500's with IH--- termination_state on haproxy 2.4.16

2022-05-03 Thread James Brown
or anything). Any thoughts on what might've changed in 2.4.16 to cause this? Is there any way to ask haproxy to log something specifically when it hits whatever internal error causes an I state? I'm going to roll back to 2.4.15 for now. James Brown

Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev

2021-08-18 Thread James Brown
", ":scheme", and
> ":path" issues if the servers are known *not* to be vulnerable to the
> issue described in the ":method" attack above. This probably is the
> easiest solution when using trusted mainstream backend servers such as
> Apache, NGINX or Varnish, especially since very few configurations make
> use of H2 to communicate with servers.
>
> - placing the two following rules at the beginning of every HTTP frontend:
>
>       http-request reject if { method -m reg [^A-Z0-9] }
>       http-request set-uri %[url]
>
> - in version 2.0, disabling HTX processing will force the request to be
>   reprocessed by the internal HTTP/1 parser (but this is not compatible
>   with H2 servers nor FastCGI servers):
>
>       no option http-use-htx
>
> - commenting out "alpn h2" advertisement on all "bind" lines in frontends,
>   and disabling H2 processing entirely by placing the following line in
>   the global section:
>
>       tune.h2.max-concurrent-streams 0
>
> - in versions 2.2 and above it is possible to refine filtering per frontend
>   by disabling "alpn h2" per bind line and by disabling HTTP/1 to HTTP/2
>   upgrade by placing this option in the respective frontends:
>
>       option disable-h2-upgrade
>
>
> Many thanks to Tim for helping getting these issues resolved!
> Willy
>
-- James Brown Engineer

Re: http-response set-header and redirect

2021-06-11 Thread James Brown
Thanks! On Fri, Jun 11, 2021 at 11:36 AM Tim Düsterhus wrote: > James, > > On 6/11/21 8:28 PM, James Brown wrote: > > Is there any reason (performance or otherwise) to use http-response > instead > > of just turning everything into http-after-response? > > Th

Re: http-response set-header and redirect

2021-06-11 Thread James Brown
Is there any reason (performance or otherwise) to use http-response instead of just turning everything into http-after-response? On Fri, Jun 11, 2021 at 11:07 AM Tim Düsterhus wrote: > James, > > On 6/11/21 8:03 PM, James Brown wrote: > > Is there any way to set a HTTP heade

http-response set-header and redirect

2021-06-11 Thread James Brown
-header Foo Bar bind localhost: redirect prefix https://www.example.com It appears that the Foo header is not set when the redirect is emitted. Is there any way to configure HAproxy to process `http-response` statements on a redirect? -- James Brown Engineer

Re: lua function core.get_info() broken in haproxy 2.2.7

2021-01-29 Thread James Brown
Ah, never mind, I see that this was already fixed in master in 3ddec3ee7d344112b4e4fbde317f8886a20d66a0. On Fri, Jan 29, 2021 at 6:01 PM James Brown wrote: > As of haproxy 2.2.7, the core.get_info() lua function no longer works. > Calling it raises a runtime error of the following: >

lua function core.get_info() broken in haproxy 2.2.7

2021-01-29 Thread James Brown
timeout connect 1s

frontend test_fe
    mode http
    bind localhost:
    default_backend test_be

backend test_be
    mode http
    server localhost 127.0.0.1:9998

-- James Brown Engineer

stick table conn_cur broken with peer synchronization

2020-12-22 Thread James Brown
intuition is that this is probably a bug with peer synchronization because it only seems to happen when the "peers lb" line is at the end of the block. -- James Brown Engineer

Re: do we want to keep CentOS 6 builds?

2020-11-16 Thread James Brown
>> one... and there will likely be some that don't make the Nov 30th deadline >>> to retire all Centos 6 servers. >>> >>> >>> On Sun, Nov 15, 2020 at 11:15 AM Илья Шипицин >>> wrote: >>> >>>> Hello, >>>> >>>> we still run cirrus-ci builds. >>>> CentOS 6 is EOL. >>>> >>>> should we drop it? >>>> >>>> Ilya >>>> >>> >> >> -- >> James Brown >> Engineer >> > -- James Brown Engineer

Re: do we want to keep CentOS 6 builds?

