unsubscribe

2016-03-25 Thread Jessie P
unsubscribe

unsubscribe

2016-03-25 Thread Zhongbao Nie
unsubscribe

unsubscrib

2016-03-25 Thread Zhongbao Nie
unsubscrib

[PATCH] BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present

2016-03-25 Thread Nenad Merdanovic
Olivier Doucet reported the issue on the ML and tested that when using more than TLS_TICKETS_NO keys in the file, the CPU usage is much higher than expected. Lukas Tribus then provided a test case which showed that resumption doesn't work at all in that case. This fix needs to be backported to

Re: Weird stick-tables / peers behaviour

2016-03-25 Thread Willy Tarreau
On Fri, Mar 25, 2016 at 01:53:50PM +0100, Willy Tarreau wrote: > I think it's even different (but could be wrong) since Christian spoke > about counters suddenly doubling. The issue you faced Sylvain which I > still have no idea how to fix unfortunately is that the peers applet > is not always

Re: TLS Tickets and CPU usage

2016-03-25 Thread Willy Tarreau
On Fri, Mar 25, 2016 at 03:43:31PM +0100, Nenad Merdanovic wrote: > Hello Willy, > > On 03/25/2016 03:29 PM, Nenad Merdanovic wrote: > [..snip..] > > Ah, just ignore this :) I've now realized what you meant. :-) > Sure, I'll > rewrite the patch like that. To me it doesn't make much difference

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
Hello Willy, On 03/25/2016 03:29 PM, Nenad Merdanovic wrote: [..snip..] Ah, just ignore this :) I've now realized what you meant. Sure, I'll rewrite the patch like that. To me it doesn't make much difference in readability and they do accomplish the same purpose, so we can do it as you prefer.

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
Hello Willy, On 03/25/2016 01:37 PM, Willy Tarreau wrote: > Hi Nenad, > > On Fri, Mar 25, 2016 at 11:35:01AM +0100, Nenad Merdanovic wrote: >> diff --git a/src/ssl_sock.c b/src/ssl_sock.c >> index 1017388..767d6e9 100644 >> --- a/src/ssl_sock.c >> +++ b/src/ssl_sock.c >> @@ -5406,7 +5406,7 @@

Re: TLS Tickets and CPU usage

2016-03-25 Thread Olivier Doucet
2016-03-25 11:35 GMT+01:00 Nenad Merdanovic : > Hey Olivier, > > Can you try the attached patch? I need to run some more tests, but I > think this should fix it. > A summary of all tests performed : WITHOUT PATCH: With 0 tickets in file : HAProxy refuses to start "

Re: servers multiple sources

2016-03-25 Thread Willy Tarreau
On Tue, Mar 22, 2016 at 11:16:04AM +0100, Beluc wrote: > well, it can become a real mess with a lot of servers and sources :) No because you just have to assign a source range to your loopback and use all this range for all your servers. James is right. There's no way you'll establish more than 64k

Re: Haproxy and FastCGI sockets

2016-03-25 Thread Willy Tarreau
Hello Stojan, On Thu, Mar 24, 2016 at 08:25:02PM +0100, Stojan Rančić wrote: > Hello, > > we're using Haproxy 1.5.5-1 to load balance traffic between frontends > running Lighttpd with mod_FastCGI and backends running a custom Perl app, > based on FastCGI. Traffic between front and backends

Re: SO_REUSEPORT and process load distribution

2016-03-25 Thread Willy Tarreau
Hi Conrad, On Thu, Mar 24, 2016 at 08:40:40AM +0100, Conrad Hoffmann wrote: > Hello, > > I know SO_REUSEPORT has been discussed here a few times and I am aware that > haproxy uses it to make restarts less disruptive, as a new instance can > bind() to the listen ports without the need to stop the

Re: Exchange 2013 / NTLM Connections

2016-03-25 Thread Willy Tarreau
On Thu, Mar 24, 2016 at 01:27:59PM +0100, Baptiste wrote: > Hi Graham, > > The http-keep-alive mode is recommended, with the "option > prefer-last-server" (which should be implicitly set by HAProxy in your > case). > Hopefully you're not using the http-reuse option. FWIW, http-reuse correctly

