Re: one health check instead of multi check when using master-worker model

2019-04-22 Thread Lukas Tribus
Hello, On Mon, 22 Apr 2019 at 10:53, Marco Corte wrote: > > Hi! > > But may I use only one health check process, and all the process share > > the result > > of the health check, then there are only one check every 3 sec, how to > > achieve this? > > I would try the "track" option: Track

Re: [PR] IPv6: properly format an address coming from IPv6 socket as hex in lf_ip

2019-04-18 Thread Lukas Tribus
Hi Willy, On Fri, 8 Mar 2019 at 14:23, PR Bot wrote: > > Dear list! > > Author: Radek Zajic > Number of patches: 1 > > This is an automated relay of the Github pull request: > IPv6: properly format an address coming from IPv6 socket as hex in > lf_ip > > Patch title(s): > IPv6:

Re: [PATCH] FEATURE/MEDIUM: enable travis-ci builds

2019-04-16 Thread Lukas Tribus
Hello Ilya, On Tue, 16 Apr 2019 at 20:18, Илья Шипицин wrote: > > Hello, > > let us enable travis-ci on https://github.com/haproxy/haproxy > (more builds will be added later) Who is going to maintain this - now and once the dust settles? I agree this would be a very useful addition, *if

Re: segfault using cache with 1.9.4

2019-04-10 Thread Lukas Tribus
On Wed, 10 Apr 2019 at 17:07, Juan Pablo Mora wrote: > acl is_static url_beg /lgt/lgtfrontend/library/ or > /lgt/lgtfrontend/pdfjs/ or /lgt/lgtfrontend/img/ That's not the correct syntax. That would be: acl is_static url_beg /lgt/lgtfrontend/library/ acl is_static url_beg

Re: The headers added by haproxy are randomly overwritten by incoming client data when http-use-htx

2019-04-09 Thread Lukas Tribus
Hello, On Tue, 9 Apr 2019 at 16:21, Radu Carpa wrote: > > Hello, > > We encounter a nasty bug when htx is enabled. > Under certain conditions, the incoming client data can overwrite part of > the buffer with data prepared for backend servers. This is most likely:

[PATCH] BUG/MINOR: ssl: fix warning about ssl-min/max-ver support

2019-03-05 Thread Lukas Tribus
In 84e417d8 ("MINOR: ssl: support Openssl 1.1.1 early callback for switchctx") the code was extended to also support OpenSSL 1.1.1 (code already supported BoringSSL). A configuration check warning was updated but with the wrong logic, the #ifdef needs a && instead of an ||. Reported in #54.

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-02-14 Thread Lukas Tribus
Hello, FYI the behavior was also changed on the openssl side (and will be in 1.1.1b): https://github.com/openssl/openssl/commit/4af5836b55442f31795eff6c8c81ea7a1b8cf94b So applications fixes are only necessary for 1.1.1a. Lukas

Re: haproxy segfault

2019-02-13 Thread Lukas Tribus
Hi Hugues, On Thursday, 14 February 2019, Hugues Alary wrote: > Hi, > > I am also running into this issue using 1.9.4 (i.e. the current "latest" > docker image) with absolutely no load at all (1 client): > > [ALERT] 044/001000 (1) : sendmsg()/writev() failed in logger #1: No such > file or

Re: haproxy segfault

2019-02-12 Thread Lukas Tribus
On Tue, 12 Feb 2019 at 21:46, Mildis wrote: > > > On 12 Feb 2019 at 21:26, Christopher Faulet wrote: > > > Hi, > > A recent fix about a double free has been merged in HAProxy 1.9: > > http://git.haproxy.org/?p=haproxy-1.9.git;a=commit;h=451c5a88 > > Maybe you've hit this bug. > > > Did this

Re: Anyone heard about DPDK?

2019-02-10 Thread Lukas Tribus
On Sun, 10 Feb 2019 at 10:48, Aleksandar Lazic wrote: > > Hi. > > I have seen this in some twitter posts and asked me if it's something useable > for a Loadbalancer like HAProxy ? > > https://www.dpdk.org/ > > To be honest it looks like a virtual NIC, but I'm not sure. See:

Re: H2: interoperability issue due to lack of CONTINUATION frame support

2019-02-07 Thread Lukas Tribus
Hello, On Sat, 1 Sep 2018 at 20:02, Lukas Tribus wrote: > > Hi Willy, > > > haproxy is currently unable to handle CONTINUATION [1] frames (see > commit 61290ec77 - [2]). > > If a client emits a CONTINUATION frame, we will break the connection > and send G

Re: [PATCH 2/2] DOC: ssl: Specify stronger example ciphers

2019-02-04 Thread Lukas Tribus
Hello, On Mon, 4 Feb 2019 at 20:48, Bertrand Jacquin wrote: > > Since TLS ciphers are not well understand, it is very common parameters > from documentation are used as is. Since RC4 should not be used anymore > I believe it is wiser to show example including stronger ciphers to > avoid