2020-11-16 Thread James Brown
15 AM Илья Шипицин > wrote: > >> Hello, >> >> we still run cirrus-ci builds. >> CentOS 6 is EOL. >> >> should we drop it? >> >> Ilya >> > -- James Brown Engineer

Re: HTTP method ACLs broken in HAProxy 2.2.3

2020-09-18 Thread James Brown
Thanks Christopher, I'll give it a shot today. On Fri, Sep 18, 2020 at 6:39 AM Christopher Faulet wrote: > On 18/09/2020 at 10:47, Christopher Faulet wrote: > > On 18/09/2020 at 01:33, James Brown wrote: > >> git bisect says that this regression was cau

Re: HTTP method ACLs broken in HAProxy 2.2.3

2020-09-17 Thread James Brown
ing called in v2.2.2). Did something break in how custom matchers are called? On Thu, Sep 17, 2020 at 3:48 PM James Brown wrote: > One of our configurations includes the following snippet: > > acl allowed_method method HEAD GET POST PUT PATCH DELETE OPTIONS > http-request deny if !allowed

HTTP method ACLs broken in HAProxy 2.2.3

2020-09-17 Thread James Brown
2.2.3, this blocks PATCH requests. It seems to *only* be broken for PATCH requests. The word "PATCH" does not occur in the diff between 2.2.2 and 2.2.3, which is concerning. -- James Brown Engineer

missing date() fetcher in lua api in haproxy 2.2

2020-07-28 Thread James Brown
now a 403. I believe the correct URL is https://www.arpalert.org/src/haproxy-lua-api/2.2dev/index.html. -- James Brown Engineer

Plaintext HTTP/2 and HTTP/1.1 in the same proxy with HAproxy 2.2

2020-07-15 Thread James Brown
o' keyword)
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
              h2 : mode=HTTP       side=FE|BE     mux=H2
       <default> : mode=TCP        side=FE|BE     mux=PASS

Available services : none

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace
        [CACHE] cache
        [FCGI] fcgi-app

-- James Brown Engineer

Re: haproxy 2.0.14 failing to bind peer sockets

2020-04-06 Thread James Brown
wrote: > On Mon, Apr 06, 2020 at 01:50:56PM -0700, James Brown wrote: > > I actually messed up testing last week; reverting Tim's commit appears to > > fix it. > > OK that's very useful, thanks! However you didn't respond to my other > question: > > > > > James,

Re: haproxy 2.0.14 failing to bind peer sockets

2020-04-06 Thread James Brown
I actually messed up testing last week; reverting Tim's commit appears to fix it. On Fri, Apr 3, 2020 at 5:41 AM Willy Tarreau wrote: > On Fri, Apr 03, 2020 at 02:27:05PM +0200, Willy Tarreau wrote: > > On Thu, Apr 02, 2020 at 12:32:32PM -0700, James Brown wrote: > > > I re

Re: haproxy 2.0.14 failing to bind peer sockets

2020-04-02 Thread James Brown
wrote: > James, > > On 02.04.20 at 19:53, James Brown wrote: > > I'm upgrading one of our test clusters from 2.0.13 to 2.0.14 and our > > regular graceful-restart process is failing with: > > > > [ALERT] 092/174647 (114374) : [/usr/sbin/haproxy.main()] S

haproxy 2.0.14 failing to bind peer sockets

2020-04-02 Thread James Brown
/usr/sbin/haproxy -f /path/to/haproxy.config -p /home/srvelb/run/haproxy.pid -sf 70409 -x /path/to/admin/mode/socket and also hasn't changed since the addition of domain-socket FD passing in 1.8. I notice a bunch of peer-related commits got pulled into 2.0.14... Anyone else seen this? -- James

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-31 Thread James Brown
24, 2020 at 08:28:33AM +0100, Christopher Faulet wrote: > > > > On 23/01/2020 at 19:59, James Brown wrote: > > > > > I spent a couple of minutes and made the attached (pretty bad) > patch to > > > > > add a del-header-by-prefix. > > > >

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
> > ==19765== main thread stack using the --main-stacksize= flag.
> > ==19765== The main thread stack size used in this run was 8388608.
> > ==19765==
> > ==19765== HEAP SUMMARY:
> > ==19765==     in use at exit: 2,005,950 bytes in 224 blocks
> > ==19765==   total heap usage: 269 allocs, 45 frees, 2,115,657 bytes allocated
> > ==19765==
> > ==19765== LEAK SUMMARY:
> > ==19765==    definitely lost: 0 bytes in 0 blocks
> > ==19765==    indirectly lost: 0 bytes in 0 blocks
> > ==19765==      possibly lost: 864 bytes in 3 blocks
> > ==19765==    still reachable: 2,005,086 bytes in 221 blocks
> > ==19765==         suppressed: 0 bytes in 0 blocks
> > ==19765== Rerun with --leak-check=full to see details of leaked memory
> > ==19765==
> > ==19765== For counts of detected and suppressed errors, rerun with: -v
> > ==19765== Use --track-origins=yes to see where uninitialised values come from
> > ==19765== ERROR SUMMARY: 5 errors from 3 contexts (suppressed: 0 from 0)
> > fish: “valgrind ./haproxy -d -f ./cras…” terminated by signal SIGKILL (Forced quit)
>
> Best regards
> Tim Düsterhus
>
-- James Brown Engineer

