Loading multiple TLS certificates

2019-05-13 Thread Norman Branitsky
the certificate, the intermediates, and the key, or should I create a single PEM file containing all 6 certificates, 6 keys, and 1 intermediate file? Norman Branitsky Senior Cloud Architect MicroPact Toronto 416.916.1752 (61752)

HAProxy in front of Docker Enterprise problem

2019-02-12 Thread Norman Branitsky
this doesn't work - the client gets the SSL certificate provided by the HAProxy server instead of the certificate provided by the Manager node. This causes the Manager node to barf. Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend for the Manager nodes? Norman Branitsky

Re: Setting a unique header per server in a backend

2018-12-16 Thread Norman Branitsky
Don't forget the "X-" header prefix is deprecated: https://tools.ietf.org/html/rfc6648 Norman Branitsky On Dec 16, 2018, at 03:50, Willy Tarreau mailto:w...@1wt.eu>> wrote: Hi Sachin, On Sat, Dec 15, 2018 at 10:32:21PM +0530, Sachin Shetty wrote: Hi, We have a tricky re

RE: Redirect Syntax

2018-12-11 Thread Norman Branitsky
This is what I do. Either use a combined "listen" or a separate "frontend" and "backend". frontend main bind 0.0.0.0:80 option forwardfor except 127.0.0.0/8 option httplog http-request redirect scheme https code 301 if !{ ssl_fc } frontend main_ssl # Bind SSL port

Random with Two Choices Load Balancing Algorithm

2018-12-06 Thread Norman Branitsky
NGINX just announced the following load balancing method as default for their Ingress Controller for Kubernetes. Will this appear on the HAProxy roadmap? Support for the New Random with Two Choices Load‑Balancing Algorithm In NGINX Plus

RE: SSL certs

2018-11-27 Thread Norman Branitsky
Alberto wrote: For example, if you've bought your wildcard cert from comodo, it would go like this: cat STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt STAR_your_domain.key > STAR_your_domain.pem I don’t believe you should

RE: URL rewrite

2018-08-31 Thread Norman Branitsky
Message- From: Norman Branitsky Sent: Monday, August 27, 2018 6:53 PM To: 'Tim Düsterhus' ; haproxy Subject: RE: URL rewrite Your examples are all correct. -Original Message- From: Tim Düsterhus Sent: Monday, August 27, 2018 6:22 PM To: Norman Branitsky ; haproxy Subject: Re: URL

RE: URL rewrite

2018-08-27 Thread Norman Branitsky
Your examples are all correct. -Original Message- From: Tim Düsterhus Sent: Monday, August 27, 2018 6:22 PM To: Norman Branitsky ; haproxy Subject: Re: URL rewrite Norman, On 27.08.2018 at 23:45, Norman Branitsky wrote: > I need to rewrite my URLs according to the following patt

URL rewrite

2018-08-27 Thread Norman Branitsky
I need to rewrite my URLs according to the following pattern: cloud.example.com/?query becomes: .cloud.example.com/main?query HAProxy will terminate SSL - I have a wildcard certificate for *.cloud.example.com. As the target servers are running Docker Enterprise, I do not need DNS entries for

RE: Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
Actually items 2 and 3 below are what I want: If hostname "ucp.mydomain.com" then "reencrypt" i.e. https -> https else normal SSL termination - "edge" i.e. https -> http. -Original Message- From: Aleksandar Lazic Sent: Thursday, August 23, 2018 4:

RE: Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
aproxy@formilux.org; Norman Branitsky ; haproxy Subject: Re: Docker Swarm configuration Hi. How about to use the following setup. frontend tcp mode tcp bind 443 use_backend default backend default mode http bind 444 ... You can take a look into the openshift router for a more de

Docker Swarm configuration

2018-08-23 Thread Norman Branitsky
My plan was to by default terminate SSL and send http traffic to the worker servers on port 88 while traffic with a "ucp.mydomain.com" header would be passed thru as https to the UCP management servers on port 8443. Docker Enterprise Manager nodes insist on seeing incoming commands as https and

RE: Missing SRV cookie

2018-07-23 Thread Norman Branitsky
onté Sent: Monday, July 23, 2018 3:31 PM To: Norman Branitsky Cc: haproxy Subject: Re: Missing SRV cookie Hi Norman, On 23/07/2018 at 18:36, Norman Branitsky wrote: > My client's environment had 3 HAProxy servers. > > Due to a routing issue, my client's users could only see the ol

Missing SRV cookie

2018-07-23 Thread Norman Branitsky
My client's environment had 3 HAProxy servers. Due to a routing issue, my client's users could only see the old HAProxy 1.5 server when connecting from their data center. They could not see the 2 new HAProxy 1.7 servers. The routing issue was resolved last week and they could now see the 2 new

