 ssl crt mycrt crt /my/crt/directory
>
> Is there a way for that ssl_app frontend to allow TLS 1.0 for some subset
> of SNI hostnames, while disallowing it for others? Or can I only enable it
> for all or none?
>
> Ed
>
> --
> Eduard Martinescu ✉ 
> Principal Software Engineer
> Office: 585.708.9685 ✆ <+15857089685>
> DonorPro merged with Salsa, read about it here.
> 
>
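The chained-VIP layout Andrew sketches, written out as an added example (it is not the poster's configuration): a TCP-mode listener reads the SNI name from the ClientHello and hands the unterminated stream to one of two local TLS-terminating frontends, which share one certificate directory and differ only in the TLS versions they accept. Addresses, ports, hostnames, the backend and the no-tlsv10 choice are all assumptions.

```haproxy
# Added example, not from the thread. IPs, ports and hostnames are assumed.
# Stage 1: no TLS termination here; route the raw TLS stream by its SNI name.
frontend tls_router
    mode tcp
    bind 10.0.0.1:443
    tcp-request inspect-delay 5s
    # Release the connection only once a ClientHello (hello type 1) is buffered,
    # so req.ssl_sni is populated before the routing rule is evaluated.
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend to_legacy_tls if { req.ssl_sni -i legacy.example.com old.example.com }
    default_backend to_modern_tls

# Hand-off to the two local VIPs; send-proxy keeps the real client address.
backend to_legacy_tls
    mode tcp
    server legacy 127.0.0.1:8443 send-proxy

backend to_modern_tls
    mode tcp
    server modern 127.0.0.1:9443 send-proxy

# Stage 2: two TLS-terminating frontends using the same certificate directory
# (so SNI selects the same certificate on both), differing only in the
# accepted protocol versions. Bound to loopback so only the router reaches them.
frontend legacy_tls
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/ accept-proxy no-sslv3
    default_backend app

frontend modern_tls
    mode http
    bind 127.0.0.1:9443 ssl crt /etc/haproxy/certs/ accept-proxy no-sslv3 no-tlsv10
    default_backend app

backend app
    mode http
    server web1 192.0.2.10:80 check
```

Hostnames that must keep TLS 1.0 are listed explicitly, so anything not named falls through to the stricter listener by default.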


TLS version by hostname

2016-06-09 Thread Eduard Martinescu
Some googling didn't turn up what I was looking for so I thought I would
ask here.

Is it possible to enable different TLS versions on a per-hostname basis via
SNI?

So, with a single

frontend ssl_app
  bind 10.0.0.1:443 ssl crt mycrt crt /my/crt/directory

Is there a way for that ssl_app frontend to allow TLS 1.0 for some subset
of SNI hostnames, while disallowing it for others? Or can I only enable it
for all or none?

Ed

--
Eduard Martinescu ✉ 
Principal Software Engineer
Office: 585.708.9685 ✆ <+15857089685>
DonorPro merged with Salsa, read about it here.



Is this it?

2016-06-09 Thread MDF Tecnologia

Good morning!
Which of the items below interests you most?
Technical Support
Websites
Servers
Storage and Cloud Storage
WiFi Projects
Savings on Telephony / PBX
Internet Link
Website Hosting

If any of these items is of interest to you, you can reply to this e-mail and we will get in touch with you.

If you have any questions, we are at your disposal.
	MDF Tecnologia
	www.mdftecnologia.com.br
	+55 11 4134-1720





Support les Bleus with the official supporter kit of the Fédération Française de Foot

2016-06-09 Thread Tous Bleus
If you cannot view this email, click here.
-
FFF SHOW THE COLOURS OF THE FRANCE TEAM FOR EURO 2016

With your official FFF supporter kit, show your colours and represent
les Bleus, wherever you are.
WE'RE GOING TO WIN!
FOR ONLY
14,45€*
ORDER YOUR KITS HERE
YOUR KITS DELIVERED WITHIN 24H

THE TRICOLOUR GLASSES. To see life in blue.
THE 3 TRICOLOUR WRISTBANDS. To represent your team wherever you are.
THE TRICOLOUR FACE PAINT. Because you have the France team under your skin.
THE FFF KEYRING. To find your keys thanks to the France team.
THE TAP TAP SUPPORTER. To make yourself heard by everyone.
PROTECTIVE BLISTER PACK.
THE 3 TRICOLOUR WRISTBANDS. To represent your team wherever you are.
-
-

In accordance with the French Data Protection Act (loi Informatique et Libertés) of 6 January 1978,
you have the right to access, modify, rectify and delete the data concerning you. If you wish to
exercise this right and obtain the information held about you, please write to: VENISE HBA,
7-13 Boulevard Paul Emile Victor 92200 Neuilly sur Seine, France. SIRET no. 35013001900036.
Intra-EU VAT no. FR58350130019

* While stocks last.

Unsubscribe
 



Re: SNI healthcheck on backend?

2016-06-09 Thread Ray Cote
On Thu, Jun 9, 2016 at 12:10 PM,  wrote:

> http://discourse.haproxy.org/t/can-1-6-do-sni-on-backend/278/12
>

I’ve been looking for an official place to post a request ticket for this
(I’m the originator of that thread).
Yes, it does seem that HAProxy 1.6 does not send the SNI header during the
health check.
Will make it a formal request if someone could point me towards the proper
channel for enhancement requests.
—Ray



-- 
Raymond Cote, President
voice: +1.603.924.6079 email: rgac...@appropriatesolutions.com skype:
ray.cote


SNI healthcheck on backend?

2016-06-09 Thread rainer

Hi,

I came upon this thread:

http://discourse.haproxy.org/t/can-1-6-do-sni-on-backend/278/12

Is this true? I can't do healthchecks on a backend that needs to do SNI 
to the target-server?



BTW: is there a (public) bug-database for haproxy?
I couldn't find one on the web-page.

As haproxy doesn't (seem to) use github, the authors might think about 
installing gitlab.





Best Regards
Rainer



Re: external-check error ??

2016-06-09 Thread Holger Just
Hi Hugo

Hugo Delval wrote:
> global
> # [...]
> chroot /var/lib/haproxy
>
> # [...]
> 
> backend web-backend
> balance roundrobin
> option external-check
> external-check path "/usr/bin:/bin:/tmp"
> external-check command /bin/true
> server web1 127.0.0.1:80 check
> server web2 127.0.0.1:81 check


You are configuring HAProxy to drop into a chroot directly after start.
Thus, any scripts or external tools it runs (including all their required
libraries and potentially device nodes) have to be inside the
chroot directory. In your case, this is probably not the case.

Thus, you can either get rid of the chroot completely or move all your
dependencies into the chroot. The latter is probably a bit of a hassle
for more complex checks but might be more secure.

Good luck,
Holger



Re: HTTP Keep Alive : Limit number of sessions in a connection

2016-06-09 Thread Manas Gupta
On Wed, Jun 8, 2016 at 10:44 PM, Willy Tarreau  wrote:
> On Wed, Jun 08, 2016 at 10:00:04PM -0700, Manas Gupta wrote:
>> >> So I have a component which issues a lot of requests over a keep-alive
>> >> connection to HAProxy. In the middle there is a TCP Load Balancer
>> >> (hardware) which only intercepts new tcp connection requests. Once the
>> >> tcp connection is established, the client can send as many HTTP
>> >> requests as it wants. For lack of a better term, it becomes sticky.
>> >
>> > What do you mean by "it becomes sticky" ? Just the fact that it sticks
>> > to *this* haproxy server ? This seems logical if it works at the TCP
>> > level. I'm seeing that you want to "fix" this, but how is it a problem
>> > at all ? Most users would instead find this normal, and even desired.
>> >
>>
>> You are correct, it's not a problem.
>>
>> I am simply trying to figure out the best way for this :-
>> Say I have an HAProxy server with several long running http-keep-alive
>> connections. I want to send traffic away from this HAProxy server, but
>> without dropping any connections.
>
> OK, initially I thought you meant "from this process" (during a process
> replacement). But now I get it. But you normally also need to manipulate
> health check results so that your HW load balancer stops sending new
> connections to haproxy.
>
> At the moment, haproxy checks the frontend's stopped state to decide if it
> needs to force to disable keep-alive on client connections. By the way that
> makes me realize that we should also check for the "full" state to optimize
> early release of client connections when the frontend is full. But we could
> imagine having an extra "stopping" state that could be turned from the CLI
> to have the exact same effect.
>

I am not sure I understand your last comment.

As an aside, is there some doc which explains everything I see when I
run 'show sess'?

for example

0xfdf780: proto=tcpv4 src=10.193.248.156:51384 fe=ingress be=webs
srv=web2 ts=08 age=2s calls=2
rq[f=8848080h,i=0,an=2000h,rx=,wx=,ax=]
rp[f=8040h,i=0,an=6h,rx=4m57s,wx=,ax=] s0=[7,8h,fd=1997,ex=]
s1=[7,118h,fd=1998,ex=]exp=4m57s



>> I can live with what's there for now. I was just wondering if
>> keep-alive max HTTP directive could be implemented (it not already
>> done) using a combination of settings or some stick table fudgery.
>
> I didn't think about stick tables but that makes me think that we have
> variables (per-session and per-request). The per-session variables could
> hold a request count. The only thing we're missing is an action to force
> to disable keep-alive on the client side. I think the actions will be
> taken too late after the decision was already taken during the request
> but we could do it when processing the response.
>
> I think a few more thoughts should be given on this.
>
> Willy



external-check error ??

2016-06-09 Thread Hugo Delval
Hi everyone,

I'm quite new to HAProxy and I have a weird behavior with external checks.

Here is my config file:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    external-check

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  5
    timeout server  5
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

backend web-backend
    balance roundrobin
    option external-check
    external-check path "/usr/bin:/bin:/tmp"
    external-check command /bin/true
    server web1 127.0.0.1:80 check
    server web2 127.0.0.1:81 check

frontend http
    bind *:82
    mode http

    default_backend web-backend


And yet I get a 503, and in my logs I get this:

...: Server web-backend/web1 is DOWN, reason: External check error, code:
255, check duration: 5ms. 1 active and 0 backup servers left. 0 sessions
active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web1 is DOWN, reason: External check error, code:
255, check duration: 5ms. 1 active and 0 backup servers left. 0 sessions
active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web2 is DOWN, reason: External check error, code:
255, check duration: 1ms. 0 active and 0 backup servers left. 0 sessions
active, 0 requeued, 0 remaining in queue.
...: Server web-backend/web2 is DOWN, reason: External check error, code:
255, check duration: 1ms. 0 active and 0 backup servers left. 0 sessions
active, 0 requeued, 0 remaining in queue.
...: backend web-backend has no server available!
...: backend web-backend has no server available!

How could the check /bin/true fail and return 255?

I'm running the latest stable version (1.6.5).
If someone has an idea of what I'm doing wrong, please help! ^^

Bye,
Hugo DELVAL


Re: Rewriting Host Based on Path and Changing the Path

2016-06-09 Thread Aleksandar Lazic

Hi.

Am 09-06-2016 14:27, schrieb Chaim Keren-Tzion:


Note, the TLD and domain can also change and must be part of the regex.
'static' is the only string which will not change. In all cases where 
it is the subdomain we want it to be removed and replaced by the first 
element of the path. That element should also be removed from the path.


static.domainA.tldW/site1/resource1.jpg => site1.domainW.tldA/resource1.jpg
static.domainB.tldX/site2/resource2.js => site2.domainB.tldX/resource2.js
static.domainC.tldY/site3/resource3.gif => site3.domainC.tldY/resource3.gif
static.domainD.tldZ/site4/someDir/resource4.txt => site4.domainD.tldZ/someDir/resource4.txt


I'm thinking it can be done with http-request (set-var, set-path, 
replace-header, etc)

LUA could also be an option.


Yes, maybe, or a map file 
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#7.3.1-map


cheers Aleks

On Thu, Jun 9, 2016 at 2:13 PM, Chaim Keren-Tzion 
 wrote:


Hi,

Thanks.

# haproxy -vv
HA-Proxy version 1.6.4 2016/03/13
Copyright 2000-2016 Willy Tarreau 

Build options :
TARGET  = linux2628
CPU = generic
CC  = gcc
CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing 
-Wdeclaration-after-statement

OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"), 
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.2
Built with transparent proxy support using: IP_TRANSPARENT 
IPV6_TRANSPARENT IP_FREEBIND


Available polling systems :
epoll : pref=300,  test result OK
poll : pref=200,  test result OK
select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


We tried this but it has not worked at all:
acl host_static hdr_beg(host) -i static.
reqirep ^([^\ :]*\ \/)([^\/]+)(\/.*\n)Host:\ static\.([^\/]+?)$   
\1\2\3Host:\ \2.\4 if host_static

reqirep ^([^\ :]*)\ /[^/]+/(.*) \1\ /\2 if host_static

On Thu, Jun 9, 2016 at 12:51 PM, Aleksandar Lazic  
wrote:

Hi.

Am 09-06-2016 11:18, schrieb Chaim Keren-Tzion:

Hi,

Is there a way to rewrite the Host based on Path?

I'm trying to redirect all requests of type:

static.domain.com/site1/resource.jpg
static.domain.com/site1/resource2.js
static.domain.com/site2/resource3.gif
static.domain.com/site2/someDir/resource4.txt

to

site1.domain.com/resource.jpg
site1.domain.com/resource2.js
site2.domain.com/resource3.gif
site2.domain.com/someDir/resource4.txt

Basically, if the host is static.domain.com:

* New subdomain is based on the first part of the original path, with 
the same TLD.

* New path is the original path not including the first part.
Please can you send the haproxy -vv

What have you already done to solve the requirement?
Please can you send the relevant part from the config.

Maybe the doc could help you to find a good start point.

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-request
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#redirect
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep

regex build with https://regex101.com/

Testdata:
GET static.domain.com/site1/resource.jpg HTTP/1.1
GET static.domain.com/site2/someDir/resource4.txt HTTP/1.1

reqrep ^([^\ :]*)\ .*?/(\w+)/(.*)\ \1.domain.com/\2

Hth Aleks


  --

CHAIM KEREN-TZION
ch...@intercomp.co.il
+972-54-465-2983



Invalid 301 redirect target URL on haproxy.org

2016-06-09 Thread Holger Just
Hi,

when navigating to a directory of the downloads section on haproxy.org
while omitting the trailing slash, e.g.

http://www.haproxy.org/download/1.5

the response is a 301 redirect to

http://www.haproxy.org:81/download/1.5/

which I assume is generated by the backend Apache by adding its internal
port to the generated URL. This could potentially be solved by adding
this config rule in the frontend HAproxy to drop any explicit port
number from the redirects (or any other way you see fit :)

http-response replace-header Location ^(https?://[^:]*):\d+/(.*) \1/\2

Regards,
Holger



Re: Rewriting Host Based on Path and Changing the Path

2016-06-09 Thread Chaim Keren-Tzion
Note, the TLD and domain can also change and must be part of the regex.
'static' is the only string which will not change. In all cases where it is
the subdomain we want it to be removed and replaced by the first element of
the path. That element should also be removed from the path.


static.domainA.tldW/site1/resource1.jpg => site1.domainW.tldA/resource1.jpg
static.domainB.tldX/site2/resource2.js => site2.domainB.tldX/resource2.js
static.domainC.tldY/site3/resource3.gif => site3.domainC.tldY/resource3.gif
static.domainD.tldZ/site4/someDir/resource4.txt => site4.domainD.tldZ/someDir/resource4.txt

I'm thinking it can be done with http-request (set-var, set-path,
replace-header, etc)
LUA could also be an option.

On Thu, Jun 9, 2016 at 2:13 PM, Chaim Keren-Tzion 
wrote:

> Hi,
>
> Thanks.
>
> # haproxy -vv
> HA-Proxy version 1.6.4 2016/03/13
> Copyright 2000-2016 Willy Tarreau 
>
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
> -Wdeclaration-after-statement
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.7
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.32 2012-11-30
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with Lua version : Lua 5.3.2
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
>
> We tried this but it has not worked at all:
>   acl host_static hdr_beg(host) -i static.
>   reqirep ^([^\ :]*\ \/)([^\/]+)(\/.*\n)Host:\ static\.([^\/]+?)$
> \1\2\3Host:\ \2.\4 if host_static
>   reqirep ^([^\ :]*)\ /[^/]+/(.*) \1\ /\2 if host_static
>
>
>
> On Thu, Jun 9, 2016 at 12:51 PM, Aleksandar Lazic 
> wrote:
>
>> Hi.
>>
>> Am 09-06-2016 11:18, schrieb Chaim Keren-Tzion:
>>
>> Hi,
>>>
>>> Is there a way to rewrite the Host based on Path?
>>>
>>> I'm trying to redirect all requests of type:
>>>
>>> static.domain.com/site1/resource.jpg
>>> static.domain.com/site1/resource2.js
>>> static.domain.com/site2/resource3.gif
>>> static.domain.com/site2/someDir/resource4.txt
>>>
>>> to
>>>
>>> site1.domain.com/resource.jpg
>>> site1.domain.com/resource2.js
>>> site2.domain.com/resource3.gif
>>> site2.domain.com/someDir/resource4.txt
>>>
>>> Basically, if the host is static.domain.com:
>>>
>>> * New subdomain is based on the first part of the original path, with
>>> the same TLD.
>>> * New path is the original path not including the first part.
>>>
>>
>> Please can you send the haproxy -vv
>>
>> What have you already done to solve the requirement?
>> Please can you send the relevant part from the config.
>>
>> Maybe the doc could help you to find a good start point.
>>
>>
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-request
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#redirect
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep
>>
>> regex build with https://regex101.com/
>>
>> Testdata:
>> GET static.domain.com/site1/resource.jpg HTTP/1.1
>> GET static.domain.com/site2/someDir/resource4.txt HTTP/1.1
>>
>> reqrep ^([^\ :]*)\ .*?/(\w+)/(.*)\ \1.domain.com/\2
>> 
>>
>> Hth Aleks
>>
>
>
>
> --
> *Chaim Keren-Tzion*
> ch...@intercomp.co.il
> +972-54-465-2983
>



-- 
*Chaim Keren-Tzion*
ch...@intercomp.co.il
+972-54-465-2983
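The rule Chaim describes (drop the leading "static." label, promote the first path element to the subdomain, strip it from the path), expressed with the http-request actions he mentions. This is an added example, not configuration from the thread; it assumes the field and regsub converters and request variables of the 1.6 build shown above, and the frontend, backend, ACL and variable names are made up.

```haproxy
# Added example, not from the thread. Names below are assumptions.
frontend web
    mode http
    bind *:80

    # Rewrite only when the host starts with "static." AND the first path
    # element looks like a DNS label (letters, digits, hyphen, at most 63
    # chars). The label check matters because the new Host header is built
    # from a client-controlled part of the URL.
    acl host_static   hdr_beg(host) -i static.
    acl path_has_site path_reg ^/[A-Za-z0-9-]{1,63}/

    # 1. Remember the first path element ("site1" for "/site1/resource1.jpg").
    #    The variable is only set when both ACLs match, so later rules can
    #    key on its presence without re-checking a Host header we are about
    #    to change.
    http-request set-var(req.site) path,field(2,/) if host_static path_has_site

    # 2. New path: the original path without its first element.
    http-request set-path %[path,regsub(^/[^/]+/,/)] if { var(req.site) -m found }

    # 3. New Host: "<site>." + original host with the "static." prefix removed
    #    (domain and TLD are kept as they were, whatever they are).
    http-request set-header Host %[var(req.site)].%[req.hdr(host),regsub(^static\.(.*)$,\1,i)] if { var(req.site) -m found }

    default_backend sites

backend sites
    mode http
    server web1 192.0.2.10:80 check
```

With this ordering a request for static.domainD.tldZ/site4/someDir/resource4.txt reaches the backend as Host site4.domainD.tldZ and path /someDir/resource4.txt, while a request whose first path element is not a valid label (or whose host does not start with "static.") passes through untouched.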


Re: Rewriting Host Based on Path and Changing the Path

2016-06-09 Thread Chaim Keren-Tzion
Hi,

Thanks.

# haproxy -vv
HA-Proxy version 1.6.4 2016/03/13
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
-Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


We tried this but it has not worked at all:
  acl host_static hdr_beg(host) -i static.
  reqirep ^([^\ :]*\ \/)([^\/]+)(\/.*\n)Host:\ static\.([^\/]+?)$
\1\2\3Host:\ \2.\4 if host_static
  reqirep ^([^\ :]*)\ /[^/]+/(.*) \1\ /\2 if host_static



On Thu, Jun 9, 2016 at 12:51 PM, Aleksandar Lazic 
wrote:

> Hi.
>
> Am 09-06-2016 11:18, schrieb Chaim Keren-Tzion:
>
> Hi,
>>
>> Is there a way to rewrite the Host based on Path?
>>
>> I'm trying to redirect all requests of type:
>>
>> static.domain.com/site1/resource.jpg
>> static.domain.com/site1/resource2.js
>> static.domain.com/site2/resource3.gif
>> static.domain.com/site2/someDir/resource4.txt
>>
>> to
>>
>> site1.domain.com/resource.jpg
>> site1.domain.com/resource2.js
>> site2.domain.com/resource3.gif
>> site2.domain.com/someDir/resource4.txt
>>
>> Basically, if the host is static.domain.com:
>>
>> * New subdomain is based on the first part of the original path, with the
>> same TLD.
>> * New path is the original path not including the first part.
>>
>
> Please can you send the haproxy -vv
>
> What have you already done to solve the requirement?
> Please can you send the relevant part from the config.
>
> Maybe the doc could help you to find a good start point.
>
>
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-request
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#redirect
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep
>
> regex build with https://regex101.com/
>
> Testdata:
> GET static.domain.com/site1/resource.jpg HTTP/1.1
> GET static.domain.com/site2/someDir/resource4.txt HTTP/1.1
>
> reqrep ^([^\ :]*)\ .*?/(\w+)/(.*)\ \1.domain.com/\2
> 
>
> Hth Aleks
>



-- 
*Chaim Keren-Tzion*
ch...@intercomp.co.il
+972-54-465-2983


Re: Rewriting Host Based on Path and Changing the Path

2016-06-09 Thread Aleksandar Lazic

Hi.

Am 09-06-2016 11:18, schrieb Chaim Keren-Tzion:


Hi,

Is there a way to rewrite the Host based on Path?

I'm trying to redirect all requests of type:

static.domain.com/site1/resource.jpg
static.domain.com/site1/resource2.js
static.domain.com/site2/resource3.gif
static.domain.com/site2/someDir/resource4.txt

to

site1.domain.com/resource.jpg
site1.domain.com/resource2.js
site2.domain.com/resource3.gif
site2.domain.com/someDir/resource4.txt

Basically, if the host is static.domain.com:

* New subdomain is based on the first part of the original path, with 
the same TLD.

* New path is the original path not including the first part.


Please can you send the haproxy -vv

What have you already done to solve the requirement?
Please can you send the relevant part from the config.

Maybe the doc could help you to find a good start point.

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-request
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#redirect
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-reqrep

regex build with https://regex101.com/

Testdata:
GET static.domain.com/site1/resource.jpg HTTP/1.1
GET static.domain.com/site2/someDir/resource4.txt HTTP/1.1

reqrep ^([^\ :]*)\ .*?/(\w+)/(.*)\ \1.domain.com/\2

Hth Aleks



Rewriting Host Based on Path and Changing the Path

2016-06-09 Thread Chaim Keren-Tzion
Hi,

Is there a way to rewrite the Host based on Path?

I'm trying to redirect all requests of type:

static.domain.com/site1/resource.jpg
static.domain.com/site1/resource2.js
static.domain.com/site2/resource3.gif
static.domain.com/site2/someDir/resource4.txt

to

site1.domain.com/resource.jpg
site1.domain.com/resource2.js
site2.domain.com/resource3.gif
site2.domain.com/someDir/resource4.txt

Basically, if the host is static.domain.com:


1. New subdomain is based on the first part of the original path, with
   the same TLD.
2. New path is the original path not including the first part.


Re: external-check stdout ends up in load-balanced traffic, destroying tcp sessions

2016-06-09 Thread Lukas Erlacher
Ah, this is fun :D

Running this haproxy built from git:
> erlacher@vmrbg81:~/haproxy$ sudo ./haproxy -vv
> HA-Proxy version 1.7-dev3-4b788f-35 2016/06/08
> Copyright 2000-2016 Willy Tarreau 
> 
> Build options :
>   TARGET  = linux2628
>   CPU = generic
>   CC  = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
> 
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
> 
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity("identity"), deflate("deflate"), 
> raw-deflate("deflate"), gzip("gzip")
> Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built without Lua support
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
> IP_FREEBIND
> 
> Available polling systems :
>   epoll : pref=300,  test result OK
>poll : pref=200,  test result OK
>  select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
> 
> Available filters :
> [COMP] compression
> [TRACE] trace


Running this commandline:
> erlacher@vmrbg81:~/haproxy$ sudo ./haproxy -d -f /etc/haproxy/haproxy.cfg 

Results in the ldapcheck output going out to just regular stdout. So I'll have 
to run haproxy daemonized to reproduce the problem...
> erlacher@vmrbg81:~/haproxy$ sudo ./haproxy -f /etc/haproxy/haproxy.cfg

This results in the expected erroneous output on the first client connection.

Now to apply the patch and rebuild...

Running haproxy with -d still gives the check output on haproxy stdout, which 
is ok I suppose.

Running haproxy daemonized... gives no check output. Good!

So from this small test I believe the patch works.

Best,
Luke


On 08.06.2016 03:17, Simon Horman wrote:
> On Tue, Jun 07, 2016 at 08:18:21PM +0200, Willy Tarreau wrote:
>> On Tue, Jun 07, 2016 at 12:01:31PM +0200, Benoit Garnier wrote:
>>> You can always open /dev/null before chrooting and dup() it into FD 0 and 1 
>>> after chroot() has been called.
>>
>> I'd be more tempted to simply close those FDs after the fork(). That
>> may improve the ability to detect faulty scripts which try to dump
>> GBs of data.
>>
>> A very long time ago I've seen a health check perform an LDAP search
>> retrieving all the hundreds of thousands of members of a group, and
>> the people in charge for the server were complaining that the health
>> checks were hurting the server... Better have the script fail with a
>> broken pipe in this case.
>>
>> Just a suggestion.
> 
> Thanks, I think that is reasonable. I particularly like its simplicity.
> 
> Lukas, could you try this?
> 
> diff --git a/src/checks.c b/src/checks.c
> index c4ac947b6051..e65d28f7c3c6 100644
> --- a/src/checks.c
> +++ b/src/checks.c
> @@ -1836,6 +1836,12 @@ static int connect_proc_chk(struct task *t)
>   if (pid == 0) {
>   /* Child */
>   extern char **environ;
> +
> + if ((global.mode & MODE_QUIET) && !(global.mode & 
> MODE_VERBOSE)) {
> + close(0);
> + close(1);
> + }
> +
>   environ = check->envp;
>   extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, 
> ultoa_r(s->cur_sess, buf, sizeof(buf)));
>   execvp(px->check_command, check->argv);
> 
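Review bot: the close(0); close(1); in the child leaves the two lowest descriptor numbers free without reopening them, so the first file the check command or its runtime opens will land on fd 0 or 1 and any later write to stdout silently goes into that file instead of failing with EBADF; opening /dev/null and dup2()-ing it onto 0 and 1, as proposed earlier in the thread, avoids that while still keeping check output out of the proxied traffic. Also worth a comment next to the condition: fd 2 is deliberately left open, so anything the check writes to stderr still goes wherever the daemon's stderr points, and in debug/verbose mode (the -d case Lukas tested) the output is intentionally kept.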

-- 

Mit freundlichen Gruessen,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Raum 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching


