Re: dns resolution and caching
Thank you, Baptiste. I think it will be a very useful feature to add for any service that uses dynamic DNS of some sort.

Thanks for your reply,
Best,
--aydan

On 7/3/14, 4:41 PM, Baptiste <bed...@gmail.com> wrote:
> On Wed, Jul 2, 2014 at 5:03 AM, Yumerefendi, Aydan <aydan.yumerefe...@inin.com> wrote:
>> We are using haproxy to route traffic to several AWS services that are behind an ELB and noticed the following behavior:
>>
>> - haproxy resolves the ELB address at startup and routes traffic just fine (not sure if haproxy uses the first IP or all resolved IPs and round-robins between them, though)
>> - however, Amazon uses a short TTL for ELB DNS entries, 60s or so. If the ELB is modified, due to load or internal reconfiguration, Amazon can modify the ELB DNS mapping
>> - once the IP(s) mapped to the ELB are completely replaced, relative to the ones initially resolved at startup, haproxy fails to route traffic and returns status 503
>>
>> Is there a way to configure haproxy to respect DNS TTL when resolving DNS names? If not, is there something you can recommend that would allow us to deal with this problem?
>>
>> Our current plan is to stop using DNS for the ELB and instead to use its IP addresses. We'll then periodically do DNS resolutions and once we detect a change, we'll rewrite the configuration and have haproxy reload it.
>>
>> Thanks for your help and for this great product!
>>
>> --aydan
>
> Hi,
>
> This is not yet available in HAProxy. It's a common request and should be available some day, but no idea when!
>
> Baptiste
Re: Issue with ssl_c_sha1
Willy,

Thanks for your help. Your suggestion worked! What tripped me up was the lack of an example involving ssl_c_sha1 in the documentation. The easiest way to improve would be to add the line you sent me to the list of other SSL examples.

Thanks,
--aydan

On 5/28/14, 5:47 PM, Willy Tarreau <w...@1wt.eu> wrote:
> Hi,
>
> On Wed, May 28, 2014 at 08:47:11PM +, Yumerefendi, Aydan wrote:
>> Hi,
>>
>> I am trying to extract the sha1 hash of the client certificate and to pass it to the backend server. My configuration has this line:
>>
>>   http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
>>
>> However, this does not seem to produce a string of the form aabbcc... as the examples I've seen on the web. Instead, it appears to write the raw sha1 hash bytes. The downstream server, node.js, appears to treat these values as utf8 strings.
>
> Indeed, the doc says it's binary, so if you want it in hex, you just need to chain the hex converter:
>
>   http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1,hex]
>
> The binary form is more suited to stick tables for example as it takes half of the space.
>
> Do you think we could improve the doc one way or another to make this easier to find? Maybe with more examples? Do not hesitate to suggest adaptations or even patches!
>
> Regards,
> Willy
dns resolution and caching
We are using haproxy to route traffic to several AWS services that are behind an ELB and noticed the following behavior:

- haproxy resolves the ELB address at startup and routes traffic just fine (not sure if haproxy uses the first IP or all resolved IPs and round-robins between them, though)
- however, Amazon uses a short TTL for ELB DNS entries, 60s or so. If the ELB is modified, due to load or internal reconfiguration, Amazon can modify the ELB DNS mapping
- once the IP(s) mapped to the ELB are completely replaced, relative to the ones initially resolved at startup, haproxy fails to route traffic and returns status 503

Is there a way to configure haproxy to respect DNS TTL when resolving DNS names? If not, is there something you can recommend that would allow us to deal with this problem?

Our current plan is to stop using DNS for the ELB and instead to use its IP addresses. We'll then periodically do DNS resolutions and once we detect a change, we'll rewrite the configuration and have haproxy reload it.

Thanks for your help and for this great product!

--aydan
Issue with ssl_c_sha1
Hi,

I am trying to extract the sha1 hash of the client certificate and to pass it to the backend server. My configuration has this line:

  http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]

However, this does not seem to produce a string of the form aabbcc... as the examples I've seen on the web. Instead, it appears to write the raw sha1 hash bytes. The downstream server, node.js, appears to treat these values as utf8 strings.

This is the version I am running:

  ./haproxy --version
  HA-Proxy version 1.5-dev25-a339395 2014/05/10
  Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

What am I doing wrong? Ideally I would like to get the sha1 hash as a hex string.

Thanks,
--aydan