Re: Help you generate more revenue for your haproxy.com.

2018-09-05 Thread Olivier Houchard
On Wed, Sep 05, 2018 at 10:14:55PM +1000, Rob Thomas wrote:
> You gotta wonder how this guy got this mailing list.  He must have actually
> LOOKED at the website, right?
> 
> Sigh. Spammers.
> 
> For anyone who cares, I don't think it's possible for haproxy to get MORE
> exposure on google.
> 
> [image: image.png]
> 

Notice how he mentioned haproxy.com, which is only 2nd in your google search.

I think we can trust somebody named FREDDIE KIRK, after all he is SEO
Strategist AND Business Development Manager.

Regards,

Olivier

> On Wed, 5 Sep 2018 at 22:07, FREDDIE KIRK wrote:
> 
> > Hi *haproxy.com*,
> >
> > *Do you need to know how your website currently ranks on search engine
> > result pages and how you can start beating your competitors right now?*
> >
> > Today, I went through your website *haproxy.com*;
> > you seem to have a great website, but only the thing is People are already
> > searching for your products and services, but if you don't use the Right
> > Keywords they're searching for on your site, it will be difficult for them
> > to find you.
> >
> > We will deliver you a huge ROI, high ranking, more traffic, clicks, page
> > views and most importantly converting those visitors into paying customers.
> >
> > Let me know if I should share a *Plan of Action* for your website
> >
> > Kind Regards
> >
> > SEO Strategist
> > Business Development Manager
> >





Help you generate more revenue for your haproxy.com.

2018-09-05 Thread FREDDIE KIRK
Hi *haproxy.com*,

*Do you need to know how your website currently ranks on search engine
result pages and how you can start beating your competitors right now?*

Today, I went through your website *haproxy.com*; you
seem to have a great website, but only the thing is People are already
searching for your products and services, but if you don't use the Right
Keywords they're searching for on your site, it will be difficult for them
to find you.

We will deliver you a huge ROI, high ranking, more traffic, clicks, page
views and most importantly converting those visitors into paying customers.

Let me know if I should share a *Plan of Action* for your website

Kind Regards

SEO Strategist
Business Development Manager


Re: ppa1~xenial with TLS v1.3 support

2018-09-05 Thread Lukas Tribus
Hello,


On Wed, 5 Sep 2018 at 11:31, Haim Ari  wrote:
>
> Hello,
>
> Is there a way to add TLS v1.3 without compiling haproxy ? (and still use PPA
> version for Ubuntu)

No. TLSv1.3 requires OpenSSL 1.1.1, which is still in beta phase, and
even if it becomes stable, it will require some time before openssl
1.1.1 hits the repository. Then haproxy will have to be rebuilt on
that; I doubt the PPA will contain a static version of openssl 1.1.1.

Note also that currently *no* browser supports the final TLSv1.3
specification. Chrome supports some older draft (maybe draft-26) and
Firefox supports draft-28, none of it will work with OpenSSL, as they
just removed all draft support (only the final TLS1.3 spec is
supported in OpenSSL as of beta 7).


This is the time to test TLSv1.3, but it's not the time to deploy it
in production unless you have the time to closely follow openssl and
browser development.



cheers,
lukas
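
An added example, not part of Lukas's reply or of HAProxy itself: a small shell classifier that applies the rule above (TLSv1.3 needs haproxy both built against and running on OpenSSL 1.1.1 or later) to `haproxy -vv` output. The verdict words and function names are made up for this example, and the `-pre` suffix used to spot beta builds is an assumption about how OpenSSL pre-releases name themselves.

```shell
#!/bin/sh
# Added example (not from the thread): classify `haproxy -vv` output for TLSv1.3.

# Constructed sample: the OpenSSL lines of the 1.8.13-1ppa1~xenial output in this thread.
sample_vv() {
    cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
EOF
}

# ossl_ver LABEL: print the version token from the "<LABEL> OpenSSL version" line.
ossl_ver() {
    printf '%s\n' "$report" | sed -n "s/^$1 OpenSSL version : OpenSSL \([^ ]*\).*/\1/p"
}

# at_least_111 VERSION: succeed if VERSION (e.g. 1.0.2g, 1.1.1-pre9) is >= 1.1.1.
at_least_111() {
    printf '%s\n' "$1" | awk -F. '{
        patch = $3; sub(/[^0-9].*/, "", patch)   # drop letter or pre-release suffix
        exit !(($1 * 10000 + $2 * 100 + patch) >= 10101)
    }'
}

# tls13_status: read `haproxy -vv` output on stdin, print one verdict word.
tls13_status() {
    report=$(cat)
    built=$(ossl_ver "Built with")
    running=$(ossl_ver "Running on")
    # Exact prefix match, so the "TLS extensions" and "SNI" lines are skipped.
    protos=$(printf '%s\n' "$report" | sed -n 's/^OpenSSL library supports : //p')
    if [ -z "$built" ] || [ -z "$running" ]; then echo "no-openssl"; return; fi
    if ! at_least_111 "$built";   then echo "rebuild-needed"; return; fi
    if ! at_least_111 "$running"; then echo "runtime-too-old"; return; fi
    case "$built$running" in *-pre*) echo "prerelease-openssl"; return ;; esac
    case " $protos " in
        *" TLSv1.3 "*) echo "tls13-available" ;;
        *)             echo "tls13-not-listed" ;;
    esac
}

sample_vv | tls13_status    # prints: rebuild-needed
```

On a real host, pipe the live output in instead of the sample: `haproxy -vv | tls13_status`.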



Re: BUG/MEDIUM: incompatibility between DNS SRV records and server-state

2018-09-05 Thread Willy Tarreau
On Wed, Sep 05, 2018 at 11:21:08AM +0200, Baptiste wrote:
> I did not see the patch in 1.8 (I sent a specific one in my mail).

It's expected, we usually run into some backporting sessions taking a
whole day instead of doing them one at a time in random order. It helps
us maintain the ordering (which is important sometimes) and to be sure
we didn't miss any. Your commit message mentions the presence of the
1.8-specific patch so it will be picked at this moment.

> I think it's safer to wait a bit to ensure there are no regressions.

Noted, thanks.

> Note that 2 people at least are currently using it successfully in prod.

Great!

Willy



ppa1~xenial with TLS v1.3 support

2018-09-05 Thread Haim Ari
Hello,

Is there a way to add TLS v1.3 without compiling haproxy ? (and still use PPA 
version for Ubuntu)
I noticed there is "OpenSSL extensions support"

Thank you,



HA-Proxy version 1.8.13-1ppa1~xenial 2018/08/01
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fPIE -fstack-protector-strong -Wformat 
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 
USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.38 2015-11-23
Running on PCRE version : 8.38 2015-11-23
PCRE library supports JIT : yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace







Haim Ari / SysOps Manager

M: 972.584563032 / T: 972.722288367





BUG/MINOR: fix server's resolver checking at configuration validation step

2018-09-05 Thread Baptiste
Hi there,

In attachment, a patch to fix a bug reported by Marcos on the ML during the
summer.
The bug is that "haproxy -c -f cfgfile" doesn't check whether a server's
resolver section exists, although "haproxy -f cfgfile" does.
The issue is that init scripts are not able to detect a misconfiguration
and production can be impacted. (In Marcos' case, the tool which builds the
configuration forgot to set the resolvers section).

This patch aims at fixing this issue and now, if a resolvers section
pointed by a server can't be found, then "haproxy -c -f cfgfile" will fail
too:
[ALERT] 247/111027 (28758) : config : backend 'bk_pouet', server 'bla':
unable to find required resolvers 'dns'
[ALERT] 247/111027 (28758) : Fatal errors found in configuration.

Baptiste
From e618d06562a41d44c6023f2ea4f5d4a2ff306490 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann 
Date: Fri, 10 Aug 2018 10:56:38 +0200
Subject: [PATCH] BUG/MINOR: dns: check and link servers' resolvers right after
 config parsing

On the Mailing list, Marcos Moreno reported that haproxy configuration
validation (through "haproxy -c cfgfile") does not detect when a
resolvers section does not exist for a server.
That said, this checking is done after HAProxy has started up.

The problem is that this can create production issues, since init
scripts can't detect the problem before starting / reloading HAProxy.

To fix this issue, this patch registers the function which validates DNS
configuration validity and runs it right after configuration parsing is
finished (through cfg_register_postparser()).
Thanks to it, now "haproxy -c cfgfile" will fail when a server
points to a non-existing resolvers section (or any other validation made
by the function above).

Backport status: 1.8

---
 src/dns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/dns.c b/src/dns.c
index 033fcc1..16a2c17 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -19,6 +19,7 @@
 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -2056,7 +2057,7 @@ static void __dns_init(void)
 	dns_answer_item_pool = create_pool("dns_answer_item", sizeof(struct dns_answer_item), MEM_F_SHARED);
 	dns_resolution_pool  = create_pool("dns_resolution",  sizeof(struct dns_resolution),  MEM_F_SHARED);
 
-	hap_register_post_check(dns_finalize_config);
+	cfg_register_postparser("dns runtime resolver", dns_finalize_config);
 	hap_register_post_deinit(dns_deinit);
 
 	cli_register_kw(_kws);
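
Review bot: In the second hunk (__dns_init), dns_finalize_config is moved from hap_register_post_check() to cfg_register_postparser(), so it now runs right after parsing instead of at the post-check stage, and nothing in the patch states that it is safe to run that early. Please add a sentence to the commit message, or a comment next to the call, confirming that dns_finalize_config depends on nothing that is only set up between config parsing and the post-check step, since the fix relies on that ordering. Also, the commit message writes "haproxy -c cfgfile" while the cover mail uses "haproxy -c -f cfgfile"; using the same form in both would avoid confusion for people testing the backport.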
-- 
2.7.4



Re: BUG/MEDIUM: incompatibility between DNS SRV records and server-state

2018-09-05 Thread Baptiste
On Tue, Sep 4, 2018 at 5:46 PM, Willy Tarreau  wrote:

> On Tue, Sep 04, 2018 at 10:02:09AM +0200, Baptiste wrote:
> > This patch improves the server-state file to fix this issue: the srv record
> > used to manage this server is now saved by the previous process and changes
> > can be re-applied by the new one (unless the SRV record has changed, of
> > course)
> (...)
>
> applied, thanks Baptiste!
>
> Willy
>


I did not see the patch in 1.8 (I sent a specific one in my mail). I think
it's safer to wait a bit to ensure there are no regressions.
Note that 2 people at least are currently using it successfully in prod.

Baptiste