HAPROXY HELP REQUIRED -- please contact

2017-06-08 Thread Vasudev Daxini



Regards,
Vasudev Daxini, RHCE
(M) +91-9920347199


Re: ECDSA and HAProxy help

2016-10-13 Thread Bryan Talbot

> On Oct 13, 2016, at 3:19 PM, Thierry Fournier wrote:
> 
> 
> The negotiated cipher is "AECDH-AES256-SHA", and I don't know if this
> cipher is ECDSA :) At least it seems to work.
> 
> Thierry
> 


That’s not a cipher that would normally be considered “good” to use since it 
doesn’t perform any message authentication [1].
It may (or may not) be enough to trigger the memory leak you’re looking for 
though. However, if you’d like to go with a full EC stack and use a realistic 
cipher, then get it working with one of these.


$> openssl ciphers -v 'ECDSA:!NULL'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1




1. https://en.wikipedia.org/wiki/Authenticated_encryption 



-Bryan (not a cryptographer)
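One check that follows from the listing above, added here as example code that is not from the thread, HAProxy or OpenSSL: the cipher string "ECDSA:EECDH:ECDH" used earlier in this thread also matches the anonymous AECDH suites, whose `openssl ciphers -v` entry shows Au=None, which is why a handshake can land on AECDH-AES256-SHA without any ECDSA certificate being involved. The shell functions below classify `ciphers -v` lines so that only suites authenticated with ECDSA and free of RC4 and 3DES remain, and expose a live check of any cipher string against the local OpenSSL build. The sample list is constructed from the eight lines in the listing plus one AECDH line in the same format.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl ciphers -v` output so
# that anonymous (Au=None) suites and legacy bulk ciphers stand out.

# Constructed sample: the eight ECDHE-ECDSA lines quoted in the thread plus one
# anonymous AECDH line, all in the `openssl ciphers -v` layout:
#   $1 name  $2 protocol  $3 Kx=  $4 Au=  $5 Enc=  $6 Mac=
SAMPLE_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1'

# Names of suites that authenticate the peer with ECDSA and use neither RC4
# nor 3DES. Reads `openssl ciphers -v` lines on stdin.
ecdsa_authenticated_suites() {
    awk '$4 == "Au=ECDSA" && $5 !~ /RC4|3DES/ { print $1 }'
}

# Names of anonymous suites (Au=None): no certificate is used at all, so a
# handshake on one of these proves nothing about the ECDSA setup.
anonymous_suites() {
    awk '$4 == "Au=None" { print $1 }'
}

# Live check against the local OpenSSL build: exit 0 when the cipher string
# admits no anonymous suite, 1 otherwise.
# Usage: cipher_string_is_authenticated 'ECDSA:EECDH:ECDH'
cipher_string_is_authenticated() {
    openssl ciphers -v "$1" 2>/dev/null \
        | awk '$4 == "Au=None" { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Stand-alone run on the embedded sample.
echo "ECDSA-authenticated, modern bulk cipher:"
printf '%s\n' "$SAMPLE_CIPHERS" | ecdsa_authenticated_suites
echo "anonymous:"
printf '%s\n' "$SAMPLE_CIPHERS" | anonymous_suites
```

On the sample, six suites survive the first filter (the two GCM suites, the two SHA-2 CBC suites and the two AES/SHA1 suites), while the RC4, 3DES and AECDH entries drop out; feeding `openssl ciphers -v 'ECDSA:EECDH:ECDH'` through `anonymous_suites` is the quickest way to see why that string could negotiate AECDH-AES256-SHA.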




Re: ECDSA and HAProxy help

2016-10-13 Thread Thierry Fournier
Hi,

Thanks guys for the tips. I can connect to haproxy with an ECDSA cipher
using the following cipher string on the OpenSSL client side:

   openssl s_client -connect 127.0.0.1:1 -cipher ECDSA:EECDH:ECDH

and this string in the haproxy configuration:

   ssl-default-bind-ciphers "ECDSA:EECDH:ECDH"

and only ECDSA certificates.

The negotiated cipher is "AECDH-AES256-SHA", and I don't know if this
cipher is ECDSA :) At least it seems to work.

Thierry



On Tue, 11 Oct 2016 15:32:04 -0700
Bryan Talbot wrote:

> 
> > On 12 Oct 2016 8:45 am, "Igor Cicimov" wrote:
> > >
> > > On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
> > > > I'm currently trying to investigate a little memory leak in
> > > > the certificate loading, and I'm trying to test ECDSA certificates and
> > > > ciphers.
> > > >
> > > > I can't do this :( I don't understand anything in the ECDSA
> > > > certificate process.
> > > >
> > > > My test certificate is generated from a little chain where the root CA
> > > > is autosigned. So the root CA and the 2 intermediates are RSA
> > > > certificates. The ECDSA certificate is built with these commands:
> > > >
> > > >    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> > > >       $CN.ecdsa.key
> > 
> > 
> 
> 
> I ran into this as well and it turns out that s_client and s_server do not
> seem to play nicely with curves when using -param_enc explicit and instead
> prefer to only deal with named curves.
> 
> Encode the key params using a named curve that both sides can accept and your
> test should work.
> 
> Also, see 
> https://groups.google.com/forum/#!topic/mailing.openssl.users/Rg6yV4ccWeo 
> 
> 
> -Bryan
> 
> 
-- 
Thierry Fournier
Web Performance & Security Expert
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/



Re: ECDSA and HAProxy help

2016-10-11 Thread Bryan Talbot

> On 12 Oct 2016 8:45 am, "Igor Cicimov" wrote:
> >
> > On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
> > > I'm currently trying to investigate a little memory leak in
> > > the certificate loading, and I'm trying to test ECDSA certificates and
> > > ciphers.
> > >
> > > I can't do this :( I don't understand anything in the ECDSA
> > > certificate process.
> > >
> > > My test certificate is generated from a little chain where the root CA
> > > is autosigned. So the root CA and the 2 intermediates are RSA
> > > certificates. The ECDSA certificate is built with these commands:
> > >
> > >    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> > >       $CN.ecdsa.key
> 
> 


I ran into this as well and it turns out that s_client and s_server do not seem
to play nicely with curves when using -param_enc explicit and instead prefer to
only deal with named curves.

Encode the key params using a named curve that both sides can accept and your
test should work.

Also, see 
https://groups.google.com/forum/#!topic/mailing.openssl.users/Rg6yV4ccWeo 


-Bryan




Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov
On 12 Oct 2016 8:45 am, "Igor Cicimov" wrote:
>
> On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
> >
> > Hi list,
> >
> > I'm currently trying to investigate a little memory leak in
> > the certificate loading, and I'm trying to test ECDSA certificates and
> > ciphers.
> >
> > I can't do this :( I don't understand anything in the ECDSA
> > certificate process.
> >
> > So, after many failures with HAProxy, I tried to validate the concept only
> > with openssl. I used openssl 1.0.2j.
> >
> > First I tested classic RSA ciphers (I suppose that OpenSSL builds its own
> > certificates?):
> >
> >    openssl s_server -accept 1 -cipher RSA
> >    openssl s_client -connect 127.0.0.1:1 -cipher RSA
> >
> > That works! I tried with ECDSA. It's exactly the same command but
> > with ECDSA ciphers.
> >
> >    openssl s_server -accept 1 -cipher ECDSA
> >    openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
> >
>
> Try with a more specific cipher like
>
> -cipher ECDHE-ECDSA-AES128-GCM-SHA256
>
> > That doesn't work. I read this error: "ssl3_get_client_hello:no shared
> > cipher". I don't understand because the server and the client are the
> > same binary, and I suppose that the ciphers are obviously the same.
> >
> > I have exactly the same behaviour with haproxy (I wrote a temporary
> > patch for getting the details of the handshake errors) if I load only an
> > ECDSA certificate and enable only the ECDSA ciphers.
> >
> > I ran a tcpdump network capture, and I see that the client announces
> > the right list of ECDSA ciphers. Also, the protocol used is TLS
> > 1.2.
> >
> >    ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
> >    ... and others ...
> >
> > My test certificate is generated from a little chain where the root CA
> > is autosigned. So the root CA and the 2 intermediates are RSA
> > certificates. The ECDSA certificate is built with these commands:
> >
> >    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> >       $CN.ecdsa.key

Also try with a different EC curve like:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
-keyout cert_ecdsa.key -out cert_ecdsa.crt -days 7200 -subj 'subject'

I remember I had issues with secp curves higher than 384r1 when I was testing ECDSA
with Tomcat 9. See
https://icicimov.github.io/blog/server/Tomcat9-ECDSA-Certificates-and-HTTP2/,
maybe you can find something useful. I was using curl as the client for testing
though.

> >    openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
> >       "$SUBJECT"
> >
> >    openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
> >       inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
> >       -sha256
> >
> > Any ideas?
> >
> > PS: I can't test DSA either, but in this case the openssl
> > s_client fails before trying to connect :) That is another story.
> >
> > Thierry
> >
> >
> > --
> > Thierry Fournier
> > m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> > w: http://www.ozon.io/| b: http://blog.ozon.io/
> >


Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov
On 11 Oct 2016 7:05 pm, "Thierry Fournier" wrote:
>
> Hi list,
>
> I'm currently trying to investigate a little memory leak in
> the certificate loading, and I'm trying to test ECDSA certificates and
> ciphers.
>
> I can't do this :( I don't understand anything in the ECDSA
> certificate process.
>
> So, after many failures with HAProxy, I tried to validate the concept only
> with openssl. I used openssl 1.0.2j.
>
> First I tested classic RSA ciphers (I suppose that OpenSSL builds its own
> certificates?):
>
>    openssl s_server -accept 1 -cipher RSA
>    openssl s_client -connect 127.0.0.1:1 -cipher RSA
>
> That works! I tried with ECDSA. It's exactly the same command but
> with ECDSA ciphers.
>
>    openssl s_server -accept 1 -cipher ECDSA
>    openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
>

Try with a more specific cipher like

-cipher ECDHE-ECDSA-AES128-GCM-SHA256

> That doesn't work. I read this error: "ssl3_get_client_hello:no shared
> cipher". I don't understand because the server and the client are the
> same binary, and I suppose that the ciphers are obviously the same.
>
> I have exactly the same behaviour with haproxy (I wrote a temporary
> patch for getting the details of the handshake errors) if I load only an
> ECDSA certificate and enable only the ECDSA ciphers.
>
> I ran a tcpdump network capture, and I see that the client announces
> the right list of ECDSA ciphers. Also, the protocol used is TLS
> 1.2.
>
>    ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
>    ... and others ...
>
> My test certificate is generated from a little chain where the root CA
> is autosigned. So the root CA and the 2 intermediates are RSA
> certificates. The ECDSA certificate is built with these commands:
>
>    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
>       $CN.ecdsa.key
>
>    openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
>       "$SUBJECT"
>
>    openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
>       inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
>       -sha256
>
> Any ideas?
>
> PS: I can't test DSA either, but in this case the openssl
> s_client fails before trying to connect :) That is another story.
>
> Thierry
>
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/| b: http://blog.ozon.io/
>


ECDSA and HAProxy help

2016-10-11 Thread Thierry Fournier
Hi list,

I'm currently trying to investigate a little memory leak in
the certificate loading, and I'm trying to test ECDSA certificates and
ciphers.

I can't do this :( I don't understand anything in the ECDSA
certificate process.

So, after many failures with HAProxy, I tried to validate the concept only
with openssl. I used openssl 1.0.2j.

First I tested classic RSA ciphers (I suppose that OpenSSL builds its own
certificates?):

   openssl s_server -accept 1 -cipher RSA
   openssl s_client -connect 127.0.0.1:1 -cipher RSA

That works! I tried with ECDSA. It's exactly the same command but
with ECDSA ciphers.

   openssl s_server -accept 1 -cipher ECDSA
   openssl s_client -connect 127.0.0.1:1 -cipher ECDSA

That doesn't work. I read this error: "ssl3_get_client_hello:no shared
cipher". I don't understand because the server and the client are the
same binary, and I suppose that the ciphers are obviously the same.

I have exactly the same behaviour with haproxy (I wrote a temporary
patch for getting the details of the handshake errors) if I load only an
ECDSA certificate and enable only the ECDSA ciphers.

I ran a tcpdump network capture, and I see that the client announces
the right list of ECDSA ciphers. Also, the protocol used is TLS
1.2.

   ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
   ... and others ...

My test certificate is generated from a little chain where the root CA
is autosigned. So the root CA and the 2 intermediates are RSA
certificates. The ECDSA certificate is built with these commands:

   openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
      $CN.ecdsa.key

   openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
      "$SUBJECT"

   openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
      inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
      -sha256

Any ideas?

PS: I can't test DSA either, but in this case the openssl
s_client fails before trying to connect :) That is another story.

Thierry


-- 
Thierry Fournier
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/



Haproxy help

2015-08-18 Thread vivek pal
Hi,

We have configured haproxy with balance roundrobin, added 2 web servers
web1, web2 and mapped website.domain.com to the haproxy IP. When we hit
website.domain.com in a browser it's working; requests are transferred to both
servers. We want to send the first 100 hits to web1 and the rest to web2. Is it
possible?

Regards,

Vivek Pal.


Re: Haproxy help

2015-08-18 Thread Aaron West
Hi Vivek,

You can do this, I think, with the first scheduler, i.e. the option balance
first:

This is what the haproxy doc says:

  first   The first server with available connection slots receives the
          connection. The servers are chosen from the lowest numeric
          identifier to the highest (see server parameter id), which
          defaults to the server's position in the farm. Once a server
          reaches its maxconn value, the next server is used. It does
          not make sense to use this algorithm without setting maxconn.
          The purpose of this algorithm is to always use the smallest
          number of servers so that extra servers can be powered off
          during non-intensive hours. This algorithm ignores the server
          weight, and brings more benefit to long session such as RDP
          or IMAP than HTTP, though it can be useful there too. In
          order to use this algorithm efficiently, it is recommended
          that a cloud controller regularly checks server usage to turn
          them off when unused, and regularly checks backend queue to
          turn new servers on when the queue inflates. Alternatively,
          using http-check send-state may inform servers on the load.

Otherwise you may be able to do something based on session rate with ACLs.
I used this config once previously:

frontend TestVIP 192.168.0.236:80 transparent
    mode http
    maxconn 4
    option accept-invalid-http-request
    # route away from prod when its session rate or availability degrades
    acl max_conn_reached srv_sess_rate(prod/ProdRIP) gt 10
    acl prod_dead nbsrv(prod) lt 1
    # clients that already hold a SERVERID cookie stay on prod
    acl whitelist hdr_sub(Cookie) -i SERVERID
    default_backend prod
    use_backend prod if whitelist
    use_backend fallback if max_conn_reached OR prod_dead

backend prod
    mode http
    balance leastconn
    option abortonclose
    option forwardfor
    option accept-invalid-http-response
    option http-keep-alive
    cookie SERVERID insert nocache indirect
    server ProdRIP 192.168.0.245 weight 100 cookie ProdRIP check port 80 inter 4000 rise 2 fall 2 minconn 0 maxconn 0

backend fallback
    mode http
    balance leastconn
    option abortonclose
    option forwardfor
    option accept-invalid-http-response
    option http-keep-alive
    server FallbackRIP 192.168.0.246 weight 100 minconn 0 maxconn 0

Regards

Aaron West

Loadbalancer.org Limited
+44 (0)330 380 1064
www.loadbalancer.org

On 18 August 2015 at 13:06, vivek pal mr.vivek...@gmail.com wrote:


 Hi,

 We have configured haproxy with balance roundrobin, added 2 web servers
 web1, web2 and mapped website.domain.com to the haproxy IP. When we hit
 website.domain.com in a browser it's working; requests are transferred to
 both servers. We want to send the first 100 hits to web1 and the rest to web2. Is it
 possible?

 Regards,

 Vivek Pal.




Re: haproxy help

2014-09-02 Thread JCM
On 2 September 2014 09:44, Matt James matt_jame...@hotmail.com wrote:
 Hi

 I am looking for some help with haproxy.

 It is my first proper experience with it and I am a novice when it comes to
 Ubuntu!

 We have it currently running version 1.4.24 on an Ubuntu server.  Due to
 compliance etc. we want to update this so we have deployed a new Ubuntu
 server with version 1.5.3

 Everything appears to have installed ok and I have copied the .conf file
 from the old version to the new one and renamed it .cfg

 Now, when we attempt to start everything we get the attached error.

 Please help!

You are attempting to run the startup script as a non-root user, which
isn't going to work without someone having done some non-trivial
configuration to your server beforehand. Try running it as root.

[ As an aside (and I do hate to be negative) if you are professionally
involved with compliance and aren't able to troubleshoot a
relatively simple issue like this, then you need to get your company
to involve more experienced technical people with your work.

I don't know what industry you're in, but there are a number of red
flags in your first couple of emails to this list which would -- if I
were in your shoes -- make me very wary of saying I'd successfully
made a service or server compliant. IMHO you may well be storing up
problems for your company *and* for yourself.

There's no harm in telling people they're asking you to do things
outside your comfort zone, and compliance work is probably *not*
somewhere that you or your company wants you to be doing your
otherwise perfectly valid learning-through-doing! /my2cents ]

Jonathan