On 19.05.2014 06:51, Willy Tarreau wrote:
Hi Rémi,
On Mon, May 12, 2014 at 06:34:01PM +0200, Remi Gacogne wrote:
Hi,
On 05/05/2014 12:06 PM, Sander Klein wrote:
I've added a 2048bit dhparam to my most used certificates and I don't
see a big jump in resource usage.
This was not a big
Hi,
What happens if you also have DH appended to your certificates? You set
global.tune.ssl_max_dh_param to 1024 but you have a 4096bit DH in your
certificate file, which one is used then? An answer could be 'Don't do
that' :-) but I was curious.
The certificate's dh_param is used. To avoid
Hi Willy,
I'd have applied a very simple change to your patch: I'd have initialized
global.tune.ssl_max_dh_param to zero by default, and emitted a warning here:
+ if (global.tune.ssl_max_dh_param = 1024) {
+ /* we are limited to DH parameter of 1024
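Review bot: the condition `if (global.tune.ssl_max_dh_param = 1024)` uses a single `=`, so it assigns 1024 to the tunable and always evaluates true instead of testing the configured value; the comment below it ("we are limited to DH parameter of 1024") suggests a comparison was intended, so this should be `==` (or `<=`, if the warning is meant for any limit at or below 1024).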
On Mon, May 19, 2014 at 09:47:45AM +0200, Remi Gacogne wrote:
Hi Willy,
I'd have applied a very simple change to your patch : I'd have initialized
global.tune.ssl_max_dh_param to zero by default, and emitted a warning here:
+ if (global.tune.ssl_max_dh_param = 1024) {
Hi,
This is a minor fix, but the SSL_CTX_set_options() and
SSL_CTX_set_mode() functions take a long, not an int parameter. As
SSL_OP_ALL is now (since OpenSSL 1.0.0) defined as 0x8BFFL, I think
it is worth fixing.
Best regards,
--
Rémi Gacogne
Aqua Ray
SAS with a capital of 105.720 Euros
RCS
Ah yes, you're right. But anyway the purpose was to explain the principle.
Do you want to update your patch and resubmit then?
Yes, of course, thank you. What do you think about Lukas idea to change
the name of the setting, in order to clarify the fact that it only
applies as a fallback when
On Mon, May 19, 2014 at 10:43:22AM +0200, Remi Gacogne wrote:
Ah yes, you're right. But anyway the purpose was to explain the principle.
Do you want to update your patch and resubmit then?
Yes, of course, thank you. What do you think about Lukas idea to change
the name of the setting,
On Mon, May 19, 2014 at 10:37:20AM +0200, Remi Gacogne wrote:
This is a minor fix, but the SSL_CTX_set_options() and
SSL_CTX_set_mode() functions take a long, not an int parameter. As
SSL_OP_ALL is now (since OpenSSL 1.0.0) defined as 0x8BFFL, I think
it is worth fixing.
Applied, thank
Yes, of course, thank you. What do you think about Lukas idea to change
the name of the setting, in order to clarify the fact that it only
applies as a fallback when there are no DH parameters in the certificate
file?
I think it's a good idea, it could avoid some confusion in the future.
Hi Guys,
We have been using haproxy in our company for months and have loved our
experience. However we recently ran into a strange issue even though no changes
happened on the haproxy side.
We are currently using haproxy 1.4.24 on Debian 7. Our backend consists of 6
Windows 2008 R2 servers
Hello,
we're trying to set up HAProxy 1.5-dev25 to terminate SSL and load
balance to various back-ends. From our benchmarks it seems we need to
run haproxy with nbproc higher than 1 to scale out SSL handshakes. So we
tested the setup described here:
John, Willy already replied to your original thread. I suggest you engage
with his detailed reply, there, instead of starting a new thread.
I will do so.
Sorry, I’m new to the forum.
Thanks for the heads-up!
From: jonat...@jpluscplusm.com [mailto:jonat...@jpluscplusm.com] On Behalf Of
Jonathan Matthews
Sent: Monday, May 19, 2014 12:24 PM
To: JDzialo John
Cc: haproxy
Subject: Re: HAProxy connection remains but web page stream is
Hey Willy,
On 05/19/2014 06:30 AM, Willy Tarreau wrote:
Here is a nice way to trigger it:
- run haproxy in daemon mode, but with nbproc 1
- open a HTTP keep-alive connection (and keep it open)
- send USR1 to the only worker (it should stay running, because of the
ongoing connection)
It seems like the warning would be emitted in cases when DH exchange is
disabled. ECDH is supported by nearly all new browsers and devices (that we
care about anyway) and so have DH disabled and only ECDH enabled when PFS
can be used -- specifically to avoid the large DH overhead especially for
Hi Bryan,
On Mon, May 19, 2014 at 12:49:21PM -0700, Bryan Talbot wrote:
It seems like the warning would be emitted in cases when DH exchange is
disabled. ECDH is supported by nearly all new browsers and devices (that we
care about anyway) and so have DH disabled and only ECDH enabled when PFS
On Mon, May 19, 2014 at 04:26:53PM +, JDzialo John wrote:
I will do so.
Sorry, I'm new to the forum.
Huh? In what way does being new on the forum explain this surprising behaviour?
Are we doing something really unexpected here by responding to questions
from people who seek some help?
Hi Conrad,
On Mon, May 19, 2014 at 07:26:54PM +0200, Conrad Hoffmann wrote:
Works all the time for me. Running lsof before and after the signal
neatly shows how the worker closed the listening socket but the parent
still has it.
I'm just confused with what the parent here can be since
The attached patch implements a new append-header configuration
directive. Currently we can modify the header with set-header or
add-header, but we do not have a way to append to the header, and in
some cases it is desirable.
The patch is against dev24. I have not tested if it cleanly applies to
I'm sorry some confusion on my side!
Truthfully, yes, I am surprised by the response time and great information I
have received from you so far.
I greatly appreciate it.
I will continue to respond through this email string if that is proper
procedure.
-Original Message-
From:
Hello,
I've upgraded from 1.5-dev21 to 1.5-dev25 and this line of the
configuration file
use_backend WWW-DOMAIN if { ssl_fc_sni host.domain.com }
stopped working.
here is the error message:
[ALERT] 138/201051 (3212) : parsing [/etc/haproxy/haproxy.conf:118] : error
detected while
Hi Florian,
On Mon, May 19, 2014 at 05:05:15PM +0200, Florian Munz wrote:
Hello,
we're trying to set up HAProxy 1.5-dev25 to terminate SSL and load
balance to various back-ends. From our benchmarks it seems we need to
run haproxy with nbproc higher than 1 to scale out SSL handshakes. So
just made a 1.5-dev25-16 tarball, installed it and it works perfectly.
thank you!
Pedro
On Mon, May 19, 2014 at 2:27 PM, Willy Tarreau w...@1wt.eu wrote:
Hello Pedro,
On Mon, May 19, 2014 at 02:19:58PM -0600, Pedro Salgado wrote:
Hello,
I've upgraded from 1.5-dev21 to 1.5-dev25 and
Willy:
The idea is to take the original header, and preserve its contents
appending the additional information to it. For example, if we have
http-response append-header Set-Cookie ;a=b
Then if haproxy sees
Set-Cookie: foo=bar
It will forward out
Set-Cookie: foo=bar;a=b
instead.
Perhaps
Hi Sasha,
On Mon, May 19, 2014 at 05:14:48PM -0600, Sasha Pachev wrote:
Willy:
The idea is to take the original header, and preserve its contents
appending the additional information to it. For example, if we have
http-response append-header Set-Cookie ;a=b
Then if haproxy sees