Contribute to HaProxy
Hi There,

I am looking for an SCTP protocol based load balancer. I see that HaProxy has a solid platform for TCP load balancing. However, SCTP is not supported. I would like to develop and contribute to HaProxy SCTP support. I will start with SCTP unihomed connections and then graduate on to support the SCTP multi-homing support.

I would like to know how I can join the development and contribute to the enrichment of the HaProxy load-balancer.

Regards
Umesh Patel
Re: OCSP renewal with 2.8
On 6/1/23 16:19, Shawn Heisey wrote:
I asked ChatGPT for help, and with that info, I was able to work out what to do.
-
elyograg@smeagol:/etc/haproxy$ cat crt-list.txt
/etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on]
/etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on]
-

Instead of two "crt" options, I now have "crt-list /etc/haproxy/crt-list.txt" on each bind line. Haproxy handles getting and updating the OCSP response for stapling. It's beautiful.

@Matthias I have no idea whether crt-list can load all certs in a directory like crt can. If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file. If you want that script to be automatically run whenever someone does `systemctl restart haproxy`, you could use the ExecStartPre and ExecReloadPre options in a systemd service file to run your script.

My certificate files contain the server cert, the issuer cert, the private key, and DH PARAMETERS that are unique to that cert.

Thanks,
Shawn
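The generator script Shawn suggests, written out as an added example (this is not code from the thread or from the HAProxy project): it emits one crt-list line per PEM bundle in a directory, each tagged with `[ocsp-update on]` exactly as in the crt-list.txt shown above, and warns on stderr when a bundle holds fewer than two certificate blocks, since the documentation cited in this thread says the issuer certificate must be present for OCSP updates. The directory path, the `.pem` suffix and the placeholder bundle contents built by `demo_crt_list` are assumptions, not real certificates.

```shell
#!/bin/sh
# Added example, not HAProxy project code. Builds a crt-list file for
# "bind ... ssl crt-list /etc/haproxy/crt-list.txt" from every *.pem in a
# directory. The directory layout and .pem suffix are assumptions.

# Count PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print one crt-list line per bundle found in "$1", in sorted (glob) order.
gen_crt_list() {
    dir="$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # A bundle with only one certificate lacks the issuer cert that the
        # quoted doc requires for ocsp-update; flag it but still emit the line
        # so the operator can decide, rather than silently dropping the cert.
        if [ "$(count_certs "$f")" -lt 2 ]; then
            printf 'warning: %s contains fewer than 2 certificates\n' "$f" >&2
        fi
        printf '%s [ocsp-update on]\n' "$f"
    done
}

# Stand-alone demo on constructed placeholder bundles (not real key material):
# one "server + issuer" bundle and one single-certificate bundle.
demo_crt_list() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-SERVER' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-ISSUER' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END PRIVATE KEY-----' > "$tmp/site1.combined.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ONLY' \
        '-----END CERTIFICATE-----' > "$tmp/site2.combined.pem"
    gen_crt_list "$tmp"
    rm -rf "$tmp"
}

# Usage: gen_crt_list /etc/ssl/certs/local > /etc/haproxy/crt-list.txt
# With no argument, run the demo on the constructed bundles.
if [ "$#" -gt 0 ]; then
    gen_crt_list "$1"
else
    demo_crt_list
fi
```

Hooking it into the service as Shawn proposes would be a drop-in with `ExecStartPre=` pointing at this script redirected to the crt-list path. The check only counts PEM blocks; it does not confirm that the second block actually is the issuer of the first, which `openssl verify` against the leaf would.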
Re: @Wolfssl: any plans to add "ECH (Encrypted client hello) support" and question about Roadmap
On Thu, Jun 01, 2023 at 02:15:57PM +0200, Aleksandar Lazic wrote:
> Hi,
>
> As we have now a shiny new LTS let's take a look into the future :-)
>
> As the Wolfssl looks like a good future alternative for OpenSSL is there
> any plan to add ECH (Encrypted client hello) (
> https://github.com/haproxy/haproxy/issues/1924 ) into Wolfssl?
>
> Is there any Idea which feature is planned to be added by HAProxy Company
> from the feature requests
> https://github.com/haproxy/haproxy/labels/type%3A%20feature ?
>
> Regards
> Alex
>

As far as I know ECH is still a draft and was not released yet, it looks like it was already integrated in wolfssl though:
https://www.wolfssl.com/encrypted-client-hello-ech-now-supported-wolfssl/

But since the RFC is not released yet their implementation would probably change.

But this probably won't be usable for HAProxy since we are using the OpenSSL compatibility layer.

If you want to discuss this, please continue on the haproxy github ticket or we will again split the discussion between multiple support..

--
William Lallemand
Re: OCSP renewal with 2.8
On 6/1/23 15:42, Willy Tarreau wrote:
So this means that the doc is still not clear enough and we need to improve this. And indeed, I'm myself confused because William told me a few days ago that "ocsp-update" was for crt-list lines only and it's found in the "bind line options" section. And of course, when there are examples, they're not the ones you're looking for, that's classical!

I looked at the 2.8.0 documentation for crt-list and it was not very clear what to actually put in the config to use it. I asked ChatGPT for help, and with that info, I was able to work out what to do.
-
elyograg@smeagol:/etc/haproxy$ cat crt-list.txt
/etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on]
/etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on]
-

I commented the crontab entry that was handling ocsp renewal, deleted the *.ocsp files from the certificate location, restarted haproxy, and did a fresh Qualys SSL test. That test indicated that it is still stapling OCSP.

Awesome new feature!

Thanks,
Shawn
Re: OCSP renewal with 2.8
On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote:
> On 5/31/23 23:25, Matthias Fechner wrote:
> > I just saw in the release notes for 2.8 that an automatic OCSP renewal
> > is now included and I would like to get rid of my manual scripts that
> > are currently injecting the OCSP information.
> >
> > I checked a little bit the documentation here:
> > https://docs.haproxy.org/2.8/configuration.html#ocsp-update
> > https://docs.haproxy.org/2.8/configuration.html#5.1-crt-list
>
> I can't figure out where to put the option. I've tried several different
> places and the config check fails every time.

So this means that the doc is still not clear enough and we need to improve this. And indeed, I'm myself confused because William told me a few days ago that "ocsp-update" was for crt-list lines only and it's found in the "bind line options" section. And of course, when there are examples, they're not the ones you're looking for, that's classical!

So normally in order to enable ocsp updates you have to use "crt-list" instead of "crt", and reference your certificate(s) there, and in front of each of them you can place some options. One of them is "ocsp-update on", which will enable automatic renewal.

> Upgraded from dev13 to 2.8.0 and that didn't help.
>
> It will be very cool for haproxy to handle ocsp renewal itself so I can
> retire my script.

That's exactly the goal, that for those whose load balancer has direct access to the internet (i.e. not on an internal network nor in an inbound DMZ), the renewal can be done automatically.

> The doc said that it would need the issuer cert, which is included in the
> file referenced by the crt option. Is that enough?

At this point I don't know :-/ William and/or Rémi will know better, let's wait for their complementary info if you can't sort it out with the info above. I intend to enable them soon on haproxy.org so I'm interested in configuring it as well :-)

Regards,
Willy
Re: OCSP renewal with 2.8
On 5/31/23 23:25, Matthias Fechner wrote:
I just saw in the release notes for 2.8 that an automatic OCSP renewal is now included and I would like to get rid of my manual scripts that are currently injecting the OCSP information.

I checked a little bit the documentation here:
https://docs.haproxy.org/2.8/configuration.html#ocsp-update
https://docs.haproxy.org/2.8/configuration.html#5.1-crt-list

I can't figure out where to put the option. I've tried several different places and the config check fails every time. Upgraded from dev13 to 2.8.0 and that didn't help.

It will be very cool for haproxy to handle ocsp renewal itself so I can retire my script.

The doc said that it would need the issuer cert, which is included in the file referenced by the crt option. Is that enough?

Thanks,
Shawn
[PATCH] BUG/MINOR: Fix Lua's `get_stats` function
Lua's `get_stats` function stopped working in 4cfb0019e65bce79953164eddf54c1bbb61add62, due to the addition of a new field ST_F_PROTO without a corresponding entry in `stat_fields`.

Fix the issue by adding the entry, like a46b142e8807ea640e041d3a29e3fd427844d559 did previously for a different field.

This patch fixes GitHub Issue #2174, it should be backported to 2.8.

--- src/stats.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/stats.c b/src/stats.c index 68adde6c5..1d071e2c1 100644 --- a/src/stats.c +++ b/src/stats.c @@ -274,6 +274,7 @@ const struct name_desc stat_fields[ST_F_TOTAL_FIELDS] = { [ST_F_H1REQ] = { .name = "h1req", .desc = "Total number of HTTP/1 sessions processed by this object since the worker process started" }, [ST_F_H2REQ] = { .name = "h2req", .desc = "Total number of hTTP/2 sessions processed by this object since the worker process started" }, [ST_F_H3REQ] = { .name = "h3req", .desc = "Total number of HTTP/3 sessions processed by this object since the worker process started" }, + [ST_F_PROTO] = { .name = "proto", .desc = "Protocol" }, }; /* one line of info */ -- 2.40.1
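Review bot: the `.desc = "Protocol"` text on the added `[ST_F_PROTO]` line is far terser than the neighbouring entries, which state what the field measures and its scope ("... processed by this object since the worker process started"); a description in the same style, saying which protocol of which object the field reports, would keep consumers such as the Lua `get_stats` output consistent. Since the message notes this is the second time an ST_F_ field was added without a matching `stat_fields` entry (a46b142e8807ea640e041d3a29e3fd427844d559 fixed the previous one), consider a follow-up that asserts at build or startup that every index below ST_F_TOTAL_FIELDS has a non-NULL `.name`, so the next omission fails loudly instead of silently breaking `get_stats`. Unrelated to this fix, the unchanged context line for `[ST_F_H2REQ]` reads "hTTP/2"; worth a separate typo patch.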
@Wolfssl: any plans to add "ECH (Encrypted client hello) support" and question about Roadmap
Hi,

As we have now a shiny new LTS let's take a look into the future :-)

As the Wolfssl looks like a good future alternative for OpenSSL is there any plan to add ECH (Encrypted client hello) ( https://github.com/haproxy/haproxy/issues/1924 ) into Wolfssl?

Is there any Idea which feature is planned to be added by HAProxy Company from the feature requests https://github.com/haproxy/haproxy/labels/type%3A%20feature ?

Regards
Alex