Re: SSL handshake failure

2013-04-26 Thread Willy Tarreau
Hi Samat, On Mon, Feb 11, 2013 at 08:23:54PM +0400, Samat Galimov wrote: > First connection, gracefully started & closed: > 0001:https.accept(0005)=0007 from [5.9.11.40:25188] > 0002:decipher.accept(0006)=0009 from [5.9.11.40:25188] > 0002:decipher.clicls[0009:] > 0002:decipher.

Re: urls in stick-table, any timeline?

2013-04-26 Thread Baptiste
Of course not. It is in the dev18 release, which seems to be quite stable! Baptiste On Sat, Apr 27, 2013 at 2:58 AM, S Ahmed wrote: > Is this in the latest stable release? > > > On Thu, Apr 25, 2013 at 11:38 AM, Baptiste wrote: >> >> Hi, >> >> So basically, you want to rate limit on the URL inc

Re: how hard is it to understand the codebase?

2013-04-26 Thread Baptiste
Hi, If you want to learn C, then don't start with HAProxy!!! Read the code a bit later, once you're familiar, cause you'll learn many C advanced tips :) Baptiste On Sat, Apr 27, 2013 at 2:59 AM, S Ahmed wrote: > I'm not that well versed in the c language, but on a scale of 1-10, how hard > is i

RE: Keeping LB pools status in sync

2013-04-26 Thread Ahmed Osman
Hey Bryan, That's exactly what I want, thanks! Looks like usage of track is pretty straightforward too. Re: David's response, port 6060 only returns an auth prompt and depends on the application on port 80 working. If something weird happens to the application on port 80 that auth prompt will s

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Bertrand Jacquin
$ openssl ciphers -v 'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH' \
  | while read C dumb; do
      echo -n "# $C "
      openssl s_client -connect 176.31.104.63:443 -cipher $C < /dev/null > /dev/null 2>&1 \
        && echo OK \
        || echo FAIL
    done \
  | sort -k 3 \

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Bertrand Jacquin
Hi, If it can help, I've been in touch with Emeric about SSL handshake failure since some times now but it's maybe preferable to use the ML to share experience. I'm using the following cipher filter list : 'ALL:!SSLv2:!eNULL:!aNULL:!LOW:!EXPORT:!kECDH:!MD5:@STRENGTH' The PEM file I used is

RE: how hard is it to understand the codebase?

2013-04-26 Thread S Ahmed
I'm not that well versed in the c language, but on a scale of 1-10, how hard is it for someone to understand the codebase? Do you think this is something someone who wants to learn C could understand after a few months?

Re: urls in stick-table, any timeline?

2013-04-26 Thread S Ahmed
Is this in the latest stable release? On Thu, Apr 25, 2013 at 11:38 AM, Baptiste wrote: > Hi, > > So basically, you want to rate limit on the URL including the query string. > something like: > > frontend webservice > [...] > acl url_to_protect path /something/object /something_else/whatever >

Re: Keeping LB pools status in sync

2013-04-26 Thread Bryan Talbot
It sounds like you're asking how to use a server's health state in one backend as the health state in another. If so you can use the "track" option on the servers backend pool1 server server1 1.1.1.1:6060 track pool2/server1 server server2 1.1.1.2:6060 track pool2/server2 backend pool2 ser

Re: Keeping LB pools status in sync

2013-04-26 Thread David Coulson
On 4/26/13 8:09 PM, Ahmed Osman wrote: Hello Everyone, I'm wondering if anyone is able to tell me if this is default behavior or if I need to configure this. In a nutshell I have this setup: LB_Pool1 Server1:6060 Server2:6060 LB_Pool2 Server1:80 Server2:80 I can do a check pretty easi

Keeping LB pools status in sync

2013-04-26 Thread Ahmed Osman
Hello Everyone, I'm wondering if anyone is able to tell me if this is default behavior or if I need to configure this. In a nutshell I have this setup: LB_Pool1 Server1:6060 Server2:6060 LB_Pool2 Server1:80 Server2:80 I can do a check pretty easily on LB_Pool2 however I don't have a method fo

