Re: move fcgi from nginx to haproxy

Le 20/12/2019 à 15:53, Aleksandar Lazic a écrit : Hi. Luckly that haproxy 2.1 have now the feature of fcgi proto it's now time to move from nginx to haproxy for the loadbalancing part for me. There are several features from nginx conf which I would like to port to haproxy conf therefore I need

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

On Sat, Dec 21, 2019 at 01:19:30AM +0100, Lukas Tribus wrote: > You can merge the patch I posted today, as there is consensus for this > particular fix: > https://www.mail-archive.com/haproxy@formilux.org/msg35760.html > > It should be backported to 2.0 (or even 1.9 - I forgot to mention that >

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

Hello, > Guys, I must confess I'm completely lost in your discussions. I intend > to produce another round of 2.1 and 2.0 tomorrow as time permits, so if > you want me to get anything merged into it, please let me know. Lukas, > I'll count on you to summarize and suggest what's expected from me

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

Guys, I must confess I'm completely lost in your discussions. I intend to produce another round of 2.1 and 2.0 tomorrow as time permits, so if you want me to get anything merged into it, please let me know. Lukas, I'll count on you to summarize and suggest what's expected from me to do at this

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

сб, 21 дек. 2019 г. в 01:44, Rosen Penev : > On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин > wrote: > > > > > > > > пт, 20 дек. 2019 г. в 22:39, Lukas Tribus : > >> > >> Hello Ilya, > >> > >> > >> > >> sorry about the delay ... > >> > >> > >> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин > wrote:

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин wrote: > > > > пт, 20 дек. 2019 г. в 22:39, Lukas Tribus : >> >> Hello Ilya, >> >> >> >> sorry about the delay ... >> >> >> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: >> > >> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) >> > +#if

Re: [RFC PATCH] HTTPS connection reuse with SNI

Hi Julien - I'm not entirely sure I understand your comment. I think that you may be saying that the connection should never be flagged as private for SNI. That makes sense to me, and would be an easy alternative diff, but seems to run counter to Willy's intent in commit 387ebf84dd, as well as

[PATCH] isolating ssl lib with rpath instead of LD_LIBRARY_PATH

hello, initially modyfing LD_LIBRARY_PATH seemed to be good, but it turned out that other dynamically linked utilities also use ssl lib which is not wanted. using rpath in turn is more intelligent way of dynamic linking. Cheers, Ilya Shipitcin From e9f95cc6fd8b61ee1a4aef05adade30fa72e5cd7 Mon

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

пт, 20 дек. 2019 г. в 22:39, Lukas Tribus : > Hello Ilya, > > > > sorry about the delay ... > > > On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: > > > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) > > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || > defined(OPENSSL_NO_DEPRECATED) > >

Re: [RFC PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility

пт, 20 дек. 2019 г. в 22:47, Lukas Tribus : > SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled > with the no-deprecated option. Remove existing, incomplete guards and > add a compatibility macro in openssl-compat.h, just as OpenSSL does: > > >

RE: customize format of haproxy X-ForwardedFor ssl_c_s_dn during SSL termination

Hello, This is an update on the offchance that some diligent team member is spinning their wheels on this. Some team members of mine are modifying the haproxy ssl.c file to make the format of the ssl_c_s_dn variable configurable, and editing for simplicity to use standard openssl function

[RFC PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility

SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled with the no-deprecated option. Remove existing, incomplete guards and add a compatibility macro in openssl-compat.h, just as OpenSSL does:

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

Hello Ilya, sorry about the delay ... On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || > defined(OPENSSL_NO_DEPRECATED) > [...] > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER

[PATCH] MINOR: ssl: add "ca-no-names-file" directive

patch update,Le 19 déc. 2019 à 17:08, Emmanuel Hocdet a écrit :With this proposition, ca-root-file should be rename to something like ca-end-file.Refer to https://github.com/haproxy/haproxy/issues/404 discussion.Le 19 déc. 2019 à 13:10, Emmanuel Hocdet a écrit

Re: [PATCHv3] openssl-compat: Fix getm_ defines

On Fri, Dec 20, 2019 at 04:17:44PM +0100, Lukas Tribus wrote: > On Fri, 20 Dec 2019 at 16:00, Willy Tarreau wrote: > > taking it now. > > Note that 1.9 needs to access OPENSSL_VERSION_NUMBER instead of > HA_OPENSSL_VERSION_NUMBER. Argh good catch, I'll fix it then. I didn't notice any issue

Re: [PATCHv3] openssl-compat: Fix getm_ defines

On Fri, 20 Dec 2019 at 16:00, Willy Tarreau wrote: > taking it now. Note that 1.9 needs to access OPENSSL_VERSION_NUMBER instead of HA_OPENSSL_VERSION_NUMBER. lukas

Re: [PATCHv3] openssl-compat: Fix getm_ defines

On Fri, Dec 20, 2019 at 02:50:46PM +0100, Lukas Tribus wrote: > Should be backported to 1.9. Thank you guys, I've been following remotely, cowardly waiting for this to settle :) taking it now. Thanks! Willy

move fcgi from nginx to haproxy

Hi. Luckly that haproxy 2.1 have now the feature of fcgi proto it's now time to move from nginx to haproxy for the loadbalancing part for me. There are several features from nginx conf which I would like to port to haproxy conf therefore I need some help ;-) nginx offers a quite good

Re: stick-tables and ip / ipv6 / (ipv4)

Hi Björn. On 20.12.19 14:53, Björn Jacke wrote: Hi, currently if you use stick-tables and you follow most of the examples and tutorials out there, you use it with "stick-table type ip ...". I guess that many people (like me in the beginning) don't realize that ip is IPv4 only and you have

stick-tables and ip / ipv6 / (ipv4)

Hi, currently if you use stick-tables and you follow most of the examples and tutorials out there, you use it with "stick-table type ip ...". I guess that many people (like me in the beginning) don't realize that ip is IPv4 only and you have to use type ipv6 to have support for IPv4 *and*

Re: [PATCHv3] openssl-compat: Fix getm_ defines

On Thu, 19 Dec 2019 at 21:54, Rosen Penev wrote: > > LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition > always true. Check for the define before checking it. > > Signed-off-by: Rosen Penev > --- > v3: Added BoringSSL support > v2: Switched to HA_OPENSSL_VERSION_NUMBER