RE: JWT payloads break b64dec convertor

2018-05-28 Thread Norman Branitsky
https://en.wikipedia.org/wiki/The_C_Programming_Language -Original Message- From: Aleksandar Lazic Sent: Monday, May 28, 2018 12:34 PM To: Jonathan Matthews Cc: Willy Tarreau ; haproxy Subject: Re: JWT payloads break b64dec convertor On 28/05/2018 15:10, Jonathan Matthews wrote: >On

Eclipse 403 access denied

2018-05-11 Thread Norman Branitsky
After upgrading to the latest version of Eclipse and installing our custom Eclipse Plugin, my developers are now being blocked by HAProxy. Here's a sample of the problem: May 11 15:03:37 localhost haproxy[13089]: 66.192.142.9:43041 [11/May/2018:15:03:37.932] main_ssl~

RHEL distribution still uses HAProxy 1.5

2018-05-01 Thread Norman Branitsky
We opened a ticket with RHEL Support to ask when they would upgrade to at least HAProxy 1.7. This was their reply: Most recent comment: On 2018-05-01 10:22:28, Patil, Ravindra commented: "Hello The reason 1.7 (as well and 1.6 and 1.8) are not in RHEL is due to backward compatibility. We can't

Docker EE Plugins

2018-03-14 Thread Norman Branitsky
In this document:

RE: Poll: haproxy 1.4 support ?

2018-01-02 Thread Norman Branitsky
Unfortunately, Red Hat continues to distribute 1.5 in RHEL 7. How do we get them to upgrade to 1.7 ? From: Falco Schmutz / premaccess [mailto:fschm...@premaccess.com] Sent: January-02-18 10:27 AM To: Jonathan Matthews Cc: haproxy Subject: Re: Poll:

RE: HAProxy as a frontend for Docker Swarm deployment

2017-11-06 Thread Norman Branitsky
I believe Docker Swarm has a similar API. Is the code for your listener public? From: Soluti Quintiliano [mailto:quintili...@soluti.com.br] Sent: November-06-17 2:08 PM To: Norman Branitsky <norman.branit...@micropact.com> Cc: haproxy@formilux.org Subject: Re: HAProxy as a frontend for

HAProxy as a frontend for Docker Swarm deployment

2017-11-06 Thread Norman Branitsky
d on Docker Service label." Having read the docs, it appears to be reasonable for internal exposure only. With respect to dynamic configuration based on Docker Service label, how does this compare vis a vis HAProxy? Norman Norman Branitsky Cloud Architect MicroPact (o) 416.916.1752 (c) 416.843.06

RE: HTTP DELETE command failing

2017-11-03 Thread Norman Branitsky
This particular DELETE was designed to return a 204 – no payload expected. So the test which insisted on payload was incorrect. Problem solved. Thanks. From: Igor Cicimov [mailto:ig...@encompasscorporation.com] Sent: November-02-17 8:56 PM To: Norman Branitsky <norman.branit...@micropact.com&

RE: HTTP DELETE command failing

2017-11-02 Thread Norman Branitsky
To: haproxy@formilux.org Subject: Re: HTTP DELETE command failing HAProxy is replying 403, which means that the DELETE request was explicitly denied by your conf. In order for us to help you, we need to have a look to your conf ++ On 02/11/2017 17:17, Norman Branitsky wrote: In HAProxy version 1.7.5, I see

HTTP DELETE command failing

2017-11-02 Thread Norman Branitsky
0 0/0 "DELETE /etk-training-ora1/private/api/users/62469 HTTP/1.1" In the GET and POST commands, path_beg matches /etk-training-ora1. It appears that in the DELETE command path_beg returns nothing or something else. Suggestions, please? Norman Norman Branitsky Cloud Architect MicroPa

RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-08-24 Thread Norman Branitsky
red” option for the “./config” command. I see you use the following 2 make options: USE_PCRE_JIT=1 USE_REGPARM=1 I didn’t notice them in the docs. Are they recommended? From: Denis Astahov [mailto:de...@trinimbus.com] Sent: August-24-17 11:26 AM To: Norman Branitsky <norman.branit...@micropact.c

RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-28 Thread Norman Branitsky
de/openssl SSL_LIB=/usr/local/ssl/lib Thank you all and sundry. -Original Message- From: Willy Tarreau [mailto:w...@1wt.eu] Sent: July-28-17 6:18 AM To: Norman Branitsky <norman.branit...@micropact.com> Cc: haproxy@formilux.org Subject: Re: HAProxy 1.7.8 compile problem with new OpenSS

RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-26 Thread Norman Branitsky
=/usr install Then I tried ./config --prefix=/usr make make test make INSTALL_PREFIX=/ install -Original Message- From: Gibson, Brian (IMS) [mailto:gibs...@imsweb.com] Sent: July-26-17 5:47 PM To: haproxy@formilux.org; Norman Branitsky <norman.branit...@micropact.com> Subje

