Re: How to allow Client Requests at a given rate

2019-02-23 Thread Igor Cicimov
On Sat, 23 Feb 2019 3:09 pm Santos Das wrote: > Hi, > > I have a requirement where I need to allow only certain request rate for a > given URL. > > Say /login can be accessed at the rate of 10 RPS. If I get 100 RPS, then > 10 should be allowed and 90 should be denied. > > Any help on how this

Re: Tune HAProxy in front of a large k8s cluster

2019-02-19 Thread Igor Cicimov
On Wed, 20 Feb 2019 3:39 am Joao Morais Hi Willy, > > > On 19 Feb 2019, at 01:55, Willy Tarreau wrote: > > > > use_backend foo if { var(req.host) ssl:www.example.com } > > > This is a nice trick that I’m planning to use with dynamic use_backend. I > need to concat host (sometimes

Re: Anyone heard about DPDK?

2019-02-10 Thread Igor Cicimov
On Mon, 11 Feb 2019 1:49 am Bruno Henc Hi, > > > Another good explanation on what DPDK does is available here: > > > https://learning.oreilly.com/videos/oscon-2017/9781491976227/9781491976227-video306685 > > https://wiki.fd.io/images/1/1d/40_Gbps_IPsec_on_commodity_hardware.pdf > > > > On 2/10/19

Re: Using server-template for DNS resolution

2019-02-08 Thread Igor Cicimov
Hi Baptiste, On Fri, Feb 8, 2019 at 6:10 PM Baptiste wrote: > > > On Fri, Feb 8, 2019 at 6:09 AM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> On Fri, Feb 8, 2019 at 2:29 PM Igor Cicimov < >> ig...@encompasscorporation.com> wrote: >> &g

Re: Using server-template for DNS resolution

2019-02-07 Thread Igor Cicimov
On Fri, Feb 8, 2019 at 2:29 PM Igor Cicimov wrote: > Hi, > > I have a Jetty frontend exposed for couple of ActiveMQ servers behind SSL > terminating Haproxy-1.8.18. They share same storage and state via lock file > and there is only one active AMQ at any given time. I'm t

Using server-template for DNS resolution

2019-02-07 Thread Igor Cicimov
Hi, I have a Jetty frontend exposed for couple of ActiveMQ servers behind SSL terminating Haproxy-1.8.18. They share same storage and state via lock file and there is only one active AMQ at any given time. I'm testing this now with dynamic backend using Consul DNS resolution: # dig +short

Re: redirect question

2018-12-13 Thread Igor Cicimov
On Thu, Dec 13, 2018 at 10:18 PM Sevan Gelici wrote: > Hello, > > Could someone help me with a problem? I want to use haproxy but cannot get > one part working. All traffic need to pass proxy but one folder needs to be > mask ip only. > > I try to explain by examples > > So lets say > proxy

Re: OCSP stapling with multiple domains

2018-11-26 Thread Igor Cicimov
Hi Moemen, On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI wrote: > > > On 11/14/18 1:34 AM, Igor Cicimov wrote: > > On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov > wrote: >> >> Hi, >> >> # haproxy -v >> HA-Proxy version 1.8.14-1ppa1~xenial

Re: Generic backend in HAProxy config with server options as placeholders

2018-11-14 Thread Igor Cicimov
On Thu, Nov 15, 2018 at 1:36 AM Aleksandar Lazic wrote: > Hi Vijay. > > On 14.11.2018 at 10:14, Vijay Bais wrote: > > Hello Aleksandar, > > > > We already considered using haproxy maps but we still have to define N > backends > > for corresponding N keys in the map file. > > I'm looking more at

Re: OCSP stapling with multiple domains

2018-11-13 Thread Igor Cicimov
On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote: > Hi, > > # haproxy -v > HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 > Copyright 2000-2018 Willy Tarreau > > I noticed that in case of multiple domains and OCSP setup: > > # ls -1 /etc/haproxy/ssl.d/

Re: h2 & server PUSH

2018-11-11 Thread Igor Cicimov
On Mon, 12 Nov 2018 4:23 am Louis Chanouha Hello, > > If I'm right (I may have missed some exchanges in mailing), h2 main > improvement in 1.9 will be end2end working. So to have an h2 with Server > Push, we will need to have h2 enabled backends. > > Is a server push initiated by HAProxy based

OCSP stapling with multiple domains

2018-11-10 Thread Igor Cicimov
Hi, # haproxy -v HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 Copyright 2000-2018 Willy Tarreau I noticed that in case of multiple domains and OCSP setup: # ls -1 /etc/haproxy/ssl.d/*.ocsp /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp /etc/haproxy/ssl.d/star_domain_com.crt.ocsp

