Re: Trouble with ECC/RSA shared IP/port SSL setup and using unix sockets (localhost method works)

2017-01-05 Thread Vitaly Pecharsky
Nenad That makes total sense - and solved the issue with sockets like a charm. Thanks for the tip on combining the certs, that makes configuration even simpler - that's the approach I am going with for production setup. No more multi-chained backends, yay! On Thu, Jan 5, 2017 at 7:06 PM,

Re: Trouble with ECC/RSA shared IP/port SSL setup and using unix sockets (localhost method works)

2017-01-05 Thread Nenad Merdanovic
Hello, On 1/6/2017 1:55 AM, Vitaly Pecharsky wrote: > haproxy -vv > HA-Proxy version 1.7.1 2016/12/13 > Copyright 2000-2016 Willy Tarreau As you are running 1.7 and OpenSSL 1.1.0, you don't need to do this any more. HAProxy can now natively support ECC/RSA/DSA based on client

Re: ALERT:sendmsg logger #1 failed: Resource temporarily unavailable (errno=11)

2017-01-05 Thread Igor Cicimov
On Fri, Jan 6, 2017 at 1:38 PM, Igor Cicimov wrote: > > > On Fri, Jan 6, 2017 at 12:20 AM, Patrick Hemmer > wrote: > >> >> >> On 2017/1/5 02:15, Igor Cicimov wrote: >> >> Hi all, >> >> On one of my haproxy's I get the following message

Re: ALERT:sendmsg logger #1 failed: Resource temporarily unavailable (errno=11)

2017-01-05 Thread Igor Cicimov
On Fri, Jan 6, 2017 at 12:20 AM, Patrick Hemmer wrote: > > > On 2017/1/5 02:15, Igor Cicimov wrote: > > Hi all, > > On one of my haproxy's I get the following message on reload: > > >[ALERT] > 004/070949

Trouble with ECC/RSA shared IP/port SSL setup and using unix sockets (localhost method works)

2017-01-05 Thread Vitaly Pecharsky
Hello We have been trying to test a shared IP/port ECC/RSA SSL implementation that is available in HAProxy, and largely followed this basic setup guide http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ and adapted it to our setup. It works fine using a

Re: ALERT:sendmsg logger #1 failed: Resource temporarily unavailable (errno=11)

2017-01-05 Thread Igor Cicimov
On Fri, Jan 6, 2017 at 12:37 AM, Jeff Palmer wrote: > Also, it'd be great if in the future you don't put an error message as > the subject. Especially one that starts with ALERT in all caps. > > I'm sure I'm not the only person who just spent a moment looking over > my

Re: SOLVED! (Was: 400 error on cookie string)

2017-01-05 Thread Willy Tarreau
On Thu, Jan 05, 2017 at 10:24:30PM +0300, Aleksey Gordeev wrote: > Hi, I'm "cas". My Name is Aleksey Gordeev. I was using my company email. > Please set me as a reporter. Perfect, thanks for clearing this up. You did a great job and I'm often embarrassed not to name good reporters (and many want

Re: SOLVED! (Was: 400 error on cookie string)

2017-01-05 Thread ge...@riseup.net
Hi Willy, all, On 17-01-05 20:17:56, Willy Tarreau wrote: > "cas", if you want to be credited as a reporter of the issue, you > need to raise your hand very quickly now, because once the patch is > merged it will be too late. His name is Aleksey Gordeev, see 9060941483541...@web3g.yandex.ru,

Re: SOLVED! (Was: 400 error on cookie string)

2017-01-05 Thread Aleksey Gordeev
Hi, I'm "cas". My Name is Aleksey Gordeev. I was using my company email. Please set me as a reporter. 2017-01-05 22:17 GMT+03:00 Willy Tarreau : > Small update on this, Axel Reinhold faced an apparently different > issue on an SVN server until we noticed the requests were sent in >

Re: SOLVED! (Was: 400 error on cookie string)

2017-01-05 Thread Willy Tarreau
Small update on this, Axel Reinhold faced an apparently different issue on an SVN server until we noticed the requests were sent in small chunks cut before the CRLF and experiencing the same problem. He could confirm the patch fixes the problem for him as well, so I'm going to merge the patch now.

SSL acl

2017-01-05 Thread Steven De Roover
Dear, I have a router running OpenWRT, which has haproxy 1.5.14-13 running. My main goal for using haproxy is having a reverse proxy to handle all my (sub)domains. Now, I also wanted to start using SSL certificates. However, I cannot seem to configure ACLs to let decide which server to use. The

Re: http reuse and proxy protocol

2017-01-05 Thread Arnall
Le 03/01/2017 à 18:18, Lukas Tribus a écrit : Hi Arnall, Am 03.01.2017 um 16:15 schrieb Arnall: Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between https and http frontend with proxy protocol forwarding xxx.xxx.xxx.xxx

Re: TLS-PSK support for haproxy?

2017-01-05 Thread Emeric Brun
On 01/05/2017 04:22 AM, Nenad Merdanovic wrote: > I have a working patch for this, but it's very ugly currently (minimal > error checking, no warnings/messages, no docs, very basic tests done > only, etc.) > > I expect to have a version for review by EOW (depending on the workload, > maybe a bit

Re: ALERT:sendmsg logger #1 failed: Resource temporarily unavailable (errno=11)

2017-01-05 Thread Jeff Palmer
Also, it'd be great if in the future you don't put an error message as the subject. Especially one that starts with ALERT in all caps. I'm sure I'm not the only person who just spent a moment looking over my monitoring dashboards to figure out what part of my network was in alarm. On Thu, Jan

Re: ALERT:sendmsg logger #1 failed: Resource temporarily unavailable (errno=11)

2017-01-05 Thread Patrick Hemmer
On 2017/1/5 02:15, Igor Cicimov wrote: > Hi all, > > On one of my haproxy's I get the following message on reload: > > >

Re: 400 error on cookie string

2017-01-05 Thread cas
Get one strange error that I have never seen before. Total events captured on [05/Jan/2017:09:13:56.054] : 12 [05/Jan/2017:09:09:06.594] frontend http-in (#3): invalid request backend (#-1), server (#-1), event #11 src 70.192.67.217:3224, session #243701, session flags 0x0080 HTTP msg