RE: HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-26 Thread Norman Branitsky
cb' collect2: error: ld returned 1 exit status make: *** [haproxy] Error 1 The original ssl was installed in /usr/lib64 - should I force the new one to install in the same directories overwriting the old? From: Gibson, Brian (IMS) [mailto:gibs...@imsweb.com] Sent: July-26-17 3:12 PM

HAProxy 1.7.8 compile problem with new OpenSSL

2017-07-26 Thread Norman Branitsky
reference to `SSL_CTX_set_alpn_select_cb' collect2: error: ld returned 1 exit status make: *** [haproxy] Error 1 Norman Norman Branitsky Cloud Architect MicroPact (o) 416.916.1752 (c) 416.843.0670 (t) 1-888-232-0224 x61752 www.micropact.com<http://www.micropact.com/> Think it > Track it > Done

RE: AWS ELB as a backend

2017-07-24 Thread Norman Branitsky
You dropped “server1” from the server line. So it’s reading the server address as the server-name and “check” as the server-address: server server-name server-address [check] [resolvers resolver-name] From: DHAVAL JAISWAL [mailto:dhava...@gmail.com] Sent: July-24-17 12:56 PM To: Aleksandar Lazic

RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Norman Branitsky
Comments inline. From: Igor Cicimov [mailto:ig...@encompasscorporation.com] Sent: July-08-17 11:20 PM To: Norman Branitsky <norman.branit...@micropact.com> Cc: HAProxy <haproxy@formilux.org> Subject: RE: HAProxy failover - DNS change cached by IE for a long time Of course it can wo

RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-08 Thread Norman Branitsky
...@encompasscorporation.com] Sent: July-08-17 9:14 AM To: Norman Branitsky <norman.branit...@micropact.com> Cc: HAProxy <haproxy@formilux.org> Subject: RE: HAProxy failover - DNS change cached by IE for a long time On 8 Jul 2017 2:58 am, "Norman Branitsky" <norma

RE: HAProxy failover - DNS change cached by IE for a long time

2017-07-07 Thread Norman Branitsky
to display the dnserror page - probably for 20 minutes. From: Norman Branitsky [mailto:norman.branit...@micropact.com] Sent: June-27-17 10:44 AM To: haproxy@formilux.org Subject: HAProxy failover - DNS change cached by IE for a long time This sender failed our fraud detection checks and may

Replacing reqadd with http-request set-path

2017-06-28 Thread Norman Branitsky
equest redirect /datamart/wiLogin.do if path_root Are my "translations" correct? Norman Norman Branitsky Cloud Architect MicroPact (o) 416.916.1752 (c) 416.843.0670 (t) 1-888-232-0224 x61752 www.micropact.com<http://www.micropact.com/> Think it > Track it > Done

HAProxy failover - DNS change cached by IE for a long time

2017-06-27 Thread Norman Branitsky
page. What can I do to kick IE in the head and cause it to refresh its DNS cache? It doesn't seem to respect the TTL value. Norman Norman Branitsky Cloud Architect MicroPact (o) 416.916.1752 (c) 416.843.0670 (t) 1-888-232-0224 x61752 www.micropact.com<http://www.micropact.com/> Think it > Track it > Done

Missing security headers

2017-06-13 Thread Norman Branitsky
0; report-uri=https://xxx.report-uri.io/r/default/ct/reportOnly' rspadd 'Expect-Staple: report-uri=https://xxx.report-uri.io/r/default/staple/reportOnly' BUT they are not appearing when I use Firefox to view the Headers: What am I doing wrong? Norman Norman Brani

RE: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-06-02 Thread Norman Branitsky
...@1wt.eu] Sent: June-02-17 10:52 AM To: Lukas Tribus <lu...@gmx.net> Cc: Norman Branitsky <norman.branit...@micropact.com>; Cyril Bonté <cyril.bo...@free.fr>; haproxy@formilux.org Subject: Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working Hi Lukas, On Wed, May 31, 2017 a

RE: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Norman Branitsky
To: Norman Branitsky <norman.branit...@micropact.com> Cc: Lukas Tribus <lu...@gmx.net>; haproxy@formilux.org Subject: Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working Hi Norman, On 30/05/2017 at 23:39, Norman Branitsky wrote: > I modified the server line thus: &

RE: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Norman Branitsky
@gmx.net] Sent: May-30-17 5:00 PM To: Norman Branitsky <norman.branit...@micropact.com>; haproxy@formilux.org Subject: Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working Hello Norman, On 30.05.2017 at 18:06, Norman Branitsky wrote: > > The server's identifier is not

HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Norman Branitsky
; Secure; HttpOnly The server's identifier is not added to the cookie. Needless to say, my load balancing doesn't work. Norman Norman Branitsky Cloud Architect MicroPact (o) 416.916.1752 (c) 416.843.0670 (t) 1-888-232-0224 x61752 www.micropact.com<http://www.micropact.com/> Think it > Track it > Done