Re: haproxy used to redirect sql server with ssl

2018-10-30 Thread Igor Cicimov
On Tue, Oct 30, 2018 at 2:45 AM Marcos Gonzalez wrote: > > Hi list > > I'm using haproxy to redirect traffic directly to backend server. We are > looking how to load balance sql servers directly, and this works, but I don't > know how to add ssl support. > > I'm using this config setup and

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

2018-10-29 Thread Igor Cicimov
On Tue, Oct 30, 2018 at 10:15 AM Lukas Tribus wrote: > On Mon, 29 Oct 2018 at 23:55, Igor Cicimov > wrote: > > > > However when enabling H2 on the frontend the connection to the > webserver > > > > (which itself is also made with SSL encryption) is made for

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

2018-10-29 Thread Igor Cicimov
Hi Lukas, On Tue, Oct 30, 2018 at 2:42 AM Lukas Tribus wrote: > > Hi, > > > On Sun, 28 Oct 2018 at 23:47, PiBa-NL wrote: > > > > Hi List, > > > > When i enable H2 'alpn h2,http/1.1' on haproxy bind line with offloading > > 'mode http'. The overall loading of a web-application i use takes longer

Re: apache proxy pass rules in HAproxy

2018-10-28 Thread Igor Cicimov
g something? " > > Well, I am not sure what you meant by that comment above. > > On Sun, Oct 28, 2018 at 8:07 PM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Well you need to point crsplabweb2.example.com to the haproxy IP that's >> the whole

Re: apache proxy pass rules in HAproxy

2018-10-28 Thread Igor Cicimov
boleth will > be able to communicate with the HAP for its SSO calls. > > --imam > > > > On Sun, Oct 28, 2018 at 5:21 PM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Hi Imam, >> >> On Sat, Oct 27, 2018 at 4:42 PM Imam Toufique >> wr

Re: apache proxy pass rules in HAproxy

2018-10-28 Thread Igor Cicimov
3_cluster server shibboleth1 10.1.100.160:80 check inter 2000 On the apache side remove the ssl settings (since now HAP will be terminating SSL) and set a SSL redirect, something like this: ServerName crsplabweb1.domain.com ServerAlias www.crsplabweb1.domain.com SetEnvIfNoCase

Re: apache proxy pass rules in HAproxy

2018-10-26 Thread Igor Cicimov
see what is going on (please obfuscate any sensitive data). Also the use of the "cookie w1" is not clear since you are not setting it in HAP and is kinda redundant for single backend setup. > > On Thu, Oct 25, 2018 at 1:21 AM Igor Cicimov < > ig...@encompasscorporation

Re: apache proxy pass rules in HAproxy

2018-10-25 Thread Igor Cicimov
On Thu, Oct 25, 2018 at 6:31 PM Igor Cicimov wrote: > > > On Thu, 25 Oct 2018 6:13 pm Imam Toufique wrote: > >> so I almost got this to work, based on the situation I am in. To >> elaborate just a bit, my setup involves a shibboleth SP that I need to >> authent

Re: apache proxy pass rules in HAproxy

2018-10-25 Thread Igor Cicimov
On Thu, 25 Oct 2018 6:13 pm Imam Toufique wrote: > so I almost got this to work, based on the situation I am in. To > elaborate just a bit, my setup involves a shibboleth SP that I need to > authenticate my application. Since I can't set up the HA proxy node with > shibboleth SP - I had to

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-24 Thread Igor Cicimov
On Wed, 24 Oct 2018 5:06 pm Aleksandar Lazic wrote: > Hi. > > On 24.10.2018 at 03:02, Igor Cicimov wrote: > > On Wed, Oct 24, 2018 at 9:16 AM James Brown wrote: > >> > >> I tested enabling HTTP/2 on the frontend for some of our sites today > and immediately

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-23 Thread Igor Cicimov
On Wed, Oct 24, 2018 at 9:16 AM James Brown wrote: > > I tested enabling HTTP/2 on the frontend for some of our sites today and > immediately started getting a flurry of failures. Browsers (at least Chrome) > showed a lot of SPDY protocol errors and the HAProxy logs had a lot of lines > ending

Re: apache proxy pass rules in HAproxy

2018-10-23 Thread Igor Cicimov
On Wed, Oct 24, 2018 at 11:35 AM Imam Toufique wrote: > Not completely there yet, but I at least got the backend server login > screen to come up with the following: > > frontend > acl host_web3 path_beg /jhub > use_backend web3_cluster if host_web3 > > backend > backend web3_cluster >mode

Re: confused by HAProxy log line

2018-10-11 Thread Igor Cicimov
The NOSRV can simply mean you have received a request that does not match your backend selection acls, common to bots probing for wordpress login page etc. On Fri, 12 Oct 2018 12:23 am Michał Pasierb wrote: > Hello, > > I did not mention it but all servers in c_backend have a httpchk >

