Re: HashiCorp

2021-07-14 Thread Илья Шипицин
Yes, go ahead

On Wed, Jul 14, 2021, 6:55 PM Donna Nash 
wrote:

> Good Day,
>
>
>
> I would like to know you are interested HashiCorp Users across a range of
> industries and geographic regions.
>
>
>
> If yes we can move forward.
>
>
>
> Who we are
>
>
>
> We are a global database providing company .
>
>
>
> Hope we get positive reply from your team.
>
>
>
> Thank
>
> Donna Nash
>
> Access tech data
>
>
>
>
>


HaProxy Sends 502 Bad Gateway with 'SH' in the Log

2021-07-14 Thread Buddhi DeSilva
Hi Team,

I have a problem with respect to the HAProxy timeouts.
I have an application which runs behind HAProxy (version 1.8).
The application can be considered a black box whose internals are unknown.
In this application there is a RESTful endpoint which takes considerable time
to complete (less than 5 min) and returns an empty response (204).
When I execute the above endpoint (which goes through HAProxy) it returns a 502
Bad Gateway response and I can see the following log message in the HAProxy logs.

RESTFul Endpoint: GET /abc/service/com.team.repository.internal.diagnostic

Log output->
Jul 14 05:55:01 localhost haproxy[116403]: 9.XX.XXX.219:38442 [14/Jul/2021:05:54:00.789] oift~ abc-default/defaultserver 0/0/143/-1/60217 502 204 - - SH-- 36/36/0/0/0 0/0 "GET /abc/service/com.team.repository.internal.diagnostic?id=com.team.repository.service.database.databaseStatisticsDiagnostic HTTP/1.1"

However, when I remove HAProxy from the topology and invoke the same RESTful
endpoint, I can get the response (empty) correctly.

Note:
I can see the 'SH' response code in the above log.
According to https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#8.5, 
I can see that HAProxy was waiting for proper headers from my application 
server.

Is there any way we can overcome this issue?

My HAProxy configurations are as follows:

global
    log 127.0.0.1:514 local0 info
    chroot  /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 6000
    user    haproxy
    group   haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    tune.maxrewrite 4096

defaults
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  redispatch
    retries 3
    timeout http-request    10m
    timeout queue           10m
    timeout connect         1m
    timeout client          10m
    timeout server          10m
    timeout tunnel          10m
    timeout http-keep-alive 10m
    maxconn 6000

frontend  openshift
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/hap.pem
    mode http
    redirect scheme https if !{ ssl_fc }
    maxconn 2000
    default_backend abc-default

backend abc-default
    fullconn 1000
    balance roundrobin
    server defaultserver abc-haproxy.apps.sstream-dev-new.os.com ssl verify none

Thank you in advance!
Buddhi D. S.
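
Added example (not part of the original post): a Python decoder for the "option httplog" line quoted above, separating the five timers from the termination state. The field layout follows the HAProxy 1.8 default HTTP log format; the function name diagnose() and the keys it returns are illustrative.

```python
import re

# Log line quoted in the post above, with its wrapped lines re-joined.
LOG_LINE = (
    'Jul 14 05:55:01 localhost haproxy[116403]: 9.XX.XXX.219:38442 '
    '[14/Jul/2021:05:54:00.789] oift~ abc-default/defaultserver '
    '0/0/143/-1/60217 502 204 - - SH-- 36/36/0/0/0 0/0 "GET '
    '/abc/service/com.team.repository.internal.diagnostic?id=com.team.'
    'repository.service.database.databaseStatisticsDiagnostic HTTP/1.1"')

# "option httplog" field order; the five timers are TR/Tw/Tc/Tr/Ta in ms.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: \S+ \[[^\]]+\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/'
    r'(?P<server>\S+) (?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/'
    r'(?P<Ta>\+?\d+) (?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ (?P<state>\S{4}) ')

# First two termination-state characters (HAProxy configuration manual, 8.5).
CAUSE = {'C': 'client aborted', 'S': 'server aborted or refused the session',
         'P': 'proxy aborted', 'L': 'handled locally',
         'R': 'proxy resource exhausted', 'I': 'internal error',
         'D': 'killed, server down', 'U': 'killed, backup server',
         'K': 'killed by admin', 'c': 'client-side timeout expired',
         's': 'server-side timeout expired', '-': 'normal completion'}
PHASE = {'R': 'waiting for the request', 'Q': 'waiting in queue',
         'C': 'connecting to the server', 'H': 'waiting for response headers',
         'D': 'data transfer', 'L': 'sending last data', 'T': 'tarpit',
         '-': 'normal completion'}

def diagnose(line, timeout_server_ms):
    """Decode the timers and termination state of one httplog line."""
    m = HTTPLOG.search(line)
    if m is None:
        raise ValueError('not an "option httplog" line')
    timers = {k: int(m[k]) for k in ('TR', 'Tw', 'Tc', 'Tr', 'Ta')}
    state = m['state']
    return {
        'status': int(m['status']),
        'bytes_read': int(m['bytes']),  # bytes sent to the client, not a status
        'timers_ms': timers,
        'cause': CAUSE.get(state[0], 'unknown'),
        'phase': PHASE.get(state[1], 'unknown'),
        'headers_received': timers['Tr'] >= 0,  # Tr == -1: no complete headers
        'haproxy_server_timeout_fired': state[0] == 's',  # lowercase 's' only
        'elapsed_below_timeout_server': timers['Ta'] < timeout_server_ms,
    }

if __name__ == '__main__':
    for key, value in diagnose(LOG_LINE, 10 * 60 * 1000).items():
        print(f'{key}: {value}')
```

For the quoted line this reports Tr = -1 with an uppercase 'S' after about 60 s: the session was closed from the server side before any headers arrived, which is distinct from the configured 10m "timeout server" expiring (that would log a lowercase 's').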


HashiCorp

2021-07-14 Thread Donna Nash
Good Day,

I would like to know you are interested HashiCorp Users across a range of 
industries and geographic regions.

If yes we can move forward.

Who we are

We are a global database providing company .

Hope we get positive reply from your team.

Thank
Donna Nash
Access tech data




[PATCH] JA3 TLS Fingerprinting (take 2)

2021-07-14 Thread Marcin Deranek
Hi,

Thank you for all comments I have received regarding JA3 Fingerprinting
patches. Here is the new set of patches which incorporated all your
suggestions.
Willy: I lowered memory requirements for ssl_capture (now 40 extra bytes),
but I did not go with the lowest as you suggested (unsigned char for
length/unsigned short for offset). Potentially this would work just fine,
yet specification allows to exceed that (
https://mta.openssl.org/pipermail/openssl-dev/2015-September/002860.html)
and personally I'm more in favour of sticking to standards as things could
bite us in the future. Dropping precalculated xxh64 hash would allow us to
go as low as 28 bytes if we care a lot about memory.

Regards,

Marcin Deranek
From 14a84a136e7e52957ae44fecaec432bdb9e3f4c9 Mon Sep 17 00:00:00 2001
From: Marcin Deranek 
Date: Tue, 13 Jul 2021 14:05:24 +0200
Subject: [PATCH 3/5] MINOR: sample: Add be2dec converter

Add be2dec converter which allows to build JA3 compatible TLS
fingerprints by converting big-endian binary data into string
separated unsigned integers eg.

http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
%[ssl_fc_cipherlist_bin(1),be2dec(-,2)],\
%[ssl_fc_extlist_bin(1),be2dec(-,2)],\
%[ssl_fc_eclist_bin(1),be2dec(-,2)],\
%[ssl_fc_ecformats_bin,be2dec(-,1)]
---
 doc/configuration.txt  | 12 +++
 reg-tests/converter/be2dec.vtc | 50 +
 src/sample.c   | 57 ++
 3 files changed, 119 insertions(+)
 create mode 100644 reg-tests/converter/be2dec.vtc

diff --git a/doc/configuration.txt b/doc/configuration.txt
index ecbbcdd04..d39e90752 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -16064,6 +16064,18 @@ base64
   an SSL ID can be copied in a header). For base64url("URL and Filename
   Safe Alphabet" (RFC 4648)) variant see "ub64enc".
 
+be2dec(,,[])
+  Converts a binary input sample to a string containing an unsigned integer
+  number per  input bytes.  is put every 
+  binary input bytes if specified.  flag indicates whatever binary
+  input is truncated at  boundaries.  maximum value is
+  limited by the size of long long int (8 bytes).
+
+  Example:
+  bin(01020304050607),be2dec(:,2)   # 258:772:1286:7
+  bin(01020304050607),be2dec(-,2,1) # 258-772-1286
+  bin(01020304050607),be2dec(,2,1)  # 2587721286
+
 bool
   Returns a boolean TRUE if the input value of type signed integer is
   non-null, otherwise returns FALSE. Used in conjunction with and(), it can be
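
Review bot: In the be2dec description, "flag indicates whatever binary input is truncated" should read "whether", and the paragraph never states the behaviour when the flag is omitted; the first example (be2dec(:,2) giving 258:772:1286:7) implies the trailing partial chunk is kept by default, so say that explicitly. The limit is also described as the size of "long long int" while the check in src/sample.c uses sizeof(unsigned long long); use the same type name in both places.
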
diff --git a/reg-tests/converter/be2dec.vtc b/reg-tests/converter/be2dec.vtc
new file mode 100644
index 0..d329e01b3
--- /dev/null
+++ b/reg-tests/converter/be2dec.vtc
@@ -0,0 +1,50 @@
+varnishtest "be2dec converter Test"
+
+#REQUIRE_VERSION=2.5
+
+feature ignore_unknown_macro
+
+server s1 {
+	rxreq
+	txresp
+} -repeat 2 -start
+
+haproxy h1 -conf {
+defaults
+	mode http
+	timeout connect 1s
+	timeout client  1s
+	timeout server  1s
+
+frontend fe
+	bind "fd@${fe}"
+
+	 requests
+	http-request  set-var(txn.input) req.hdr(input)
+
+	http-response set-header be2dec-1   "%[var(txn.input),be2dec(:,1)]"
+	http-response set-header be2dec-2   "%[var(txn.input),be2dec(-,3)]"
+	http-response set-header be2dec-3   "%[var(txn.input),be2dec(::,3,1)]"
+
+	default_backend be
+
+backend be
+	server s1 ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_fe_sock} {
+	txreq -url "/" \
+	  -hdr "input: 0123456789"
+	rxresp
+	expect resp.status == 200
+	expect resp.http.be2dec-1 == "48:49:50:51:52:53:54:55:56:57"
+	expect resp.http.be2dec-2 == "3158322-3355701-3553080-57"
+	expect resp.http.be2dec-3 == "3158322::3355701::3553080"
+	txreq -url "/" \
+	  -hdr "input: abcdefghijklmnopqrstuvwxyz"
+	rxresp
+	expect resp.status == 200
+	expect resp.http.be2dec-1 == "97:98:99:100:101:102:103:104:105:106:107:108:109:110:111:112:113:114:115:116:117:118:119:120:121:122"
+	expect resp.http.be2dec-2 == "6382179-6579558-6776937-6974316-7171695-7369074-7566453-7763832-31098"
+	expect resp.http.be2dec-3 == "6382179::6579558::6776937::6974316::7171695::7369074::7566453::7763832"
+} -run
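
Review bot: The expectations only exercise chunk sizes 1 and 3 on ASCII header input, so the documented upper bound of 8 bytes, input bytes with the high bit set, and the empty-separator form from the documentation example (be2dec(,2,1)) are never tested. Add one case per item so the regression test pins the boundary behaviour that doc/configuration.txt promises; a chunk size of 8 with bytes >= 0x80 is the case most likely to expose a signed/unsigned mistake in the conversion.
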
diff --git a/src/sample.c b/src/sample.c
index d02034cf0..5b7ad8b34 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -2057,6 +2057,62 @@ static int sample_conv_crypto_hmac(const struct arg *args, struct sample *smp, v
 
 #endif /* USE_OPENSSL */
 
+static int sample_conv_be2dec_check(struct arg *args, struct sample_conv *conv,
+const char *file, int line, char **err)
+{
+	if (args[1].data.sint <= 0 || args[1].data.sint > sizeof(unsigned long long)) {
+		memprintf(err, "chunk_size out of [1..%ld] range (%lld)", sizeof(unsigned long long), args[1].data.sint);
+		return 0;
+	}
+
+	if (args[2].data.sint != 0 && args[2].data.sint != 1) {
+		memprintf(err, "Unsupported truncate value (%lld)", args[2].data.sint);
+		return 0;
+	}
+
+	return 1;
+}
+
+static int sample_conv_be2dec(const struct arg *args, struct 
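
Review bot: In sample_conv_be2dec_check() the first memprintf() passes sizeof(unsigned long long), a size_t, to a "%ld" conversion; use "%zu" or cast the argument, since the two types are not the same width on every ABI. The range test also compares the signed args[1].data.sint against that size_t, which is only safe because the "<= 0" test runs first; an explicit cast would make the intent clear and avoid a sign-compare warning. A short comment above the function saying what args[1] and args[2] hold would help readers of the check.
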

Empty agent_status in statistics

2021-07-14 Thread KY K
Hi,

After version 2.4-dev7, we lost some statistics about agent checks.

When we added the code below to /src/stats.c, we started to get the results of the
agent checks in statistics. But we are not sure about our code.
If it is a bug, will you fix it soon?


after "case ST_F_CHECK_HEALTH:" lines

case ST_F_AGENT_STATUS:
    if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED) {
        const char *fld_chksts;

        fld_chksts = chunk_newstr(out);
        chunk_strcat(out, "* "); // for check in progress
        chunk_strcat(out, get_check_status_info(sv->agent.status));
        if (!(sv->agent.state & CHK_ST_INPROGRESS))
            fld_chksts += 2; // skip "* "

        metric = mkf_str(FN_OUTPUT, get_check_status_info(sv->agent.status));
    }
    break;
case ST_F_AGENT_CODE:
    if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED &&
        sv->agent.status >= HCHK_STATUS_L57DATA)
        metric = mkf_u32(FN_OUTPUT, sv->agent.code);
    break;
case ST_F_AGENT_DURATION:
    if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED &&
        sv->agent.status >= HCHK_STATUS_CHECKED)
        metric = mkf_u64(FN_DURATION, sv->agent.duration);
    break;
case ST_F_AGENT_DESC:
    if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
        metric = mkf_str(FN_OUTPUT, get_check_status_description(sv->agent.status));
    break;
case ST_F_LAST_AGT:
    if ((sv->agent.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
        metric = mkf_str(FN_OUTPUT, sv->agent.desc);
    break;
case ST_F_AGENT_RISE:
    if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
        metric = mkf_u32(FO_CONFIG|FS_SERVICE, ref->agent.rise);
    break;
case ST_F_AGENT_FALL:
    if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
        metric = mkf_u32(FO_CONFIG|FS_SERVICE, ref->agent.fall);
    break;
case ST_F_AGENT_HEALTH:
    if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) == CHK_ST_ENABLED)
        me




Thanks,

Yusuf