Re: [PATCH] DOC: fix successful typo

2019-05-17 Thread Willy Tarreau
applied, thanks Bertrand. Willy

Re: Host header and sni extension differ

2019-05-17 Thread Willy Tarreau
On Fri, May 17, 2019 at 09:23:59PM +0200, Tim Düsterhus wrote: > Willy: I wonder if that's something HAProxy itself should detect: When a > client certificate is provided for a connection and the Host header does > not match the SNI then a 421 is sent automatically (that behaviour of > course bein

Re: [PATCH] MINOR: sample: add ssl_sni_check converter

2019-05-17 Thread Willy Tarreau
Hi guys, On Fri, May 17, 2019 at 09:58:17PM +0200, bjun...@gmail.com wrote: > On Fri., 17 May 2019 at 21:15, Tim Düsterhus wrote: > > > > Willy, > > > > On 23.12.18 at 21:20, Moemen MHEDHBI wrote: > > > Hi, > > > > > > The attached patch adds the ssl_sni_check converter which returns true >

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Lukas Tribus
On Fri, 17 May 2019 at 21:44, Aleksandar Lazic wrote: > > Here you need to use req.ssl_sni as you don't terminate SSL in that > > frontend, and need to look at SNI to be able to route it > > appropriately. That's the use-case for SNI and is fine (unless you > > have overlapping certificates).

Re: [PATCH] MINOR: sample: add ssl_sni_check converter

2019-05-17 Thread bjun...@gmail.com
On Fri., 17 May 2019 at 21:15, Tim Düsterhus wrote: > > Willy, > > On 23.12.18 at 21:20, Moemen MHEDHBI wrote: > > Hi, > > > > The attached patch adds the ssl_sni_check converter which returns true > > if the sample input string matches a loaded certificate's CN/SAN. > > > > This can be usef

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Aleksandar Lazic
Hi. Fri May 17 21:31:41 GMT+02:00 2019 Lukas Tribus : > Hello, > > > On Fri, 17 May 2019 at 21:10, Aleksandar Lazic wrote: > > > Ok, that's correct, except for the use of ssl_fc_has_sni, which I'd > > > advise to not use. > > > Instead, when you terminate SSL, just use the Host header fo

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Lukas Tribus
Hello, On Fri, 17 May 2019 at 21:10, Aleksandar Lazic wrote: > > Ok, that's correct, except for the use of ssl_fc_has_sni, which I'd > > advise to not use. > > Instead, when you terminate SSL, just use the Host header for any HTTP > > routing decisions. ssl_fc_sni is almost always misused, you c

Re: Host header and sni extension differ

2019-05-17 Thread Tim Düsterhus
Joao, Willy, On 17.05.19 at 12:14, Joao Morais wrote: >> Absolutely, I've already read about this though I don't know the >> implementation details. Similar concepts have been discussed quite >> a bit on the HTTP WG, though I don't understand the details of each >> variation. The main thing is th

Re: [ANNOUNCE] haproxy-2.0-dev3

2019-05-17 Thread Tim Düsterhus
Aleks, On 17.05.19 at 10:34, Aleksandar Lazic wrote: > I don't see a difference from concept point of view if there is an autobuild > from > docker hub or an open repository which pushes the image after the build. There is: For the autobuild I can know *for sure* that the contents match the label

Re: [PATCH] MINOR: sample: add ssl_sni_check converter

2019-05-17 Thread Tim Düsterhus
Willy, On 23.12.18 at 21:20, Moemen MHEDHBI wrote: > Hi, > > The attached patch adds the ssl_sni_check converter which returns true > if the sample input string matches a loaded certificate's CN/SAN. > > This can be useful to check for example if a host header matches a > loaded certificate CN/

Re: Host header and sni extension differ

2019-05-17 Thread Tim Düsterhus
Willy, On 17.05.19 at 09:04, Willy Tarreau wrote: > Now I understand better how you want to use your strcmp() converter :-) > In fact I already explained that in my initial patch: https://www.mail-archive.com/haproxy@formilux.org/msg29786.html But I found something interesting while searching

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Aleksandar Lazic
On 17.05.2019 at 20:51, Lukas Tribus wrote: > Hello, > > > On Fri, 17 May 2019 at 16:42, Aleksandar Lazic wrote: >> After some reading and testing I have created that config file. >> >> https://gist.github.com/git001/73d1b7bcc3813ba40028c887e4f3e7f6 >> >> From my understanding is the workflow l