Re: Opinions about DoH (=DNS over HTTPS) as resolver for HAProxy

2019-02-04 Thread Lukas Tribus
Hello, On Mon, 4 Feb 2019 at 12:14, Aleksandar Lazic wrote: > > Hi. > > I have just opened a new Issue about DoH for resolving. > > https://github.com/haproxy/haproxy/issues/33 > > As I know that this is a major change in the Infrastructure I would like to > here what you think about this

Re: support for FreeBSD accept filters

2019-02-01 Thread Lukas Tribus
Hello Richard, On Sat, 2 Feb 2019 at 00:28, Richard Russo wrote: > > My system is running a tcp proxy where the main limit on capacity seems to be > in > ephemeral port selection to the limited number of backends, and we have a > rather > high number of connections that never exchange data;

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-01-23 Thread Lukas Tribus
On Wed, 23 Jan 2019 at 09:52, Willy Tarreau wrote: > > On Wed, Jan 23, 2019 at 12:07:04AM -0800, Dirkjan Bussink wrote: > > Of course, you're right. New version of the patch attached! > > Now merged, thank you! It's obvious, but because the commit message doesn't explicitly mention it: This

Re: Some test case for HTTP/2 failed, are those bugs?

2019-01-22 Thread Lukas Tribus
Hello, On Tue, 22 Jan 2019 at 03:04, 高和东 wrote: > > Dear willy: > > I am a follower of haproxy. I tested HTTP/2 function in haproxy_1.8.17 > with the tool h2spec, but some test cases failed. I wonder if those are bugs > for haproxy. > See the tool here

[ANNOUNCE] HAProxy issue tracker is now open

2019-01-19 Thread Lukas Tribus
Hi, as mentioned previously on the list, Tim Düsterhus, Willy and myself have been discussing and working on the github issue tracker, setting up issue templates and labels with the purpose to fully open it for everyone. We have now reached that goal and consider the issue tracker ready for

Re: haproxy issue tracker discussion

2019-01-18 Thread Lukas Tribus
Hello Aleksandar, On Fri, 18 Jan 2019 at 12:54, Aleksandar Lazic wrote: > > Hi. > > As there are now the github templates in the repo can / should we start to > create issues & features on github? Yes, you can go ahead and start filing bugs and features. There's some minor tweaking yet to

Re: error while extracting 1.8.17 tar file

2019-01-18 Thread Lukas Tribus
Hello Girish, On Fri, 11 Jan 2019 at 01:53, Monitoring Naaptol wrote: > > Hi > > we are getting error while extracting tar file 1.8.17 on windows This is a symbolic link, and Windows does not support symbolic links, which is why extracting that particular file on that OS fails. I suggest you

reg-tests situation in haproxy 1.8

2019-01-18 Thread Lukas Tribus
Hello, currently we have 4 reg-tests in haproxy-1.8, backported due to the actual bugfix commit, which included a test. We also have a broken symbolic link in reg-tests/lua/common.pem, which causes at least some confusion [1]. We don't have any test infrastructure in haproxy-1.8 (Makefile,

Re: haproxy issue tracker discussion

2019-01-13 Thread Lukas Tribus
Hello, On Sat, 12 Jan 2019 at 13:38, Willy Tarreau wrote: > > The situation on GitHub does not need to mirror the situation on > > haproxy.org. You could still use separated repositories on haproxy.org > > to separate permissions and push the "validated" commits to GitHub. This > > is what the

Re: haproxy issue tracker discussion

2019-01-11 Thread Lukas Tribus
Hi Tim, Willy, apologies for not responding sooner, I always have to force myself to policy/organizational discussions, when I can also read stack or straces :) >> When should the binary "issue open" / "issue closed" property be >> toggled? When the issue is fixed in Dev? When the issue is

haproxy issue tracker discussion

2019-01-06 Thread Lukas Tribus
Hello everyone, as per Tim's suggestion I'm restarting the discussion about the issue tracker, started in "haproxy 1.9 status update" (2018-05-25), Message-ID 20180525161044.ga6...@1wt.eu: https://www.mail-archive.com/haproxy@formilux.org/msg30139.html > It would be nice to show what's pending

Re: Seamless reloads: file descriptors utilization in LUA

2019-01-02 Thread Lukas Tribus
Hello, On Wed, 2 Jan 2019 at 14:54, Lukas Tribus wrote: > > Hello, > > On Sun, 15 Jul 2018 at 07:19, Wert wrote: > > > > Hello, > > > > 1. When in LUA > > - I open some socket and left it unclosed (even UDP-sender socket) > > - Or open some file

Re: Seamless reloads: file descriptors utilization in LUA

2019-01-02 Thread Lukas Tribus
Hello, On Sun, 15 Jul 2018 at 07:19, Wert wrote: > > Hello, > > 1. When in LUA > - I open some socket and left it unclosed (even UDP-sender socket) > - Or open some files (for example, I use LUA-maxmind lib that opens GEO-DB > file) > > It is never destroyed. With each reload amount of used

[PATCH] MINOR: lb: allow redispatch when using constant hash

2019-01-02 Thread Lukas Tribus
From: Willy Tarreau Redispatch traditionally only worked for cookie based persistence. Adding redispatch support for constant hash based persistence - also update docs. Reported by Oskar Stenman on discourse:

