Re: haproxy 1.5.4 generating badreq 408's

2014-11-25 Thread Guillaume Castagnino
ct 10s >timeout client 1m >timeout server 1m >timeout check 10s > > frontend pbutik > [...] >timeout client 30 > [...] Look at this timeout ;) 30ms timeout is quite short don’t you think ? Regards -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

http-send-name-header buffer corruption (1.4.25)

2014-09-04 Thread Guillaume Castagnino
OK, then 3 corrupted, then 3 OK again, then 3 failed, etc… Thanks for your attention and the wonderful product ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: forward backend response instead of 502

2014-07-02 Thread Guillaume Castagnino
On Wednesday 02 July 2014 at 18:56:48, Willy Tarreau wrote: > Hi guys, > > On Wed, Jul 02, 2014 at 05:19:20PM +0200, Guillaume Castagnino wrote: > > On Wednesday 02 July 2014 at 16:53:06, Lukas Tribus wrote: > > > Hi Guillaume, > > > > > > > I made

Re: forward backend response instead of 502

2014-07-02 Thread Guillaume Castagnino
e conforming to the RFC). But I would like to get the 413 error page issued from the backend, not the 502 from haproxy. And I see no option in haproxy to forward the error page instead of the 413. Thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org early-answer-poc.pl Description: Perl program

Re: forward backend response instead of 502

2014-07-02 Thread Guillaume Castagnino
On Wednesday 02 July 2014 at 10:45:57, Guillaume Castagnino wrote: > Hi all, > > I’m currently facing an issue and I do not figure how to work around > it. > > - Some big picture: > I have a backend that receives file uploads. It checks the upload size > and if the max

forward backend response instead of 502

2014-07-02 Thread Guillaume Castagnino
around this. Thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: haproxy dev21 high cpu usage

2013-12-17 Thread Guillaume Castagnino
Indeed, I can confirm this behaviour when enabling server-side keepalive. -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: further tweaking SSL "score" on the SSL LABS test

2013-06-20 Thread Guillaume Castagnino
either improve on the score, or > keep the same score while improving the number of Cipher Suites. > > Cheers > > Arne -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: failing to redirect http to https using HAProxy 1.5dev15

2013-02-07 Thread Guillaume Castagnino
if ! secure > default_backend be_default > > backend be_default > balance roundrobin > option httpchk > cookie srv insert postonly indirect > server civ1 10.2.32.175:443 weight 1 maxconn 512 check cookie one > server civ2 10.2.32.176:443 weight 1 maxconn 512 check cookie two > > > Any help is much appreciated. > > Regards, > > Robbert -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: IPv6 bind

2012-11-24 Thread Guillaume Castagnino
set, that's the philosophy we've always followed. We add > options to force a desired behaviour and without any option, the > system sets defaults. > > However, I will be happy to update the patch to have "v4v6" keyword > > instead of "v6only". > > I did not know it was possible to revert the system behaviour, so yes > please feel free to send such a patch to let the user force > IPV6_V6ONLY to zero ! "v4v6" seems appropriate to me too. > > Thanks, > Willy -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

IPv6 bind

2012-11-23 Thread Guillaume Castagnino
or '*' (v4) and '::' (v6), keeping the wildcards, and stop having v4 mapped addresses instead of plain ipv4 in http logs. Thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: frontend configuration

2012-11-23 Thread Guillaume Castagnino
On Friday 23 November 2012 at 14:13:40, Baptiste wrote: > Hi Guillaume, > > In your ft configuration, just add the directive "option > socket-stats". Great, this is the option I missed, thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

frontend configuration

2012-11-23 Thread Guillaume Castagnino
I use several binds splitting '::' into explicit v4 and v6 binds, I do not get this. And I found nothing in the doc about this, but I'm probably searching the wrong keywords. So how do you configure haproxy to have those lines in the frontend ? Thanks ! -- Guillaume Ca

Re: ACL issue with current HEAD ?

2012-11-07 Thread Guillaume Castagnino
; > > > Could you add a option http-server-close in your frontend??? > > > > cheers > > > > On Wed, Nov 7, 2012 at 1:48 PM, Guillaume Castagnino wrote: > >> Hi, > >> > >> I just updated my haproxy to the current HEAD > >>

ACL issue with current HEAD ?

2012-11-07 Thread Guillaume Castagnino
! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org global log 127.0.0.1 local0 maxconn 2000 user haproxy group haproxy daemon stats socket /var/run/haproxy.sock level admin mode 600 stats timeout 1d #debug

Re: Protocol plugin

2012-10-08 Thread Guillaume Castagnino
cy may not be a factor at all. Have you played with the "tcp-request inspect-delay " option ? Unless I'm mistaken, I think it can help you, when doing tcp content inspection. Regards, -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: Protocol plugin

2012-10-06 Thread Guillaume Castagnino
extracting the SSL ID, you extract your client identifier, but this is more or less the same thing ! regards, -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

[PATCH] DOC: duplicate ssl_sni section

2012-09-13 Thread Guillaume Castagnino
--- doc/configuration.txt | 9 - 1 file changed, 9 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 7be3335..227b50f 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8085,15 +8085,6 @@ req_ssl_ver SSL data layer, so this will not work wit
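Review bot: the subject "DOC: duplicate ssl_sni section" states the problem but not the action taken; with a diffstat of 9 deletions and no insertions in doc/configuration.txt, "DOC: remove duplicate ssl_sni section" would describe the change. The hunk header @@ -8085,15 +8085,6 @@ places the removal right after the req_ssl_ver entry, so the commit message could also say which of the two ssl_sni copies is kept.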

[PATCH] Small doc fix

2012-09-13 Thread Guillaume Castagnino
I noticed that the ssl_sni section is duplicated in configuration. Here is the (very) small fix. Thanks ! Guillaume Castagnino (1): DOC: duplicate ssl_sni section doc/configuration.txt | 9 - 1 file changed, 9 deletions(-) -- 1.7.12

Re: HTTP redirect using domain extract from original request

2012-09-11 Thread Guillaume Castagnino
RI. I'm > > going to look into this. > > OK, finally here it is. Tested and works OK. Use it this way : > > redirect scheme https if !{ is_ssl } Hi, Wow that's wonderful !! I will test this asap. Thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: HTTP redirect using domain extract from original request

2012-09-10 Thread Guillaume Castagnino
o that means one acl + one redirect rule per vhost, as I fear. I think I will keep my nginx redirect for now, since I want to upgrade *all* virtualhosts, preferably without bothering to list all of them :) Ideally, I would like to keep haproxy "vhost agnostic". Thanks ! -- Guillaume C

HTTP redirect using domain extract from original request

2012-09-10 Thread Guillaume Castagnino
host, extracting the domain from the original request: redirect prefix https://$hdr_dom code 301 From the doc, I see nothing, but I may miss the good trick :) Thanks ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: [ANNOUNCE] haproxy 1.5-dev12

2012-09-10 Thread Guillaume Castagnino
On Monday 10 September 2012 at 15:52:23, Willy Tarreau wrote: > Hi Guillaume, > > On Mon, Sep 10, 2012 at 03:46:26PM +0200, Guillaume Castagnino wrote: > > Nice ! > > > > Just set up on my personal server with 2 wildcard certificates. It > > seems to work li

Re: [ANNOUNCE] haproxy 1.5-dev12

2012-09-10 Thread Guillaume Castagnino
:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH prefer-server-ciphers Thanks, great job ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: HAProxy with native SSL support !

2012-09-04 Thread Guillaume Castagnino
haproxy+ssl, this is 800 MB for only 10k > connections! And remember, this is still beta-quality code. Don't > blindly put this in production (even though I did it on 1wt.eu : > https://demo.1wt.eu/). You have been warned! > > Please use the links below : > site index : http://haproxy.1wt.eu/ > sources : http://haproxy.1wt.eu/download/1.5/src/snapshot/ > changelog : > http://haproxy.1wt.eu/download/1.5/src/snapshot/CHANGELOG Exceliance > : http://www.exceliance.fr/en/ > > Have a lot of fun and please report your success/failures, > Willy -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: haproxy and interaction with VRRP

2011-12-12 Thread Guillaume Castagnino
2. Use transparent mode. > 3. Patch haproxy to use IP_FREEBIND option. What about a 4: - Add net.ipv4.ip_nonlocal_bind=1 to your sysctl.conf settings. No need to patch anything -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: RE: x-forwarded-for and server side keep alive

2011-04-12 Thread Guillaume Castagnino
x-forwarded-for value across multiple requests. So we would need to send the header with every request. > > My first question is: does anybody see anything wrong with those > assumptions ? > > Then: is there a way to have x-forwarded-for added to each request without > giving up on server-side keep alive ? > > > Thanks, > Julien > > > -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: hanging in syn_sent

2010-09-07 Thread Guillaume Castagnino
cause the kernel silently drop/ignore some connections without any RST (usually when the client is behind a NAT) If your haproxy host uses this parameter, try disabling it ! -- Guillaume Castagnino ca...@xwing.info / guilla...@castagnino.org

Re: how to associate front and back ends?

2010-06-02 Thread Guillaume Castagnino
will match all connections that are not caught by previous "use_backend" rules defined in the current front section. -- Guillaume Castagnino g.castagn...@pepperway.fr Tel : +33148242089

Re: Potential problem/incompatibility between haproxy smtpchk and grsecurity blackhole feature ?

2010-03-12 Thread Guillaume Castagnino
tree which does not exhibit the issue, > so I'll contact Brad with that. Here is the last patch Brad provided me against the last grsec (if you want to check this one) : http://www.grsecurity.net/~spender/blackhole3.diff But despite this, I always get the same problem. Guillaume -- Guillaume Castagnino g.castagn...@pepperway.fr Tel : +33148242089

Re: Potential problem/incompatibility between haproxy smtpchk and grsecurity blackhole feature ?

2010-03-12 Thread Guillaume Castagnino
g.info :)) I can of course provide more information if you need. Thanks, Guillaume -- Guillaume Castagnino g.castagn...@pepperway.fr Tel : +33148242089

Potential problem/incompatibility between haproxy smtpchk and grsecurity blackhole feature ?

2010-03-12 Thread Guillaume Castagnino
your feedback, Guillaume -- Guillaume Castagnino g.castagn...@pepperway.fr Tel : +33148242089 global log 127.0.0.1 local0 log 127.0.0.1 local1 notice user haproxy group haproxy daemon defaults log global option httplog o