Re: HAProxy listed as Ingress controllers

2018-09-25 Thread Igor Cicimov
On Wed, 26 Sep 2018 4:34 am Aleksandar Lazic wrote: > Hi Daniel. > > Thank you also to clarify this topic. > > I strongly suggest to develop a operator and not only a controller, as > this is a more future oriented pattern, imho. > > https://www.startpage.com/do/search?query=kubernetes+operator

Re: HAProxy keeps using outdated IPs when backend (ELB) address changes

2018-08-27 Thread Igor Cicimov
-- > > > -- > Daniel Schneller > Principal Cloud Engineer > > CenterDevice GmbH > Rheinwerkallee 3 > 53227 Bonn > www.centerdevice.com > > __ > Management: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael > Rosbach, Commercial register no.: HRB 18655, Register court: Bonn, > VAT ID: DE-815299431 > > This e-mail, including any attached files, contains confidential > and/or legally protected information. If you are not the intended > recipient or have received this e-mail in error, please inform > the sender immediately and delete this e-mail and any > attached files without delay. Unauthorized copying, use or > opening of any attached files, as well as unauthorized forwarding > of this e-mail, is not permitted. > > > -- Igor Cicimov | DevOps p. +61 (0) 433 078 728 e. ig...@encompasscorporation.com <http://encompasscorporation.com/> w*.* www.encompasscorporation.com a. Level 4, 65 York Street, Sydney 2000

Re: Clarification re Timeouts and Session State in the Logs

2018-08-23 Thread Igor Cicimov
Hi Daniel, We had similar issue in 2015, and the answer was: server timeout was too short. Simple. On Thu, 23 Aug 2018 9:56 pm Daniel Schneller < daniel.schnel...@centerdevice.com> wrote: > Friendly bump. > I'd volunteer to do some documentation amendments once I understand the > issue better

Re: HaProxy question

2018-08-12 Thread Igor Cicimov
t port? What will the rest > of the bind look like on the front-end config in haproxy? > > Cheers > Jonathan > > On Tue, Aug 7, 2018 at 1:16 PM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> >> >> On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov &l

Re: HaProxy question

2018-08-06 Thread Igor Cicimov
On Tue, Aug 7, 2018 at 10:53 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Jonathan, > > On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman > wrote: > >> Hi All, >> >> I am hoping someone can give me some tips and pointers on getting >&g

Re: HaProxy question

2018-08-06 Thread Igor Cicimov
Hi Jonathan, On Tue, Aug 7, 2018 at 9:43 AM, Jonathan Opperman wrote: > Hi All, > > I am hoping someone can give me some tips and pointers on getting > something working > in haproxy that could do the following: > > I have installed haproxy and put a web server behind it, the proxy has 2 >

Re: haproxy and changing ELB IPs

2018-08-06 Thread Igor Cicimov
Hi Lukas, On Sat, Aug 4, 2018 at 11:19 PM, Lukas Tribus wrote: > On Sat, 4 Aug 2018 at 14:21, Igor Cicimov > wrote: > > > > Hi, > > > > On Sat, Aug 4, 2018 at 1:50 AM, K3 wrote: > >> > >> Hi, > >> We are running into a problem and wo

Re: haproxy and changing ELB IPs

2018-08-04 Thread Igor Cicimov
Hi, On Sat, Aug 4, 2018 at 1:50 AM, K3 wrote: > Hi, > We are running into a problem and would like to hear any advice. > > Our Setup: > We use haproxy 1.7.7 with two backends. > One of the backends is AWS ELB > The haproxy is running on a linux machine in our data center (on premises) > >

Re: Help with environment variables in config

2018-07-21 Thread Igor Cicimov
On Sat, Jul 21, 2018 at 7:12 PM, Jonathan Matthews wrote: > On Sat, 21 Jul 2018 at 09:12, jdtommy wrote: > >> I am setting them before I start haproxy in the terminal. I tried both >> starting it as a service and starting directly, but neither worked. It >> still would not forward it along. >>

Re: Help with environment variables in config

2018-07-21 Thread Igor Cicimov
On Sat, Jul 21, 2018 at 4:49 PM, jdtommy wrote: > here is my simple `listen` section of the haproxy config file: > > listen graph_front >bind *:8182 >mode tcp >server graph_server graph.server.com:8182 > > this works just fine, but I need the address and port to be a

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-12 Thread Igor Cicimov
On Fri, Jul 13, 2018 at 11:26 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > On Fri, Jul 13, 2018 at 11:08 AM, Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Hi Martin, >> >> On Thu, Jul 12, 2018 at 6:55 PM, Martin RADEL <

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-12 Thread Igor Cicimov
On Fri, Jul 13, 2018 at 11:08 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Martin, > > On Thu, Jul 12, 2018 at 6:55 PM, Martin RADEL < > martin.ra...@rbinternational.com> wrote: > >> Hi all, >> >> >> >> we have a str

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-12 Thread Igor Cicimov
Hi Martin, On Thu, Jul 12, 2018 at 6:55 PM, Martin RADEL < martin.ra...@rbinternational.com> wrote: > Hi all, > > > > we have a strange situation with our HAProxy, running on Version 1.8.8 > with OpenSSL. > > (See the details in the setup listed below - some lines are missing by > intention.

