RE: req_ssl_ver ACL not working

2015-10-09 Thread Julien Vehent
On 2015-10-08 18:24, Lukas Tribus wrote: Are you sure your TLSv1.2 client is actually sending jve.linuxwall.info as SNI value? I suggest to remove the SNI if statement while testing the TLS ACL. Argh... I can't count the number of times forgetting -servername in openssl s_client got me looking

Re: req_ssl_ver ACL not working

2015-10-09 Thread Willy Tarreau
On Fri, Oct 09, 2015 at 12:24:11AM +0200, Lukas Tribus wrote: > > frontend https-in > > bind 0.0.0.0:443 > > mode tcp > > tcp-request inspect-delay 5s > > tcp-request content accept if { req_ssl_hello_type 1 } > > > > acl sni_jve req.ssl_sni -i jve.linuxwall.info > > acl tls12 req.payload(9,2) -m

Re: Minor SSL fixes

2015-10-09 Thread Christopher Faulet
On 09/10/2015 10:27, Willy Tarreau wrote: Hi Christopher, I applied the first two ones, but the last one seems to be doing a lot of stuff at the same time. It's not even clear to me whether it fixes something or improves something or does both, but the review is quite hard. Is it possible to

Re: Minor SSL fixes

2015-10-09 Thread Willy Tarreau
On Fri, Oct 09, 2015 at 11:59:00AM +0200, Christopher Faulet wrote: > On 09/10/2015 10:27, Willy Tarreau wrote: > >Hi Christopher, > > > >I applied the first two ones, but the last one seems to be doing > >a lot of stuff at the same time. It's not even clear to me whether > >it fixes something

Re: Minor SSL fixes

2015-10-09 Thread Willy Tarreau
Hi Christopher, I applied the first two ones, but the last one seems to be doing a lot of stuff at the same time. It's not even clear to me whether it fixes something or improves something or does both, but the review is quite hard. Is it possible to cut it into functional parts? In practice we

Re: HA-Proxy IP ranges for acl

2015-10-09 Thread Sébastien LECOMTE
Lukas, On 08/10/2015 23:47, Lukas Tribus wrote: > You really need to post the actual configuration, because we don't > have any idea what you are trying to do and how you configured it. > > But yes, 213.254.248.96/27 covers 32 IPs starting from 213.254.248.96 > until 213.254.248.127. Yes…

Re: [PATCH] MINOR: http: Add OPTIONS in supported http methods (found by, find_http_meth)

2015-10-09 Thread Willy Tarreau
On Thu, Oct 08, 2015 at 02:03:19PM +0200, Christopher Faulet wrote: > Hi, > > The 'OPTIONS' method was not in the list of supported HTTP methods and > find_http_meth returns HTTP_METH_OTHER instead of HTTP_METH_OPTIONS. Wow good catch, I feel ashamed of having missed it. It was already bogus in

Re: [PATCH] MINOR: lru: do not allocate useless memory in lru64_lookup

2015-10-09 Thread Willy Tarreau
Hi Christopher, On Thu, Oct 08, 2015 at 11:57:02AM +0200, Christopher Faulet wrote: > Hi, > > lru64_lookup function was added in a previous patch of mine. This one > just removes a useless memory allocation. Applied with the text above as the commit description. In the future, please keep in

Re: Haproxy dropping request

2015-10-09 Thread Willy Tarreau
Hi, On Fri, Oct 09, 2015 at 01:26:37PM +, Bosco Mutunga wrote: > Hi, > > I'm experiencing a strange issue whereby Haproxy completely hangs when it > receives a certain request, I have confirmed that the request is received > through the following tcpdump, but it does not appear in the

Re: HA-Proxy IP ranges for acl

2015-10-09 Thread Sébastien LECOMTE
On 09/10/2015 12:36, Jarno Huuskonen wrote: > Maybe req.hdr_ip would work better ? > (https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr_ip) OK. Thanks.