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Lukas Tribus
Hello, On Fri, 17 May 2019 at 16:42, Aleksandar Lazic wrote: > After some reading and testing I have created that config file. > > https://gist.github.com/git001/73d1b7bcc3813ba40028c887e4f3e7f6 > > From my understanding the workflow is like this, is this right? > > ``` > client -> tcp listener

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Aleksandar Lazic
Hi. Looks like my last mail was not passed to the list. On 16.05.2019 at 22:27, Lukas Tribus wrote: > Hello! > > > On Thu, 16 May 2019 at 18:37, Aleksandar Lazic wrote: >> >> Hi. >> >> I use the following lines: >> >> use_backend xmppc2s-backend if { req.ssl_sni -i domain.im } >> use_b

Re: Host header and sni extension differ

2019-05-17 Thread Joao Morais
Hi Willy, > On 17 May 2019, at 04:03, Willy Tarreau wrote: > > Hi Jarno, > > On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote: >> Do the myapp.io and anotherapp.com share same certificate (ie. >> certificate has both myapp.io and anotherapp.com SAN) ? >> >> AFAIK br

Re: Host header and sni extension differ

2019-05-17 Thread Joao Morais
Hey guys, > On 16 May 2019, at 15:05, Tim Düsterhus wrote: > > On 16.05.19 at 17:49, Jarno Huuskonen wrote: >> Do the myapp.io and anotherapp.com share same certificate (ie. >> certificate has both myapp.io and anotherapp.com SAN) ? >> >> AFAIK browser can reuse the same tls conne

Re: [ANNOUNCE] haproxy-2.0-dev3

2019-05-17 Thread Илья Шипицин
Fri, 17 May 2019 at 13:39, Aleksandar Lazic : > On 16.05.2019 at 10:00, Илья Шипицин wrote: > > > > Thu, 16 May 2019 at 02:02, Aleksandar Lazic > >: > > > > On 15.05.2019 at 18:52, Willy Tarreau wrote: > > > Hi, > > > > > [snipp] > > > > I'd like to

Re: ssl_fc_sni vs req.ssl_sni

2019-05-17 Thread Aleksandar Lazic
On 16.05.2019 at 20:30, Tim Düsterhus wrote: > Aleks, > > On 16.05.19 at 18:36, Aleksandar Lazic wrote: >> I will only accept requests which have sni and only when they are client >> requests. > > Consider using strict-sni then: > https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5

Re: [ANNOUNCE] haproxy-2.0-dev3

2019-05-17 Thread Aleksandar Lazic
On 16.05.2019 at 10:00, Илья Шипицин wrote: > > Thu, 16 May 2019 at 02:02, Aleksandar Lazic >: > > On 15.05.2019 at 18:52, Willy Tarreau wrote: > > Hi, > > [snipp] > > I'd like to emit a new -dev release next week with the rest of the > pending >

Re: [ANNOUNCE] haproxy-2.0-dev3

2019-05-17 Thread Aleksandar Lazic
Tim, On 16.05.2019 at 20:19, Tim Düsterhus wrote: > Aleks, > > On 16.05.19 at 01:04, Aleksandar Lazic wrote: >>> As an avid Docker user: I tend to absolutely avoid any Docker images that >>> are not built using Docker Hub's autobuilder, because I cannot verify >>> the Dockerfile myself (or canno

Re: significantly different address sanitizer findings for "x86_64" and "ppc64le"

2019-05-17 Thread Илья Шипицин
Fri, 17 May 2019 at 11:57, Willy Tarreau : > Hi Ilya, > > On Thu, May 16, 2019 at 02:04:06PM +0500, ??? wrote: > > Hello, > > > > I'm going to enable address sanitizer in travis-ci. > > > > x86_64: (known leak) > > https://travis-ci.org/chipitsine/haproxy-1/jobs/533196875 > > > > ppc64le

Re: Host header and sni extension differ

2019-05-17 Thread Willy Tarreau
On Thu, May 16, 2019 at 08:05:33PM +0200, Tim Düsterhus wrote: > With HAProxy 1.9 you should be able to use the strcmp converter I > contributed like this: > > http-request set-var(txn.host) hdr(host) > # Check whether the client is attempting domain fronting. > acl ssl_sni_http_host_m

Re: Host header and sni extension differ

2019-05-17 Thread Willy Tarreau
Hi Jarno, On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote: > Do the myapp.io and anotherapp.com share same certificate (ie. > certificate has both myapp.io and anotherapp.com SAN) ? > > AFAIK browser can reuse the same tls connection if the certificate > covers both names. Absolu