Re: [PATCH] REG-TEST: mailers: add new test for 'mailers' section

2019-01-21 Thread Willy Tarreau
On Tue, Jan 22, 2019 at 12:36:41AM +0100, PiBa-NL wrote: > The regtest works for me as well with this patch. Without needing the > 'timeout mail' setting. > > I think we can call it fixed once committed. OK so I've now merged it in dev and 1.9. Thanks! Willy

Some test case for HTTP/2 failed, are those bugs?

2019-01-21 Thread 高和东
Dear Willy: I am a follower of haproxy. I tested the HTTP/2 function in haproxy_1.8.17 with the tool h2spec, but some test cases failed. I wonder if those are bugs in haproxy. See the tool here https://github.com/summerwind/h2spec . Those failed cases are as follows:

Re: [PATCH] REG-TEST: mailers: add new test for 'mailers' section

2019-01-21 Thread PiBa-NL
Hi Christopher, On 21-1-2019 at 15:28, Christopher Faulet wrote: Hi Pieter, About the timing issue, could you try the following patch please ? With it, I can run the regtest about email alerts without any error. Thanks, -- Christopher Faulet The regtest works for me as well with this

Automatic Redirect transformations using regex?

2019-01-21 Thread Joao Guimaraes
Hi Haproxy team! I've been trying to figure out how to perform automatic redirects based on source URL transformations. *Basically I need the following redirect: * mysite.*abc* redirected to *abc*.mysite.com. Note that mysite.abc is not fixed, must apply to whatever abc wants to be. *Other

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Adam Langley
On Mon, Jan 21, 2019 at 10:16 AM Dirkjan Bussink wrote: > Ah ok, I recently added support in HAProxy to handle the new > SSL_CTX_set_ciphersuites option since OpenSSL handles setting TLS 1.3 ciphers > separate from the regular ones. Are those things that BoringSSL would also > want to adopt

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Dirkjan Bussink
Hi Adam, > On 21 Jan 2019, at 10:09, Adam Langley wrote: > > HAProxy isn't a user that we have on our radar, but BoringSSL dislikes > pushing compatibility hacks into downstream projects. (You can always > ask for these things to be included in BoringSSL instead.) Ah ok, I recently added

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Adam Langley
On Mon, Jan 21, 2019 at 9:49 AM Emmanuel Hocdet wrote: > Boringssl does not have SSL_OP_NO_RENEGOTIATION and need KeyUpdate to work. > As workaround, SSL_OP_NO_RENEGOTIATION could be set to 0 in openssl-compat.h. HAProxy isn't a user that we have on our radar, but BoringSSL dislikes pushing

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Dirkjan Bussink
Hi Manu, > On 21 Jan 2019, at 09:49, Emmanuel Hocdet wrote: > > Boringssl does not have SSL_OP_NO_RENEGOTIATION and need KeyUpdate to work. > As workaround, SSL_OP_NO_RENEGOTIATION could be set to 0 in openssl-compat.h. Hmm, then we will need a different #define though since we can’t rely own

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emmanuel Hocdet
Hi, > On 21 Jan 2019, at 17:06, Emeric Brun wrote: > > Interesting, it would be good to skip the check using the same method. > > We must stay careful to not put the OP_NO_RENEG flag on the client part (when > haproxy connects to server), because reneg from server is authorized > but i

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Dirkjan Bussink
Hi Emeric, > On 21 Jan 2019, at 08:06, Emeric Brun wrote: > > Interesting, it would be good to skip the check using the same method. > > We must stay careful to not put the OP_NO_RENEG flag on the client part (when > haproxy connects to server), because reneg from server is authorized > but i

Re: Seamless reloads: file descriptors utilization in LUA

2019-01-21 Thread William Lallemand
Hello, On Mon, Jan 21, 2019 at 06:53:12AM +0300, Wert wrote: > Hi, > > I'm talking only about performance ways) > > About socket. > I use UDP for sending, there are no reasons for delays. > However, my bad - I misunderstood some FDs in "lsof". It is not related to > that UDP-sending, that is