Re: cookie insert method secure

2018-06-24 Thread Igor Cicimov
On Sun, Jun 24, 2018 at 11:28 PM, mlist wrote: > Hi Igor, > > as I see, this is not true. > > > > I think ssl_fs is just persisted between request and response as this work > fine without setting vars (as for below example), *but never works for > cookie header inserted by “cookie insert* …”.

Re: cookie insert method secure

2018-06-24 Thread Igor Cicimov
erarsi strettamente riservate. > > This email is confidential, do not use the contents for any purpose > whatsoever nor disclose them to anyone else. If you are not the intended > recipient, you should not copy, modify, distribute or take any action in > reliance on it.

Re: tcp-check expect with exclamation mark

2018-06-21 Thread Igor Cicimov
Hi Dmitriy, On Thu, Jun 21, 2018 at 12:45 PM, Dmitriy Kuzmin wrote: > Greetings > > I’m using haproxy to load balance readonly queries between redis slaves. > I want to use health check system to exclude slaves from load balancing, > that are in a process of sync with master. > The idea is to

Re: Haproxy support for handling concurrent requests from different clients

2018-05-12 Thread Igor Cicimov
On Fri, 11 May 2018 8:01 pm Mihir Shirali wrote: > Thanks Aleksandar for the help! > I did look up some examples for setting 503 - but all of them (as you've > indicated) seem based on src ip or src header. I'm guessing this is more > suitable for a DOS/DDOS attack? In

Re: HAProxy Healthcheck issue using Virtual hostname

2018-05-04 Thread Igor Cicimov
On Fri, May 4, 2018 at 5:01 PM, Lukas Tribus <lu...@ltri.eu> wrote: > Hello Igor, Sen, > > > On 4 May 2018 at 08:46, Igor Cicimov <ig...@encompasscorporation.com> > wrote: > > Have you tried: > > > > option httpchk GET /env HTTP/1.1\r\nHost:\ %[req.hdr

Re: HAProxy Healthcheck issue using Virtual hostname

2018-05-04 Thread Igor Cicimov
Hi, On Fri, Apr 27, 2018 at 3:03 PM, Sen wrote: > Hi > > I have an app deployed in Pivotal Cloudfoundry (PCF) and to route traffic > to an app in PCF, we have to use application route name (virtual hostname). > > We have PCF in two different datacenters and I need to load

Re: Question regarding haproxy backend behaviour

2018-04-16 Thread Igor Cicimov
On Mon, 16 Apr 2018 6:09 pm Ayush Goyal wrote: > Hi Moemen, > > Thanks for your response. But I think I need to clarify a few things here. > > On Mon, Apr 16, 2018 at 4:33 AM Moemen MHEDHBI > wrote: > >> Hi >> >> On 12/04/2018 19:16, Ayush Goyal wrote:

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
On Thu, Mar 22, 2018 at 10:42 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi, > > On Thu, Mar 22, 2018 at 6:24 PM, Gisle Grimen <gisle.gri...@evry.com> > wrote: > >> Hi, >> >> >> >> Thank you for your response. >> &

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
RID with the value of the server name can help. It will have value of Server1 for the first requests that have fell over to Server2 so checking the value will tell you it came from different server. > > Best regards, > > > > Gisle > > > > > > *From: *Igor Ci

Re: Can HA-Proxy set an header when he "breaks" stick routing

2018-03-22 Thread Igor Cicimov
l caches. > > The problem I'm having is that you don't describe exactly what you're > trying to achieve nor how you want to use that information about the > broken stickiness, so it's very hard for me to try to figure a working > solution. I proposed one involving sending

Re: Syslog with systemd

2018-03-02 Thread Igor Cicimov
On Fri, Mar 2, 2018 at 5:49 PM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 2 March 2018 09:49 +1100, Igor Cicimov <ig...@encompasscorporation.com > > : > > > $ ls -l /var/log/haproxy.log > > -rw-r- 1 syslog adm 48939 Mar 1 20:17 /var/log/haproxy.lo