RE: Question on feature stability in 1.5

2013-04-26 Thread Ahmed Osman
Hi Lukas Horribly late response but thanks for the thorough reply. I've been doing additional testing and HAProxy is filling all our needs thus far (I've got one implementation that I'll send to the DL separately). No bugs or odd behavior to report yet. - Ahmed Osman -Original Message

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread PiBa-NL
Hi Willy, I'll give it a try and send the patch as an attachment, though I'm not 100% comfortable with the code. I think I can do it. Will take me a few days though.. Thanks so far. On 26-4-2013 23:12, Willy Tarreau wrote: On Fri, Apr 26, 2013 at 11:03:00PM +0200, PiBa-NL wrote: Hi Willy / L

Re: VS: Haparoxy hangs in one minute on config reload

2013-04-26 Thread Cyril Bonté
Hi Willy, On 26/04/2013 11:50, Willy Tarreau wrote: Hi again Cyril, On Thu, Apr 25, 2013 at 11:04:03PM +0200, Willy Tarreau wrote: So I'll see how to enable this by default for health checks. The code will be different for 1.4 and 1.5 but it's worth doing it anyway. OK I've fixed it now i

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Willy Tarreau
On Fri, Apr 26, 2013 at 11:03:00PM +0200, PiBa-NL wrote: > Hi Willy / Lukas, > > It seems to me OpenBSD doesn't support the IP_BINDANY flag..: > http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/netinet/in.h > it

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread PiBa-NL
Hi Willy / Lukas, It seems to me OpenBSD doesn't support the IP_BINDANY flag..: http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/netinet/in.h While FreeBSD does: http://svnweb.freebsd.org/base/head/sys/netinet/

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Willy Tarreau
Hi Lukas, On Fri, Apr 26, 2013 at 10:26:33PM +0200, Lukas Tribus wrote: > Hi, > > throwing in my two cents here, based on a few uneducated guesses reading > the Makefile, etc. Feel free to disagree/correct/shout at me :) Thanks for sharing your thoughts, I feel less alone sometimes when I can di

RE: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Lukas Tribus
Hi, throwing in my two cents here, based on a few uneducated guesses reading the Makefile, etc. Feel free to disagree/correct/shout at me :) (actually I wrote this before Willy answered) > As for renaming the CONFIG_HAP_LINUX_TPROXY to something different would > require everyone that on a regu

haproxy ssl termination stats

2013-04-26 Thread David Torgerson
Is there a way to debug ssl handshake failures? I occasionally see an error message in the logs which says "Connection error during SSL handshake". It rarely happens so debugging it is difficult with something like packet captures because we have over 5000 ssl requests per second. What I was hoping

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Willy Tarreau
Now that I'm seeing the patch in its context, I think it's not the cleanest way to do it, because we redefine IPV6_TRANSPARENT and IP_TRANSPARENT when IP_FREEBIND is not defined, while we don't use this one and the other ones are defined below. Also I'm concerned about the result of running this wi

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread Willy Tarreau
Hi, On Fri, Apr 26, 2013 at 08:40:49PM +0200, PiBa-NL wrote: > Hi Willy, > > Sorry for the weird syntax.. I made the text 'bold', but that seems to > have come out differently... As you can guess, there is no "bold" attribute in source code, so it must necessarily appear differently at some poi

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Willy Tarreau
On Fri, Apr 26, 2013 at 06:22:57PM +, Connelly, Zachary (CGI Federal) wrote: > Two things: > > > > 1. After taking the two patches, ran version and am definitely getting > different versions. I'll have to look into how this could be with the admins > some more. > > Built with OpenSS

Re: HAProxy on FreeBSD 8.3 with transparent proxying (TProxy?)