Re: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Willy Tarreau
On Mon, Jan 21, 2019 at 04:37:32PM +, Ben Shillito wrote: > Hi Willy, > > Ah yes, thanks, I missed the S first time reading it. > > There are actually a couple of things I'd like to check over a bit more > thoroughly like the caching used in 51d.c, so it will probably be more like >

RE: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Ben Shillito
Hi Willy, Ah yes, thanks, I missed the S first time reading it. There are actually a couple of things I'd like to check over a bit more thoroughly like the caching used in 51d.c, so it will probably be more like tomorrow. Thanks, Ben Shillito Developer O: +44 1183 287152 E:

Re: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Willy Tarreau
Hi Patrick, On Mon, Jan 21, 2019 at 10:54:17AM -0500, Patrick Hemmer wrote: > We do use 51Degrees at my place of employment. However a couple of > caveats in that statement. Great, thank you for the feedback! > One is that we're still running on 1.7. No problem. > We'll > likely be upgrading

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emeric Brun
On 1/21/19 3:37 PM, Dirkjan Bussink wrote: > Hi all, > >> On 21 Jan 2019, at 02:01, Emeric Brun wrote: >> >> Is there a way to check this is a keyupdate message which triggers the >> callback (and not another)? > > Sadly there is not. I had taken a look at the OpenSSL code and it triggers >

Re: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Willy Tarreau
On Mon, Jan 21, 2019 at 04:00:13PM +, Ben Shillito wrote: > Hi Willy, > > I agree, setting the flag from the HAProxy USE_THREADS is probably the > neatest solution. Yep. Be careful, it's "USE_THREAD" (without trailing S). > I will get a patch over to you later on today. Fine, no emergency

RE: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Ben Shillito
Hi Willy, I agree, setting the flag from the HAProxy USE_THREADS is probably the neatest solution. I will get a patch over to you later on today. Thanks, Ben Shillito Developer O: +44 1183 287152 E: b...@51degrees.com T: @51Degrees -Original Message- From: Willy Tarreau

Re: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Patrick Hemmer
On 2019/1/21 09:36, Willy Tarreau wrote: > Hi all, > > recently it was figured that the buffer API changes caused some breakage > to da.c and 51d.c (both fixed since), I don't know if wurfl builds at all > by the way since the last update to the module is its introduction more > than 2 years

Re: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Willy Tarreau
Hi Ben, First, thanks for your quick response. On Mon, Jan 21, 2019 at 03:05:08PM +, Ben Shillito wrote: > Hi Willy, > > I'd like to point out that the 51Degrees API does in fact support > multi-threaded operation by default. The HAProxy makefile however, explicitly > uses the

RE: Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Ben Shillito
Hi Willy, I'd like to point out that the 51Degrees API does in fact support multi-threaded operation by default. The HAProxy makefile however, explicitly uses the FIFTYONEDEGREES_NO_THREADING compile option to disable this when building

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Dirkjan Bussink
Hi all, > On 21 Jan 2019, at 02:01, Emeric Brun wrote: > > Is there a way to check this is a keyupdate message which triggers the > callback (and not another)? Sadly there is not. I had taken a look at the OpenSSL code and it triggers the callback without any additional information available

Does anyone *really* use 51d or WURFL ?