Re: Syslog with systemd

2018-03-01 Thread Igor Cicimov
On Thu, Mar 1, 2018 at 5:08 PM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 1 March 2018 09:53 +1100, Igor Cicimov <ig...@encompasscorporation.com > > : > > >> > Same, no logging: > >> [...] > >> > >> Could you strace rsyslogd

Re: Syslog with systemd

2018-02-28 Thread Igor Cicimov
On Thu, Mar 1, 2018 at 2:08 AM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 28 February 2018 22:14 +1100, Igor Cicimov <igorc@encompasscorporation. > com> : > > > Same, no logging: > [...] > > Could you strace rsyslogd and check if it is receiving the messa

Re: Syslog with systemd

2018-02-28 Thread Igor Cicimov
On Wed, Feb 28, 2018 at 9:28 PM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 28 February 2018 21:00 +1100, Igor Cicimov <igorc@encompasscorporation. > com> : > > > # ls -l /var/lib/haproxy/dev/log > > srw-rw-rw- 1 root root 0 Feb 28 16:06 /var/lib/haproxy/dev

Re: Syslog with systemd

2018-02-28 Thread Igor Cicimov
Hi Vincent, On Wed, Feb 28, 2018 at 6:18 PM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 28 February 2018 17:51 +1100, Igor Cicimov <igorc@encompasscorporation. > com> : > > >> > Actually spoke too soon, still have an issue. One of the servers > started &

Re: Syslog with systemd

2018-02-27 Thread Igor Cicimov
On Wed, Feb 28, 2018 at 5:51 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Vincent, > > On Wed, Feb 28, 2018 at 5:14 PM, Vincent Bernat <ber...@luffy.cx> wrote: > >> ❦ 28 February 2018 15:50 +1100, Igor Cicimov < >> ig...@encompasscorpora

Re: Syslog with systemd

2018-02-27 Thread Igor Cicimov
Hi Vincent, On Wed, Feb 28, 2018 at 5:14 PM, Vincent Bernat <ber...@luffy.cx> wrote: > ❦ 28 February 2018 15:50 +1100, Igor Cicimov <igorc@encompasscorporation. > com> : > > > Actually spoke too soon, still have an issue. One of the servers started > &g

Re: Syslog with systemd

2018-02-27 Thread Igor Cicimov
On Wed, Feb 28, 2018 at 3:33 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > > > On Wed, Feb 28, 2018 at 3:28 PM, Igor Cicimov <igorc@encompasscorporation. > com> wrote: > >> Hi all, >> >> I have haproxy 1.7.10-1ppa1~xenial installed on Ubu

Re: Syslog with systemd

2018-02-27 Thread Igor Cicimov
On Wed, Feb 28, 2018 at 3:28 PM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi all, > > I have haproxy 1.7.10-1ppa1~xenial installed on Ubuntu-16.04 and > struggling to enable rsyslog-ing for the service. > > I have rsyslog running and the following haproxy r

Syslog with systemd

2018-02-27 Thread Igor Cicimov
Hi all, I have haproxy 1.7.10-1ppa1~xenial installed on Ubuntu-16.04 and struggling to enable rsyslog-ing for the service. I have rsyslog running and the following haproxy related config: # cat /etc/rsyslog.d/49-haproxy.conf # Create an additional socket in haproxy's chroot in order to allow

Re: Plans for 1.9

2018-02-08 Thread Igor Cicimov
Hi Willy, On Fri, Feb 9, 2018 at 1:16 AM, Willy Tarreau wrote: Fred plans to bring SSL support to the peers among > other things, and is working on a regression testing suite (yeah!). Does this mean it will be possible to share the sessions tickets between the peers?

Re: haproxy 1.8.3 has a very slow tc time after some time of running

2018-02-06 Thread Igor Cicimov
665536bytes > Max address space unlimited unlimited bytes > Max file locksunlimitedunlimitedlocks > Max pending signals 3140131401signals > Max msgqueue si

Re: haproxy 1.8.3 has a very slow tc time after some time of running

2018-02-05 Thread Igor Cicimov
On 6 Feb 2018 4:38 am, "Kai Timmer" wrote: Hello, I recently tried to update from v1.6.14 to v1.8.3 but experienced a lot of problems with it. I do hope that I made mistake in my configuration that works in 1.6 but blows up my system up in 1.8. So I'm going to describe my

Re: Is it good practice to set up a nginx behind haproxy with h2 or not ?

2018-02-04 Thread Igor Cicimov
On Mon, Feb 5, 2018 at 12:12 AM, Aleksandar Lazic <al-hapr...@none.at> wrote: > Hi. > > > On 03-02-2018 10:25, Igor Cicimov wrote: > > On Sat, Feb 3, 2018 at 6:02 PM, <garb...@gmx.de> wrote: >> >> I need to set up haproxy 1.8.3 as a loadbalance

Re: Is it good practice to set up a nginx behind haproxy with h2 or not ?