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
Glad to do any other debugging you'd like. Just running `make TARGET=linux-glibc USE_NS=` or `make TARGET=osx`; nothing fancy. On Thu, Jan 23, 2020 at 12:00 PM Willy Tarreau wrote: > On Thu, Jan 23, 2020 at 11:54:17AM -0800, James Brown wrote: > > Whe

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
oop (data=) at src/haproxy.c:2630
#4 run_thread_poll_loop (data=) at src/haproxy.c:2783
#5 0x004bdba5 in main (argc=, argv=) at src/haproxy.c:3483

Segfault is on the same line on OS X and Linux. On Thu, Jan 23, 2020 at 11:49 AM Willy Tarreau wrote: > On Thu, Jan 23, 2020 at 11:05:57

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
Update: I rebased back to the last non-segfaulting commit and this patch's functionality appears to work in very limited testing. On Thu, Jan 23, 2020 at 10:59 AM James Brown wrote: > I spent a couple of minutes and made the attached (pretty bad) patch to > add a del-header-by-

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
else suits your fancy. On Thu, Jan 23, 2020 at 9:26 AM James Brown wrote: > Yes, they’re all identified by a prefix. > > On Thu, Jan 23, 2020 at 02:03 Willy Tarreau wrote: > >> Hi James, >> >> On Wed, Jan 22, 2020 at 04:19:41PM -0800, James Brown wrote: >>

Re: Recommendations for deleting headers by regexp in 2.x?

2020-01-23 Thread James Brown
Yes, they’re all identified by a prefix. On Thu, Jan 23, 2020 at 02:03 Willy Tarreau wrote: > Hi James, > > On Wed, Jan 22, 2020 at 04:19:41PM -0800, James Brown wrote: > > We're upgrading from 1.8 to 2.x and one of the things I've noticed is > that > > reqidel and rs

Recommendations for deleting headers by regexp in 2.x?

2020-01-22 Thread James Brown
load balancer. That is harder to do if we can't delete all headers matching a certain regex... -- James Brown Engineer

Re: HTTP/2 header issue: "Accept-Ranges" -> "Accept-Language"

2018-11-19 Thread James Brown
> solution, but I assume this will be a quick fix for Willy. > > > > Gloups! I'm quite ashamed, totally ashamed, almost red. I'll take a > > look at this tomorrow. Thanks for the report! > > I've just pushed the fix. I'm attaching the backported version for your > convenience (as it will not apply as-is to 1.8). > > Thanks! > Willy > -- James Brown Engineer

HTTP/2 header issue: "Accept-Ranges" -> "Accept-Language"

2018-11-19 Thread James Brown
:]+:' | sed -e 's/< //' | tr '[:upper:]' '[:lower:]')
14c14
< accept-ranges:
---
> accept-language:

The backend in this case is HTTP/1.1; HAproxy is doing the 1.1 -> 2 conversion itself. This is with HAproxy 1.8.14. I have not tested with HAproxy 1.9. Any thoughts?
-- James Brown Systems Engineer

Re: 'stick': unknown fetch method 'res.cook_beg'

2018-10-31 Thread James Brown
Available filters : > > [SPOE] spoe > > [COMP] compression > > [TRACE] trace > > -- > > Information in this e-mail may be confidential. It is intended only for > the addressee(s) identified above. If you are not the addressee(s), or an > employee or agent of the addressee(s), please note that any dissemination, > distribution, or copying of this communication is strictly prohibited. If > you have received this e-mail in error, please notify the sender of the > error. > -- James Brown Engineer

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-26 Thread James Brown
: > On 24.10.2018 at 09:18, Igor Cicimov wrote: > > > > > > On Wed, 24 Oct 2018 5:06 pm Aleksandar Lazic > <mailto:al-hapr...@none.at>> wrote: > > > > Hi. > > > > On 24.10.2018 at 03:02, Igor Cicimov wrote: > > >