Re: Weird stick-tables / peers behaviour

2016-03-25 Thread Willy Tarreau
On Fri, Mar 25, 2016 at 09:28:32AM +0100, Sylvain Faivre wrote: > On 03/24/2016 04:07 PM, Christian Ruppert wrote: > >Hi all, > > > >I've just upgraded some hosts to 1.6.4 (from 1.5) and immediately got a > > > [...] > > > >and two for doing some "curl -Lvs http://127.0.0.1:8080" by hand. > >If

Re: Weird stick-tables / peers behaviour

2016-03-25 Thread Willy Tarreau
Hi Lukas, On Thu, Mar 24, 2016 at 04:20:34PM +0100, Lukas Tribus wrote: > > Hi all, > > > > I've just upgraded some hosts to 1.6.4 (from 1.5) and immediately got a > > bunch of SMS because we're using stick-tables to track the connections > > and monitor http_req_rate. The stick-tables data will

Re: src_get_gpc0 seems not to work after commit f71f6f6

2016-03-25 Thread Willy Tarreau
Hi, On Wed, Mar 23, 2016 at 04:40:24PM +0900, Sehoon Kim wrote: > Hi, > > As below, I use stick-table for temporary acl. > After commit f71f6f6, src_get_gpc0 seems not to work. > > So, I revert commit f71f6f6, and it works!! (...) > tcp-request connection accept if {

Re: TLS Tickets and CPU usage

2016-03-25 Thread Willy Tarreau
Hi Nenad, On Fri, Mar 25, 2016 at 11:35:01AM +0100, Nenad Merdanovic wrote: > diff --git a/src/ssl_sock.c b/src/ssl_sock.c > index 1017388..767d6e9 100644 > --- a/src/ssl_sock.c > +++ b/src/ssl_sock.c > @@ -5406,7 +5406,7 @@ static int bind_parse_tls_ticket_keys(char **args, int > cur_arg,

RE: TLS Tickets and CPU usage

2016-03-25 Thread Lukas Tribus
> Hey Olivier, > > Can you try the attached patch? I need to run some more tests, but I > think this should fix it. It definitely fixes the test case here. thanks, Lukas

RE: SSL Cipher stats

2016-03-25 Thread Stefan Johansson
Thanks for your suggestion, sorry for the late reply. I gave it some thought and we decided to simply just shut SSLv3 and RC4 off completely right away. We were going to use the stats to check how much traffic would be lost, but we managed to get browser statistics elsewhere, which pointed to

Re: servers multiple sources

2016-03-25 Thread Aleksandar Lazic
Hi. On 25-03-2016 11:05, Beluc wrote: Hi, @James Brown : sure ;) I configure a server to use source a.b.c.d:1-6 and I got "Connect() failed for backend abcd: no free ports." Maybe a problem with kernel I use ... or the range is not high enough

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
Hey Olivier, Can you try the attached patch? I need to run some more tests, but I think this should fix it. Regards, Nenad On 3/24/2016 10:05 PM, Olivier Doucet wrote: > Hi again, > > > 2016-03-24 21:15 GMT+01:00 Lukas Tribus >: > > Hi

Re: servers multiple sources

2016-03-25 Thread Beluc
Hi, @James Brown : sure ;) I configure a server to use source a.b.c.d:1-6 and I got "Connect() failed for backend abcd: no free ports." Maybe a problem with kernel I use ... Regards, 2016-03-22 18:45 GMT+01:00 James Brown : > Templating out (or

Re: Weird stick-tables / peers behaviour

2016-03-25 Thread Sylvain Faivre
On 03/24/2016 04:07 PM, Christian Ruppert wrote: Hi all, I've just upgraded some hosts to 1.6.4 (from 1.5) and immediately got a [...] and two for doing some "curl -Lvs http://127.0.0.1:8080" by hand. If you do some on the first and some on the second host you'll notice different values on

Re: using use_backend rules with map files

2016-03-25 Thread Thierry FOURNIER
Hi, When use_backend is chosen, the evaluation of other use_backend conditions stops. Your configuration just misses a test like this:
    acl test_path path,map_beg(/etc/haproxy/path2backends.map) -m bool true
    use_backend bk_%[path,map_beg(/etc/haproxy/path2backends.map)] if test_path