Re: HAProxy with Exchange 2016

2020-10-31 Thread Gibson, Brian (IMS)
I haven't tried 2016 but it works with mapi over https on 2013 so it should be 
fine.

Sent from Nine

From: Issam Ben Rejeb 
Sent: Saturday, October 31, 2020 10:49 AM
To: haproxy@formilux.org
Subject: HAProxy with Exchange 2016

Hello,

I want to know if HAProxy works with MS Exchange 2016 and client Outlook 
Anywhere.
The client Outlook Anywhere uses the MAPI over HTTPS protocol.

I didn't find any information about this on the web.

Regards,
Issam BEN REJEB




Information in this e-mail may be confidential. It is intended only for the 
addressee(s) identified above. If you are not the addressee(s), or an employee 
or agent of the addressee(s), please note that any dissemination, distribution, 
or copying of this communication is strictly prohibited. If you have received 
this e-mail in error, please notify the sender of the error.



Re: IP binding and standby health-checks

2020-10-20 Thread Gibson, Brian (IMS)
I think what you need is a stick-table and peers setup.

https://www.haproxy.com/blog/emulating-activepassing-application-clustering-with-haproxy/

Sent from Nine

From: Dave Hall 
Sent: Monday, October 19, 2020 11:38 PM
To: HAProxy
Subject: IP binding and standby health-checks

Hello,

I'm new to this list and somewhat new to HAProxy.  Before posting I scanned the 
archives and found a thread from 2015 that seems to apply to my situation:

IP binding and standby health-checks 
https://www.mail-archive.com/haproxy@formilux.org/msg18728.html

The specifics of our setup:

  *   HAProxy Active/Standby pair using keepalived and a virtual IP.
  *   Load balance SSH connections to a group of user access systems 
(long-running Layer 4 connections).
  *   Using Fail2Ban to protect against password attacks, so using 
send-proxy-v2 and go-mmproxy to present client IP to target servers.

Our objective is to preserve connections through a fail-over.  It would seem 
that it is necessary to use the virtual IP as the source address for 
connections to the target servers.  The problem, though, is how to get HAProxy 
not to use the virtual IP for health checks.  Since the HAProxy code-base has 
likely evolved since 2015 I'd like to know the current recommended approach for 
this situation.

Thanks.

-Dave

--
Dave Hall
Binghamton University




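The setup above relies on send-proxy-v2 on the HAProxy server lines and go-mmproxy on the SSH hosts so that Fail2Ban sees the real client address rather than the VIP. The script below is an added example, not from this thread and not HAProxy or go-mmproxy code: it builds the binary PROXY protocol v2 header HAProxy emits for an IPv4/TCP connection and decodes it again, with constructed addresses and ports. The caveat a practitioner needs alongside this setup: nothing in the header is authenticated, so go-mmproxy (or anything else that consumes it) must only accept it from the load balancer's addresses; otherwise anyone who can reach the target port directly can claim an arbitrary client IP and get Fail2Ban to ban, or exonerate, the wrong address.

```sh
#!/bin/sh
# Added example (not from the thread or from HAProxy): build and decode the
# PROXY protocol v2 header that HAProxy emits for an IPv4/TCP connection when a
# server line carries "send-proxy-v2", i.e. what go-mmproxy strips off before
# handing the connection to sshd.
set -eu

# Emit one raw byte from a decimal value 0-255.
byte() {
  printf "\\$(printf '%03o' "$1")"
}

# Emit a dotted-quad IPv4 address as four raw bytes.
ip4_bytes() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do byte "$octet"; done
}

# Emit a port number as two big-endian bytes.
port_bytes() {
  byte $(( $1 / 256 ))
  byte $(( $1 % 256 ))
}

# proxy_v2_header SRC_IP DST_IP SRC_PORT DST_PORT
# 12-byte signature, then 0x21 (version 2, command PROXY), 0x11 (AF_INET, STREAM),
# a 16-bit length of 12, then source/destination address and source/destination port.
proxy_v2_header() {
  printf '\r\n\r\n\000\r\nQUIT\n'
  byte 33; byte 17; byte 0; byte 12
  ip4_bytes "$1"; ip4_bytes "$2"
  port_bytes "$3"; port_bytes "$4"
}

# proxy_v2_decode  (reads the first bytes of a connection from stdin)
# Prints "PROXY TCP4 src:port dst:port", or "LOCAL" for the address-less header
# HAProxy sends on health checks. Returns 1 for anything that is not a v2 header.
# Nothing here is authenticated: whatever consumes this must also only accept it
# from the load balancer's own addresses.
proxy_v2_decode() {
  set -- $(od -An -v -tu1 | tr -s ' \n' ' ')
  [ $# -ge 16 ] || return 1
  sig="$1 $2 $3 $4 $5 $6 $7 $8 $9 ${10} ${11} ${12}"
  [ "$sig" = "13 10 13 10 0 13 10 81 85 73 84 10" ] || return 1
  [ $(( ${13} / 16 )) -eq 2 ] || return 1            # version nibble must be 2
  cmd=$(( ${13} % 16 ))
  len=$(( ${15} * 256 + ${16} ))
  if [ "$cmd" -eq 0 ]; then echo LOCAL; return 0; fi  # LOCAL carries no address block
  [ "$cmd" -eq 1 ] || return 1
  [ "${14}" -eq 17 ] || return 1                      # only AF_INET/STREAM handled here
  [ "$len" -ge 12 ] && [ $# -ge 28 ] || return 1
  echo "PROXY TCP4 ${17}.${18}.${19}.${20}:$(( ${25} * 256 + ${26} )) ${21}.${22}.${23}.${24}:$(( ${27} * 256 + ${28} ))"
}

# Demo with constructed addresses: a client reaching an SSH host through the VIP.
proxy_v2_header 203.0.113.7 10.0.0.5 51000 22 | proxy_v2_decode
```

Pipe the first 28 bytes of a real connection captured on the SSH host (for example with tcpdump) into proxy_v2_decode to confirm what the load balancer actually sends; a plain SSH banner is rejected because it does not start with the signature.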



RE: travis-ci: should we drop openssl-1.1.0 and replace it with 3.0 ?

2019-11-19 Thread Gibson, Brian (IMS)
Maybe after they stop security fixes we can drop 1.1.0.  I know there are many 
distributions still in support that use this branch.  3.0 doesn’t exist yet, 
and won’t until later in 2020 which is unfortunate since that means there will 
be no FIPS validated branch for several months.

From: Илья Шипицин [mailto:chipits...@gmail.com]
Sent: Tuesday, November 19, 2019 12:48 PM
To: HAProxy 
Subject: Re: travis-ci: should we drop openssl-1.1.0 and replace it with 3.0 ?

well, we can actually build a bigger matrix by adding builds. I just want to save 
some electricity on unneeded builds.

Tue, 19 Nov 2019 at 22:41, Илья Шипицин <chipits...@gmail.com>:
hello,

https://www.openssl.org/source/ says "The 1.1.0 series is currently only 
receiving security fixes and will go out of support on 11th September 2019"


what if we drop it ? and replace with 3.0 ?

cheers,
Ilya Shipitcin





Re: Loading multiple TLS certificates

2019-05-13 Thread Gibson, Brian (IMS)
I personally use separate files to make it easier for my own sanity.

Sent from Nine

From: Norman Branitsky 
Sent: Monday, May 13, 2019 4:57 PM
To: haproxy@formilux.org
Subject: Loading multiple TLS certificates

For the first time, I have a client that refused to let me use a wildcard 
certificate.
So I submitted 6 separate CSRs and now have 6 separate certificates and 6 
separate keys.
The intermediate certificates all appear to be the same.
So should I create 6 separate PEM files containing the certificate, the 
intermediates, and the key,
or should I create a single PEM file containing all 6 certificates, 6 keys, and 
1 intermediate file?

Norman Branitsky
Senior Cloud Architect
MicroPact Toronto
416.916.1752 (61752)



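Separate files, as Brian suggests, also let HAProxy pick the right certificate by SNI when the bind line points at a directory. The script below is an added example, not from this thread or from HAProxy, of building those per-hostname bundles safely: it writes a bundle only after proving the private key belongs to the certificate and that the certificate chains to the root through the supplied intermediate, and it creates the files mode 0600 because each one carries a key. The throwaway root, intermediate and hostnames are constructed for the demo; in practice the leaf, chain and key files come from the CA and the six CSRs. It needs the openssl command line tool.

```sh
#!/bin/sh
# Added example (not from the thread or from HAProxy): one PEM bundle per hostname
# for a "bind ... ssl crt /etc/haproxy/certs/" directory, written only after the
# key is proven to belong to the certificate and the chain verifies. Needs openssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

# SHA-256 over the DER-encoded public key, from a certificate and from a private key.
pub_fp_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
pub_fp_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# make_bundle LEAF_CRT CHAIN_CRT KEY ROOT_CRT OUT_PEM
# HAProxy reads the bundle in this order: leaf certificate, intermediates, private key.
make_bundle() {
  leaf=$1; chain=$2; key=$3; root=$4; out=$5
  if [ "$(pub_fp_cert "$leaf")" != "$(pub_fp_key "$key")" ]; then
    echo "refusing $out: $key does not match $leaf" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
    echo "refusing $out: $leaf does not chain to $root via $chain" >&2
    return 1
  fi
  umask 077                                   # the bundle holds the private key
  cat "$leaf" "$chain" "$key" > "$out"
  echo "wrote $out"
}

# Throwaway PKI (constructed for the demo): root -> intermediate -> two leaves.
# In production the leaf, chain and key come from the CA and your CSR process.
demo_pki() {
  dir=$1
  mkdir -p "$dir/certs"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.crt" -subj /CN=Demo-Root -days 1 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" -subj /CN=Demo-Intermediate 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" -days 1 2>/dev/null
  for host in a.example.com b.example.com; do
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
      -CAcreateserial -out "$dir/$host.crt" -days 1 2>/dev/null
  done
}

work=$(mktemp -d)
demo_pki "$work"
for host in a.example.com b.example.com; do
  make_bundle "$work/$host.crt" "$work/int.crt" "$work/$host.key" "$work/root.crt" "$work/certs/$host.pem"
done
# The classic slip with six certificates and six keys: the wrong key for a host is rejected.
if make_bundle "$work/a.example.com.crt" "$work/int.crt" "$work/b.example.com.key" "$work/root.crt" "$work/certs/wrong.pem"; then
  echo "BUG: mismatched key accepted" >&2
  exit 1
fi
```

Point the bind line at the directory (bind :443 ssl crt /etc/haproxy/certs/) and HAProxy loads every bundle in it, selecting by the SNI the client sends; a bundle that fails the key check above would otherwise only surface as a load error or, worse, as the wrong certificate being served for a name.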



RE: SSL termination with HA proxy

2019-04-15 Thread Gibson, Brian (IMS)
You need to run haproxy -vv, not haproxy -v.  Your output should look something 
like this:
haproxy -vv
HA-Proxy version 1.8.19 2019/02/11
Copyright 2000-2019 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 
USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.1b  26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace

From: bhanu chandra suman [mailto:bhanuchandra.su...@gmail.com]
Sent: Monday, April 15, 2019 11:56 AM
To: Aleksandar Lazic 
Cc: haproxy 
Subject: Re: SSL termination with HA proxy


root@ip-172-31-80-163:~# uname -a
Linux ip-172-31-80-163 4.15.0-1035-aws #37-Ubuntu SMP Mon Mar 18 16:15:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-80-163:~# haproxy -v
HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>



On Mon, Apr 15, 2019 at 8:58 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
Hi.

Please keep the Mailinglist in the loop.

Am 15.04.2019 um 17:27 schrieb bhanu chandra suman:
> image.png

It's not easy to copy text from screenshots, so please copy text into the mail.

Please use 2 v.

haproxy -vv

Thanks.

> On Mon, Apr 15, 2019 at 8:53 PM Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> Hi.
>
> Am 15.04.2019 um 17:19 schrieb bhanu chandra suman:
> > Hi Team,
> >
> > I installed haproxy on an Ubuntu machine, and after that I edited the
> > haproxy.cfg file.
>
> Please can you tell us more about this.
>
> haproxy -vv
> uname -a
>
> > bind *:18083
> > mode http
> > default_backend backendnodes
> > backend backendnodes
> > balance roundrobin
> > option forwardfor
> > server node1 x.x.x.x:18083 check
> > server node2 x.x.x.x:18083 check
> > listen stats
> > bind :32700
> > stats enable
> > stats uri /
> > stats hide-version
> > stats auth user:password
> > It's working fine, but I need SSL termination with HA proxy.
> > Could you please help me with this issue?
>
> Please take a look into this blog post which describes how TLS/SSL 
> Termination
> works in haproxy.
>
> 
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>
> > --
> > S.B.C.Suman
>
> Regards
> Aleks
>
>
>
> --
> S.B.C.Suman
> +91 9989894950.


--
S.B.C.Suman
+91 9989894950.



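The blog post Aleks links covers the mechanics of moving termination into HAProxy. The script below is an added example, not from this thread and not HAProxy's own documentation: it writes the poster's plain listener (the frontend name http_in and the 192.0.2.x node addresses are assumed, since the original omitted them) beside a TLS-terminating version with a TLS 1.2 floor, an HTTP to HTTPS redirect, HSTS, and the stats page moved off the wildcard address, then runs a small lint over both. The lint (check_cfg) is illustrative and only catches two mistakes that a syntactically valid config can still contain; haproxy -c -f is the authoritative check once the binary and the certificate directory exist.

```sh
#!/bin/sh
# Added example (not from the thread or from HAProxy): the poster's plain-HTTP
# listener beside a TLS-terminating version, plus a small lint for two mistakes
# that survive "haproxy -c": no TLS floor, and a stats page bound to every interface.
set -eu

# The configuration as posted, with an assumed frontend name and node addresses.
write_plain_cfg() {
cat > "$1" <<'EOF'
frontend http_in
    bind *:18083
    mode http
    default_backend backendnodes

backend backendnodes
    mode http
    balance roundrobin
    option forwardfor
    server node1 192.0.2.11:18083 check
    server node2 192.0.2.12:18083 check

listen stats
    bind :32700
    mode http
    stats enable
    stats uri /
    stats hide-version
    stats auth user:password
EOF
}

# Same service, terminating TLS in HAProxy (syntax valid for 1.8 and later).
write_tls_cfg() {
cat > "$1" <<'EOF'
global
    # Floor at TLS 1.2 for every "ssl" bind; tune the cipher list to your clients.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    bind *:80
    # /etc/haproxy/certs/ holds one PEM per hostname (cert, chain, key); HAProxy picks by SNI.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    default_backend backendnodes

backend backendnodes
    balance roundrobin
    option forwardfor
    server node1 192.0.2.11:18083 check
    server node2 192.0.2.12:18083 check

listen stats
    # Reachable from the host (or over an SSH tunnel) only, never from the internet.
    bind 127.0.0.1:32700
    stats enable
    stats uri /
    stats hide-version
    stats auth user:password
EOF
}

# check_cfg FILE: 0 when a TLS floor is set and no section with "stats enable"
# binds a wildcard address; prints one line per finding. Structure check only.
check_cfg() {
  awk '
    /^[a-z]/ { section = $1 " " $2 }
    /^[ \t]*ssl-default-bind-options/ && /ssl-min-ver[ \t]+TLSv1\.[23]/ { floor = 1 }
    /^[ \t]*bind[ \t]/ { bind[section] = bind[section] " " $2 }
    /^[ \t]*stats[ \t]+enable/ { stats[section] = 1 }
    END {
      rc = 0
      if (!floor) { print "no TLS floor: set ssl-default-bind-options ssl-min-ver TLSv1.2"; rc = 1 }
      for (s in stats) {
        n = split(bind[s], a, " ")
        for (i = 1; i <= n; i++)
          if (a[i] ~ /^(\*|0\.0\.0\.0|\[::\])?:[0-9]+$/) { print s ": stats page bound to all interfaces (" a[i] ")"; rc = 1 }
      }
      exit rc
    }' "$1"
}

work=$(mktemp -d)
write_plain_cfg "$work/plain.cfg"
write_tls_cfg "$work/tls.cfg"
for f in plain tls; do
  if check_cfg "$work/$f.cfg"; then echo "$f.cfg: ok"; else echo "$f.cfg: needs attention"; fi
done
# Authoritative check once haproxy and /etc/haproxy/certs/ are in place:
#   haproxy -c -f "$work/tls.cfg"
```

Change the stats credentials before deploying either file; the user:password pair is carried over from the thread as a placeholder.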


Re: acme proxy for internal use

2018-12-01 Thread Gibson, Brian (IMS)
I've used Lua or Apache web server depending on the environment.  Haproxy 
doesn't do this natively.

Sent from Nine

From: Joel Linn 
Sent: Saturday, December 1, 2018 4:17 PM
To: haproxy@formilux.org
Subject: acme proxy for internal use

Hi,

I want to use letsencrypt for services in my intranet.
The acme protocol demands that a challenge response is published under
http://certname.domain.tld/.well-known/acme-challenge/xyz
All subdomains under domain.tld get forwarded from the internet to a
haproxy on the intranet.

What I need haproxy to do is to simply proxy those requests to the
services that are resolved by local split dns where the challenge
response is hosted.
Having a rule to filter /.well-known/acme-challenge/ is easy of
course...
I'm having trouble finding out what the backend configuration needs to
be.
I figured this would be possible with lua but I hope there is a cleaner
solution.

Thanks for your help,
Joel




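Brian's answer reflects HAProxy as it stood in 2018. From HAProxy 2.0 onward, http-request do-resolve lets the proxy look the Host header up in a resolvers section at request time and set-dst the outgoing connection to whatever split DNS returns, which is the cleaner solution the poster was after. The script below is an added example, not from this thread or from HAProxy: it writes such a configuration so it can be validated with haproxy -c where the binary is available. The resolver address, the domain.tld suffix and the variable name txn.acme_ip are assumptions. The line that matters for safety is the Host suffix check: without it, the forwarder lets anyone on the internet reach port 80 on any name the internal DNS can resolve (only under the ACME path, but that is still a foothold you do not want to hand out).

```sh
#!/bin/sh
# Added example (not from the thread or from HAProxy): forward only ACME HTTP-01
# challenge requests for our own domain to whatever internal split DNS resolves
# the Host header to. Needs HAProxy 2.0 or later for "http-request do-resolve".
set -eu

write_acme_cfg() {
cat > "$1" <<'EOF'
resolvers internal_dns
    # The split-horizon resolver that knows the intranet names (assumed address).
    nameserver ns1 10.0.0.53:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s

defaults
    mode http
    timeout connect 5s
    timeout client 10s
    timeout server 10s

frontend acme_in
    bind *:80
    acl acme_path path_beg /.well-known/acme-challenge/
    acl our_domain req.hdr(host),lower,word(1,:) -m end .domain.tld
    # Only ACME requests for our own names get forwarded; everything else is refused.
    http-request deny deny_status 404 unless acme_path our_domain
    # Resolve the Host header (port stripped) at request time into txn.acme_ip.
    http-request do-resolve(txn.acme_ip,internal_dns,ipv4) req.hdr(host),lower,word(1,:)
    http-request deny deny_status 502 unless { var(txn.acme_ip) -m found }
    default_backend acme_out

backend acme_out
    # Connect to the address split DNS returned; the server address is a placeholder.
    http-request set-dst var(txn.acme_ip)
    server acme_target 0.0.0.0:80
EOF
}

# validate_cfg FILE: "haproxy -c" when the binary is present, otherwise confirm
# the three lines that make this both functional and safe are in the file.
validate_cfg() {
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "$1"
    return
  fi
  grep -qF 'http-request deny deny_status 404 unless acme_path our_domain' "$1" &&
  grep -qF 'http-request do-resolve(txn.acme_ip,internal_dns,ipv4)' "$1" &&
  grep -qF 'http-request set-dst var(txn.acme_ip)' "$1"
}

cfg=$(mktemp)
write_acme_cfg "$cfg"
if validate_cfg "$cfg"; then
  echo "acme forwarder config looks complete: $cfg"
else
  echo "validation failed for $cfg" >&2
  exit 1
fi
```

On HAProxy 1.8, which the thread predates 2.0 by, do-resolve is not available and Brian's Lua or Apache approach remains the way to do it.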



Re: HA setup for HAProxy

2018-11-28 Thread Gibson, Brian (IMS)
I either use openshift or, if not using docker, I use keepalive.  There is plenty 
of documentation out on the internet on how to use either of these solutions.

Sent from Nine

From: Gold Star 
Sent: Wednesday, November 28, 2018 12:33 AM
To: HAProxy
Subject: HA setup for HAProxy

We use HAProxy for HTTP load balancing in our company. We run HAProxy inside a 
docker container. We would like to run multiple HAProxy containers for High 
Availability. In particular, we would like to:

  *   run say, 10 HAProxy containers (1 HAProxy per container) to handle the 
incoming traffic to our company
  *   have each of them be active (i.e. each of them processes roughly 
one-tenth of traffic)
  *   if one of the containers goes down, the remaining HAProxy instances 
should quickly and seamlessly take over the traffic share of the downed HAProxy

How can we achieve this?

Thanks!







RE: 'stick': unknown fetch method 'res.cook_beg'

2018-10-31 Thread Gibson, Brian (IMS)
Interesting, okay thanks guys!

-Original Message-
From: Cyril Bonté [mailto:cyril.bo...@free.fr]
Sent: Wednesday, October 31, 2018 8:47 PM
To: Gibson, Brian (IMS) ; James Brown 
Cc: HAProxy 
Subject: Re: 'stick': unknown fetch method 'res.cook_beg'

Hi,

Le 01/11/2018 à 01:33, Gibson, Brian (IMS) a écrit :
> Thanks for the response James, I’ll give that a shot.
>
> If that is indeed the case though, it seems that the documentation in
> section 7.3.6 should be reviewed.  That’s where I got the syntax I was
> using.

Well, the documentation is still valid but the syntax you used is only
valid for acls. This is true for all fetches preceded by "ACL derivatives".

--
Cyril Bonté





RE: 'stick': unknown fetch method 'res.cook_beg'

2018-10-31 Thread Gibson, Brian (IMS)
Thanks for the response James, I’ll give that a shot.

If that is indeed the case though, it seems that the documentation in section 
7.3.6 should be reviewed.  That’s where I got the syntax I was using.

From: James Brown [mailto:jbr...@easypost.com]
Sent: Wednesday, October 31, 2018 7:28 PM
To: Gibson, Brian (IMS) 
Cc: HAProxy 
Subject: Re: 'stick': unknown fetch method 'res.cook_beg'

I think the preferred format now is

req.cook(cookie_name) -m beg cookie_value

Check out §7.1.3 of the 
manual<http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.1.3> for 
more information.

On Tue, Oct 30, 2018 at 9:55 AM Gibson, Brian (IMS) <gibs...@imsweb.com> wrote:
I’m attempting to use a stick table to get all of a user's sessions when using 
shibboleth to point to the same backend server to simplify a few configurations 
I have on the backend.

Here is the specific code I’m using
  stick-table type string len 64 size 100k expire 15m peers mypeers
  stick store-response res.cook_beg(_shibboleth_)
  stick match req.cook_beg(_shibboleth_)

When I attempt to load that configuration file I get an error saying the 
message in the subject line.

For reference here is the output of haproxy –vv

HA-Proxy version 1.8.13 2018/07/30
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 
USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace





--
James Brown
Engineer





'stick': unknown fetch method 'res.cook_beg'

2018-10-30 Thread Gibson, Brian (IMS)
I'm attempting to use a stick table to get all of a user's sessions when using 
shibboleth to point to the same backend server to simplify a few configurations 
I have on the backend.

Here is the specific code I'm using
  stick-table type string len 64 size 100k expire 15m peers mypeers
  stick store-response res.cook_beg(_shibboleth_)
  stick match req.cook_beg(_shibboleth_)

When I attempt to load that configuration file I get an error saying the 
message in the subject line.

For reference here is the output of haproxy -vv

HA-Proxy version 1.8.13 2018/07/30
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 
USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.31 2018-02-12
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace





RE: HAproxy fails to start in CentOS with 'systemctl reload' ?

2018-10-22 Thread Gibson, Brian (IMS)
Ah you don’t need haproxy-systemd-wrapper with 1.8 branch.

Here is my systemd script I use, note I don’t install in the standard location 
so you will have to tweak it for your environment.

[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
# You can point the environment variable HAPROXY_STATS_SOCKET to a stats
# socket if you want seamless reloads.
Type=notify
Environment="HAPROXY_STATS_SOCKET=/var/run/haproxy.sock" 
"CONFIG=/usr/local/haproxy/conf/haproxy.conf" 
"PIDFILE=/var/run/haproxy-service.pid"
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f $CONFIG -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE
ExecReload=/usr/local/haproxy/sbin/haproxy -f $CONFIG -c -q -x 
$HAPROXY_STATS_SOCKET
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always

[Install]
WantedBy=multi-user.target

From: Imam Toufique [mailto:techie...@gmail.com]
Sent: Monday, October 22, 2018 8:09 PM
To: Gibson, Brian (IMS) 
Cc: haproxy 
Subject: Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

I recompiled with the SYSTEMD option.

[root@crsplabnet2 ~]# haproxy -vv
HA-Proxy version 1.8.14-52e4d43 2018/09/20
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace


But still no luck , I still get the error below:

[root@crsplabnet2 haproxy-1.8.14]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: start-limit) since Mon 2018-10-22 17:06:05 PDT; 10s 
ago
  Process: 7598 ExecStart=/usr/local/sbin/haproxy-systemd-wrapper -f 
/etc/haproxy/haproxy.cfg -p /run/haproxy.pid (code=exited, status=203/EXEC)
  Process: 7595 ExecStartPre=/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c 
-q (code=exited, status=0/SUCCESS)
 Main PID: 7598 (code=exited, status=203/EXEC)

Oct 22 17:06:05 crsplabnet2 systemd[1]: Unit haproxy.service entered failed 
state.
Oct 22 17:06:05 crsplabnet2 systemd[1]: haproxy.service failed.
Oct 22 17:06:05 crsplabnet2 systemd[1]: haproxy.service holdoff time over, 
scheduling restart.
Oct 22 17:06:05 crsplabnet2 systemd[1]: start request repeated too quickly for 
haproxy.service
Oct 22 17:06:05 crsplabnet2 systemd[1]: Failed to start HAProxy Load Balancer.
Oct 22 17:06:05 crsplabnet2 systemd[1]: Unit haproxy.service entered failed 
state.
Oct 22 17:06:05 crsplabnet2 systemd[1]: haproxy.service failed.


This binary ( or may be script ) /usr/local/sbin/haproxy-systemd-wrapper is not 
there.

--imam


On Mon, Oct 22, 2018 at 4:56 PM Gibson, Brian (IMS) <gibs...@imsweb.com> wrote:
I think you need to add USE_SYSTEMD=1 to your compile.

Sent from Nine<http://www.9folders.com/>

From: Imam Toufique <techie...@gmail.com>
Sent: Monday, October 22, 2018 7:49 PM
To: Gibson, Brian (IMS)
Cc: haproxy
Subject: Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

Thanks Brian, please see below:

[root@crsplabnet2 sbin]# /usr/sbin/haproxy -vv
HA-Proxy version 1.8.14-52e4d43 2018/09/20
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default 
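The unit Brian posted does a seamless reload by handing the listening sockets over through -x $HAPROXY_STATS_SOCKET; that only works when the global section's stats socket line carries expose-fd listeners, otherwise the new process has to bind afresh and the reload is not seamless. The script below is an added example, not from this thread or from HAProxy: a reload helper that checks the config for that line before doing anything, validates the new config while connected to the old process's socket, and then sends USR2 to the master, the same two steps as the unit's ExecReload lines. The paths mirror the unit's Environment= line and can be overridden; the two sample configs are constructed for the demo. Keep that socket at mode 600: whoever can connect to it can pull the listening sockets out of the running process.

```sh
#!/bin/sh
# Added example (not from the thread or from HAProxy): preflight for the seamless
# reload path the unit above relies on ("-x <stats socket>" plus SIGUSR2 to the
# master process).
set -eu

CONFIG=${CONFIG:-/usr/local/haproxy/conf/haproxy.conf}
HAPROXY_STATS_SOCKET=${HAPROXY_STATS_SOCKET:-/var/run/haproxy.sock}
PIDFILE=${PIDFILE:-/var/run/haproxy-service.pid}

# has_seamless_socket CONFIG SOCKET
# True when the global section declares SOCKET with "expose-fd listeners", which is
# what lets the new process inherit the listening sockets instead of re-binding.
has_seamless_socket() {
  awk -v sock="$2" '
    /^[a-z]/ { in_global = ($1 == "global") }
    in_global && /^[ \t]*stats[ \t]+socket[ \t]/ && $3 == sock && /expose-fd[ \t]+listeners/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# reload_haproxy: refuse a reload that would not be seamless, validate the new
# config while connected to the old process, then signal the master. This is
# what "systemctl reload haproxy" runs through the unit's ExecReload lines.
reload_haproxy() {
  if ! has_seamless_socket "$CONFIG" "$HAPROXY_STATS_SOCKET"; then
    echo "$CONFIG: $HAPROXY_STATS_SOCKET lacks 'expose-fd listeners'; the new process would have to re-bind" >&2
    return 1
  fi
  haproxy -f "$CONFIG" -c -q -x "$HAPROXY_STATS_SOCKET" || { echo "config check failed, not reloading" >&2; return 1; }
  kill -USR2 "$(cat "$PIDFILE")"
}

# Demo on two constructed configs; only the second qualifies.
demo() {
  d=$(mktemp -d)
  printf 'global\n    stats socket /var/run/haproxy.sock mode 600 level admin\n' > "$d/before.cfg"
  printf 'global\n    stats socket /var/run/haproxy.sock mode 600 level admin expose-fd listeners\n' > "$d/after.cfg"
  for f in before after; do
    if has_seamless_socket "$d/$f.cfg" /var/run/haproxy.sock; then
      echo "$f.cfg: seamless reload possible"
    else
      echo "$f.cfg: reload would NOT be seamless"
    fi
  done
}
demo
```

Run reload_haproxy from a wrapper or call it as the unit's ExecReload; a config that lacks the expose-fd listeners line still reloads, it just does so the old way, with a window in which new connections can be refused.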

Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

2018-10-22 Thread Gibson, Brian (IMS)
I think you need to add USE_SYSTEMD=1 to your compile.

Sent from Nine<http://www.9folders.com/>

From: Imam Toufique 
Sent: Monday, October 22, 2018 7:49 PM
To: Gibson, Brian (IMS)
Cc: haproxy
Subject: Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

Thanks Brian, please see below:

[root@crsplabnet2 sbin]# /usr/sbin/haproxy -vv
HA-Proxy version 1.8.14-52e4d43 2018/09/20
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv 
-fno-strict-overflow -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace




On Mon, Oct 22, 2018 at 4:47 PM Gibson, Brian (IMS) <gibs...@imsweb.com> wrote:
Can you reply with the output of haproxy -vv

Need to know your compile options.

Sent from Nine<http://www.9folders.com/>

From: Imam Toufique <techie...@gmail.com>
Sent: Monday, October 22, 2018 7:45 PM
To: haproxy
Subject: HAproxy fails to start in CentOS with 'systemctl reload' ?

Hi,

I ran into this twice in the last 2 days, where HAproxy fails to start in CentOS 
7.5.  I compiled the latest stable from source and it did not have any startup 
scripts in the tarball that I downloaded. So, I broke up an older RPM file from 
Fedora and used its /etc/init.d/haproxy script.  It works fine for 
stop/start/restart, etc. -- but I noticed that systemd is killing haproxy, 
most likely on 'reload'.

Here is 'systemctl status haproxy' output:

 haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is 
particularly suited for high availability environments.
   Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
   Active: failed (Result: signal) since Mon 2018-10-22 03:45:01 PDT; 6h ago
 Docs: man:systemd-sysv-generator(8)
  Process: 5939 ExecStop=/etc/rc.d/init.d/haproxy stop (code=exited, 
status=0/SUCCESS)
  Process: 5930 ExecReload=/etc/rc.d/init.d/haproxy reload (code=exited, 
status=0/SUCCESS)
  Process: 5387 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, 
status=0/SUCCESS)
 Main PID: 5937 (code=killed, signal=KILL)
   CGroup: /system.slice/haproxy.service

Oct 21 19:14:29 crsplabnet2 haproxy[5395]: Proxy http_front started.
Oct 21 19:14:29 crsplabnet2 haproxy[5387]: Starting haproxy: [  OK  ]
Oct 21 19:14:29 crsplabnet2 systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP 
reverse proxy which is particularly suited for high availability environments..
Oct 22 03:45:01 crsplabnet2 haproxy[5936]: Proxy http_front started.
Oct 22 03:45:01 crsplabnet2 haproxy[5936]: Proxy http_front started.
Oct 22 03:45:01 crsplabnet2 systemd[1]: Reloaded SYSV: HA-Proxy is a TCP/HTTP 
reverse proxy which is particularly suited for high availability environments..
Oct 22 03:45:01 crsplabnet2 systemd[1]: haproxy.service: main process exited, 
code=killed, status=9/KILL
Oct 22 03:45:01 crsplabnet2 haproxy[5939]: Shutting down haproxy: [FAILED]
Oct 22 03:45:01 crsplabnet2 systemd[1]: Unit haproxy.service entered failed 
state.
Oct 22 03:45:01 crsplabnet2 systemd[1]: haproxy.service failed.


Is there a different way this should be set up in CentOS 7.5? Some posts in GGL 
suggest a systemd-wrapper for HAproxy, but I do not see that in the source tarball 
or anywhere else.

Any suggestion would be very helpful.

Thanks.






Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

2018-10-22 Thread Gibson, Brian (IMS)
Can you reply with the output of haproxy -vv

Need to know your compile options.

Sent from Nine

From: Imam Toufique 
Sent: Monday, October 22, 2018 7:45 PM
To: haproxy
Subject: HAproxy fails to start in CentOS with 'systemctl reload' ?

Hi,

I ran into this twice in the last 2 days, where HAproxy fails to start in CentOS 
7.5.  I compiled the latest stable from source and it did not have any startup 
scripts in the tarball that I downloaded. So, I broke up an older RPM file from 
Fedora and used its /etc/init.d/haproxy script.  It works fine for 
stop/start/restart, etc. -- but I noticed that systemd is killing haproxy, 
most likely on 'reload'.

Here is 'systemctl status haproxy' output:

 haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is 
particularly suited for high availability environments.
   Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
   Active: failed (Result: signal) since Mon 2018-10-22 03:45:01 PDT; 6h ago
 Docs: man:systemd-sysv-generator(8)
  Process: 5939 ExecStop=/etc/rc.d/init.d/haproxy stop (code=exited, 
status=0/SUCCESS)
  Process: 5930 ExecReload=/etc/rc.d/init.d/haproxy reload (code=exited, 
status=0/SUCCESS)
  Process: 5387 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, 
status=0/SUCCESS)
 Main PID: 5937 (code=killed, signal=KILL)
   CGroup: /system.slice/haproxy.service

Oct 21 19:14:29 crsplabnet2 haproxy[5395]: Proxy http_front started.
Oct 21 19:14:29 crsplabnet2 haproxy[5387]: Starting haproxy: [  OK  ]
Oct 21 19:14:29 crsplabnet2 systemd[1]: Started SYSV: HA-Proxy is a TCP/HTTP 
reverse proxy which is particularly suited for high availability environments..
Oct 22 03:45:01 crsplabnet2 haproxy[5936]: Proxy http_front started.
Oct 22 03:45:01 crsplabnet2 haproxy[5936]: Proxy http_front started.
Oct 22 03:45:01 crsplabnet2 systemd[1]: Reloaded SYSV: HA-Proxy is a TCP/HTTP 
reverse proxy which is particularly suited for high availability environments..
Oct 22 03:45:01 crsplabnet2 systemd[1]: haproxy.service: main process exited, 
code=killed, status=9/KILL
Oct 22 03:45:01 crsplabnet2 haproxy[5939]: Shutting down haproxy: [FAILED]
Oct 22 03:45:01 crsplabnet2 systemd[1]: Unit haproxy.service entered failed 
state.
Oct 22 03:45:01 crsplabnet2 systemd[1]: haproxy.service failed.


Is there a different way this should be set up in CentOS 7.5? Some posts in GGL 
suggest a systemd-wrapper for HAproxy, but I do not see that in the source tarball 
or anywhere else.

Any suggestion would be very helpful.

Thanks.








Re: HAProxy / shibboleth ( SP ) authentication question

2018-10-13 Thread Gibson, Brian (IMS)
I have experience with this.  The main concern is that shibboleth needs to 
retain shared session data between all the service provider instances.  I 
accomplished this with a postgres database.  If you'd like more information you 
can contact me off line from the haproxy list since it's not really related.

Sent from Nine

From: Aleksandar Lazic 
Sent: Saturday, October 13, 2018 5:23 AM
To: Imam Toufique; haproxy
Subject: Re: HAProxy / shibboleth ( SP ) authentication question

Hi.

Am 13.10.2018 um 10:26 schrieb Imam Toufique:
> Hello,
>
> I have been searching for an answer whether HAProxy can forward authentication
> request from shibboleth SP.

With SP you mean Service Provider, right?

https://wiki.shibboleth.net/confluence/display/SP3

> Here is my proposed setup for delivering some web contents.
>
> A. load balancer is HAPorxy
> B. 3 web servers behind HA proxy
>
> -- > clients go to the proxy address: https://example.com
>
> --> shibboleth SP is installed on the LB node ( where HA proxy is running )
> --> HAPorxy will call in shibboleth for authentication
>
> --> 'valid-user' will be passed through HAProxy to the web server
>
> --> user will be granted access to the site.
>
> I am not sure if HAProxy has anything more than basic authentication support.
> At least I could not find anything.
>
> any feedback on this will be appreciated, very much.

I think https://github.com/TimWolla/haproxy-auth-request could help here; the
"Doc" is at https://bl.duesterhus.eu/20180119/ .

> thanks

Regards
Aleks







RE: Problems setting up SMTP health checks with Sophos email gateway

2018-09-28 Thread Gibson, Brian (IMS)
Thanks for the response, I had a feeling you were going to respond with 
something like that :)

I've opened a ticket with Sophos to get a resolution.

-Original Message-
From: li...@ltri.eu [mailto:li...@ltri.eu]
Sent: Friday, September 28, 2018 7:33 AM
To: Gibson, Brian (IMS) 
Cc: haproxy 
Subject: Re: Problems setting up SMTP health checks with Sophos email gateway

Hello,


On Thu, 27 Sep 2018 at 19:05, Gibson, Brian (IMS)  wrote:
>
> EHLO domain.com\r\n
>
> Which throws an error “501 Syntactically invalid EHLO argument(s)”
>
>
>
> If I telnet to the host, and manually use EHLO domain.com it works
> fine, but if I do EHLO domain.com\r\n it reproduces the error.

I don't know why Sophos would reject this. All (E)SMTP commands are supposed to 
be terminated by \r\n (CRLF), including EHLO:

https://tools.ietf.org/html/rfc1869#section-4.2


> I was wondering if there was a way that I'm not seeing in
> documentation to suppress the \r\n in the health check without writing a 
> custom check.

No, there is not.


Regards,
Lukas





Problems setting up SMTP health checks with Sophos email gateway

2018-09-27 Thread Gibson, Brian (IMS)
I have a very simple configuration that I've setup to handle load balancing 
with my Sophos email gateway.

listen smtp_relay
  bind IP:25
  mode tcp
  option smtpchk EHLO domain.com
  balance roundrobin
  server SMTPGATEWAY IP:25 check
  server ALTERNATEGATEWAY IP:25 backup check

According to the logs on the Sophos appliance the health checks are sending in 
this format

EHLO domain.com\r\n

Which throws an error "501 Syntactically invalid EHLO argument(s)"

If I telnet to the host, and manually use EHLO domain.com it works fine, but if 
I do EHLO domain.com\r\n it reproduces the error.

I also tested on my Postfix and Exchange servers, and they seem to handle the 
\r\n just fine, but the Email gateway freaks out.  I've sent a ticket in to 
them as well, but I was wondering if there was a way that I'm not seeing in 
documentation to suppress the \r\n in the health check without writing a custom 
check.

Thanks!



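The two messages above turn on one detail: every ESMTP command, EHLO included, must end in CRLF, and a check that cannot send CRLF is not a valid check. The following is an added example, not code from the thread or from HAProxy, of the "custom check" the original poster mentions: it builds the EHLO command with the mandatory terminator, rejects arguments that could smuggle a line break into the command, and parses single-line and multi-line replies so the check can tell a 250 from a 501. The hostname `lb.example.net`, the `ScriptedConn` transcript and the constructed reply strings are assumptions; `TcpConn` does the same exchange against a real port 25.

```python
"""Added example (not HAProxy's code): an ESMTP EHLO probe of the kind one
would script as a custom check. It sends EHLO terminated by CRLF, as
RFC 5321 / RFC 1869 require, and parses single- and multi-line replies.
The hostname lb.example.net and the transcripts below are constructed."""
import re
import socket

CRLF = b"\r\n"
# NNN, then either ' ' (last line) or '-' (continuation) and free text.
REPLY_LINE = re.compile(r"(\d{3})(?:([ -])(.*))?")


class IncompleteReply(ValueError):
    """Raised when the buffer does not yet hold a complete reply."""


def build_ehlo(domain: str) -> bytes:
    """Build 'EHLO <domain>\\r\\n'. The argument is limited to hostname and
    address-literal characters, so CR, LF or spaces can never turn one
    command into two."""
    if not re.fullmatch(r"[A-Za-z0-9.\-\[\]:]+", domain):
        raise ValueError(f"invalid EHLO argument: {domain!r}")
    return b"EHLO " + domain.encode("ascii") + CRLF


def parse_reply(data: bytes):
    """Parse one SMTP reply at the start of `data`.
    Returns (code, text_lines, bytes_consumed). Continuation lines carry
    'NNN-', the final line 'NNN ' (or a bare 'NNN')."""
    code, lines, pos = None, [], 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise IncompleteReply("reply not terminated yet")
        line = data[pos:end].decode("ascii", "replace")
        pos = end + len(CRLF)
        m = REPLY_LINE.fullmatch(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        lines.append(m.group(3) or "")
        if m.group(2) != "-":          # ' ' or a bare code ends the reply
            return code, lines, pos


class TcpConn:
    """Real transport: reads until one complete reply has arrived."""

    def __init__(self, host, port=25, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def send(self, data: bytes):
        self.sock.sendall(data)

    def recv_reply(self) -> bytes:
        while True:
            try:
                _, _, used = parse_reply(self.buf)
            except IncompleteReply:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("peer closed connection")
                self.buf += chunk
                continue
            reply, self.buf = self.buf[:used], self.buf[used:]
            return reply


class ScriptedConn:
    """Constructed stand-in for TcpConn: answers from a fixed transcript and
    records what the probe sent, so the check can be exercised offline."""

    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def send(self, data: bytes):
        self.sent.append(data)

    def recv_reply(self) -> bytes:
        return self.replies.pop(0)


def ehlo_check(conn, domain="lb.example.net"):
    """Banner must be 220 and the EHLO reply 250. Returns (healthy, detail)."""
    code, lines, _ = parse_reply(conn.recv_reply())
    if code != 220:
        return False, f"unexpected banner {code} {lines[0]}"
    conn.send(build_ehlo(domain))
    code, lines, _ = parse_reply(conn.recv_reply())
    conn.send(b"QUIT" + CRLF)
    return code == 250, f"{code} {lines[0]}"


if __name__ == "__main__":
    # Constructed transcript of a healthy gateway.
    ok, detail = ehlo_check(ScriptedConn([b"220 gw ESMTP\r\n",
                                          b"250-gw Hello\r\n250 SIZE 10240000\r\n"]))
    print("healthy" if ok else "unhealthy", detail)
```

Against a gateway that answers `501 Syntactically invalid EHLO argument(s)` the check reports unhealthy with that reply text, which is the evidence to attach to a vendor ticket: the bytes on the wire are exactly `EHLO <domain>\r\n`, so a rejection is the server's problem, not the check's.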


RE: Haproxy 1.8 rpm for CentOS 6

2018-06-18 Thread Gibson, Brian (IMS)
You’d have to ask the standard repository maintainers for that answer.  IMO 
though it’s trivial to compile so if you need it why not just compile it 
yourself?

From: Vijay Bais [mailto:vija...@endurance.com]
Sent: Monday, June 18, 2018 12:28 PM
To: haproxy@formilux.org
Subject: Haproxy 1.8 rpm for CentOS 6

Hello,

Is there a particular reason for no standard rpm available of haproxy-1.8 on 
CentOS 6?

Any inputs will be appreciated.

Thanks,
Vijay B





Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming v1.1.1) could break handshakes for all protocol versions .

2018-01-12 Thread Gibson, Brian (IMS)
The way I read it you just have to be sure to specify a valid tls 1.3 cipher.  
I have not attempted the configuration though to confirm.

Sent from Nine

From: Pavlos Parissis 
Sent: Friday, January 12, 2018 4:55 PM
To: Emeric Brun; haproxy@formilux.org
Subject: Re: Warning: upgrading to openssl master+ enable_tls1_3 (coming 
v1.1.1) could break handshakes for all protocol versions .

On 12/01/2018 03:57 μμ, Emeric Brun wrote:
> Hi All,
>
> FYI: upgrading to next openssl-1.1.1 could break your prod if you're using a 
> forced cipher list because
> handshake will fail regardless the tls protocol version if you don't specify 
> a cipher valid for TLSv1.3
> in your cipher list.
>
> https://github.com/openssl/openssl/issues/5057
>
> https://github.com/openssl/openssl/issues/5065
>
> Openssl's team doesn't seem to consider this as an issue and I'm just bored 
> to discuss with them.
>
> R,
> Emeric
>


So, if we enable TLSv1.3 together with TLSv1.2 on the server side, then the 
client must support TLSv1.3, otherwise it will get a nice SSL error. Am I right? 
If I am right, and I hope I'm not, then we have to wait for all clients to 
support TLSv1.3 before we enable it on the server side; this doesn't sound right 
and I am pretty sure I am completely wrong here.

Cheers,
Pavlos








Re: Force Sticky session on HaProxy

2017-10-18 Thread Gibson, Brian (IMS)
I've used peers for this situation personally.

Sent from Nine

From: Aaron West 
Sent: Oct 18, 2017 5:33 AM
To: Devendra Joshi
Cc: HAProxy
Subject: Re: Force Sticky session on HaProxy

I've used something like this before:

stick store-response res.cook(JSESSIONID)
stick match req.cook(JSESSIONID)

"stick on" does this I think:

stick match req.cook(JSESSIONID)
stick store-request req.cook(JSESSIONID)

As the client doesn't have the cookie at the beginning of the
connection it has to wait to store it until it's received from the
server, I have a vague memory that I had issues with using simply
"stick on" for this so switched to the first method above.

There is a massive problem with my suggestion however: if you clear
the stick table or restart the service (which will clear the stick
table) then users lose persistence until they close their browsers and
start a new session or the server issues a new cookie. Obviously
reloads while synchronising the stick table should be fine.

However, I'm sure there will be a far better solution so I'm just
starting the ball rolling really...

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org





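The difference between the two rule sets Aaron quotes, and the failure mode he describes after a table clear, are easier to see in a small model than in prose. The following is an added example, my own model of the stick-table semantics rather than HAProxy code or anything from the thread: a backend with two servers, round-robin balancing, a cookie-keyed table, and either the `store-response` or the `store-request` ("stick on") rule. The server names, the cookie values and the assumption that the application only sets a session cookie when the client has none are constructed for the illustration.

```python
"""Added example (a model, not HAProxy code): simulate a cookie-keyed stick
table under the two rule sets from the thread and show what a table clear
does to persistence. Server names and cookie values are constructed."""
import itertools


class Backend:
    """Two-server backend with `balance roundrobin` and a cookie-keyed table."""

    def __init__(self, servers, mode):
        assert mode in ("store-response", "store-request")
        self.servers = list(servers)
        self.mode = mode
        self.table = {}                      # cookie value -> server name
        self._rr = itertools.cycle(self.servers)

    def handle(self, cookie):
        """Route one request; returns (server chosen, cookie the client now holds)."""
        server = self.table.get(cookie)      # stick match req.cook(JSESSIONID)
        if server is None:
            server = next(self._rr)          # no entry: load balance
            if self.mode == "store-request" and cookie is not None:
                # stick store-request req.cook(JSESSIONID): pins the cookie to
                # whichever server the balancer picked for THIS request
                self.table[cookie] = server
        # Model assumption: the application issues a session cookie only when
        # the client arrives without one.
        if cookie is None:
            cookie = f"{server}-session"
            if self.mode == "store-response":
                # stick store-response res.cook(JSESSIONID): pins the cookie to
                # the server that issued it
                self.table[cookie] = server
        return server, cookie


def simulate(mode, requests, clear_after=None):
    """Return the list of servers that handled one client's consecutive requests.
    If clear_after is set, the table is wiped after that request number, as a
    'clear table' on the CLI or a restart without peers would do."""
    backend = Backend(["A", "B"], mode)
    cookie, path = None, []
    for i in range(1, requests + 1):
        server, cookie = backend.handle(cookie)
        path.append(server)
        if i == clear_after:
            backend.table.clear()
    return path


if __name__ == "__main__":
    for mode in ("store-request", "store-response"):
        print(f"{mode:15s} steady state: {simulate(mode, 3)}")
        print(f"{mode:15s} clear after 2: {simulate(mode, 4, clear_after=2)}")
```

The steady-state run is the point Aaron half-remembers: with `store-request` the client's first cookie-bearing request has no table entry yet, is round-robined to the second server, and is then pinned there, so a session created on A ends up stuck to B. With `store-response` the entry is written when the cookie is issued, so every later request returns to A. After a clear, neither form can recover until a new cookie is issued, which is why a restart must be paired with peers to keep the table.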



Re: Experimental / broken HTTP/2 support

2017-10-15 Thread Gibson, Brian (IMS)
PCoIP comes to mind but blast seems to have replaced the need.

Sent from Nine

From: Aaron West 
Sent: Oct 15, 2017 3:11 PM
To: Willy Tarreau; HAProxy
Subject: Re: Experimental / broken HTTP/2 support

Yes! RDP 8.0+ can use UDP traffic for a better connection, that's what
I was thinking when I asked.

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org








RE: Problem getting cookies to work

2017-08-15 Thread Gibson, Brian (IMS)
Well that worked.  I didn't see any warnings before at startup no, but that may 
be because I use puppet to deploy my configurations and restart services as 
needed.  Thanks for finding my simple mistake!

-Original Message-
From: Aleksandar Lazic [mailto:al-hapr...@none.at]
Sent: Tuesday, August 15, 2017 10:04 AM
To: Gibson, Brian (IMS) <gibs...@imsweb.com>; haproxy@formilux.org
Subject: Re: Problem getting cookies to work

Hi Brian.

Gibson, Brian (IMS) wrote on 15.08.2017:

> I've been fighting with this a bit and I keep scratching my head.  I
> am trying to setup the VMware Horizon View UAG behind haproxy.  It
> requires session persistence, which I could do with a stick table, but
> I'd rather use a cookie in case  the load balancer goes down for
> whatever reason, I have another using the same VIP and I want the
> client to hit the same backend so long as it's up.

>
> Here's the configuration I tried most recently:
>
> listen vmview-uag
>   bind vip:443 ssl crt cert.pem
>   mode tcp

I think you will need here

mode http

Don't you get any warning at startup time from haproxy?

>   balance roundrobin
>   cookie JSESSIONID prefix
>   option httpchk GET /favicon.ico HTTP/1.1
>
>   server vuag-01 10.10.10.1:443 ssl verify none cookie vuag-01 check
>   server vuag-02 10.10.10.2:443 ssl verify none cookie vuag-02 check
>
> JSESSIONID is provided by the UAG, when I use the above configuration
> the cookie remains the same as if I don't do anything with it.  I also
> attempted to create a new cookie called SERVERID and no cookie shows up on 
> the client side.
>
> I'm using haproxy 1.7.2.  Also I did double check that the ssl
> certificate is the same on the UAG as the Haproxy, and according to
> the VMware documentation this should be a supported configuration.

--
Best Regards
Aleks








Problem getting cookies to work

2017-08-15 Thread Gibson, Brian (IMS)
I've been fighting with this a bit and I keep scratching my head.  I am trying 
to setup the VMware Horizon View UAG behind haproxy.  It requires session 
persistence, which I could do with a stick table, but I'd rather use a cookie 
in case the load balancer goes down for whatever reason, I have another using 
the same VIP and I want the client to hit the same backend so long as it's up.

Here's the configuration I tried most recently:

listen vmview-uag
  bind vip:443 ssl crt cert.pem
  mode tcp
  balance roundrobin
  cookie JSESSIONID prefix
  option httpchk GET /favicon.ico HTTP/1.1

  server vuag-01 10.10.10.1:443 ssl verify none cookie vuag-01 check
  server vuag-02 10.10.10.2:443 ssl verify none cookie vuag-02 check

JSESSIONID is provided by the UAG, when I use the above configuration the 
cookie remains the same as if I don't do anything with it.  I also attempted to 
create a new cookie called SERVERID and no cookie shows up on the client side.

I'm using haproxy 1.7.2.  Also I did double check that the ssl certificate is 
the same on the UAG as the Haproxy, and according to the VMware documentation 
this should be a supported configuration.





RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-28 Thread Gibson, Brian (IMS)
I would try specifying a different location for your openssl build and then 
build against that.

-Original Message-
From: Willy Tarreau [w...@1wt.eu]
Received: Friday, 28 Jul 2017, 6:19AM
To: Norman Branitsky [norman.branit...@micropact.com]
CC: haproxy@formilux.org [haproxy@formilux.org]
Subject: Re: HAProxy 1.7.8 compile problem with new OpenSSL

On Wed, Jul 26, 2017 at 06:40:46PM +, Norman Branitsky wrote:
> On another server, I upgraded OpenSSL:
>
> # openssl version
>
> OpenSSL 1.0.2l  25 May 2017
>
> This is my make statement:
>
> # make TARGET=linux2628 USE_OPENSSL=1 USE_PCRE=1 USE_SLZ=1
>
> This is the end of the compile output:
>
> gcc  -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o 
> src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o 
> src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o 
> src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o 
> src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o 
> src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o 
> src/backend.o src/tcp_rules.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o 
> src/lb_map.o src/lb_fas.o src/stream_interface.o src/stats.o src/proto_tcp.o 
> src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o 
> src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o 
> src/proto_udp.o src/compression.o src/payload.o src/hash.o src/pattern.o 
> src/map.o src/namespace.o src/mailers.o src/dns.o src/vars.o src/filters.o 
> src/flt_http_comp.o src/flt_trace.o src/flt_spoe.o src/cli.o src/ev_poll.o 
> src/ev_epoll.o src/ssl_sock.o src/shctx.o ebtree/ebtree.o ebtree/eb32tree.o 
> ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o 
> ebtree/ebistree.o   -lcrypt  -lslz -ldl  -lssl -lcrypto -ldl -L/usr/lib 
> -lpcreposix -lpcre
>
> src/ssl_sock.o: In function `smp_fetch_ssl_fc_alpn':
>
> /tmp/haproxy-1.7.8/src/ssl_sock.c:4927: undefined reference to 
> `SSL_get0_alpn_selected'
>
> src/ssl_sock.o: In function `ssl_sock_load_sctl':
>
> /tmp/haproxy-1.7.8/src/ssl_sock.c:1006: undefined reference to 
> `SSL_CTX_add_server_custom_ext'
>
> src/ssl_sock.o: In function `ssl_sock_prepare_ctx':
>
> /tmp/haproxy-1.7.8/src/ssl_sock.c:2879: undefined reference to 
> `SSL_CTX_set_alpn_select_cb'
>
> collect2: error: ld returned 1 exit status
>
> make: *** [haproxy] Error 1

I think you have not correctly upgraded your openssl version on this
machine. It detected version 1.0.2 and enabled ALPN (so the include
files are OK) but it seems that it linked against the previous one.
You probably have some libssl.so lying around and still pointing to
1.0.1.

Willy







RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-26 Thread Gibson, Brian (IMS)
That would likely break more things. Can you post your build commands for 
openssl?

-Original Message-
From: Norman Branitsky [norman.branit...@micropact.com]
Received: Wednesday, 26 Jul 2017, 5:20PM
To: Gibson, Brian (IMS) [gibs...@imsweb.com]; haproxy@formilux.org 
[haproxy@formilux.org]
Subject: RE: HAProxy 1.7.8 compile problem with new OpenSSL

I found the following folders:

/usr/lib64/openssl

/usr/include/openssl

In /usr/include/openssl/ssl.h, I find the following:
# grep SSL_get0_alpn_selected *
ssl.h:void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,

I modified my make command thus:

make TARGET=linux2628 USE_PCRE=1 USE_SLZ=1 USE_OPENSSL=1 
SSL_INC=/usr/include/openssl SSL_LIB=/usr/lib64/openssl

Compile still fails:

LZ  -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS 
-DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME -DUSE_OPENSSL 
-I/usr/include/openssl -DUSE_SYSCALL_FUTEX -DUSE_PCRE -I/usr/include  
-DCONFIG_HAPROXY_VERSION=\"1.7.8\" -DCONFIG_HAPROXY_DATE=\"2017/07/07\" -c -o 
ebtree/ebistree.o ebtree/ebistree.c

gcc  -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o 
src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o 
src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o 
src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o 
src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o 
src/connection.o src/proto_http.o src/raw_sock.o src/backend.o src/tcp_rules.o 
src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o 
src/stream_interface.o src/stats.o src/proto_tcp.o src/applet.o src/session.o 
src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o 
src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o 
src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o 
src/dns.o src/vars.o src/filters.o src/flt_http_comp.o src/flt_trace.o 
src/flt_spoe.o src/cli.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o 
src/shctx.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o 
ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o   
-lcrypt  -lslz -ldl -L/usr/lib64/openssl -lssl -lcrypto -ldl -L/usr/lib 
-lpcreposix -lpcre

src/ssl_sock.o: In function `smp_fetch_ssl_fc_alpn':

/tmp/haproxy-1.7.8/src/ssl_sock.c:4927: undefined reference to 
`SSL_get0_alpn_selected'

src/ssl_sock.o: In function `ssl_sock_load_sctl':

/tmp/haproxy-1.7.8/src/ssl_sock.c:1006: undefined reference to 
`SSL_CTX_add_server_custom_ext'

src/ssl_sock.o: In function `ssl_sock_prepare_ctx':

/tmp/haproxy-1.7.8/src/ssl_sock.c:2879: undefined reference to 
`SSL_CTX_set_alpn_select_cb'

collect2: error: ld returned 1 exit status

make: *** [haproxy] Error 1

The original ssl was installed in /usr/lib64 - should I force the new one to 
install in the same directories, overwriting the old?

From: Gibson, Brian (IMS) [mailto:gibs...@imsweb.com]
Sent: July-26-17 3:12 PM
To: Norman Branitsky <norman.branit...@micropact.com>; haproxy@formilux.org
Subject: RE: HAProxy 1.7.8 compile problem with new OpenSSL

I would try this
USE_OPENSSL=1 SSL_INC=/path/to/include SSL_LIB=/path/to/lib

I had to do this myself when using openssl 1.1.0x branch on centos 7, but I 
thought it was because I use a non-default location.


From: Norman Branitsky [mailto:norman.branit...@micropact.com]
Sent: Wednesday, July 26, 2017 2:41 PM
To: haproxy@formilux.org<mailto:haproxy@formilux.org>
Subject: HAProxy 1.7.8 compile problem with new OpenSSL

I have no problem compiling HAProxy 1.7.8 on a CentOS 7 box with the default 
distribution of OpenSSL:

uname -a

Linux ip-10-241-7-240 3.10.0-123.20.1.el7.centos.plus.x86_64 #1 SMP Thu Jan 29 
22:05:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

On another server, I upgraded OpenSSL:

# openssl version

OpenSSL 1.0.2l  25 May 2017

This is my make statement:

# make TARGET=linux2628 USE_OPENSSL=1 USE_PCRE=1 USE_SLZ=1

This is the end of the compile output:

gcc  -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o 
src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o 
src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o 
src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o 
src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o 
src/connection.o src/proto_http.o src/raw_sock.o src/backend.o src/tcp_rules.o 
src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o 
src/stream_interface.o src/stats.o src/proto_tcp.o src/applet.o src/session.o 
src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o 
src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o 
src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o 
src/dns.o src/vars.o src/f

RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-26 Thread Gibson, Brian (IMS)
I would try this
USE_OPENSSL=1 SSL_INC=/path/to/include SSL_LIB=/path/to/lib

I had to do this myself when using openssl 1.1.0x branch on centos 7, but I 
thought it was because I use a non-default location.


From: Norman Branitsky [mailto:norman.branit...@micropact.com]
Sent: Wednesday, July 26, 2017 2:41 PM
To: haproxy@formilux.org
Subject: HAProxy 1.7.8 compile problem with new OpenSSL

I have no problem compiling HAProxy 1.7.8 on a CentOS 7 box with the default 
distribution of OpenSSL:

uname -a

Linux ip-10-241-7-240 3.10.0-123.20.1.el7.centos.plus.x86_64 #1 SMP Thu Jan 29 
22:05:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

On another server, I upgraded OpenSSL:

# openssl version

OpenSSL 1.0.2l  25 May 2017

This is my make statement:

# make TARGET=linux2628 USE_OPENSSL=1 USE_PCRE=1 USE_SLZ=1

This is the end of the compile output:

gcc  -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o 
src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o 
src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o 
src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o 
src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o 
src/connection.o src/proto_http.o src/raw_sock.o src/backend.o src/tcp_rules.o 
src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o 
src/stream_interface.o src/stats.o src/proto_tcp.o src/applet.o src/session.o 
src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o 
src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o 
src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o 
src/dns.o src/vars.o src/filters.o src/flt_http_comp.o src/flt_trace.o 
src/flt_spoe.o src/cli.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o 
src/shctx.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o 
ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o   
-lcrypt  -lslz -ldl  -lssl -lcrypto -ldl -L/usr/lib -lpcreposix -lpcre

src/ssl_sock.o: In function `smp_fetch_ssl_fc_alpn':

/tmp/haproxy-1.7.8/src/ssl_sock.c:4927: undefined reference to 
`SSL_get0_alpn_selected'

src/ssl_sock.o: In function `ssl_sock_load_sctl':

/tmp/haproxy-1.7.8/src/ssl_sock.c:1006: undefined reference to 
`SSL_CTX_add_server_custom_ext'

src/ssl_sock.o: In function `ssl_sock_prepare_ctx':

/tmp/haproxy-1.7.8/src/ssl_sock.c:2879: undefined reference to 
`SSL_CTX_set_alpn_select_cb'

collect2: error: ld returned 1 exit status

make: *** [haproxy] Error 1

Norman

Norman Branitsky
Cloud Architect
MicroPact
(o) 416.916.1752
(c) 416.843.0670
(t) 1-888-232-0224 x61752
www.micropact.com
Think it > Track it > Done






RE: in-house vulnerability scan vs. stats socket

2017-06-19 Thread Gibson, Brian (IMS)
What scanner did you use?

-Original Message-
From: Jim Freeman [sovr...@gmail.com]
Received: Monday, 19 Jun 2017, 3:36PM
To: HAProxy [haproxy@formilux.org]
Subject: in-house vulnerability scan vs. stats socket

FWIW / FYI -

# haproxy -v
HA-Proxy version 1.5.18 2016/05/10

An in-house vulnerability scanner found our haproxy stats sockets and
started probing, sending bogus requests, HTTP_* methods, etc.

The many requests, even though the request paths were not valid at the
stats socket, made for a DoS attack (with haproxy's CPU consumption
often pegging at 100% generating stats pages).

Since it looks like the only valid stats socket requests are GETs to
'/' (with possible ';', '#', and '?' modifiers), we ameliorated the
in-house DoS using these 2 lines in the cfg for the stats socket :

  http-request tarpit unless { path_reg ^/($|\?|\#|\;) }
  http-request tarpit unless METH_GET # silent-drop > 1.5




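The two `http-request tarpit` lines Jim quotes define exactly which requests a stats listener should ever see: GET, and a path of `/` optionally followed by `;`, `#` or `?`. The following is an added example, not part of the thread or of HAProxy, that applies that same policy to HAProxy `option httplog` lines after the fact, so the scanner traffic that pegged the CPU can be recognised in the logs and attributed to a source. It assumes the stats listener is named `stats`, matches the `path_reg` expression against the URI with the query string removed (HAProxy's `path` sample excludes the query), and works on constructed log lines and addresses.

```python
"""Added example (not from the thread or HAProxy): apply the two tarpit rules
quoted above to HAProxy HTTP log lines and report, per source, which requests
they would have rejected. Log lines, host names and addresses are constructed."""
import re
from collections import defaultdict

# Same expression as the quoted `path_reg`. HAProxy's `path` sample stops
# before the query string, so it is matched against the path part only.
ALLOWED_PATH = re.compile(r"^/($|\?|\#|\;)")

# Default `option httplog` layout from the process name onward.
LOG_LINE = re.compile(
    r'haproxy\[\d+\]: (?P<src>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] '
    r'(?P<frontend>\S+) (?P<backend>\S+) \S+ (?P<status>-?\d+) \d+ \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ "(?P<method>\S+) (?P<uri>\S+)(?: \S+)?"'
)


def would_tarpit(method: str, uri: str):
    """Reason the quoted rules would tarpit this request, or None if allowed."""
    if method != "GET":                      # tarpit unless METH_GET
        return "method"
    path = uri.split("?", 1)[0]
    if not ALLOWED_PATH.match(path):         # tarpit unless { path_reg ... }
        return "path"
    return None


def classify(line: str):
    """Parse one log line into a dict, adding the rule verdict; None if unparseable."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tarpit"] = would_tarpit(rec["method"], rec["uri"])
    return rec


def summarize(lines, frontend="stats"):
    """Per source address: total requests to the stats listener, how many the
    rules reject, and the rejected request lines for triage."""
    out = defaultdict(lambda: {"total": 0, "rejected": 0, "samples": []})
    for line in lines:
        rec = classify(line)
        if rec is None or rec["frontend"] != frontend:
            continue
        entry = out[rec["src"]]
        entry["total"] += 1
        if rec["tarpit"]:
            entry["rejected"] += 1
            entry["samples"].append(f'{rec["method"]} {rec["uri"]} ({rec["tarpit"]})')
    return dict(out)


# Constructed sample: one operator browsing the stats page, one scanner.
SAMPLE_LOG = [
    'Jun 19 14:02:11 lb1 haproxy[2231]: 10.1.2.3:51022 [19/Jun/2017:14:02:11.412] stats stats/<STATS> 0/0/0/2/2 200 7512 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"',
    'Jun 19 14:02:15 lb1 haproxy[2231]: 10.1.2.3:51023 [19/Jun/2017:14:02:15.101] stats stats/<STATS> 0/0/0/1/1 200 2210 - - ---- 3/3/0/0/0 0/0 "GET /;csv HTTP/1.1"',
    'Jun 19 14:02:20 lb1 haproxy[2231]: 10.1.2.3:51024 [19/Jun/2017:14:02:20.330] stats stats/<STATS> 0/0/0/2/2 200 7512 - - ---- 3/3/0/0/0 0/0 "GET /?stats;norefresh HTTP/1.1"',
    'Jun 19 14:05:01 lb1 haproxy[2231]: 10.9.9.9:40001 [19/Jun/2017:14:05:01.007] stats stats/<STATS> 0/0/0/3/3 200 7512 - - ---- 9/9/0/0/0 0/0 "POST / HTTP/1.1"',
    'Jun 19 14:05:01 lb1 haproxy[2231]: 10.9.9.9:40002 [19/Jun/2017:14:05:01.012] stats stats/<STATS> 0/0/0/3/3 200 7512 - - ---- 9/9/0/0/0 0/0 "GET /admin HTTP/1.1"',
    'Jun 19 14:05:01 lb1 haproxy[2231]: 10.9.9.9:40003 [19/Jun/2017:14:05:01.019] stats stats/<STATS> 0/0/0/3/3 200 7512 - - ---- 9/9/0/0/0 0/0 "PROPFIND /.git/ HTTP/1.1"',
    'Jun 19 14:05:02 lb1 haproxy[2231]: 10.9.9.9:40004 [19/Jun/2017:14:05:02.001] stats stats/<STATS> 0/0/0/3/3 200 7512 - - ---- 9/9/0/0/0 0/0 "GET /..%2f HTTP/1.1"',
    'Jun 19 14:05:03 lb1 haproxy[2231]: 10.10.0.1:33000 [19/Jun/2017:14:05:03.500] http_front app/web1 0/0/1/4/5 200 512 - - ---- 9/9/0/0/0 0/0 "GET /index.html HTTP/1.1"',
]


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, entry["rejected"], "of", entry["total"], "rejected:", entry["samples"])
```

Every request to the stats listener still costs a stats-page render unless it is stopped first, which is why the rules belong in the listener itself; this parser is for the retrospective question of who was sending them and whether the rules would have covered it.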



RE: OneConnect feature in HAProxy

2017-06-09 Thread Gibson, Brian (IMS)
Yeah I've used them for a few things. Works great.

-Original Message-
From: James Stroehmann [james.stroehm...@proquest.com]
Received: Friday, 09 Jun 2017, 11:18AM
To: Gibson, Brian (IMS) [gibs...@imsweb.com]; Brendan Kearney 
[bpk...@gmail.com]; haproxy@formilux.org [haproxy@formilux.org]
Subject: RE: OneConnect feature in HAProxy

Thanks for that, I had not heard of IUS before. This could solve a couple of my 
problems.


From: Gibson, Brian (IMS) [mailto:gibs...@imsweb.com]
Sent: Thursday, June 8, 2017 10:30 AM
To: Stroehmann, James <james.stroehm...@proquest.com>; Brendan Kearney 
<bpk...@gmail.com>; haproxy@formilux.org
Subject: RE: OneConnect feature in HAProxy

[External Email]
The IUS repos will have 1.7 I believe.

https://ius.io/GettingStarted/

From: James Stroehmann [mailto:james.stroehm...@proquest.com]
Sent: Thursday, June 08, 2017 10:27 AM
To: Brendan Kearney <bpk...@gmail.com<mailto:bpk...@gmail.com>>; 
haproxy@formilux.org<mailto:haproxy@formilux.org>
Subject: RE: OneConnect feature in HAProxy

Thanks for the info - I will look into it but it looks like I'll have to 
upgrade to 1.6 first ... currently I'm using 1.5 out of the standard 
repositories for centos 7.

Any pointers to a yum repo for 1.6 or 1.7?



From: Brendan Kearney [mailto:bpk...@gmail.com]
Sent: Thursday, May 25, 2017 8:36 AM
To: haproxy@formilux.org<mailto:haproxy@formilux.org>
Subject: Re: OneConnect feature in HAProxy

[External Email]
On 05/25/2017 08:26 AM, James Stroehmann wrote:
Is there a feature in HAProxy similar to OneConnect that the F5 LTM has? 
https://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf

I am trying to migrate some frontends from an LTM to an HAProxy load balancer, 
and a few of the existing frontends have the OneConnect feature turned on. I 
spoke to the app owner and he believes that it allows us to have less 
connections (and therefore less backend servers) and it enables more seamless 
rolling bounces on the stateless backends.

http-reuse is the directive you are looking for.









RE: OneConnect feature in HAProxy

2017-06-08 Thread Gibson, Brian (IMS)
The IUS repos will have 1.7 I believe.

https://ius.io/GettingStarted/

From: James Stroehmann [mailto:james.stroehm...@proquest.com]
Sent: Thursday, June 08, 2017 10:27 AM
To: Brendan Kearney ; haproxy@formilux.org
Subject: RE: OneConnect feature in HAProxy

Thanks for the info - I will look into it but it looks like I'll have to 
upgrade to 1.6 first ... currently I'm using 1.5 out of the standard 
repositories for centos 7.

Any pointers to a yum repo for 1.6 or 1.7?



From: Brendan Kearney [mailto:bpk...@gmail.com]
Sent: Thursday, May 25, 2017 8:36 AM
To: haproxy@formilux.org
Subject: Re: OneConnect feature in HAProxy

[External Email]
On 05/25/2017 08:26 AM, James Stroehmann wrote:
Is there a feature in HAProxy similar to OneConnect that the F5 LTM has? 
https://www.f5.com/pdf/deployment-guides/oneconnect-tuning-dg.pdf

I am trying to migrate some frontends from an LTM to an HAProxy load balancer, 
and a few of the existing frontends have the OneConnect feature turned on. I 
spoke to the app owner and he believes that it allows us to have less 
connections (and therefore less backend servers) and it enables more seamless 
rolling bounces on the stateless backends.

http-reuse is the directive you are looking for.





RE: High Availability for haproxy itself

2017-06-08 Thread Gibson, Brian (IMS)
You could do something like this.  Setup the haproxy status page on the haproxy 
server.

Then create a bash script with syntax like this

#!/bin/bash
#
# keepalived track_script: exit 0 when the page answers HTTP 200, exit 1
# otherwise. -s keeps curl quiet and --max-time keeps a hung haproxy from
# stalling the check; if curl fails, $value is empty and defaults to 0.

value=$(curl -sI --max-time 5 http://www.example.org 2>/dev/null | head -n 1 | cut -d' ' -f2)

if [ "${value:-0}" -eq 200 ]
then
  exit 0
else
  exit 1
fi

that will return 0 if it's up and 1 if it's down.

So if you change your track_script to use that bash script it'll then base 
whether or not haproxy is up based on if it can access that status page.

-Original Message-
From: Markus Rietzler [mailto:w...@mrietzler.de]
Sent: Thursday, June 08, 2017 8:32 AM
To: haproxy@formilux.org
Subject: Re: High Availability for haproxy itself

Am 02.06.17 um 11:35 schrieb Raphaël Enrici:
> Hi,
>
> if you are in a simple case where you only need some kind of active/passive 
> solution without big scaling needs on a
> Linux system, look for "haproxy keepalived" on your favorite search engine, 
> you'll find many articles explaining the way
> to go.
>
> If you need HA and horizontal scaling, take a look at the article from 
> Vincent Bernat here:
> https://vincent.bernat.im/en/blog/2013-exabgp-highavailability
>
> HTH,
> Raph
>
>
> Le 2017-06-02 10:34, Jiafan Zhou a écrit :
>> Hi,
>>
>> Haproxy ensures the HA for real servers such as httpd. However, in the
>> case of haproxy itself, if it fails, then it requires another instance
>> of haproxy to be ready. Is there any High Availability solution for
>> haproxy itself?
>>
>> Regards,
>> Jiafan
>
>
Hi,
keepalived works very well. i have a setup with haproxy running on two VM which 
are connected via keepalived.
the node (to be exact the virtual IP address) is switched if i stop haproxy on 
my master. then haproxy on my fallback
node will "jump in". if i restart haproxy on master the IP is switched back...
this works very stable in the last years.

the only thing which i could optimize is the healthcheck in keepalived. at the 
moment i do a simple "is the process
running" (killall -0 haproxy) test.

i think this could be optimized. Eg. don't know if it would recognise a hanging 
haproxy process correctly. maybe it
would be better to do some http access and look at the answer (eg. do i get an 
"OK" back) or check the response time and
switch if it took too long...


Markus





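Brian's script above reduces the check to "does the status page answer 200", and the quoted reply from Markus points out that a bare `killall -0` cannot tell a hung haproxy from a healthy one. The following is an added example, not code from either post: a check script wired to keepalived's `vrrp_script`/`track_script` (the stanza in the header comment is an assumed layout), with a hard curl timeout so a stalled process counts as down, and a status-line parser that copes with CRLF, HTTP/2 status lines ("HTTP/2 200") and a failed curl that prints nothing. The stats URL, port, script path and the `run` argument are all assumptions.

```shell
#!/bin/sh
# chk_haproxy.sh: health check for keepalived's track_script (example, not
# part of haproxy or keepalived). Assumed keepalived.conf wiring:
#
#   vrrp_script chk_haproxy {
#       script "/usr/local/bin/chk_haproxy.sh run"
#       interval 2      # seconds between checks
#       timeout 3       # keepalived kills the script after this
#       fall 2          # consecutive failures before "down"
#       rise 2          # consecutive successes before "up"
#   }
#   vrrp_instance VI_1 {
#       ...
#       track_script { chk_haproxy }
#   }
#
# STATS_URL is an assumed local stats listener ("stats enable" / "stats uri"
# in haproxy.cfg); TIMEOUT bounds curl so a hung process fails the check
# instead of stalling keepalived.
STATS_URL=${STATS_URL:-http://127.0.0.1:8404/stats}
TIMEOUT=${TIMEOUT:-2}

# status_from_headers: raw response headers on stdin -> HTTP status code on
# stdout. Prints 000 when there is no status line (curl failed or timed out)
# so callers can always compare numerically.
status_from_headers() {
    code=$(head -n 1 | tr -d '\r' | cut -d' ' -f2)
    case $code in
        [0-9][0-9][0-9]) printf '%s\n' "$code" ;;
        *)               printf '000\n' ;;
    esac
}

# is_healthy CODE: exit 0 only for 200; 5xx, 000 and anything else mean "down"
# so keepalived moves the virtual IP.
is_healthy() {
    [ "$1" -eq 200 ]
}

# check_haproxy: HEAD the stats page with a hard deadline and decide.
# -s quiet, -I headers only, -m max seconds for the whole transfer.
check_haproxy() {
    code=$(curl -sI -m "$TIMEOUT" "$STATS_URL" 2>/dev/null | status_from_headers)
    is_healthy "$code"
}

# The live check only runs when invoked as "chk_haproxy.sh run" (the form in
# the vrrp_script stanza above); otherwise the file just defines functions.
if [ "${1:-}" = run ]; then
    check_haproxy
    exit $?
fi
```

The `timeout` in `vrrp_script` should stay above `TIMEOUT` plus curl's startup time, otherwise keepalived kills the script before curl reports, and every check reads as a failure.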

RE: Please

2017-04-16 Thread Gibson, Brian (IMS)
Don't we all

-Original Message-
From: Shane Kern [skern...@gmail.com]
Received: Sunday, 16 Apr 2017, 7:36AM
To: haproxy@formilux.org [haproxy@formilux.org]
Subject: Please

i need gift cards to different stores






RE: Problems with SNI config

2017-04-13 Thread Gibson, Brian (IMS)
I’ve not tried using ACLs in curly brackets like you are, but I can confirm 
that this configuration works for me

acl name1 hdr(host) -i www.example.org
acl name2 hdr(host) -i www.example-other.org

use_backend backend1 if name1
use_backend backend2 if name2

I use this code specifically to do what you’re trying to do, though I’m using 
the latest stable build.  I’m pretty sure this code should work in 1.5 though 
as well.

Also if you can’t use self compiled stuff, can you use something like IUS? 
https://ius.io/

From: Jeremy Utley [mailto:jer...@ifuzioncorp.com]
Sent: Thursday, April 13, 2017 12:29 PM
To: haproxy@formilux.org
Subject: Problems with SNI config

Hello all!

I'm trying to convert an Apache reverse proxy setup over to using HAProxy, but 
am running into issues with SNI.  I followed 
http://stuff-things.net/2016/11/30/haproxy-sni/  to set this up, but it's not 
working, and I have not yet been able to figure out why.

HAProxy version:  1.5.4-3 installed from the EPEL repo on Centos 6 (Policy here 
forbids self-compiled versions, so we are limited to only what's available to 
us in EPEL)

I've narrowed down the problem to my frontend definition - if I simplify the 
front-end to not do SNI, it works fine to either backend.  If I add a 
default_backend definition, it goes to the default backend no matter which 
hostname I provide.  Without the default_backend in the frontend configuration, 
I get a 503 error from the proxy.  So something is definitely not right with my 
SNI configuration, but I certainly can not find it!

Here is a sanitized version of my frontend definition in haproxy.cfg:

frontend https-8443
bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
use_backend site1 if { hdr(host) -i site1.domain.com }
use_backend site2 if { hdr(host) -i site2.domain.com }


We will eventually have something like 20-30 different SSL sites in this 
configuration, along with some IP-based ACLs as well, but I'm not to that point 
as of yet.  I am simply trying to get SNI working, to direct to a different 
backend depending on the hostname requested (which, according to my reading, 
should be perfectly doable with haproxy).

Anybody got any ideas of what I'm doing wrong?

Thanks for your time!

Jeremy Utley




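One detail worth checking in the frontend quoted above: it binds on port 8443 and matches `hdr(host)` exactly, yet a client talking to a non-default port sends `Host: site1.domain.com:8443`, so a pattern of just `site1.domain.com` never matches and the request falls through to `default_backend` (or to the 503 seen without one). With `bind ... ssl crt /dir/`, SNI only selects which certificate haproxy presents; the backend is still chosen from the decrypted request's Host header. The script below is an added example, not from either post or from HAProxy itself: it generates the named-ACL form Brian suggests for a whole list of sites, listing each hostname both bare and with the port. The port, the sample site list and the helper names are assumptions.

```shell
#!/bin/sh
# gen_frontend_rules PORT: read "hostname backend" pairs on stdin and print
# the acl/use_backend lines for an HAProxy frontend. Hypothetical helper.
#
# Each backend gets one named acl; several hostnames for the same backend
# add patterns to it (haproxy ORs same-named acls). Every hostname is listed
# twice, bare and with the listening port, so an exact hdr(host) match also
# covers "Host: site1.domain.com:8443" as sent on a non-default port.
gen_frontend_rules() {
    port=$1
    pairs=$(cat)    # read stdin once; two passes are needed below

    printf '%s\n' "$pairs" | while read -r host backend; do
        case $host in ''|\#*) continue ;; esac      # skip blanks/comments
        printf '    acl is_%s hdr(host) -i %s %s:%s\n' \
            "$backend" "$host" "$host" "$port"
    done

    # one use_backend per distinct backend, in first-seen order
    printf '%s\n' "$pairs" |
        awk 'NF == 2 && $1 !~ /^#/ && !seen[$2]++ { print $2 }' |
        while read -r backend; do
            printf '    use_backend %s if is_%s\n' "$backend" "$backend"
        done
}

# Constructed sample list standing in for the 20-30 sites mentioned above.
SITES='# hostname            backend
site1.domain.com      site1
www.site1.domain.com  site1
site2.domain.com      site2'

# render_frontend: the complete frontend for the sample, mirroring the bind
# line from the post. No default_backend: an unmatched Host then yields the
# 503 described above, which is easier to spot than silent misrouting.
render_frontend() {
    printf 'frontend https-8443\n'
    printf '    bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/\n'
    printf '%s\n' "$SITES" | gen_frontend_rules 8443
}

render_frontend
```

Run it and paste the output into the frontend, then confirm the rendered lines with `haproxy -c -f haproxy.cfg` before reloading; if the proxy later moves to port 443 the `:PORT` patterns become harmless extras, since clients then omit the port from Host.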

RE: Dynamically add/remove frontend/backend

2017-04-01 Thread Gibson, Brian (IMS)
Umm can you explain what your circumstances are that you have this requirement? 
Give an example?

-Original Message-
From: Roshan Pradeep [rprad...@whispir.com]
Received: Saturday, 01 Apr 2017, 4:13AM
To: haproxy@formilux.org [haproxy@formilux.org]
Subject: Dynamically add/remove frontend/backend


Hi

We need to add/remove front/back-end without any manual involvement? Is this 
possible?

If so please point to an example.

Thanks

Roshan




This communication contains information which is confidential and the copyright 
of Whispir or a third party. If you have received this email in error please 
notify us by return email or telephone Whispir on +613 8630 9900 and delete the 
document and delete all copies immediately. If you are the intended recipient 
of this communication you should not copy, disclose or distribute this 
communication without the authority of Whispir. Any views expressed in this 
Communication are those of the individual sender, except where the sender 
specifically states them to be the views of Whispir. Except as required at law, 
Whispir does not represent, warrant and/or guarantee that the integrity of this 
communication has been maintained nor that the communication is free of 
errors,virus, interception or interference.






RE: Getting an HTTP code 302 when I specify 301

2017-03-20 Thread Gibson, Brian (IMS)
Actually I am sorry for my mistake, this one development resource does not use 
the haproxy DOH I should have done a little more investigation before I 
contacted this list.  My haproxy is redirecting properly but a separate 
webserver is not.  Sorry!

-Original Message-
From: Cyril Bonté [mailto:cyril.bo...@free.fr]
Sent: Monday, March 20, 2017 1:44 PM
To: Gibson, Brian (IMS) <gibs...@imsweb.com>
Cc: haproxy@formilux.org
Subject: Re: Getting an HTTP code 302 when I specify 301

Hi,

Le 20/03/2017 à 18:17, Gibson, Brian (IMS) a écrit :
> I'm running haproxy 1.7.2 on my development server, and I have this
> code in to redirect traffic to https
>
> http-request redirect code 301 scheme https if  !{ ssl_fc }
>
> The redirect works, but it's generating http code 302 not 301.  At least 
> that's what curl is telling me.
>
> curl -I -L http://devurl/
> HTTP/1.1 302 Found
> Date: Mon, 20 Mar 2017 17:08:05 GMT
> Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k-fips PHP/5.6.30

Here, your redirection is not done by haproxy but by your apache instance.
Without more details about your configuration, it will be difficult to say 
what's going wrong in it. It's even possible that the request doesn't go 
through haproxy but goes directly to the apache server.

Do you have enabled logs in haproxy ? Did you have a look at them ?

Please provide your configuration without sensitive data.


> Location: https://devurl/
> Content-Type: text/html; charset=iso-8859-1
>
> HTTP/1.1 200 OK
> Date: Mon, 20 Mar 2017 17:08:06 GMT
> Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k-fips PHP/5.6.30
> Vary: Accept-Encoding
> Last-Modified: Mon, 20 Mar 2017 16:06:58 GMT
> Content-Type: text/html
> Content-Length: 188
> Accept-Ranges: bytes
> X-Frame-Options: SAMEORIGIN
> Strict-Transport-Security: max-age=15768000;includeSubDomains
>


--
Cyril Bonté






Getting an HTTP code 302 when I specify 301

2017-03-20 Thread Gibson, Brian (IMS)
I'm running haproxy 1.7.2 on my development server, and I have this code in to 
redirect traffic to https

http-request redirect code 301 scheme https if  !{ ssl_fc }

The redirect works, but it's generating http code 302 not 301.  At least that's 
what curl is telling me.

curl -I -L http://devurl/
HTTP/1.1 302 Found
Date: Mon, 20 Mar 2017 17:08:05 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k-fips PHP/5.6.30
Location: https://devurl/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Mon, 20 Mar 2017 17:08:06 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k-fips PHP/5.6.30
Vary: Accept-Encoding
Last-Modified: Mon, 20 Mar 2017 16:06:58 GMT
Content-Type: text/html
Content-Length: 188
Accept-Ranges: bytes
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15768000;includeSubDomains