Re: [PATCH] BUG/MINOR: lb: fix redispatch for hash based lb-algo's

2018-12-30 Thread Lukas Tribus
Hi Willy, On Thu, 27 Dec 2018 at 15:54, Willy Tarreau wrote: > > I'm not 100% sure whether "option redispatch" was only intended to > > break cookie persistence, but not other lb algorithms. Docs are > > ambiguous about this. > > I think you meant hashing instead of cookie persistence. But

Re: [PATCH] BUG/MINOR: lb: fix redispatch for hash based lb-algo's

2018-12-27 Thread Lukas Tribus
Hi, On Wed, 26 Dec 2018 at 23:04, Lukas Tribus wrote: > > redispatch never worked for hash based alghoritms, as the code For the commit: s/alghoritms/algorithms/ Lukas

Re: [PATCH] BUG/MINOR: lb: fix redispatch for hash based lb-algo's

2018-12-26 Thread Lukas Tribus
Hello, On Wed, 26 Dec 2018 at 23:04, Lukas Tribus wrote: > > redispatch never worked for hash based algorithms, as the code > (BE_LB_LKUP_CHTREE -> chash_get_next_server()) would only have been > called for BE_LB_KIND_RR, which doesn't make sense. Fix this by also > going d

[PATCH] BUG/MINOR: lb: fix redispatch for hash based lb-algo's

2018-12-26 Thread Lukas Tribus
redispatch never worked for hash based algorithms, as the code (BE_LB_LKUP_CHTREE -> chash_get_next_server()) would only have been called for BE_LB_KIND_RR, which doesn't make sense. Fix this by also going down this code path when the BE_LB_KIND is BE_LB_KIND_HI. Reported by Oskar Stenman on

Re: Send-proxy not modifying some traffic with proxy ip/port details instead retaining same client ip port

2018-12-26 Thread Lukas Tribus
Hello Roobesh, On Wed, 26 Dec 2018 at 11:49, Mohandass, Roobesh wrote: > RGM: This is reproducible anywhere production/lab but when we see this > behavior is a questions > as I said out of so many large number of requests only for some we will > observe this behavior > (but can be caught very

Re: Send-proxy not modifying some traffic with proxy ip/port details instead retaining same client ip port

2018-12-26 Thread Lukas Tribus
Hello Roobesh, On Wed, 26 Dec 2018 at 08:31, Mohandass, Roobesh wrote: > > Hello, > > > > We are using haproxy version 1.8.14-1 in a docker container running ubuntu > 14.04 / kernel: 4.15.0-39-generic (Base host where container is running 18.04 > / kernel 4.15.0-39-generic) > > getsockopt(fd,

1.9 BUG: redispatch broken

2018-12-22 Thread Lukas Tribus
Hello Oliver, redispatch is broken since commit 25b401536 ("BUG/MEDIUM: connection: Just make sure we closed the fd on connection failure"). It simply fails to connect to the next server. 1.9 is affected. Repro: global log 10.0.0.4:514 len 65535 local1 debug maxconn 1000 defaults log global

Re: How to remove accept-encoding header to backend while still keeping gzip?

2018-12-11 Thread Lukas Tribus
On Tue, 11 Dec 2018 at 15:13, wrote: > > Hi, > > I have haproxy in front of my app servers, these app servers do not handle > accept-encoding properly. Don't do anything manually and use the "compression offload" feature, which has been introduced for this *exact* use case:

Re: RSA and ECC not working as expected

2018-12-05 Thread Lukas Tribus
Hello, On Tue, 4 Dec 2018 at 20:10, Mildis wrote: > Thanks Lukas. > I knew I saw something like that in the docs since 1.6 but an official blog > note had priority on my mind :) > Maybe amending the post could help others wandering around the web for a > solution ... Agreed, Nenad amended the

Re: [ANNOUNCE] haproxy-1.9-dev9 : the last mile

2018-12-03 Thread Lukas Tribus
Hi Christopher, On Mon, 3 Dec 2018 at 22:55, Christopher Faulet wrote: > > On 03/12/2018 at 21:48, Lukas Tribus wrote: > > > > I gave HTX a quick spin and what I noticed is that with htx enabled > > and a plaintext http/1.1 port 80 backend, it works fine when the

Re: RSA and ECC not working as expected

2018-12-03 Thread Lukas Tribus
Hello Mildis, On Mon, 3 Dec 2018 at 22:19, Mildis wrote: > > Hi, > > I'm using 1.8.14 and I tried to follow > https://www.haproxy.com/blog/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ > but all I'm getting in the log is I'd recommend to ignore this blog post. Haproxy can do

Re: [ANNOUNCE] haproxy-1.9-dev9 : the last mile

2018-12-03 Thread Lukas Tribus
Hello Willy, On Sun, 2 Dec 2018 at 20:30, Willy Tarreau wrote: > > Hi, > > HAProxy 1.9-dev9 was released on 2018/12/02. It added 147 new commits > after version 1.9-dev8. > > This version will give some of us a bit of relief. It is the first one in > one year which finally integrates all the