2018-02-03 Thread Igor Cicimov
On Sat, Feb 3, 2018 at 6:02 PM, wrote: > I need to set up haproxy 1.8.3 as a loadbalancer for several nginx > webservers (1.13.x). The haproxy will be set up to support h2 connections. > I am undecided if it is a good idea to setup nginx for h2 also. I > understand that haproxy

Re: haproxy http2 benchmark

2018-01-30 Thread Igor Cicimov
On Wed, Jan 31, 2018 at 1:41 PM, 龙红波 wrote: > *hi all,* > *recently we are ready to upgrade to haproxy 1.8,however, when testing > HTTP2, we found a drop in performance,below is the test scenario:* > * haproxy version:* > > HA-Proxy version 1.8.3-205f675

Re: HAproxy ( + UCARP ) in an Active / Passive setup

2018-01-26 Thread Igor Cicimov
On 27 Jan 2018 4:44 pm, "TomK" <tomk...@mdevsys.com> wrote: On 1/26/2018 7:49 PM, Igor Cicimov wrote: > > On Fri, Jan 26, 2018 at 2:28 PM, TomK <tomk...@mdevsys.com tomk...@mdevsys.com>> wrote: > > Hey All, > > We have UCARP and HApro

Re: HAproxy ( + UCARP ) in an Active / Passive setup

2018-01-26 Thread Igor Cicimov
On Fri, Jan 26, 2018 at 2:28 PM, TomK wrote: > Hey All, > > We have UCARP and HAproxy configured and setup between two servers. > HAproxy is bound to the UCARP VIP between the nodes. There are four > services per hoer: four on SRV1 (primary) and same four apps on SRV2 >

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Willy, On Fri, Jan 26, 2018 at 6:21 PM, Willy Tarreau <w...@1wt.eu> wrote: > Hi Igor, > > On Fri, Jan 26, 2018 at 05:07:10PM +1100, Igor Cicimov wrote: > > Hi Willy, > > > > On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau <w...@1wt.eu> wrote: > > &

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Willy, On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau <w...@1wt.eu> wrote: > On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote: > > Or you meant using the haproxy 16.04 image actually. Ok, another option > is > > to compile it myself with the openssl vers

Re: How can I map bindings to the correct backend?

2018-01-25 Thread Igor Cicimov
On Fri, Jan 26, 2018 at 2:36 AM, Pieter Vogelaar <pie...@pietervogelaar.nl> wrote: > It’s TCP layer 4 load balancing, so the HTTP hdr(host) won’t work. > > > > > > Best regards, > > Pieter Vogelaar > > > > *From: *Igor Cicimov <ig...@encompasscorpo

Re: How can I map bindings to the correct backend?

2018-01-25 Thread Igor Cicimov
Hi Pieter, On Thu, Jan 25, 2018 at 3:15 AM, Pieter Vogelaar wrote: > I have the following configuration: > > > > > > frontend default-tcp > > bind 192.168.52.12:5044 > > bind 192.168.52.12: > > bind 192.168.52.12:5556 > > bind 192.168.52.12:5672 > > bind

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
On Fri, Jan 26, 2018 at 1:22 AM, Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi Lukas, > > On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus <lu...@ltri.eu> wrote: > >> Hello, >> >> >> On 25 January 2018 at 14:53, Igor Cicimov >>

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi Lukas, On Fri, Jan 26, 2018 at 1:04 AM, Lukas Tribus <lu...@ltri.eu> wrote: > Hello, > > > On 25 January 2018 at 14:53, Igor Cicimov > <ig...@encompasscorporation.com> wrote: > > > > Hi, > > > > The info below, that openssl

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
a No LSB modules are available. Distributor ID:Ubuntu Description:Ubuntu 14.04.5 LTS Release:14.04 Codename:trusty On Fri, Jan 26, 2018 at 12:39 AM, Lukas Tribus <lu...@ltri.eu> wrote: > Hello, > > On 25 January 2018 at 13:26, Igor Cicimov > <ig...@encompasscor

Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Igor Cicimov
Hi, I was testing haproxy 1.8 from the ppa repository and noticed it is not built with alpn support so just wonder why? Thanks, Igor

Re: [ANNOUNCE] haproxy-1.8.0

2017-11-26 Thread Igor Cicimov
asks. And for this reason, among the 466 persons who participated to discussions over the last year and those animating the Discourse forums, I'd like to address special thanks to the following ones who together responded to the vast majority of the threads on the list, saving many of us from hav

Re: Change backend between a time frame

2017-11-17 Thread Igor Cicimov
On Sat, Nov 18, 2017 at 2:35 AM, GARET Julien wrote: > Hello, > > > > I have a use case here where we want to be able to modify the backend > between 8 pm et and 8 am, everyday. I was guessing that it would have > something to do with an acl and the Date header. Do you

Re: backend has no server available!

