RE: haproxy log

2015-12-21 Thread Cohen Galit
Thanks for your answer.

1. The prints are ok? They are printed only when tcp connections are not 
received by the server. What is the meaning of these numbers?

Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 [13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 442/442/442/88/0 0/0

2. The maxconn is much more than we need and test.

-Original Message-
From: Cyril Bonté [mailto:cyril.bo...@free.fr]
Sent: Sunday, December 20, 2015 3:51 PM
To: Cohen Galit
Cc: haproxy@formilux.org
Subject: Re: haproxy log





On 20/12/2015 14:06, Cohen Galit wrote:
> Guys,
>
> We really need your advice here.

Without any context, I guess you won't have any advice from anyone.
You made some load tests, you have logs... and... well, nothing, no
other description.

2 things:
- consider adding some maxconn to your "server" lines
- ensure your load tests don't exhaust tcp ports.


RE: haproxy log

2015-12-20 Thread Cohen Galit
Guys,

We really need your advice here.



RE: haproxy log

2015-12-15 Thread Cohen Galit
I'm talking about the prints in logs:

Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.146:34747 
[13/Dec/2015:10:55:05.698] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/ 966 -- 
447/447/447/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17565 
[13/Dec/2015:10:55:06.032] HAProxy_VVM HAProxy_VVM/cas-au132 1/0/ 1239 -- 
443/443/443/89/0 0/0



FW: haproxy log

2015-12-14 Thread Cohen Galit
Hello!

Can you examine the logger below?
I'm afraid I have a configuration problem in haproxy config, maybe in one of 
the timeout limits.
These lines are printed only after load tests are starting to  fail over tcp 
against 5 imap servers round robin.

We are load testing over than  1M create sockets.

Here is the configuration:

global
    log 127.0.0.1  local0 debug  #emerg  alert  crit   err warning notice info  debug
    maxconn 90096
    tune.ssl.default-dh-param 2048
    uid 55301
    gid 55301

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    retries 3
    maxconn 90096
    timeout client 60
    timeout server 6
    timeout connect 5000

listen HAProxy_VVM
    log global
    option tcplog
    mode tcp
    bind :50143 name VVM_PLAIN
    bind :50443 name VVM_SSL
    #bind :50993 name VVM_TLS
    balance roundrobin
    #option tcp-check
    #tcp-check connect port 50443 ssl  # USED FOR MIST VVM HEALTH CHECK. DO NOT COMMENT OR CHANGE THIS LINE.
    #tcp-check expect string *\ OK
    maxconn 90096
    timeout client 60
    timeout server 12
    timeout connect 5000
    #server mips 10.45.92.35 check verify none inter 3
    server cas-au53 10.106.75.53 check verify none inter 3
    server cas-au61 10.106.75.61 check verify none inter 3
    server cas-au62 10.106.75.62 check verify none inter 3
    server cas-au63 10.106.75.63 check verify none inter 3
    server cas-au132 10.106.138.132 check verify none inter 3



Thanks,
Galit

From: Kuterman Itzik
Sent: Sunday, December 13, 2015 12:09 PM
To: Cohen Galit
Subject: haproxy log?


Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.146:34747 
[13/Dec/2015:10:55:05.698] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/ 966 -- 
447/447/447/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.163:63043 
[13/Dec/2015:10:55:05.751] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 966 -- 
445/445/445/89/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.166:49649 
[13/Dec/2015:10:55:05.807] HAProxy_VVM HAProxy_VVM/cas-au53 1/0/10004 966 -- 
443/443/443/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:15 localhost.localdomain haproxy[11803]: 10.106.161.162:14719 
[13/Dec/2015:10:55:05.923] HAProxy_VVM HAProxy_VVM/cas-au61 1/0/9998 1239 -- 
442/442/442/88/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17564 
[13/Dec/2015:10:55:06.025] HAProxy_VVM HAProxy_VVM/cas-au63 1/0/ 1238 -- 
443/443/443/89/0 0/0
Dec 13 10:55:16 localhost.localdomain haproxy[11803]: 10.106.161.164:17565 
[13/Dec/2015:10:55:06.032] HAProxy_VVM HAProxy_VVM/cas-au132 1/0/ 1239 -- 
443/443/443/89/0 0/0
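
The numbers in the `option tcplog` lines quoted in this thread can be decoded field by field; the parser below is an added example, not part of the original messages. Field names follow HAProxy's TCP log format; `parse_tcplog`, `describe_state` and `summarize` are hypothetical helper names, and the last sample line is constructed.

```python
import re

# HAProxy TCP log format ("option tcplog"), after the syslog prefix:
#   client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt bytes_read
#   termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCPLOG = re.compile(
    r"haproxy\[(?P<pid>\d+)\]:\s+"
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+"
    r"\[(?P<accept_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    # Tw: ms spent in queues, Tc: ms to connect to the server, Tt: total session ms
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>\+?-?\d+)\s+"
    r"(?P<bytes_read>\+?\d+)\s+(?P<termination_state>\S{2})\s+"
    # concurrent connections: process / frontend / backend / server, then retries
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+)\s+"
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)\s*$"
)

INT_FIELDS = ("pid", "client_port", "Tw", "Tc", "Tt", "bytes_read", "actconn",
              "feconn", "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# First flag: what ended the session. Second flag: session state at that moment.
END_CAUSE = {"-": "normal end", "C": "aborted by client",
             "S": "aborted or refused by server", "P": "aborted by proxy",
             "R": "proxy resource exhausted", "I": "internal error",
             "c": "client-side timeout", "s": "server-side timeout"}
END_PHASE = {"-": "after transfer completed", "Q": "waiting in queue",
             "C": "connecting to server", "D": "data phase",
             "L": "sending last data to client"}


def parse_tcplog(line):
    """Return the fields of one tcplog line as a dict, or None if it does not parse."""
    m = TCPLOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def describe_state(state):
    """Translate the two termination flags into words."""
    cause = END_CAUSE.get(state[0], "other cause '%s'" % state[0])
    phase = END_PHASE.get(state[1], "other phase '%s'" % state[1])
    return "%s, %s" % (cause, phase)


def summarize(lines):
    """Per-server session count, worst total time, retries and abnormal endings."""
    report = {"unparsed": 0, "servers": {}}
    for line in lines:
        rec = parse_tcplog(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        srv = report["servers"].setdefault(
            rec["server"],
            {"sessions": 0, "max_Tt_ms": 0, "retries": 0, "abnormal": 0})
        srv["sessions"] += 1
        srv["max_Tt_ms"] = max(srv["max_Tt_ms"], rec["Tt"])
        srv["retries"] += rec["retries"]
        if rec["termination_state"] != "--":
            srv["abnormal"] += 1
    return report


PREFIX = "Dec 13 10:55:15 localhost.localdomain haproxy[11803]: "
SAMPLE = [
    # From the thread, rewrapped onto one line each.
    PREFIX + "10.106.161.166:49649 [13/Dec/2015:10:55:05.807] HAProxy_VVM "
             "HAProxy_VVM/cas-au53 1/0/10004 966 -- 443/443/443/88/0 0/0",
    PREFIX + "10.106.161.162:14719 [13/Dec/2015:10:55:05.923] HAProxy_VVM "
             "HAProxy_VVM/cas-au61 1/0/9998 1239 -- 442/442/442/88/0 0/0",
    # From the thread; the total-time field is missing in the archived copy.
    PREFIX + "10.106.161.146:34747 [13/Dec/2015:10:55:05.698] HAProxy_VVM "
             "HAProxy_VVM/cas-au53 1/0/ 966 -- 447/447/447/88/0 0/0",
    # Constructed: server-side timeout during the data phase, after one retry.
    PREFIX + "10.106.161.146:34750 [13/Dec/2015:10:55:05.100] HAProxy_VVM "
             "HAProxy_VVM/cas-au62 0/1/12003 0 sD 440/440/440/90/1 0/0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_tcplog(line)
        if rec is None:
            print("unparsed:", line[len(PREFIX):])
            continue
        print("%s Tw=%d Tc=%d Tt=%d ms, %d bytes, %s, srv_conn=%d" % (
            rec["server"], rec["Tw"], rec["Tc"], rec["Tt"], rec["bytes_read"],
            describe_state(rec["termination_state"]), rec["srv_conn"]))
    print(summarize(SAMPLE))
```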


"This e-mail message may contain confidential, commercial or privileged 
information that constitutes proprietary information of Xura, Inc. or its 
subsidiaries. If you are not the intended recipient of this message, you are 
hereby notified that any review, use or distribution of this information is 
absolutely prohibited and we request that you delete all copies and contact us 
by e-mailing to: secur...@xura.com. Thank You."


RE: SSLv2Hello is disabled

2015-12-03 Thread Cohen Galit


-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Wednesday, December 02, 2015 4:42 PM
To: Cohen Galit; Igor Cicimov
Cc: HAProxy
Subject: RE: SSLv2Hello is disabled



Hi Galit,

> I want to emphasize that the following test succeeded:
>
> [root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
>
> CONNECTED(0003)

Ok.

> Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
> Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I don't like this. Built against an older non-fips 0.9.8b while running
with 0.9.8e-fips. This could very well cause issues here.

Let me guess, RPMs have not been installed via the original repository,
but via third party RPM website from Google, right? That's not good.

[Cohen Galit]

I'm sorry, I can't answer that since I got this rpm as is..
I'll try to pack again the OpenSSL files (must work with rpm) from original 
repository and will let you know. Thanks.

> Should I just add to haproxy.cfg the following?
> force-tlsv10

Yes, you can try:

global
 ssl-default-server-options no-sslv3

or:

global
 ssl-default-server-options force-tlsv10

But I'm afraid it may be more complex than that ...

Regards,

Lukas








RE: SSLv2Hello is disabled

2015-12-03 Thread Cohen Galit
Already did.

Unfortunately same error in servers

-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Thursday, December 03, 2015 3:36 PM
To: Cohen Galit
Cc: HAProxy
Subject: RE: SSLv2Hello is disabled

Hi,

> I'll try to pack again the OpenSSL files (must work with rpm) from
> original repository and will let you know. Thanks.

Ok, but first try the other proposal (takes less time):

>> Should I just add to haproxy.cfg the following?
>> force-tlsv10
>
> Yes, you can try:
>
> global
> ssl-default-server-options no-sslv3
>
> or:
> global
> ssl-default-server-options force-tlsv10

Regards,

Lukas








RE: SSLv2Hello is disabled

2015-12-02 Thread Cohen Galit
Thanks, all, for your help!

For your questions:

I use openssl 0.9.8

Haproxy -vv:

[root@proxy-au51 ~]# haproxy -vv
HA-Proxy version 1.5.9 2014/11/25
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux26
  CPU = i686
  CC  = gcc
  CFLAGS  = -m32 -march=i686 -O2 -march=i686 -g -fno-strict-aliasing
  OPTIONS = USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1 USE_LIBCRYPT=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : no (version might be too old, 0.9.8f min needed)
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 6.6 06-Feb-2006
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Currently only the server requires authentication in TLS only (!) and the 
haproxy configured as check verify none for all servers.

-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Wednesday, December 02, 2015 11:25 AM
To: Igor Cicimov
Cc: Cohen Galit; HAProxy
Subject: RE: SSLv2Hello is disabled

>>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. It's not about SSLv2
>> or SSLv3, it's about the hello format.
> Which can also be used by sslv3 clients hence my comment.

True, but disabling or enabling SSLv3 doesn't impact the hello format
behavior in OpenSSL afaik.

> However, haproxy unconditionally sets SSL_OP_NO_SSLv2, which
> makes openssl not use the SSLv2 Hello, so I don't see why this would
> happen.

This is the openssl behavior since 0.9.8:
http://cp.mcafee.com/d/avndxNJ5xwQsToupK-rKrjhpKCOyyCYrhhhsKYUM-qejqqbdSknxPP9IKyr8WvavmGj-0a3SUXOVIfrzLbCXKL4fvsvW_cEThuKPRXBQSrIsUMyyY-NR4kRHFGTohVkffGhBrwqrhdECXY-UUOYevovsdTdAVPmEBC4pj9JAenOGTMFg_aHv2B3YnlBfbemjZB5BZ11OPHGq90wNp2X-IL6zB4w-WwxZS3hOe76PSOFoKOe1heINfBPqrybxI5zihEw61waCkMLVVZjh1axEwgBji1_E6QT3uqJKGV6N

Maybe the OP uses an ancient openssl version (<= 0.9.7).
Galit, can you provide the output of "haproxy -vv"?
Also please clarify if you are authenticating the client and/or the server.

Providing a tcpdump of this failed handshake would also be helpful.

Regards,

Lukas
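
The distinction drawn in this exchange, between the SSLv2 hello format and the protocol version it offers, is visible in the first bytes of a captured handshake. The classifier below is an added example, not part of the original messages; `classify_first_flight`, `trips_sslv2hello_check` and both sample byte strings are constructed for illustration.

```python
import struct

# Wire versions as (major, minor); SSLv2 is 0x0002 on the wire.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def _name(major, minor):
    return VERSIONS.get((major, minor), "unknown(0x%02x%02x)" % (major, minor))


def classify_first_flight(data):
    """Classify the first bytes a client sent on an SSL/TLS port."""
    if len(data) < 5:
        return {"format": "truncated"}
    # SSLv2 record: 2-byte header with the high bit set, then message type
    # 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        record_len = ((data[0] & 0x7F) << 8) | data[1]
        info = {"format": "SSLv2Hello", "record_length": record_len,
                "offered_version": _name(data[3], data[4])}
        if len(data) >= 11:
            cipher_len, sid_len, chal_len = struct.unpack(">HHH", data[5:11])
            info["cipher_specs"] = cipher_len // 3  # 3 bytes per v2 cipher spec
            info["well_formed"] = record_len == 9 + cipher_len + sid_len + chal_len
        return info
    # SSLv3/TLS record: content type 22 (handshake), record version, length,
    # then handshake type 1 (ClientHello) carrying client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        info = {"format": "TLS record", "record_version": _name(data[1], data[2]),
                "record_length": struct.unpack(">H", data[3:5])[0]}
        if len(data) >= 11 and data[5] == 0x01:
            info["client_version"] = _name(data[9], data[10])
        return info
    return {"format": "unknown"}


def trips_sslv2hello_check(info):
    """True when a peer that refuses SSLv2-format hellos would reject this,
    whatever protocol version the hello offers."""
    return info["format"] == "SSLv2Hello"


def sample_sslv2_hello():
    """Constructed SSLv2-format CLIENT-HELLO that offers TLSv1.0."""
    specs = bytes.fromhex("00002f010080")      # two 3-byte cipher specs
    challenge = bytes(range(16))
    body = (bytes([0x01, 0x03, 0x01])
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def sample_tls_hello():
    """Constructed TLSv1.0 ClientHello in an SSLv3/TLS record."""
    body = (bytes([0x03, 0x01]) + bytes(32) + b"\x00"
            + struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, raw in (("v2-format hello", sample_sslv2_hello()),
                       ("TLS-record hello", sample_tls_hello())):
        info = classify_first_flight(raw)
        print(label, info, "rejected:", trips_sslv2hello_check(info))
```

Both constructed hellos offer TLSv1.0; only the framing differs, and the framing is what the `SSLv2Hello is disabled` exception reports.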








SSLv2Hello is disabled

2015-12-01 Thread Cohen Galit
Hello,

When HAProxy 1.5.9 is trying to sample our servers with this configuration: 
tcp-check connect port 50443 ssl

Our servers return an error:

2015-11-29 09:48:18,155 [StartPoint-IMAP-SSL-Worker(14)] 
[e8d05153-267f-4378-9a97-5245391ffe26] [] ERROR 
connection.SSLHandshakeStartPointListener 
(SSLHandshakeStartPointListener.java:onFailure :80) - SSL/TLS handshake failed 
with client identified by /10.106.75.51:35892
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled


Please advise,

Thanks,

Galit Cohen
Comverse



FW: SSL offloading in HAProxy

2015-07-15 Thread Cohen Galit
Hello HAProxy team,

I see that the SSL offloading for http protocol is already supported ( 
http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )
I would like to know if there is an option of SSL offloading for IMAP protocol.

Thanks,
Galit

From: Avrahami David
Sent: Wednesday, July 01, 2015 3:50 PM
To: Cohen Galit
Cc: Sabban Gili; Meltser Tiran
Subject: SSL offloading in HAProxy

Hi Galit,

Can you please post the below question to HAProxy forum?

I see that the SSL offloading for http protocol is already supported ( 
http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
 )
I would like to know if there is an option of SSL offloading for IMAP protocol.


Best Regards,
David Avrahami
Security SE
Tel: +972-3-6452374
Mobile: +972-544382374
Email: david.avrah...@comverse.com


This e-mail message may contain confidential, commercial or privileged 
information that constitutes proprietary information of Comverse Inc. or its 
subsidiaries. If you are not the intended recipient of this message, you are 
hereby notified that any review, use or distribution of this information is 
absolutely prohibited and we request that you delete all copies and contact us 
by e-mailing to: secur...@comverse.com. Thank You.


Graceful shutdown

2015-04-05 Thread Cohen Galit
Hello HAProxy team,

How can I perform a graceful shutdown to HAProxy?
I mean, not by killing process with pid.

Thanks,
Galit



RE: Logging to file when HAProxy failed to start

2015-02-17 Thread Cohen Galit
Hello HAProxy team,

We will appreciate your answer for the question below.

Thanks, Galit

From: Yosef Amir
Sent: Tuesday, February 10, 2015 5:08 PM
To: HAProxy
Cc: Cohen Galit; Yosef Amir
Subject: Logging to file when HAProxy failed to start


Hi,
Currently, when HAProxy fails to initialize (e.g. invalid haproxy.cfg options), it 
writes the error to the screen.
Is there an option for HAProxy to write to a log file when it fails to initialize?

Example:
[root@proxy-au2 ~]# haproxy -f /usr/cti/conf/haproxy/haproxy.cfg
[ALERT] 040/172141 (12460) : Starting proxy HAProxy_DirectDeposit: cannot bind socket [0.0.0.0:50025]


In this example: HAProxy alert - cannot bind socket.
How can I get this kind of alert, which stops HAProxy from starting, written to a log 
file?

Thanks
Amir Yosef



  


RE: haproxy rpm

2015-01-19 Thread Cohen Galit
Thanks, guys.

I added the following to spec in order to stop stripping the haproxy binary and 
it worked fine:

%define __os_install_post   %{nil}


From: Yuan Long [mailto:yuan.l...@chinanetcloud.com]
Sent: Monday, January 19, 2015 6:19 PM
To: Tait Clarridge
Cc: haproxy@formilux.org; Cohen Galit
Subject: Re: haproxy rpm

This was enough for me 
http://pkgs.org/search/haproxy

Regards,

Long Wu Yuan 龙 武 缘
Sr. Linux Engineer 高级工程师
ChinaNetCloud 云络网络科技(上海)有限公司 | 
www.ChinaNetCloud.com
1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空间1-601室

24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946
We are hiring! 
http://careers.chinanetcloud.com
  | Customer Portal - 
https://customer-portal.service.chinanetcloud.com/


On Mon, Jan 19, 2015 at 10:07 PM, Tait Clarridge 
t...@clarridge.ca wrote:
On Mon, Jan 19, 2015 at 8:59 AM, Cohen Galit 
galit.co...@comverse.com wrote:
 Hi,



 I have a problem in packaging the haproxy binary into an rpm.



 I am using a regular cp command in %install section of spec, but I see that
 after the copying, the file size is changed and I suspect it is corrupted.



 Can you advise what I'm doing wrong?

Hi Cohen,

Have you taken a look at the spec file from a source RPM for Haproxy?
Here are some builds from fedora/epel:
http://koji.fedoraproject.org/koji/packageinfo?packageID=5025

You can click on one of the builds, grab the source RPM and rebuild
locally (and tweak if necessary).

In my opinion, this is not really a question for the HAProxy mailing
list. RPM packaging issues are better suited for your distro
development mailing list.

Tait




haproxy rpm

2015-01-19 Thread Cohen Galit
Hi,

I have a problem in packaging the haproxy binary into an rpm.

I am using a regular cp command in %install section of spec, but I see that 
after the copying, the file size is changed and I suspect it is corrupted.

Can you advise what I'm doing wrong?

Thanks.