[PATCH] MINOR: ssl: free ctx when libssl doesn't support NPN

2018-11-26 Thread Lukas Tribus
The previous fix da95fd90 ("BUILD/MINOR: ssl: fix build with non-alpn/ non-npn libssl") does fix the build in old OpenSSL release, but I overlooked that the ctx is only freed when NPN is supported. Fix this by moving the #endif to the proper place (this was broken in c7566001 ("MINOR: server: Add

[PATCH] BUILD/MINOR: ssl: fix build with non-alpn/non-npn libssl

2018-11-25 Thread Lukas Tribus
In commit c7566001 ("MINOR: server: Add "alpn" and "npn" keywords") and commit 201b9f4e ("MAJOR: connections: Defer mux creation for outgoing connection if alpn is set"), the build was broken on older OpenSSL releases. Move the #ifdef's around so that we build again with older OpenSSL releases

Re: Sharing OpenSSL CTX between multiple sockets

2018-11-22 Thread Lukas Tribus
Hello Julian, On Thu, 22 Nov 2018 at 20:09, Julian Wiesener wrote: > > Hi Lukas, > > On Thu, 22 Nov 2018 19:39:11 +0100 > Lukas Tribus wrote: > > Trying to understand the use-case better here, binding to any IP is > > not acceptable? Your client *needs* to bind to

Re: Sharing OpenSSL CTX between multiple sockets

2018-11-22 Thread Lukas Tribus
Hello Julian, On Thu, 22 Nov 2018 at 18:11, Julian Wiesener wrote: > > Hello, > > one of our clients runs a haproxy setup with a 2000+ SSL-Certificates on > multiple IPs. > > As an OpenSSL CTX needs to be created for each certificate for each sockets, > restarting or reloading the config takes

Re: HAProxy bytes in/bytes out stats are not updated

2018-11-20 Thread Lukas Tribus
Hello Sergey, On Tue, 20 Nov 2018 at 20:30, Sergey Arlashin wrote: > > Also I just noticed, when I reload HAProxy in master worker mode with > SIGUSR2, stats > stop get updated for already established sessions. I need to reestablish the > sessions in > order to see stat updates. > > Is this a

Re: HTTP/2 header issue: "Accept-Ranges" -> "Accept-Language"

2018-11-19 Thread Lukas Tribus
Hi James, On Mon, 19 Nov 2018 at 19:29, James Brown wrote: > > Here's a strange thing I've noticed: > > When using HTTP/2, HAproxy is rewriting the "Accept-Ranges" response header > into "Accept-Language". Yup, exactly as you described, thanks for the report. I assume this is a bug in the

Re: HAProxy and Client Certificates for Admin site access

2018-11-03 Thread Lukas Tribus
Hi Matt, On Sat, 3 Nov 2018 at 20:32, Matthew Sanders wrote: > I ran into a few work arounds to the problem, but I fear there are a few > performance considerations with these > approaches and felt there must be a more native way HAProxy could help with > this situation. > > In this blog post:

Re: CLI proxy for master process

2018-11-02 Thread Lukas Tribus
Hello, On Fri, 26 Oct 2018 at 17:41, William Lallemand wrote: > Hi Aleks, > > With a nbproc setup, the first goal is to be able to access multiple stats > sockets from one socket. > > In a more "modern" nbthread setup, it's possible to have only one worker, but > we still fork a new process

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

2018-10-29 Thread Lukas Tribus
On Mon, 29 Oct 2018 at 23:55, Igor Cicimov wrote: > > > However when enabling H2 on the frontend the connection to the webserver > > > (which itself is also made with SSL encryption) is made for every single > > > requested object i suspect this is the main reason for the slowdown, it > > > now

Re: enabling H2 slows down my webapp, how to use keep-alive on backend ssl connection?

2018-10-29 Thread Lukas Tribus
Hi, On Sun, 28 Oct 2018 at 23:47, PiBa-NL wrote: > > Hi List, > > When i enable H2 'alpn h2,http/1.1' on haproxy bind line with offloading > 'mode http'. The overall loading of a web-application i use takes longer > than without. (Tried with 1.9-dev5 and previous versions) > > The webapp loads

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-24 Thread Lukas Tribus
Hello James, On Wed, 24 Oct 2018 at 00:14, James Brown wrote: > > I tested enabling HTTP/2 on the frontend for some of our sites today and > immediately > started getting a flurry of failures. Browsers (at least Chrome) showed a lot > of SPDY > protocol errors and the HAProxy logs had a lot of

Re: HAproxy fails to start in CentOS with 'systemctl reload' ?