2017-11-15 Thread Igor Cicimov
B is overall >> performance of site is slightly reduced. The response which I used to get >> in less than 100 ms now some time is going beyond 100 ms. >> >> Any clue how can I improve it. >> >> On Wed, Nov 15, 2017 at 4:21 AM, Igor Cicimov < >> ig...@enc

Re: backend has no server available!

2017-11-14 Thread Igor Cicimov
Provided link is helpful, however if any one face same issue or can share > experience to solve it will be really helpful. > > On Tue, Nov 14, 2017 at 5:00 AM, Igor Cicimov <igorc@encompasscorporation. > com> wrote: > >> >> >> On Mon, Nov 13, 2017 at 11:28 PM,

Re: backend has no server available!

2017-11-13 Thread Igor Cicimov
gt; > balance roundrobin > > server server1 internal-testtomcatautoscale-1314784611.ap-southeast-1.elb. > amazonaws.com:8080 check resolvers testresolver > > > > > > What could be the cause of this issue. How can i fix it. > > > -- Igor Cicimov | DevOps p. +61 (0) 433 078 728 e. ig...@encompasscorporation.com <http://encompasscorporation.com/> w*.* www.encompasscorporation.com a. Level 4, 65 York Street, Sydney 2000

Re: HTTP DELETE command failing

2017-11-02 Thread Igor Cicimov
On Fri, Nov 3, 2017 at 11:29 AM, Norman Branitsky < norman.branit...@micropact.com> wrote: > I have this included in the configuration: > > # Filter nasty input > > acl missing_cl hdr_cnt(Content-length) eq 0 > > acl METH_PUT method PUT > > acl METH_GET method GET HEAD > > acl

Re: [PATCH] LDAP authentication

2017-11-02 Thread Igor Cicimov
Hi Thierry, On Fri, Nov 3, 2017 at 8:16 AM, Thierry Fournier wrote: > > > On 2 Nov 2017, at 21:56, my.card@web.de wrote: > > > > Hi all, > > > > the attached patch implements authentication against an LDAP Directory > Server. It has been tested on Ubuntu 16.04

Re: Force Sticky session on HaProxy

2017-10-18 Thread Igor Cicimov
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#option redispatch On 18 Oct 2017 11:28 pm, "Devendra Joshi" wrote: Hi Daniel , Following is the case. [image: Inline images 1] My Query is : 1: When users are serving the webpages,and my *Apache1

Re: Haproxy config for sticky route

2017-10-10 Thread Igor Cicimov
On Tue, Oct 10, 2017 at 11:25 PM, Ruben wrote: > I have some stateful chat servers (SockJS) running in docker swarm mode. > When doing dig chat I get an unordered randomized list of servers for > example: > > (every time the order is different) > 10.0.0.12 > 10.0.0.10 >

Re: Set-Cookie Secure

2017-10-08 Thread Igor Cicimov
ck table as base for ddos control, ect, as now only basic > rules and > > use cookies mechanism for normal persistence and for special client side > app persistence > > needed to identify backend server in special situations. > > > > In attach config file > > > &g

Re: Set-Cookie Secure

2017-10-05 Thread Igor Cicimov
Hi, On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote: > Hi Igor, some news about this ? > > > > *From:* mlist > *Sent:* Friday 22 September 2017 08:58 > *To:* 'Igor Cicimov' <ig...@encompasscorporation.com> > *Cc:* 'HAProxy' <haproxy@fo

Re: TCP ACL rules based on host name

2017-10-04 Thread Igor Cicimov
On 22 Sep 2017 11:15 am, "rt3p95qs" wrote: Is it possible to assign TCP (no HTTP) connections to a backend based on an alias haproxy has? For example: HAProxy has 3 alias names, server01.example.com, server02.example.com and server03.example.com. The haproxy.conf file

Re: Set-Cookie Secure

2017-09-21 Thread Igor Cicimov
be_http > > > > *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com] > *Sent:* Friday 22 September 2017 00:44 > *To:* rob.mlist <rob.ml...@apsystems.it> > *Cc:* HAProxy <haproxy@formilux.org> > *Subject:* Re: Set-Cookie Secure > > > > >

Re: Set-Cookie Secure

2017-09-21 Thread Igor Cicimov
On 18 Sep 2017 10:37 pm, "rob.mlist" wrote: I set 2 cookies on behalf of Backend Servers: one with these configuration lines at Frontend: rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present rspadd Set-Cookie:\