Re: HA-Proxy IP ranges for acl

2015-10-09 Thread Jarno Huuskonen
Hi, On Fri, Oct 09, Sébastien LECOMTE wrote: [...] > acl allowed_clients hdr_sub(X-Real-IP) 10.10.200.0/24 > 213.200.107.128/25 213.254.248.96/27 62.72.112.128/28 84.199.92.128/26 > 91.237.72.4 [...] > http-request allow if private_domain allowed_clients > http-request deny if

Re: Minor SSL fixes

2015-10-09 Thread Christopher Faulet
On 09/10/2015 12:19, Willy Tarreau wrote: On Fri, Oct 09, 2015 at 11:59:00AM +0200, Christopher Faulet wrote: On 09/10/2015 10:27, Willy Tarreau wrote: Hi Christopher, I applied the first two ones, but the last one seems to be doing a lot of stuff at the same time. It's not even clear

Re: Minor SSL fixes

2015-10-09 Thread Willy Tarreau
On Fri, Oct 09, 2015 at 01:46:50PM +0200, Christopher Faulet wrote: > ssl_ctx_lru_tree could be defined outside the ifdef, but it is only used > when SNI extension is available. So there is no reason to initialize it > if there is no SNI. > > Then, when SNI is available, the tree can be NULL if

RE: HA-Proxy IP ranges for acl

2015-10-09 Thread Lukas Tribus
> acl allowed_clients hdr_sub(X-Real-IP) 10.10.200.0/24 [...] This is a *string* comparison. You will have to use "req.hdr_ip" [1]: acl allowed_clients req.hdr_ip(X-Real-IP,-1) 10.10.200.0/24 [...] Regards, Lukas [1]

Re: HA-Proxy IP ranges for acl

2015-10-09 Thread Sébastien LECOMTE
On 09/10/2015 12:41, Lukas Tribus wrote: > This is a *string* comparison. You will have to use "req.hdr_ip" [1]: > > acl allowed_clients req.hdr_ip(X-Real-IP,-1) 10.10.200.0/24 [...] Oh damned. Thanks a lot… I'll try this right now.

Re: Haproxy dropping request

2015-10-09 Thread Bosco Mutunga
Those are not the actual credentials, any idea what might be wrong? > On 9 Oct 2015, at 16:40, Baptiste wrote: > > Wonderful, > > Please tell afbbank to change their password! > > Baptiste > > > On Fri, Oct 9, 2015 at 3:26 PM, Bosco Mutunga

Re: Haproxy dropping request

2015-10-09 Thread Baptiste
cool :) Ok, we need configuration and log lines relative to this POST. Baptiste On Fri, Oct 9, 2015 at 3:43 PM, Bosco Mutunga wrote: > Those are not the actual credentials, any idea what might be wrong? > >> On 9 Oct 2015, at 16:40, Baptiste wrote:

Haproxy dropping request

2015-10-09 Thread Bosco Mutunga
Hi, I’m experiencing a strange issue whereby Haproxy completely hangs when it receives a certain request, I have confirmed that the request is received through the following tcpdump, but it does not appear in the haproxy logs, neither is it forwarded. 09:24:05.853373 IP (tos 0x0, ttl 58, id

Re: Haproxy dropping request

2015-10-09 Thread Baptiste
Wonderful, Please tell afbbank to change their password! Baptiste On Fri, Oct 9, 2015 at 3:26 PM, Bosco Mutunga wrote: > Hi, > > I’m experiencing a strange issue whereby Haproxy completely hangs when it > receives a certain request, I have confirmed that the

Re: Haproxy dropping request

2015-10-09 Thread Bosco Mutunga
Nothing appears on the logs with respect to this request > On 9 Oct 2015, at 16:59, Baptiste wrote: > > cool :) > Ok, we need configuration and log lines relative to this POST. > > Baptiste > > On Fri, Oct 9, 2015 at 3:43 PM, Bosco Mutunga >