2018-10-23 Thread Lukas Tribus
Hello, On Tue, 23 Oct 2018 at 02:25, Imam Toufique wrote: > > Hi Brain, > > That seems to have worked! Thanks! I did not know the wrapper was not > needed. Let's see if it dies again ( hopefully not ) . > > Thanks again! For the record: - you can find the systemd unit file, including a

Re: sample/fetch support for TLS extensions

2018-10-18 Thread Lukas Tribus
Hello Alexey, On Tue, 16 Oct 2018 at 14:18, Alexey Elymanov wrote: > > I would like to propose a little patch, based on current ssl_capture > (ssl_sock.c) scheme. > Purpose is to be able to sample/fetch TLS extensions, it could be useful for > debugging or fingerprinting purposes (for

please ignore

2018-10-16 Thread Lukas Tribus
just sending from a different email address to collect permanent auto-replies (as in "no longer works here")

Re: Seamless reload and servers connections status

2018-10-16 Thread Lukas Tribus
Hi Sébastien, On Tue, 16 Oct 2018 at 09:45, Sébastien Kurtzemann wrote: > Our goal is to > - have some initial "free" servers in a tcp backend (for example 5 pods) > - when a connection start : one and only one "free" server handle it and it > become "busy" (we do this with maxconn=1) > - add

Re: Seamless reload and servers connections status

2018-10-15 Thread Lukas Tribus
Hello Sébastien, On Mon, 15 Oct 2018 at 16:40, Sébastien Kurtzemann wrote: >> No. Only *restart* closes existing front and backend connections. >> Reload (both seamless and regular) closes them gracefully, so no >> request is lost. > > > Okay. I think I confound connections and servers

Re: Seamless reload and servers connections status

2018-10-15 Thread Lukas Tribus
Hello, On Sat, 13 Oct 2018 at 10:34, Sébastien Kurtzemann wrote: > > Hi, > > I've got a question about haproxy "seamless reload": when this > operation is performed, do all backend server connections get reset? No. Only *restart* closes existing front and backend connections. Reload (both

Re: HAProxy "http-request auth" vs Safari WebSockets -- can this marriage be saved?

2018-10-11 Thread Lukas Tribus
Hello Jeremy, On Thu, 11 Oct 2018 at 03:04, Jeremy Friesner wrote: > > [Error] WebSocket connection to 'wss://localhost:8080/' failed: > Invalid HTTP version string: HTTP/1.0 Sounds like it doesn't like the 401 response in HTTP/1.0. Can you try the attached patch (which upgrades 401

Re: Fix some warnings and a small bug in debug logic

2018-10-07 Thread Lukas Tribus
Hello Dirkjan, On Sat, 6 Oct 2018 at 13:01, Dirkjan Bussink wrote: > > Hi all, > > On 14 Sep 2018, at 14:43, Dirkjan Bussink wrote: > > > While working on the OpenSSL 1.1.1 and TLS 1.3 cipher support issue, I also > > saw a number of compiler warnings that led me to investigate a bit. It > >

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-10-07 Thread Lukas Tribus
On Sat, 6 Oct 2018 at 13:03, Dirkjan Bussink wrote: > > Hi Emeric, > > > On 24 Sep 2018, at 15:33, Emeric Brun wrote: > > > > Seems good for me except for documentation: > > > > Could you precise in the old "ciphers" description that this applies only > > for TLSv <= 1.2. (and add a ref to the

Re: Redirecting one https site to another

2018-10-03 Thread Lukas Tribus
Hi Mark, On Thu, 4 Oct 2018 at 00:03, Mark Holmes wrote: > > Hi, > > > > I’m not sure if this is possible as haproxy isn’t terminating SSL in this > instance, > but I’d like to redirect https://urlone.co.uk to https://www.urlone.co.uk > [...] > Is what I am trying to achieve possible? Grateful

Re: Redirect to HTTPS

2018-10-02 Thread Lukas Tribus
On Tue, 2 Oct 2018 at 20:34, Dustin Schuemann wrote: > > I would like to redirect everything from HTTP to HTTPS except a specific URL. You mean Host header? Because that's what you configured. > redirect scheme https if !{ ssl_fc } OR !{ hdr(Host) -m -I www.blah.com } The logic is flawed. If

[PATCH] DOC: clarify force-private-cache is an option

2018-09-30 Thread Lukas Tribus
"boolean" may confuse users into thinking they need to provide additional arguments, like false or true. This is a simple option like many others, so lets not confuse the users with internals. Also fixes an additional typo. Should be backported to 1.8 and 1.7. --- doc/configuration.txt | 4 ++--

Re: Problems setting up SMTP health checks with Sophos email gateway

2018-09-28 Thread Lukas Tribus
Hello, On Thu, 27 Sep 2018 at 19:05, Gibson, Brian (IMS) wrote: > > EHLO domain.com\r\n > > Which throws an error “501 Syntactically invalid EHLO argument(s)” > > > > If I telnet to the host, and manually use EHLO domain.com it works fine, > but if I do EHLO domain.com\r\n it reproduces the

Re: h2 + text/event-stream: closed on both sides by FIN/ACK?

