Re: WAF with HA Proxy.
Thank you for the feedback, although this is in fact a technical solution I never intended to offend anyone. I have submitted fixes to haproxy in the past but have not as you say responded to questions before this.

thanks again for the feedback

-mark

On Wed, May 9, 2018 at 2:03 PM, Willy Tarreau <w...@1wt.eu> wrote:

> Mark,
>
> On Wed, May 09, 2018 at 10:40:38AM -0700, Mark Lakes wrote:
> > For commercial purposes, see Signal Sciences Next Gen WAF solution:
> > https://www.signalsciences.com/waf-web-application-firewall/
>
> Advertising for commercial products on an open source list is never welcome
> especially when such a response looks like it's made only to try to place a
> product and not really to propose a technical solution (and it's not as if
> you had ever responded to a question here prior to this one).
>
> A large number of commercial product vendors are represented here, some of
> whom invest a lot in R&D and support, some even competing in certain areas,
> and all of them respect this basic rule, focusing only on sharing knowledge
> and improvements to haproxy. A few times I've even rejected requests from
> some of my coworkers who asked if it was OK to respond to someone with a
> link to one of HapTech's commercial solutions and I'm pretty sure others
> do the same in other companies.
>
> Given the complaints we used to have in the past with the spams on the list,
> I'm pretty sure that most of the list's participants would prefer that the
> list remains free of any form of advertising so that we can continue to work
> all together without being polluted nor starting to suspect that each proposal
> or question would derive to another ad.
>
> Also, I'm normally not the one who'd comment on each other's signature, but
> this one occupies almost half of my 80x24 response e-mail window, full of
> links and even trackers as if you were trying hard to make a bit of SEO,
> and this is quite impolite to many users, so I think it would be reasonable
> to significantly trim it down :
>
> > *Mark Lakes*
> > Sr Software Engineer
> > (555) 555-
> > <https://www.signalsciences.com/?utm_source=emailsig>
> > Winner: InfoWorld Technology of the Year 2018
> > <https://www.infoworld.com/article/3251828/application-development/infoworlds-2018-technology-of-the-year-award-winners.html#slide24>
> > <https://www.facebook.com/SignalSciences/>
> > <https://twitter.com/signalsciences>
> > <https://www.linkedin.com/company/signal-sciences/>
>
> You will simply not find this from most of the regular participants on this
> list and many would probably like to take the opportunity as well but refrain
> from doing so to respect others. So at least being the only one to post like
> this should give you a hint how to proceed in the future.
>
> Thanks,
> Willy
Re: WAF with HA Proxy.
Sure, note that it doesn't integrate with mod_security. It integrates with haproxy via a lua script and haproxy config that uses it.

*Mark Lakes*
Sr Software Engineer
(555) 555-
<https://www.signalsciences.com/?utm_source=emailsig>
Winner: InfoWorld Technology of the Year 2018
<https://www.infoworld.com/article/3251828/application-development/infoworlds-2018-technology-of-the-year-award-winners.html#slide24>
<https://www.facebook.com/SignalSciences/>
<https://twitter.com/signalsciences>
<https://www.linkedin.com/company/signal-sciences/>

On Wed, May 9, 2018 at 12:40 PM, Andrew Smalley <asmal...@loadbalancer.org> wrote:

> Hi Mark
>
> Actually as far as I understand the Haproxy implementation of
> mod_security integration is not with Lua but with SPOA
>
> https://www.haproxy.org/download/1.7/doc/SPOE.txt
> Andruw Smalley
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> asmal...@loadbalancer.org
>
> Leave a Review | Deployment Guides | Blog
>
> On 9 May 2018 at 20:36, Mark Lakes <mla...@signalsciences.com> wrote:
> > Right, via lua module it integrates with haproxy.
> > -mark
> >
> > Mark Lakes
> > Sr Software Engineer
> > (555) 555-
> > Winner: InfoWorld Technology of the Year 2018
> >
> > On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews <cont...@jpluscplusm.com>
> > wrote:
> >>
> >> On Wed, 9 May 2018 at 18:43, Mark Lakes <mla...@signalsciences.com> wrote:
> >>>
> >>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
> >>> https://www.signalsciences.com/waf-web-application-firewall/
> >>
> >> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> >> integrate with HAProxy? Via what mechanism?
> >>
> >> J
> >>
> >> --
> >> Jonathan Matthews
> >> London, UK
> >> http://www.jpluscplusm.com/contact.html
Re: WAF with HA Proxy.
Right, via lua module it integrates with haproxy.

-mark

*Mark Lakes*
Sr Software Engineer
(555) 555-
<https://www.signalsciences.com/?utm_source=emailsig>
Winner: InfoWorld Technology of the Year 2018
<https://www.infoworld.com/article/3251828/application-development/infoworlds-2018-technology-of-the-year-award-winners.html#slide24>
<https://www.facebook.com/SignalSciences/>
<https://twitter.com/signalsciences>
<https://www.linkedin.com/company/signal-sciences/>

On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews <cont...@jpluscplusm.com> wrote:

> On Wed, 9 May 2018 at 18:43, Mark Lakes <mla...@signalsciences.com> wrote:
>
>> For commercial purposes, see Signal Sciences Next Gen WAF solution:
>> https://www.signalsciences.com/waf-web-application-firewall/
>
> That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> integrate with HAProxy? Via what mechanism?
>
> J
>
> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html
Re: WAF with HA Proxy.
For commercial purposes, see Signal Sciences Next Gen WAF solution:
https://www.signalsciences.com/waf-web-application-firewall/

*Mark Lakes*
Sr Software Engineer
(555) 555-
<https://www.signalsciences.com/?utm_source=emailsig>
Winner: InfoWorld Technology of the Year 2018
<https://www.infoworld.com/article/3251828/application-development/infoworlds-2018-technology-of-the-year-award-winners.html#slide24>
<https://www.facebook.com/SignalSciences/>
<https://twitter.com/signalsciences>
<https://www.linkedin.com/company/signal-sciences/>

On Wed, May 9, 2018 at 2:23 AM, DHAVAL JAISWAL <dhava...@gmail.com> wrote:

> I am looking for WAF solution with HA Proxy.
>
> One which I come to know is with HA Proxy version 1.8.8 + mode security.
> However, I feel it's still on early stage.
>
> Any other recommendation for WAF with HA Proxy.
>
> --
> Thanks & Regards
> Dhaval Jaiswal
Re: lua socket api settimeout in seconds vs. milliseconds
Hi Thierry, thanks for feedback. Addressed concerns in the new attached patch.

http://w3.impa.br/~diego/software/luasocket/tcp.html#settimeout

Description: instead of hlua_socket_settimeout() accepting only integers, allow user to specify float and double as well. Convert to milliseconds much like cli_parse_set_timeout but also sanity check the value.

-mark

On Wed, Mar 7, 2018 at 9:55 AM, Thierry Fournier <tfourn...@arpalert.org> wrote:

> Hi Mark,
>
> Thanks for the patch. I don't like usage of floating point, but the
> luasocket documentation says that the settimeout() function accepts only
> seconds. In this case, the usage of floating point seems to be a good
> way.
>
> Can you split in a second commit the fix of comments from the effective
> patch, and avoid this kind of changes:
>
>-int tmout;
>+inttmout;
>
> Just because, this kind of changes are useless, and it add noisy
> information in the patch.
>
> A last point: could you explain in the message of the patch the
> goal of this patch. To avoid a search, this is the link of the official
> luasocket settimeout function:
>
> http://w3.impa.br/~diego/software/luasocket/tcp.html#settimeout
>
> Thanks
> Thierry
>
> > On 7 Mar 2018, at 18:16, Mark Lakes <mla...@signalsciences.com> wrote:
> >
> > In regards to earlier conversation, herein is a patch attached for the
> > feature.
> > From the mail archive:
> > https://www.mail-archive.com/haproxy@formilux.org/msg27806.html
> > https://www.mail-archive.com/haproxy@formilux.org/msg27807.html
> >
> > Mark Lakes
> > Signal Sciences | www.signalsciences.com |
> >
> > conversation participants:
> > Willy Tarreau
> > Adis Nezirovic
> > Nick Galbreath
> >
> > - Last conversation and decision agreement --
> > Nick Galbreath Thu, 09 Nov 2017 20:44:28 -0800
> >
> > thanks wily.
> >
> > re: " CONTRIBUTING in the sources directory," -
> >
> > yes, that is what I was looking for! thanks for the tip.
> >
> > re: least it seems important to round up non-null values to the next
> > millisecond.
> >
> > Definitely, we can and should add some checks for invalid values, etc.
> >
> > I'll read CONTRIBUTING, and set up my dev env, try a patch, and report
> > back appropriately.
> >
> > regards,
> >
> > n
> >
> > On Thu, Nov 9, 2017 at 8:37 PM, Willy Tarreau <w...@1wt.eu> wrote:
> >
> > > Hi Nick,
> > >
> > > On Thu, Nov 09, 2017 at 08:27:29PM -0800, Nick Galbreath wrote:
> > > > Hello Adis,
> > > >
> > > > We could certainly add another API/Lua function but it might be easier to
> > > > change
> > > >
> > > > luaL_checkinteger(L, 2) in
> > > >
> > > > tmout = MAY_LJMP(luaL_checkinteger(L, 2)) * 1000;
> > > >
> > > > to luaL_checknumber(L, 2), along with appropriate cast to int.
> > > >
> > > > Then we have backwards compatibility, less documentation to write, and get
> > > > millisecond timeouts.
> > >
> > > At least it seems important to round up non-null values to the next
> > > millisecond, otherwise we may observe busy loops when users specify
> > > sleep delays smaller than the millisecond, as haproxy's internal
> > > clock is millisecond-based (poll()'s resolution).
> > >
> > > > If people want a separate API, I'm happy to do that too, just more work.
> > >
> > > I think it should work as you propose it, more or less the round up of
> > > course.
> > >
> > > > Please advise, and I'll make a patch either way. I'm unfamiliar with the
> > > > HAProxy development process, so any tips or pointers are welcome,
> > >
> > > It's important to CC the subsystem maintainer when submitting a change,
> > > since they are supposed to have the last word on submissions in their
> > > area. This is done here since Thierry maintains the Lua area. Please
> > > carefully read CONTRIBUTING in the sources directory, it's not very
> > > long and will help you ensure that all your patches are easily merged.
> > > And you're welcome to propose changes to this file if something is
> > > unclear :-)
> > >
> > > Thanks,
> > > Willy
> > >
> > > --
> >
> > <0001-MINOR-lua-allow-socket-api-settimeout-to-accept-inte.patch>

0001-MINOR-lua-allow-socket-api-settimeout-to-accept-inte.patch
Description: Binary data
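
The conversion discussed in this thread (fractional seconds to whole milliseconds, rounded up, with a sanity check), as an added example that is not the attached patch and not HAProxy code. The names sec_to_ms_trunc and sec_to_ms_checked are hypothetical; in the Lua binding the input would come from luaL_checknumber(L, 2).

```c
#include <limits.h>
#include <math.h>   /* NAN macro only; no libm functions are called */
#include <stdio.h>

/* Naive variant: truncating cast. 0.0004 s becomes 0 ms, and a 0 ms
 * timeout on a millisecond clock expires at once, so the caller spins. */
int sec_to_ms_trunc(double sec)
{
    return (int)(sec * 1000.0);
}

/* Checked variant (hypothetical helper, not HAProxy code).
 * Returns 0 and stores whole milliseconds in *ms, or -1 if invalid. */
int sec_to_ms_checked(double sec, int *ms)
{
    double scaled;
    int whole;

    if (sec != sec || sec < 0.0)        /* NaN or negative */
        return -1;

    scaled = sec * 1000.0;
    /* Range check before the cast: converting an out-of-range double
     * to int is undefined behaviour. This also rejects +infinity. */
    if (scaled > (double)INT_MAX)
        return -1;

    whole = (int)scaled;                /* truncates toward zero */
    if ((double)whole < scaled)         /* fractional part left over: */
        whole++;                        /* round up to the next ms */

    *ms = whole;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, in seconds. */
    const double in[] = { 0.0, 0.0004, 0.25, 1.5, 2.0, -1.0, 1e12, NAN };
    size_t i;

    for (i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int ms = 0;
        if (sec_to_ms_checked(in[i], &ms) == 0)
            printf("%g s -> %d ms\n", in[i], ms);
        else
            printf("%g s -> rejected\n", in[i]);
    }
    return 0;
}
```
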
lua socket api settimeout in seconds vs. milliseconds
In regards to earlier conversation, herein is a patch attached for the feature.

From the mail archive:
https://www.mail-archive.com/haproxy@formilux.org/msg27806.html
https://www.mail-archive.com/haproxy@formilux.org/msg27807.html

Mark Lakes
Signal Sciences | www.signalsciences.com |

conversation participants:
Willy Tarreau
Adis Nezirovic
Nick Galbreath

- Last conversation and decision agreement --
Nick Galbreath Thu, 09 Nov 2017 20:44:28 -0800

thanks wily.

re: " CONTRIBUTING in the sources directory," -

yes, that is what I was looking for! thanks for the tip.

re: least it seems important to round up non-null values to the next
millisecond.

Definitely, we can and should add some checks for invalid values, etc.

I'll read CONTRIBUTING, and set up my dev env, try a patch, and report
back appropriately.

regards,

n

On Thu, Nov 9, 2017 at 8:37 PM, Willy Tarreau <w...@1wt.eu> wrote:

> Hi Nick,
>
> On Thu, Nov 09, 2017 at 08:27:29PM -0800, Nick Galbreath wrote:
> > Hello Adis,
> >
> > We could certainly add another API/Lua function but it might be easier to
> > change
> >
> > luaL_checkinteger(L, 2) in
> >
> > tmout = MAY_LJMP(luaL_checkinteger(L, 2)) * 1000;
> >
> > to luaL_checknumber(L, 2), along with appropriate cast to int.
> >
> > Then we have backwards compatibility, less documentation to write, and get
> > millisecond timeouts.
>
> At least it seems important to round up non-null values to the next
> millisecond, otherwise we may observe busy loops when users specify
> sleep delays smaller than the millisecond, as haproxy's internal
> clock is millisecond-based (poll()'s resolution).
>
> > If people want a separate API, I'm happy to do that too, just more work.
>
> I think it should work as you propose it, more or less the round up of
> course.
>
> > Please advise, and I'll make a patch either way. I'm unfamiliar with the
> > HAProxy development process, so any tips or pointers are welcome,
>
> It's important to CC the subsystem maintainer when submitting a change,
> since they are supposed to have the last word on submissions in their
> area. This is done here since Thierry maintains the Lua area. Please
> carefully read CONTRIBUTING in the sources directory, it's not very
> long and will help you ensure that all your patches are easily merged.
> And you're welcome to propose changes to this file if something is
> unclear :-)
>
> Thanks,
> Willy
>
--

0001-MINOR-lua-allow-socket-api-settimeout-to-accept-inte.patch
Description: Binary data