Re: Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-23 Thread James Brown
:23 PM Aleksandar Lazic wrote: > Hi. > > SPDY is not HTTP/2 . > > Please can you share the config and the haproxy version. > > Best regards > Aleks > > ------ > *From:* James Brown > *Sent:* 24 October 2018 00:13:37 CEST > *

Lots of PR state failed connections with HTTP/2 on HAProxy 1.8.14

2018-10-23 Thread James Brown
eep-alive 5m tcp-request inspect-delay 4s option http-server-close Additionally, we set maxconn to a very high value (20480). Backends generally have timeout server set to a largeish value (90-300 seconds, depending on the backend). Anything jump out at anyone? -- James Brown System

Re: Possibility to modify PROXY protocol header

2018-07-31 Thread James Brown
ic > IP ranges or IP addresses. > > > Best Regards / Mit freundlichen Grüßen > > Bjoern > -- James Brown Engineer

Reloading maps?

2017-05-11 Thread James Brown
fragile... -- James Brown Engineer

Re: action on server state change

2017-05-05 Thread James Brown
es. Then its > much easier to see frequent state changes. > > Thanks for your thoughts > > -- James Brown Engineer

Re: Bug: send-proxy-v2 sends PROXY protocol on agent checks

2017-05-05 Thread James Brown
I had to move it down a couple of lines because I'm on 1.7.5 not master but it seems to work fine. Thanks for the quick response as always, Willy. On Wed, May 3, 2017 at 10:23 PM, Willy Tarreau <w...@1wt.eu> wrote: > On Wed, May 03, 2017 at 08:21:12PM -0700, James Brown wrote: > >

Bug: send-proxy-v2 sends PROXY protocol on agent checks

2017-05-03 Thread James Brown
If the send-proxy-v2 flag is set on a server, the PROXY (v2) is emitted on agent checks. If send-proxy is set on a server, no PROXY protocol is emitted on agent checks. I rather think that the correct behavior is not to send the PROXY protocol on agent checks... -- James Brown Engineer

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread James Brown
proxy to die when the > last client leaves. > > > Regards > > Andrew Smalley > > Loadbalancer.org Ltd. > > > > On 12 April 2017 at 19:32, James Brown <jbr...@easypost.com> wrote: > >> This just hit us again on a different set of load balancers... if

Re: haproxy deleting domain socket on graceful reload if backlog overflows

2017-04-12 Thread James Brown
This just hit us again on a different set of load balancers... if there's a listen socket overflow on a domain socket during graceful, haproxy completely deletes the domain socket and becomes inaccessible. On Tue, Feb 21, 2017 at 6:47 PM, James Brown <jbr...@easypost.com> wrote: > U

Re: Feature request: routing a TCP stream based on Cipher Suites in a TLS ClientHello

2017-02-22 Thread James Brown
Unfortunately, that feature only works with OpenSSL 1.0.2 (which, incidentally, would be a good thing to note in the documentation)... On Wed, Feb 22, 2017 at 4:39 PM, Lukas Tribus <lu...@gmx.net> wrote: > Hello James, > > > On 23.02.2017 at 01:11, James Brown wrote: > >

Feature request: routing a TCP stream based on Cipher Suites in a TLS ClientHello

2017-02-22 Thread James Brown
dsa_supported. I suppose we could also just add a fetcher that exposes the entire client cipher-suite list as a string and then use a regexp to determine if, e.g., the string "-ECDSA" occurs in that list, but that seems somewhat failure-prone. Thoughts? -- James Brown Engineer

haproxy deleting domain socket on graceful reload if backlog overflows

2017-02-21 Thread James Brown
ual config. -- James Brown Systems Engineer

Re: HTTP 429 Too Many Requests

2016-06-24 Thread James Brown
; they should come back and try again. > > Does that sound like a sensible addition? > > Cheers, > Daniel > > > > -- > Daniel Schneller > Principal Cloud Engineer > > CenterDevice GmbH > https://www.centerdevice.de > > > > -- James Brown Engineer

Managing `Expect: 100-continue` in HAProxy?

2016-05-06 Thread James Brown
already code for sending a 100 Continue if the `http-buffer-request` option is set, so I guess I'm just asking about the feasibility of making that behavior a stand-alone option without having to put the whole request in RAM. -- James Brown Engineer

Re: "show servers state" shows nothing?