2018-09-24 Thread Lukas Tribus
On Mon, 24 Sep 2018 at 16:36, Willy Tarreau wrote: > > On Mon, Sep 24, 2018 at 02:30:35PM +, Pierre Cheynier wrote: > > OK, I conclude this SSE pattern is not working out-of-the-box when using h2 > > as of > > now. Is it still true even if setting the user set the proper connection > >

Re: Problem with option tune.ssl.force-private-cache

2018-09-24 Thread Lukas Tribus
Hello, On Mon, 24 Sep 2018 at 14:42, Maciej Małeta wrote: > > Hi, > > I have a problem with my haproxy 1.8.14: > when I want to start it, I get the error: tune.ssl.force-private-cache' cannot > handle unexpected argument 'false' > in version 1.5 it works fine > what is wrong in the 'false' option? > I

Re: h2 + text/event-stream: closed on both sides by FIN/ACK?

2018-09-23 Thread Lukas Tribus
Hello, On Fri, 21 Sep 2018 at 15:45, Pierre Cheynier wrote: > Let me know if you see something obvious here, or if this is candidate to a > bug. > > We have a service using SSE through text/event-stream content-type. > > In HTTP/1.1 we have a normal stream as expected : > < HTTP/1.1 200 OK > <

Re: Intermittent HTTP 503 Error (Service Unavailable) with about 250 Connections

2018-09-19 Thread Lukas Tribus
Hello, On Wednesday, 19 September 2018, Shishir Kumar Yadav < shis...@purestorage.com> wrote: > I am able to get logs and I see these errors - > > 2018-09-18 23:39:22+00:00 127.0.0.1 haproxy[569]: Connect() failed for > backend ir-http-server-backend: no free ports. > Make sure you enable

Re: [ANNOUNCE] haproxy-1.9-dev2

2018-09-18 Thread Lukas Tribus
Hi Manu, On Fri, 14 Sep 2018 at 15:45, Emmanuel Hocdet wrote: > > Hi, > > Quick test with 1.9-dev2, and I see latency (in seconds) to connect to > haproxy with SSL (tcp mode). > It's ok in master with 9f9b0c6a. > No time to investigate more for the moment. I cannot reproduce it in a simple

Re: Intermittent HTTP 503 Error (Service Unavailable) with about 250 Connections

2018-09-18 Thread Lukas Tribus
Hello, On Tue, 18 Sep 2018 at 02:36, Shishir Kumar Yadav wrote: > > Hi All, > > I am using haproxy 1.8.3 Which has 169 unfixed bugs: http://www.haproxy.org/bugs/bugs-1.8.3.html I'd strongly suggest you use latest stable, although that doesn't mean it has something to do with your specific

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-13 Thread Lukas Tribus
Hello Dirkjan, On Thu, 13 Sep 2018 at 16:44, Dirkjan Bussink wrote: > So with a new API call, does that mean adding for example a `ciphersuites` > option that works similar to `ciphers` today that it accepts a string and then > calls `SSL_CTX_set_ciphersuites`? Yes, that's what I'd have in

Re: TLS 1.3 options available with OpenSSL 1.1.1

2018-09-13 Thread Lukas Tribus
Hi Dirkjan, On Thu, 13 Sep 2018 at 15:35, Dirkjan Bussink wrote: > > Hi all, > > With the release of OpenSSL 1.1.1, TLS 1.3 is now also available. It already > is working fine in my testing with HAProxy 1.8, there is however one issue. > Currently there is no way to control the ciphers for

Re: Hang in haproxy 1.8.13

2018-09-11 Thread Lukas Tribus
On Tue, 11 Sep 2018 at 11:55, David King wrote: > > Apologies, i forgot to mention this is running on FreeBSD 11.1 > > I've just run the same tests on Centos and there is no issue Could you retry with the current development tree (1.9) from git? There are a number of fixes waiting to be

Re: ppa1~xenial with TLS v1.3 support

2018-09-05 Thread Lukas Tribus
Hello, On Wed, 5 Sep 2018 at 11:31, Haim Ari wrote: > > Hello, > > Is there a way to add TLS v1.3 without compiling haproxy ? (and still use PPA > version for Ubuntu) No. TLSv1.3 requires OpenSSL 1.1.1, which is still in beta phase, and even if it becomes stable, it will require some time

Re: [PATCH] BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1

2018-09-03 Thread Lukas Tribus
Hello Mano, On Mon, 3 Sep 2018 at 18:26, Emmanuel Hocdet wrote: > > Hi Lukas, Emeric > > This patch fix the issue. If you can check it. I confirm the patch fixes the original test case and also works fine in my Chrome on XP testbed (TLSv1.2, no ECC support). As you mentioned for clients using

Re: H2: interoperability issue due to lack of CONTINUATION frame support

2018-09-02 Thread Lukas Tribus
Hello, On Sun, 2 Sep 2018 at 17:24, Willy Tarreau wrote: > > Hi Lukas, > > On Sun, Sep 02, 2018 at 11:55:29AM +0200, Lukas Tribus wrote: > > Ok. I think with OpenSSL 1.1.1 we may be able to configure ALPN > > differently for RSA vs ECC certificates (of the same hostname)

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-09-02 Thread Lukas Tribus
Hello, On Sat, 1 Sep 2018 at 20:49, Lukas Tribus wrote: > > I've confirmed the change in behavior only happens with an ECC > > certificate, an RSA certificate is not affected. > > Just to confirm that this is still an actual problem with current > haproxy and openssl 1.