2019-01-21 Thread Willy Tarreau
Hi all, recently it was figured that the buffer API changes caused some breakage to da.c and 51d.c (both fixed since), I don't know if wurfl builds at all by the way since the last update to the module is its introduction more than 2 years ago. But more importantly I'm realizing that neither 51d

Re: reg-tests situation in haproxy 1.8

2019-01-21 Thread Frederic Lecaille
On 1/19/19 8:53 AM, Willy Tarreau wrote: Hi Lukas, On Fri, Jan 18, 2019 at 12:43:34PM +0100, Lukas Tribus wrote: Hello, currently we have 4 reg-tests in haproxy-1.8, backported due to the actual bugfix commit, which included a test. We also have a broken symbolic link in

Re: [PATCH] REG-TEST: mailers: add new test for 'mailers' section

2019-01-21 Thread Christopher Faulet
On 23/12/2018 at 21:17, PiBa-NL wrote: Hi List, Attached a new test to verify that the 'mailers' section is working properly. Currently with 1.9 the mailers sends thousands of mails for my setup... As the test is rather slow I have marked it with a starting letter 's'. Note that the test

Re: H2 Server Connection Resets (1.9.2)

2019-01-21 Thread Aleksandar Lazic
Hi Luke. On 21.01.2019 at 10:30, Luke Seelenbinder wrote: > Hi all, > > One more bug (or configuration hole) from our transition to 1.9.x using > end-to-end h2 connections. > > After enabling h2 backends (technically `server … alpn h2,http/1.1`), we > began seeing a high number of backend

Re: reg-tests situation in haproxy 1.8

2019-01-21 Thread Frederic Lecaille
On 1/19/19 8:53 AM, Willy Tarreau wrote: Hi Lukas, On Fri, Jan 18, 2019 at 12:43:34PM +0100, Lukas Tribus wrote: Hello, currently we have 4 reg-tests in haproxy-1.8, backported due to the actual bugfix commit, which included a test. We also have a broken symbolic link in

Re: HTX & tune.maxrewrite [1.9.2]

2019-01-21 Thread Christopher Faulet
On 18/01/2019 at 14:23, Luke Seelenbinder wrote: Quick clarification on the previous message. The code emitting the warning is almost assuredly here: https://github.com/haproxy/haproxy/blob/ed7a066b454f09fee07a9ffe480407884496461b/src/proto_htx.c#L3242 not in proto_http.c, seeing how this

Re: [PATCH] MINOR: startup: certain goto paths in init_pollers fail to free

2019-01-21 Thread Uman Shahzad
Hi On Mon, Jan 21, 2019, at 08:49, Willy Tarreau wrote: > On Mon, Jan 21, 2019 at 04:39:53AM +0100, Willy Tarreau wrote: > > Hi, > > > > On Thu, Jan 17, 2019 at 08:21:39AM +, Uman Shahzad wrote: > > > If we fail to initialize pollers due to fdtab/fdinfo/polled_mask > > > not getting

Re: Lots of mail from email alert on 1.9.x

2019-01-21 Thread Johan Hendriks
On 13-01-19 at 18:47, Willy Tarreau wrote: > Hi Olivier, > > On Sun, Jan 13, 2019 at 06:40:56PM +0100, Olivier Houchard wrote: >>> Indeed, this function should not have any special effect in this case, >>> it is needed to prepend this at the beginning of chk_report_conn_err() : >>> >>> if

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Janusz Dziemidowicz
On Mon, 21 Jan 2019 at 00:10, Adam Langley wrote: > No idea, I'm afraid. If you have a server to test, it looks like one > can use OpenSSL 1.1.1's `openssl s_client` tool to send a KeyUpdate > message by writing "K" on a line by itself. I tested all my servers and I've noticed that nginx is

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-21 Thread Emeric Brun
Hi Adam, On 1/20/19 10:12 PM, Adam Langley wrote: > KeyUpdate messages are a feature of TLS 1.3 that allows the symmetric > keys of a connection to be periodically rotated. It's > mandatory-to-implement in TLS 1.3, but not mandatory to use. Google > Chrome tried enabling KeyUpdate and promptly

H2 Server Connection Resets (1.9.2)

2019-01-21 Thread Luke Seelenbinder
Hi all, One more bug (or configuration hole) from our transition to 1.9.x using end-to-end h2 connections. After enabling h2 backends (technically `server … alpn h2,http/1.1`), we began seeing a high number of backend /server/ connection resets. A reasonable number of client-side connection