2016-05-04 Thread James Brown
(gentle bump) On Mon, Apr 25, 2016 at 11:36 AM, James Brown <jbr...@easypost.com> wrote: > Here's the top of the file. None of the backends override the > load-server-state-from-file setting that's made in `defaults`. There > are 106 backends defined. > > > global >

Re: "show servers state" shows nothing?

2016-04-25 Thread James Brown
server 90s On Sun, Apr 24, 2016 at 9:07 AM, Baptiste <bed...@gmail.com> wrote: > On Thu, Apr 21, 2016 at 2:54 AM, James Brown <jbr...@easypost.com> wrote: >> I'm trying to set up state-file saving on 1.6.4, but "show servers state" >> doesn't return anything. It

agent-check sends PROXY protocol

2016-04-21 Thread James Brown
-proxy flag available to control whether the PROXY protocol is emitted). It's not hard to make my agent support receiving the PROXY protocol, but it's kind of strange, since nothing's actually being proxied. Thoughts? -- James Brown Engineer

"show servers state" shows nothing?

2016-04-20 Thread James Brown
r all backends). Any thoughts? -- James Brown Engineer

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-04-07 Thread James Brown
e calls are the same, OpenSSL > seems to > be doing more low level stuff in functions like _x86_DES_encrypt and > _x86_DES_decrypt. > > So this commit does make OpenSSL uncomfortable in some way, although it is > probably > not related to the number of SSL_write calls. > > Not sure if this is helpful. > > > cheers, > lukas > > > -- James Brown Engineer

Re: servers multiple sources

2016-03-22 Thread James Brown
nd source :) > but sure, it works ! > > 2016-03-21 19:21 GMT+01:00 James Brown <jbr...@easypost.com>: > > Why not just add each server multiple times with a different src > parameter > > and a different name. > > > > Something like > > > > backend my_

Re: servers multiple sources

2016-03-21 Thread James Brown
ables -t nat -A POSTROUTING -o eth2 -j SNAT --to 10.0.0.1-10.0.10 > > without success because kernel is hashing real source ip and real > destination ip, so only one source ip nated is used (aka same as using > one different source per server). > > Any idea on achieving this ? mayb

Re: gpc0_rate computing incorrectly with peer replication turned in [in 1.6.3]

2016-02-24 Thread James Brown
Wed, Feb 24, 2016 at 6:05 PM, James Brown <jbr...@easypost.com> wrote: > > > > We use a gpc0 counter for rate-limiting certain requests in our > application. It was working fine with 1.5.14, but as soon as I

gpc0_rate computing incorrectly with peer replication turned in [in 1.6.3]

2016-02-24 Thread James Brown
this? -- James Brown Engineer

Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-11-03 Thread James Brown
Attached is a `git-format-patch`-formatted patch with some extra strduping and freeing. On Fri, Oct 30, 2015 at 11:39 PM, Willy Tarreau <w...@1wt.eu> wrote: > Hi James, > > On Wed, Oct 28, 2015 at 10:27:22AM -0700, James Brown wrote: > > Sorry for being thickheaded, W

Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-10-28 Thread James Brown
> On Thu, Oct 22, 2015 at 01:04:28PM -0700, James Brown wrote: > > It would be... more convenient for my use case to be able to encode the > > string in the config (we may have several backends for a different > service > > to correspond to phased deployment rollouts, and I'd

Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-10-22 Thread James Brown
ing (eg: "backend=XXX; server=YYY\n") which is easy to > expand with new tags in the future if needed (such as the LB node for > example). > > Regards, > Willy > > -- James Brown Engineer

Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-10-22 Thread James Brown
of having an active session available, and I think it'd be a lot of work to detangle it into a "build_logline_from_backend" that just took a backend or somesuch). On Thu, Oct 22, 2015 at 2:37 AM, Baptiste <bed...@gmail.com> wrote: > On Thu, Oct 22, 2015 at 3:59 AM, James Brown <jbr.

Re: HAproxy version 1.5 on centos 6.5

2015-10-22 Thread James Brown
y haproxy-1.5.14-1.fc22.x86_64 > > libpcre.so.1()(64bit) is needed by haproxy-1.5.14-1.fc22.x86_64 > > systemd is needed by haproxy-1.5.14-1.fc22.x86_64 > >>> > Because of systemd dependency, we just can't install haproxy v1.5 in > centos 6.5. > > Do you have an

Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-10-21 Thread James Brown
Hello haproxy@: My name is James Brown; I wrote a small piece of software called hacheck (https://github.com/Roguelazer/hacheck) which is designed to be a healthcheck proxy for decentralized load balancer control (remove a node from a load balancer without knowing where the load balancers