Re: H2: interoperability issue due to lack of CONTINUATION frame support

2018-09-02 Thread Lukas Tribus
Hello Willy, On Sat, 1 Sep 2018 at 21:00, Willy Tarreau wrote: > I wanted to address it but the CONTINUATION frame is the worst design > mistake of the H2 protocol and results in layering violations which > make it particularly problematic to implement. In short, while all > frames are

Re: Force response to send HTTP/2 GOAWAY?

2018-09-02 Thread Lukas Tribus
Hello Joseph, On Sun, 2 Sep 2018 at 03:42, Joseph Sible wrote: > > When using HTTP/2, is there a way to force haproxy to send a GOAWAY > frame after a given response? I expected that "option forceclose" > might do this, but I tested it and it doesn't seem to. My use-case for > this is having a

Re: BUG: ssl: regression with openssl 1.1.1 when using <= TLSv1.2

2018-09-01 Thread Lukas Tribus
Hello Emeric, On Wed, 30 May 2018 at 19:34, Lukas Tribus wrote: > >> Do you have any specific parameter related to ssl in your global section? > > I've confirmed the change in behavior only happens with an ECC > certificate, an RSA certificate is not affected

H2: interoperability issue due to lack of CONTINUATION frame support

2018-09-01 Thread Lukas Tribus
Hi Willy, haproxy is currently unable to handle CONTINUATION [1] frames (see commit 61290ec77 - [2]). If a client emits a CONTINUATION frame, we will break the connection and send GOAWAY due to INTERNAL_ERROR. This of course leads to interoperability issues. Notably, older Chrome/Chromium

Re: How to verify HAProxy build on Solaris/SPARC ?

2018-08-31 Thread Lukas Tribus
Hello, On Fri, 31 Aug 2018 at 04:30, Willy Tarreau wrote: > I'd like to ask you to test something just in case it helps. Could > you please modify your makefile to add "-pthread" to "-DUSE_THREAD" > like this : > > ifneq ($(USE_THREAD),) > BUILD_OPTIONS += $(call ignore_implicit,USE_THREAD)

Re: Issue with TCP splicing

2018-08-24 Thread Lukas Tribus
Hello Julien, On Thu, 23 Aug 2018 at 20:49, Julien Semaan wrote: > > Hi Olivier, > > Sorry for the delay, obtaining the core dump from a production environment > was a bit tricky. > > So, I have attached the core dump to this email. I hope this will help you > identify the issue. The

[PATCH] DOC: dns: explain set server ... fqdn requires resolver

2018-08-14 Thread Lukas Tribus
Abhishek Gupta reported on discourse that set server [...] fqdn always fails. Further investigation showed that this requires the internal DNS resolver to be configured. Add this requirement to the docs. Must be backported to 1.8. --- doc/management.txt | 3 ++- 1 file changed, 2 insertions(+),

Haproxy 1.8 segfaults on misconfigured set server fqdn command

2018-08-14 Thread Lukas Tribus
Hello, the "set server / fqdn " admin socket command requires the internal DNS resolver to be configured and enabled for that specific server. This is undocumented, and I will provide a doc fix soon. However, when the resolver is not configured, and when haproxy is compiled with thread

Re: haproxy and changing ELB IPs

2018-08-07 Thread Lukas Tribus
Hello, > We recently had an outage for short time related to NameServer's h/w failure > (both primary and secondary went down). > We were told that it is possible for these IPs to change in the future. It > never happened so far though. So you don't have changing nameservers at all, but it is

Re: haproxy and changing ELB IPs

2018-08-04 Thread Lukas Tribus
On Sat, 4 Aug 2018 at 14:21, Igor Cicimov wrote: > > Hi, > > On Sat, Aug 4, 2018 at 1:50 AM, K3 wrote: >> >> Hi, >> We are running into a problem and would like to hear any advice. >> >> Our Setup: >> We use haproxy 1.7.7 with two backends. >> One of the backends is AWS ELB >> The haproxy is

Re: SNI matching issue when hostname ends with trailing dot

2018-07-31 Thread Lukas Tribus
Hello Warren, On Tue, 22 May 2018 at 15:48, Warren Rohner wrote: > The other day I inadvertently appended a trailing dot to the hostname > for one of our sites (e.g. https://www.example.com.), and when I did > this HAProxy returned the default cert to the browser rather than the > expected cert

Re: Help with backend server sni setup

2018-07-30 Thread Lukas Tribus
On Mon, 30 Jul 2018 at 13:30, Aleksandar Lazic wrote: > > Hi. > > I have the following Setup. > > APP -> Internal Haproxy -(HTTPS)-> external HAProxy -> APP > > The external HAProxy is configured with multiple TLS Vhost. Never use SNI for Vhosting. It should work with the host header only. SNI

Re: Building HAProxy 1.8 fails on Solaris

2018-07-20 Thread Lukas Tribus
Hello, On Fri, 20 Jul 2018 at 15:58, Olivier Houchard wrote: > > Hi LuKas, > > On Fri, Jul 20, 2018 at 01:53:35PM +0200, Lukas Tribus wrote: > > Hello Oliver, > > > > On Fri, 20 Jul 2018 at 11:55, Olivier Houchard > > wrote: > > > > > > Hi