Re: OCSP stapling with multiple certificates

2017-09-20 Thread Igor Cicimov
On Wed, Sep 20, 2017 at 4:00 PM, Jarno Huuskonen <jarno.huusko...@uef.fi> wrote: > Hi, > > On Wed, Sep 20, Igor Cicimov wrote: > > I've been running haproxy with OCSP stapling for some time with a single > > ssl certificate. Now I'm trying to enable the same for multi

OCSP stapling with multiple certificates

2017-09-19 Thread Igor Cicimov
Hi, I've been running haproxy with OCSP stapling for some time with a single ssl certificate. Now I'm trying to enable the same for multiple certificates but am getting an error: OCSP single response: Certificate ID does not match any certificate or issuer. The OCSP response itself from the

Re: Dynamic server name with HAProxy, based on original hostname

2017-09-17 Thread Igor Cicimov
On Mon, Sep 18, 2017 at 7:11 AM, Ludovic Gasc <gml...@gmail.com> wrote: > 2017-09-17 11:16 GMT+02:00 Igor Cicimov <ig...@encompasscorporation.com>: > >> In 1.8 haproxy takes all records returned by the dns resolver into >> account whereas in 1.7 only the

Re: Dynamic server name with HAProxy, based on original hostname

2017-09-17 Thread Igor Cicimov
h HAProxy 1.7. > > Where you see that it's a feature of 1.8 ? > You mean I could try my piece of configuration on HAProxy 1.8, it should > work ? > > Regards. > > > 2017-09-15 14:47 GMT+02:00 Igor Cicimov <ig...@encompasscorporation.com>: > >> >&

Re: Dynamic server name with HAProxy, based on original hostname

2017-09-15 Thread Igor Cicimov
On Fri, Sep 15, 2017 at 9:25 PM, Ludovic Gasc wrote: > Hi, > > I imagine that if I have no answer, it's because it isn't possible with > HAProxy ? > > Thanks for your return. > > > 2017-09-10 22:27 GMT+02:00 Ludovic Gasc : > >> Hi, >> >> I'm trying to

Re: redirect scheme except some urls/params

2017-09-09 Thread Igor Cicimov
On 10 Sep 2017 12:05 am, "Markus Rietzler" wrote: hi, i want activate redirection from http to https for my sites. but my problem is, that there are certain requests, which can't be redirected to https. so i have to write some acls to check this. the urls which can't be

Re: tcp-response content tarpit if hdr(X-Tarpit-This)

2017-07-29 Thread Igor Cicimov
another > backend (or drop it) in haproxy based on something I received from one > backend?? > > On 28 July 2017 1:40 pm, "Igor Cicimov" <igorc@encompasscorporation. > com> wrote: > > > > On Fri, Jul 28, 2017 at 6:03 PM, Charlie Elgholm <char...@brig

Re: tcp-response content tarpit if hdr(X-Tarpit-This)

2017-07-28 Thread Igor Cicimov
gt; A: stream backend response to client > B: tarpit / reject > > > 2017-07-28 9:52 GMT+02:00 Igor Cicimov <ig...@encompasscorporation.com>: > >> >> >> On 28 Jul 2017 5:41 pm, "Charlie Elgholm" <char...@brightly.se> wrote: >> >> Hi F

Re: tcp-response content tarpit if hdr(X-Tarpit-This)

2017-07-28 Thread Igor Cicimov
On 28 Jul 2017 5:41 pm, "Charlie Elgholm" wrote: Hi Folks, Either I'm too stupid, or it's because it's Friday Can you tarpit/reject (or other action) based on a response from the backend? You should be able to, right? Like this: tcp-response content tarpit/reject if

Re: Seeking Assistance: HTTP Headers Conf. to Access Web Product

2017-07-19 Thread Igor Cicimov
On Wed, Jul 19, 2017 at 5:29 PM, Coscend@HAProxy < haproxy.insig...@coscend.com> wrote: > Attached is the correct HAProxy log output. > > > > The attachment in the previous post was from an unrelated context. > Apologies. Thank you for your assistance. > > > > *From:* Coscend@HAProxy

RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Igor Cicimov
to do. *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com] *Sent:* July-08-17 9:14 AM *To:* Norman Branitsky <norman.branit...@micropact.com> *Cc:* HAProxy <haproxy@formilux.org> *Subject:* RE: HAProxy failover - DNS change cached by IE for a long time On 8 Jul 201

RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Igor Cicimov
On 8 Jul 2017 2:58 am, "Norman Branitsky" wrote: I changed the TTL on my application’s DNS entry, to no avail. Try tuning these parameters in jvm, assuming Sun oracle jdk here: -Dsun.net.inetaddr.ttl=value -Dsun.net.inetaddr.negative.ttl=value If security