2013-04-26 Thread PiBa-NL
Hi Willy, Sorry for the weird syntax.. I made the text 'bold', but that seems to have come out differently... Anyway I hope the 'patch' below is something you can work with? As for renaming the CONFIG_HAP_LINUX_TPROXY to something different would require everyone that on a regular basis buil

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Connelly, Zachary (CGI Federal)
Two things: 1. After taking the two patches, ran version and am definitely getting different versions. I'll have to look into how this could be with the admins some more. Built with OpenSSL version : OpenSSL 1.0.0a 1 Jun 2010 Running on OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013 (VERS

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Connelly, Zachary (CGI Federal)
Thanks Willy/Emeric! I will try and track down the OpenSSL and we have and ensure we got the right versions. I did add the ADDINC parameter to the build to explicitly point to the include linked with the lib and same error occurred. I will also download the two fixes from today and see if the de

Re: Problems using unique-id in logs

2013-04-26 Thread Willy Tarreau
Hi, On Fri, Apr 26, 2013 at 06:10:24PM +0100, Pedro Mata-Mouros wrote: > Hi everyone, > > Having some trouble with using unique-id in logs, in 1.5-dev18. The following > conf file will completely ignore log-format in defaults. I have to move it to > the frontend in order for something to appear

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Willy Tarreau
On Fri, Apr 26, 2013 at 06:25:38PM +0200, Willy Tarreau wrote: > We've checked with Emeric and I can confirm that the SSL struct changed > between the two versions, which exactly explains the 8 bytes offset we > found for ssl->sid_ctx_length which pointed to some wrong location. > > I have added a

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Holger Just
At least on Debian, you need to hack around the includes a bit if you compile with USE_PCRE=1 and have the libssl-dev package installed. Because both the PCRE headers and the system-provided openssl headers are located in /usr/include and USE_PCRE adds an include for that directory, the openss

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Willy Tarreau
Zack, On Fri, Apr 26, 2013 at 02:12:46PM +, Connelly, Zachary (CGI Federal) wrote: > Emeric, > > I'm not sure about that either actually. We definitely only have 0.9.8~ > versions on the box and I explicitly reference the 0.9.8y library when I > compile the executable: > > TARGET=linux26 USE

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Connelly, Zachary (CGI Federal)
Emeric, I'm not sure about that either actually. We definitely only have 0.9.8~ versions on the box and I explicitly reference the 0.9.8y library when I compile the executable: TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 ADDLIB=-L/usr/local/openssl-0.9.8y/lib LDFLAGS+=-ldl Zack -Orig

Re: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Emeric Brun
Hi, I don't understand: You said using openssl version 0.9.8y, but haproxy -vv shows OpenSSL 1.0.0a. Emeric On 04/25/2013 04:45 PM, Connelly, Zachary (CGI Federal) wrote: Lukas (et al), Here's what I have so far: 1. use latest snapshot from [1] – *I'll* *work on this today* 2. provide the output

Re: VS: Haparoxy hangs in one minute on config reload

2013-04-26 Thread Willy Tarreau
Hi again Cyril, On Thu, Apr 25, 2013 at 11:04:03PM +0200, Willy Tarreau wrote: > So I'll see how to enable this by default for health checks. The code > will be different for 1.4 and 1.5 but it's worth doing it anyway. OK I've fixed it now in 1.4. In fact 1.5 already does this so no change was ne

CRL verification problem

2013-04-26 Thread Godbach
Hi all, I have tested CRL verification for master of haproxy git repository under such conditions: * two CAs (CA1 & CA2) used to do verification * CRL file specified, but contains CRL only issued by CA1 When I send request with certificate issued by CA2, the verification will fail with the reason of

Re: track & log sessions

2013-04-26 Thread Baptiste
Hi, Capture cookie doesn't change anything, it adds to the log line the cookie value! pretty simple and straight forward, and this is how people usually track users. Of course, you must enable HTTP logging, turn your frontend in HTTP mode as well. Baptiste On Fri, Apr 26, 2013 at 9:39 AM, Smain

track & log sessions

2013-04-26 Thread Smain Kahlouch
Hello all, My question is pretty simple. I just want to know if it's possible to track/log a session from the connection to the disconnection. I've seen that it was possible with the "capture cookie" statement but I don't want to change something from user side. Is there another way please ? Regard

RE: Follow-up on thread 'SSL handshake failure' from 2/5/2013

2013-04-26 Thread Lukas Tribus
Hi! > report the exact snapshot you used. He is at current HEAD by using 20130425 with c621d36ba applied manually on it (linux 2.6.18 without tproxy support). He also saw the crashes in -dev18, but I had him update the code. Thanks, Lukas