Re: Building HAProxy 1.8 fails on Solaris

2018-07-20 Thread Lukas Tribus
Hello Oliver, On Fri, 20 Jul 2018 at 11:55, Olivier Houchard wrote: > > Hi, > > On Fri, Jul 20, 2018 at 12:22:20AM +, Thrawn wrote: > > So...is there a way to adapt this patch so it won't cause random SSL errors and is suitable to apply to the trunk? We don't really want to run a customised

Re: [PATCH] MEDIUM: proxy_protocol: Send IPv4 addresses when possible

2018-07-20 Thread Lukas Tribus
Hello, On Wed, 18 Jul 2018 at 14:30, Willy Tarreau wrote: > > Hi Tim, > > On Wed, Jul 18, 2018 at 01:48:01PM +0200, Tim Düsterhus wrote: > > This would solve the issue for my use case and should not break anything > > (a few UNKNOWNs will become TCP6 then). > > OK. > > > I can rework the patch,

Re: [PATCH] MEDIUM: proxy_protocol: Send IPv4 addresses when possible

2018-07-17 Thread Lukas Tribus
Hello Tim, On Fri, 29 Jun 2018 at 21:00, Tim Duesterhus wrote: > > This patch changes the sending side of proxy protocol to convert IP > addresses to IPv4 when possible (and converts them IPv6 otherwise). > > Previously the code failed to properly provide information under > certain

Re: Building HAProxy 1.8 fails on Solaris

2018-07-17 Thread Lukas Tribus
On Tue, 17 Jul 2018 at 01:09, Thrawn wrote: > > Ah, indeed, the GCC version provided on our server is 3.4.3. But the readme > on https://github.com/haproxy/haproxy says "GCC between 2.95 and 4.8". Can > the build be changed to continue supporting older GCC, or do the docs need an > update?

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-16 Thread Lukas Tribus
On Mon, 16 Jul 2018 at 11:57, Martin RADEL wrote: > > Hi, > > I think we found the issue: > Seems that there was a misunderstanding from us regarding the haproxy > documentation with the "verifyhost" option. > > If I get it right, the documentation says that if we have a haproxy config > that >

Re: Bug when passing variable to mapping function

2018-07-16 Thread Lukas Tribus
Hello, On Fri, 29 Jun 2018 at 07:15, Jarno Huuskonen wrote: > > Hi, > > On Thu, Jun 28, Jarno Huuskonen wrote: > > I think this is the commit that breaks map_regm in this case: > > b5997f740b21ebb197e10a0f2fe9dc13163e1772 (MAJOR: threads/map: Make > > acls/maps thread safe). > > > > If I

Re: Building HAProxy 1.8 fails on Solaris

2018-07-16 Thread Lukas Tribus
Hello, On Mon, 16 Jul 2018 at 03:12, Thrawn wrote: > > Update: If I disable threading with > > USE_THREAD= > > then the build gets much further, but still fails eventually with: > > gcc -g -o haproxy src/ev_poll.o ebtree/ebtree.o ebtree/eb32sctree.o > ebtree/eb32tree.o ebtree/eb64tree.o

Re: TLS handshake works with certificate name mismatch using "verify required" and "verifyhost"

2018-07-14 Thread Lukas Tribus
Hello Martin, > we have a strange situation with our HAProxy, running on Version 1.8.8 with > OpenSSL. Please share the output of haproxy -vv. Did you build openssl yourself or is this a distribution provided openssl lib? I am asking because build issues can lead to very strange behavior. >

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-06-26 Thread Lukas Tribus
Hey guys, FYI after lots of discussions with openssl folks: https://github.com/openssl/openssl/issues/5330 https://github.com/openssl/openssl/pull/6388 https://github.com/openssl/openssl/pull/6432 OpenSSL 1.1.1 will now keep the FD open by default:

Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-23 Thread Lukas Tribus
On Sat, 23 Jun 2018 at 11:35, PGNet Dev wrote: > > > Sure. Your attitude and threats are not helpful in this conversation though. > > Threats? WTF are you talking about? Talking about: > I'll have to decide whether I'm more interested in haproxy, or a consistently > 'modern/current' openssl

Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-23 Thread Lukas Tribus
>> it's complicated to keep everything clean but any help is welcomed. > > Step 1 has been simply to understand the problem. Sure. Your attitude and threats are not helpful in this conversation though. > What I'm suggesting is that there's a possibility -- as per my other > post, still unclear

Re: HAProxy 1.8 built with rpath'd openssl links ok; but `haproxy -vv` reports "Built with" and "Running on" conflict

2018-06-22 Thread Lukas Tribus
Hello, right, your (second) build issue is caused by the --api=1.1.0 configuration, removing old interfaces. Drop it from your openssl configuration, and it will work fine. > particularly with tls1.3-capable openssl 1.1.1 "ComingSoon(tm)", might be > worth a review Haproxy 1.8 and -dev works
