Re: [PATCH] support Openssl 1.1.1 early callback API for HS

2017-09-06 Thread Emmanuel Hocdet
Hi Willy,

> On 5 Sept 2017 at 10:11, Willy Tarreau wrote:
> 
> Hi Manu,
> 
> On Mon, Sep 04, 2017 at 04:39:45PM +0200, Emmanuel Hocdet wrote:
>> Hi Emeric, Christopher
>> 
>> If you can review when you have time. (3) for Christopher.
>> 
>> These patches allow support for native multicert selection (RSA/ECDSA) and
>> ssl-min-ver/ssl-max-ver per certificate with openssl 1.1.1 (boringssl is the only
>> one to support this until this patch).
>> 
>> patches:
>> 1) Convert BoringSSL api call (CBS) to ssl-lib independent code.
>>    This is the biggest part and only depends on BoringSSL build (until 2).
>> 
>> 2) support openssl 1.1.1 early callback API. It mimics the BoringSSL api, and this
>>    is good news (small patch).
>>    Do we want to push code for openssl 1.1.1 (dev) in haproxy (dev) now?
> 
> I suspect it will be mandatory in order to support TLS early-data (0-RTT).
> So I think it will be nice to have it before the release. However given that
> both Christopher and Emeric are heavily loaded on the multi-threading part,
> I suggest that we postpone the patchset review until the multi-thread stuff
> gets merged. As you say, the patch is small so it will be easy to review and
> apply, and/or revert in case of issues so it's not a big deal to merge it
> late in the cycle.

It will be mandatory to avoid unexpected behavior (see notes on openssl 1.1.1
API doc), as I have noticed with boringssl before implementing early callback.
And yes, early-data should need it and will work per certificate (I already
tested it with boringssl).

Encouraging Emeric and Christopher for the multithreading part!
++
Manu



AWS ELB with HA proxy showing 5XX errors

2017-09-06 Thread DHAVAL JAISWAL
I want to ensure that if there is any IP change of the AWS ELB it should not give
any 5XX/503 errors or affect the production site.

In order to solve it, the following configuration changes were made in haproxy.cfg.

Please advise if there is any change required in the
following configuration. Does it require two nameservers, or is one fine?
If it requires two name servers, then which is advisable? I want to ensure
that if there is any IP change of the ELB it is detected immediately and
traffic is sent to the ELB.


resolvers myresolver
  nameserver dns1 8.8.8.8:53
  resolve_retries 3
  timeout retry 1s
  hold valid 10s

backend mybackend
  server server1 internal-testinelbtomcat-193184.ap-southeast-1.elb.amazonaws.com:8080 check resolvers myresolver


I have some queries as well. Will the above configuration slow down request/response
time or site performance?
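The resolver setup asked about above, written out as an added example; it is not part of the original post and not the HAProxy project's own configuration. It assumes HAProxy 1.7 or later (for the `timeout resolve`, `hold <status>` and `init-addr` directives), and the nameserver addresses, the backend name and the ELB hostname are constructed placeholders. It shows the three things the post leaves open: a resolvers section accepts more than one nameserver line, the hold timers bound how long a stale ELB address keeps being used after the DNS answer changes, and `init-addr` decides what happens when the name cannot be resolved at startup.

```haproxy
# Added example (not from the original post). Addresses and hostnames are
# constructed placeholders; adjust them to the environment.
resolvers myresolver
  # Two nameservers: haproxy queries all of them for each resolution and
  # uses the first valid answer, so one unreachable resolver does not stop
  # address updates. 10.0.0.2 stands in for the VPC-provided resolver,
  # 8.8.8.8 for a public fallback.
  nameserver dns1 10.0.0.2:53
  nameserver dns2 8.8.8.8:53
  resolve_retries 3        # queries sent before a resolution is given up
  timeout resolve 1s       # interval at which resolutions are triggered
  timeout retry   1s       # wait between retries of an unanswered query
  hold valid      10s      # keep a valid answer 10s before asking again
  # On errors, keep the last known address for a bounded time instead of
  # dropping the server immediately; this is the window during which an
  # old ELB address may still be used after a failed lookup.
  hold nx         30s
  hold refused    30s
  hold timeout    30s
  hold other      30s

backend mybackend
  # init-addr: at startup try the address saved in the state file (last),
  # then the libc resolver; "none" lets haproxy start with the server
  # address unset (server stays down) instead of refusing the config when
  # the ELB name cannot be resolved at boot. The runtime resolvers above
  # take over once a query succeeds. resolve-prefer picks IPv4 when the
  # name returns both families.
  server server1 internal-example-elb.ap-southeast-1.elb.amazonaws.com:8080 check inter 2s resolvers myresolver resolve-prefer ipv4 init-addr last,libc,none
```

Runtime resolution does not sit on the request path: the DNS queries run in the background on the timers above, so the cost is a few small UDP queries per `hold valid` period rather than per request. The trade-off to watch is the `hold` values: a longer `hold valid` means fewer queries but a longer delay before an ELB address change is picked up, and the error holds decide how long traffic may still go to an address the resolver can no longer confirm.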


Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Willy Tarreau
On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote:
> Hi,
> 
> server configuration now breaks with:
> 
> cfg sample:
> listen tls
> [...]
> server bla 127.0.0.1:8080
> 
> [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla' : no method found to resolve address '(null)'
> [ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.

G Thanks Manu. I think that after 1.8 we'll declare it illegal
to introduce new bugs. Surely this will help... oh well, it may prevent
me from approaching the keyboard :-/

Nenad, could you please have a look, since it was meant to fix another
issue ?

Thanks,
Willy



Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Nenad Merdanovic

Hello Willy,

On 9/6/2017 2:03 PM, Willy Tarreau wrote:

> On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote:
>> Hi,
>> 
>> server configuration now breaks with:
>> 
>> cfg sample:
>> listen tls
>> [...]
>> server bla 127.0.0.1:8080
>> 
>> [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla' : no method found to resolve address '(null)'
>> [ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.
> 
> G Thanks Manu. I think that after 1.8 we'll declare it illegal
> to introduce new bugs. Surely this will help... oh well, it may prevent
> me from approaching the keyboard :-/
> 
> Nenad, could you please have a look, since it was meant to fix another
> issue ?


Can you please revert this patch? It's not a good way to fix the issue 
we were experiencing before. It will need a bigger rewrite, because the 
logic in srv_iterate_initaddr needs to be changed.


Thanks,
nenad



> Thanks,
> Willy





regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Emmanuel Hocdet
Hi,

server configuration now breaks with:

cfg sample:
listen tls
[…]
server bla 127.0.0.1:8080

[ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] : 'server bla' : no method found to resolve address '(null)'
[ALERT] 248/130258 (21960) : Failed to initialize server(s) addr.

++
Manu



Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Willy Tarreau
On Wed, Sep 06, 2017 at 02:16:34PM +0200, Nenad Merdanovic wrote:
> Can you please revert this patch? It's not a good way to fix the issue we
> were experiencing before. It will need a bigger rewrite, because the logic
> in srv_iterate_initaddr needs to be changed.

OK now done. Thanks for your fast response.

Willy