.181.85.41:63772
> [28/Nov/2023:16:10:19.728] http-in http-in/ 0/-1/-1/-1/0 301 97 - -
> LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
>
> This stems from a request I did that way:
>
> curl http://www.kukulies.org
>
Seems normal, status code is 301 and you have "redirect scheme https code
301 if !{ ssl_fc }"
Is this what you expect or do you think there're some errors ?
-Jarno
--
Jarno Huuskonen
our
> setups be my guests, otherwise it should be merged soon if William is ok
> with the patch.
Thanks Remi. Haproxy-2.8.1 + patch and haproxy returns OCSP response for
both binds.
-Jarno
--
Jarno Huuskonen
ecertfile.pem.ecdsa.ocsp in /etc/haproxy/ssl)
If I change the order of ipv4 / ipv6 binds (so bind ipv6@:::443 name
v6ssl... is first) then haproxy(2.8.1) sends ocsp with ipv6 connection and
not with ipv4.
-Jarno
--
Jarno Huuskonen
r haproxy
> group haproxy
> daemon
> maxconn 200
> maxconnrate 2500
> maxsslrate 2500
From your graphs (haproxy_process_current_ssl_rate /
haproxy_process_current_connection_rate) you might hit
maxconnrate/maxsslrate
-Jarno
--
Jarno Huuskonen
try using sc1 for the search url:
http-request track-sc1 src table search_table if acl_matching_datamart_searchbyname !acl_exclude_cidr_lst
http-request deny deny_status 429 if { sc1_http_req_cnt(search_table) gt 5 }
backend search_table
stick-table type ... store http_req_cnt,http_req_rate...
-Jarno
--
Jarno Huuskonen
9 instead of
> 503. Is this possible ?
errorfile 503 /path/to/429.http
(http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#4-errorfile)
Or maybe it's possible with http-error
(http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#http-error)
-Jarno
--
Jarno Huuskonen
default-errorfiles if { status 504 }
default_backend test_be
backend test_be
server srv1 127.0.0.1:9000 id 1
listen responder
bind ipv4@127.0.0.1:9000
http-request deny deny_status 503
And I receive the correct error file.
-Jarno
--
Jarno Huuskonen
UA_LIB_NAME=lua5.3 LUA_INC=/usr/include/lua5.3 ;
>
>
> -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING
-QUIC --> QUIC support missing.
-Jarno
--
Jarno Huuskonen
ackend_3 OK
>
> <
> test 3
> * Connection #0 to host 127.0.0.1 left intact
>
>
> When we use HTTP/2, switching to backend_2 does not work:
>
> root@ubuntu2004:/etc/haproxy# curl --http2 -kv https://127.0.0.1/2/x
> …
> < HTTP/2 200
> < date: Wed, 30 Mar 2022 12:09:04 GMT
> < server: Apache/2.4.41 (Ubuntu)
> < last-modified: Wed, 30 Mar 2022 11:28:30 GMT
> < etag: "7-5db6dd8521aec"
> < accept-ranges: bytes
> < content-length: 7
> < x-info: defaultbackend : default_1 <-- here we expect backend_2
> <
> test 2
> * Connection #0 to host 127.0.0.1 left intact
>
> Can you please check this?
>
> Kind Regards
> Ralf Saier
> Senior Software Developer
> Tel.+49 721 663035-253
> e-mailsa...@econda.de
>
> Sender details:
> econda GmbH, Zimmerstr. 6, 76137 Karlsruhe
> Managing directors: Christian Hagemeyer, Dr. Philipp Sorg
> Commercial register: Amtsgericht Mannheim HRB 110559
>
>
>
>
--
Jarno Huuskonen
2.4/configuration.html#4-option%20tcplog)
with mode http. AFAIK it overrides your custom log-format.
-Jarno
--
Jarno Huuskonen
r,map_dom(/etc/haproxy/maps/hosts.map,be_default)])
-Jarno
> Would
> use_backend %[ssl_fc_sni,lower] # Layer 5
> or
> use_backend %[req.ssl_sni,lower] # Layer 6
> help with H2 ?
>
> Thanks,
> Ionel
>
>
--
Jarno Huuskonen
the latest git, applying the patch manually or running a
20210820 snapshot would fix this.
Yes, 2.4.3+"BUG/MEDIUM: h2: match absolute-path not path-absolute for
:path" and https://www.example.com// appears to work again.
-Jarno
--
Jarno Huuskonen
Same thing happens to me with 2.4.3 and 2.2.16.
Seems to happen only for https://www.example.com// but not for
https://www.example.com/somepath//something
-Jarno
--
Jarno Huuskonen
--
Jarno Huuskonen
he right direction, please?
>
> There is nothing specific about it, you use just like every other ACL.
>
> http-request deny if REQ_CONTENT
>
> http-request deny unless REQ_CONTENT
>
>
> Lukas
>
>
>
>
--
Jarno Huuskonen
expected behaviour ? If so, how can I change my acls to correct
> it ?
Does it work if you use
hdr_dom(https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.6-req.hdr)
for the host header acl:
(acl is_domain_name hdr_dom(host) -i domain.name)
(or some other match that ignores port in Host header).
-Jarno
--
Jarno Huuskonen
> > > option httpchk
> > > http-check expect status 200
> > > default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
> > > server postgresql_10.128.0.10_5432 10.128.0.10:5432 maxconn 100 check port 8008
> > >
e tcp:
defaults
log global
mode tcp
...
-Jarno
>
> On Wed, 21 Apr 2021 at 16:25, Jarno Huuskonen
> wrote:
> >
> > Hi,
> >
> > On Wed, 2021-04-21 at 21:55 +0700, thủy bùi wrote:
> > > Dear HAproxy dev, I have installed all the requirements of HAproxy
u're running on CentOS/RHEL 7 ? Do you have selinux enabled
(getenforce) ? You'll probably need to allow haproxy to connect to all ports
(or allow required ports). (setsebool -P haproxy_connect_any=On might help).
(Your logs should show if connections are denied).
-Jarno
--
Jarno Huuskonen
ved in the logging, when the haproxy.cfg
> settings only designate local* facilities ?
Are you running haproxy as systemd service ? Those logs could be
coming from systemd (haproxy stdout/stderr).
-Jarno
--
Jarno Huuskonen
er binary content in a way that can be reliably transferred (e.g.
- an SSL ID can be copied in a header).
+ an SSL ID can be copied in a header). For base64url("URL and Filename
Safe
+ Alphabet" (RFC 4648)) variant see "ub64enc".
bool
Returns a boolean TRUE if the input value of type signed integer is
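Review bot: in the added sentence, the parenthesis opens directly after "base64url" and nests a second one around "RFC 4648", so `base64url("URL and Filename Safe Alphabet" (RFC 4648))` reads like a converter call with arguments, which is confusing in a section that documents converters. Suggest rewording to: For the base64url variant ("URL and Filename Safe Alphabet", RFC 4648), see "ub64enc".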
-Jarno
--
Jarno Huuskonen
Hello,
On Thu, 2021-04-01 at 16:03 +0200, William Lallemand wrote:
> On Thu, Apr 01, 2021 at 02:26:07PM +0200, William Lallemand wrote:
> > On Thu, Apr 01, 2021 at 10:19:31AM +0000, Jarno Huuskonen wrote:
> > > Hello,
> > >
> > > I'm seeing a regression with
server crash 192.168.1.105:8081 id 1 check
(And cert1.pem is multiple files:
cert1.pem.ecdsa
cert1.pem.ecdsa.ocsp
cert1.pem.ocsp
cert1.pem.rsa
cert1.pem.rsa.ocsp
)
-Jarno
--
Jarno Huuskonen
y in PEM format?
It should be possible (had this working years ago):
(https://www.mail-archive.com/haproxy@formilux.org/msg20883.html
http://shibboleth.net/pipermail/users/2015-July/022674.html)
Something like:
http-request add-header X-SSL-Client-Cert -BEGIN\ CERTIFICATE-\
%[ssl_c_der,base6
se all sockets once a user runs out of data
> to use.
>
> Solution B)
> A way to use LUA during the actual tunneling (after the HTTP tunnel is
> established) so that we can reauthenticate users and log the usage
> ourselves.
>
> On Tue, 26 Jan 2021 at 15:12, Jarn
e http close and the https
> close server options. Unfortunately without success
> Thanks in advance
>
option logasap ?
(https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-option%20logasap)
-Jarno
--
Jarno Huuskonen
oxy with tls1.0:
openssl s_client -connect your-haproxy-ip:443 -tls1
You can try to enable tls1.0 on server bind with:
ssl-min-ver TLSv1.0
https://cbonte.github.io/haproxy-dconv/2.3/configuration.html#5.1-ssl-min-ver
(Also AFAIK up2date java-1.7 should be able to use tls1.2).
-Jarno
--
Jarno Huuskonen
m is served with
status=200 to haproxy ?
When you test /oab/healthcheck.htm with browser what url do you use:
https://correct.domain.com/oab/healthcheck.htm
or https://ip.addr.es.s/oab/healthcheck.htm ? Do you get different result
with ip or hostname ?
-Jarno
--
Jarno Huuskonen
t I don't think you'll find a proxy that has all the features you'll need
especially if you need to support multiple DB protocols (mysql, postgresql,
oracle, mssql).
-Jarno
--
Jarno Huuskonen
like this:
option httpchk
http-check connect ssl
http-check send meth GET uri /oab/healthcheck.htm ver HTTP/1.1 hdr Host somehost.example.org
http-check expect status 200
(
https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-http-check%20connect
)
-Jarno
--
Jarno Huuskonen
n already implemented or can be
> used by any third party tool.
--
Jarno Huuskonen
-on-404
or setting server weight to 0 or state to drain:
https://cbonte.github.io/haproxy-dconv/2.2/management.html#9.3-set%20server
Maybe you could set all servers in backend to weight 0/drain or use
some kind of acl+use_backend ?
Can you show a short/sanitized example config about your tcp back
converter:
>
> ssl_c_sha256,sha2(256)
I think the first fetch should be ssl_c_der ?
(ssl_c_der,sha2(256))
-Jarno
--
Jarno Huuskonen
digest from haproxy-2.2 to required version ?)
-Jarno
--
Jarno Huuskonen
alstat abns@statssrv
frontend stats
bind abns@statssrv
stats enable
stats uri /stats
stats refresh 10s
Can you share your haproxy -vv ? There could be a better way to do this.
-Jarno
--
Jarno Huuskonen
try the latest 2.2 snapshot, it should be good. You may also
> try to
> cherry-pick the commit 8cabc9783 to the 2.0.
Thanks Christopher (and Tim), I'll try with 2.2 snapshot (and/or)
8cabc9783 and report how it goes.
-Jarno
--
Jarno Huuskonen
h2 : mode=HTX side=FE|BE mux=H2
h2 : mode=HTTP side=FE mux=H2
<default> : mode=HTX side=FE|BE mux=H1
<default> : mode=TCP|HTTP side=FE|BE mux=PASS
Available services : none
Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace
)
--
Jarno Huuskonen
tive on some http headers ?
Have you tried comparing http/1.1 and http/2 request headers going to
keycloak server ?
(
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#h1-case-adjust
)
-Jarno
--
Jarno Huuskonen
X-Forwarded-For)
(
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.6-req.hdr_ip
)
Do you get any entries in the stick-table (show table ... command to
stats socket).
-Jarno
>http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
>
> but it doesn't seem to work the way I want ...
--
Jarno Huuskonen
is:
> (CLIENT SERVERS INDC) ---> 587 (HAPROXY) ---> (ANTISPAM) ---> (INTERNET)
Do you control the antispam servers and do the antispam servers support
for example proxy-protocol (postfix, exim etc) ?
(https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-send-proxy)
-Jarno
--
Jarno Huuskonen
> create a file on disk, and given it resides in a Git repository, I can
> easily `git diff ./tests/responses` to see if anything changed, but
> this is too "barbaric"...) :)
Have you looked into varnishtest(vtest) ? There're examples in haproxy source
reg-tests directory.
-Jarno
--
Jarno Huuskonen
I tried to use config from my dedicated servers:
> cookie serverid insert indirect nocache maxidle 15m maxlife 1h
> server s1 10.0.1.3:80 cookie s1 check
>
>
> But it works only when docker service " nginx-service " runned, after
> scaling or when i'm replacing containers it doesn't work. :(
--
Jarno Huuskonen
struct stream *stream;
+printf("%s %d\n", __FUNCTION__, __LINE__);
if (requester->resolution == NULL)
return 0;
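Review bot: the printf added after the `struct stream *stream;` declaration is unconditional trace output to stdout, so it fires on every call, before the `requester->resolution == NULL` check, and is lost whenever stdout is closed or redirected. Keep it to local debugging builds and drop it from anything that gets submitted.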
--
Jarno Huuskonen
ain_resolver resolvers:
hold valid 15s
For me increasing hold valid makes be_named requests take even longer
and if I add timeout client(to defaults) < hold valid then (be_named) requests
fail with:
cR-- status
-Jarno
--
Jarno Huuskonen
l host from layer4 then for example:
use_backend specialhost if { dst 10.10.10.10 }
might work.
-Jarno
--
Jarno Huuskonen
> > configurable.
> >
> > Thus I was thinking about marking them deprecated for 2.1 and then
> > removing them from 2.3. Or even better, removing them from 2.1, but
> > since we have not sent a prior deprecation warning, it would really
> > require confirmation that really nobody is using them at all anymore
> > (which I think is likely the case starting with 1.5).
> >
> > Any opinion on this ?
> >
> > Thanks,
> > Willy
> >
>
>
--
Jarno Huuskonen
Hi,
Thanks Willy for looking into this !
On Tue, Oct 08, Willy Tarreau wrote:
> On Fri, Oct 04, 2019 at 07:28:15PM +0300, Jarno Huuskonen wrote:
> > I sent pcap/strace offlist.
>
> Thanks, that was very useful.
>
> > (strace -f -o -ttt, tcpdump -n -p -s 16384 -w ... hos
Hi Willy,
On Fri, Oct 04, Willy Tarreau wrote:
> Hi Jarno,
>
> On Wed, Oct 02, 2019 at 01:08:14PM +0300, Jarno Huuskonen wrote:
> > Hello,
> >
> > I was testing haproxy -> uwsgi(alert.io) and noticed a possible regression
> > with healthchecks(httpchk).
>
quest replace-uri ^/api/?(.*) /\1
# inter fast for uwsgi hr_read() testing
default-server inter 6s downinter 25s rise 2
server alertaapi1 127.0.0.1:8080 id 1 check
-Jarno
--
Jarno Huuskonen
oxy logs for these failed req/responses ?
-Jarno
--
Jarno Huuskonen
ipv4 mapped ipv6 addresses (::ffff:127.0.0.1).
-Jarno
--
Jarno Huuskonen
run with for example haproxy -d -f tmp.conf and
curl http://127.0.0.1:8080 and you should see the headers from haproxy debug
output.
-Jarno
--
Jarno Huuskonen
ression 'rstatus'.
>
>
>
> The "rstatus" is available only under "http-check expect". Are there any
> equivalence to the regex status matching?
You can use multiple conditions:
http-response set-header Cache-Control max-age=60 if { status ge 300 } { status lt 400 }
should match if status is between 300-399.
-Jarno
--
Jarno Huuskonen
> group root mode 600 ssl crt /etc/haproxy/test-rsa.pem alpn
> h2,http/1.1 process 3
> bind unix@/run/haproxy-10320-ecc.sock accept-proxy user haproxy
> group root mode 600 ssl crt /etc/haproxy/test-ecc.pem alpn
> h2,http/1.1 process 4-8
--
Jarno Huuskonen
, and
> not the client.
>
> If anyone could please review the haproxy config / my setup, it
> would be appreciated.
>
> Many thanks
> Brent Clark
>
>
--
Jarno Huuskonen
er
connection (for example from same ip/port) using matching sni/host in your
logs ?
-Jarno
--
Jarno Huuskonen
Any ideas what might be the reason? Right now, I'd guess that's a
> Problem with H/2 and those sockets on the HAProxy side.
I think the problem is that "bind unix@/run/haproxy-444_2-h2test.sock"
expects/speaks http/1.1.
-Jarno
--
Jarno Huuskonen
Hi,
On Tue, Mar 26, Christopher Faulet wrote:
> On 26/03/2019 at 08:48, Jarno Huuskonen wrote:
> >Testing with 2.0-dev2(2.0-dev2 2019/03/26) I get kind of strange results
> >with http2:
> >- curl seems to retry in an infinite loop
> >- firefox tries few t
Hello,
On Fri, Mar 01, Christopher Faulet wrote:
> On 01/03/2019 at 14:36, Jarno Huuskonen wrote:
> >Hi,
> >
> >Pinging this thread in case this is an actual error/bug and not
> >a configuration error.
> >(current 2.0-dev1-8dca19-40 2019/03/01 sends 400 error
he variables, start the container and open the script in the
> browser. After 10-15 requests you should get a SC 400
>
> At first sight, it looks like jetty is doing something terribly wrong. But,
> and that's the problem, it does not occur if I have just http/1.1 enabled
>
> -Original Message-
> From: Jarno Huuskonen
> Sent: Tuesday, 19 March 2019 17:34
> To: Maximilian Böhm
> Cc: haproxy@formilux.org
> Subject: Re: 400 SC on h2 xhr post
>
> Hi,
>
> On Tue, Mar 19, Maximilian Böhm wrote:
> > The problem I experien
he requests? Right now, I can't imagine
> the error is on side of the client nor on the backend (the backend is not
> changed).
If the 400 errors happen within 3mins, have you tried changing
client/keep-alive timeouts to see if anything changes ?
> timeout queue 2m
> timeout client 2m
> timeout http-keep-alive 2m
-Jarno
--
Jarno Huuskonen
acl is_redirect_match path,map_beg(redir.map) -m found
http-request redirect code 302 location %[path,map_beg(redir.map)] if is_redirect_match
and in the redir.map file:
/a/b /ab/somewhere
/a/c /ac/somewhere
/a1/b /a1b/somewhere
-Jarno
--
Jarno Huuskonen
aproxy-as-an-api-gateway-part-2-authentication/
-Jarno
--
Jarno Huuskonen
Hi,
Pinging this thread in case this is an actual error/bug and not
a configuration error.
(current 2.0-dev1-8dca19-40 2019/03/01 sends 400 error to client when
http/2 is used).
-Jarno
On Sat, Feb 02, Jarno Huuskonen wrote:
> (This is kind of related to this thread:
> https://ww
move the errorfile 503 to frontend/backend ?
> 2)
> When I enable removing the server-header from the backend with
> "rspidel ^Server:.*", then the haproxy-workers are terminating with
> Segmentation fault and the website via haproxy is not working:
Does http-response del-hea
>
> Thanks
> badari
>
>
>
> On Wed, Feb 20, 2019 at 11:13 PM Jarno Huuskonen
> wrote:
>
> > Hi,
> >
> > On Wed, Feb 20, Badari Prasad wrote:
> > > Thank you for responding. Came up with based on the inputs:
> > >
> > >
>
> use_backend nodes
>
> With this config I was able to rate limit per url basis.
>
> Thanks
> badari
>
>
>
> On Tue, Feb 19, 2019 at 10:01 PM Jarno Huuskonen
> wrote:
>
> > Hi,
> >
> > On Mon, Feb 11, Badari Prasad wrote:
>
#7.3.1-concat)
(so something like:
http-request set-var(req.mypath) path
http-request set-var(req.myvar) req.hdr(host),concat(,req.mypath)
(but I guess there are other ways to do this)).
-Jarno
--
Jarno Huuskonen
2019 at 7:34 PM Jarno Huuskonen
> wrote:
>
> > Hi,
> >
> > On Mon, Feb 11, Badari Prasad wrote:
> > > Thank you for the response. I came up with my own haproxy cfg, where
> > > i
rce ip addresses
are) or each source ip can send 1000 tps to /api/v1/client1/transfer_data ?
-Jarno
--
Jarno Huuskonen
Hi,
On Thu, Feb 07, Willy Tarreau wrote:
> On Thu, Feb 07, 2019 at 04:50:12PM +0200, Jarno Huuskonen wrote:
> > Hi,
> >
> > On Thu, Feb 07, Steve GIRAUD wrote:
> > > Thanks Jarno for the investigation.
> >
> > No problem.
> >
> > > T
+ssl frontend works).
>
> I'm attaching my test config and the httpsrv.go that I used as a
> backend server.
> Maybe http2 gurus can take a look and see if the frame size error is
> expected or not ?
>
> -Jarno
>
> > From: Jarno Huuskonen
> > Sent: Wedn
RAME_SIZE?) ?
(Same request with --http1.1 to haproxy+ssl frontend works).
I'm attaching my test config and the httpsrv.go that I used as a
backend server.
Maybe http2 gurus can take a look and see if the frame size error is
expected or not ?
-Jarno
> From: Jarno Huuskonen
> Sent: Wednesday 6
e (very long) headers (how many bytes) ?
Is it by any chance larger than the bufsize or maxrewrite ?
> Default settings :
> maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
-Jarno
--
Jarno Huuskonen
# the H2 protocol is invalid since they are pseudo-headers
txreq \
-req GET \
-scheme "https" \
-url /path/to/file.ext
rxhdrs
expect resp.status == 502
#rxdata -all
} -run
} -run
--
Jarno Huuskonen
ike this work:
http-request set-var(req.dummy) nbsrv(GlobalRequestsTracker)
http-request deny deny_status 429 if { sc0_http_req_rate(GlobalRequestsTracker),div(req.dummy) gt 10 }
-Jarno
--
Jarno Huuskonen
htx='#'] instead of -Dno-htx= ?
-Jarno
--
Jarno Huuskonen
>From 1a5a90641ec072d62babbb8ed65c6831998bbdee Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen
Date: Wed, 9 Jan 2019 13:41:19 +0200
Subject: [PATCH 1/4] REGTESTS: test case for map_regm commit 271022150d
Minimal test case for map_regm commi
Hi,
Small patch for doc/configuration.txt that adds missing cache name
option to http-request cache-use / http-response cache-store.
Also adds optional if/unless condition doc to
10.2.2. Proxy section: http-request cache-use / http-response cache-store
-Jarno
--
Jarno Huuskonen
>F
TTPS_in functionality to fe frontend
Are there any more alternatives/tricks on using more than 1 core for
SSL and enabling HTTP/2 ? Are there any gotchas etc. to look out for
when converting nbproc to nbthread config ?
Thanks,
-Jarno
--
Jarno Huuskonen
Also link to ssl_fc_alpn.
---
doc/configuration.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index dc1f222..03a567d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -15472,13 +15472,13 @@ req.ssl_alpn :
Hello,
I started playing with reg-tests and came up with couple of regtests.
Is there a better subdirectory for these than http-rules ? Maybe
map/b0.vtc and converter/h* ?
I'm attaching the tests for comments.
-Jarno
--
Jarno Huuskonen
>From e75f2ef8b461caa164e81e2d39630e3b2e879
tically adds a Host header unless you are directly
> hitting an IP address.
Even curl [-v] http://ip.add.re.ss adds host header (Host:
ip.add.re.ss). (At least the version I'm using (the one that comes with
centos 7.6)).
-Jarno
--
Jarno Huuskonen
ealth check for server bk_8093_read/primary8093r failed,
> reason: Layer7 wrong status, code: 400, info: "No Host", check duration:
> 543ms, status: 0/2 DOWN.
Like Jonathan said "No Host" is telling you what's wrong.
(HTTP/1.1 requests expect Host: header).
-Jarno
--
Jarno Huuskonen
g | grep /nexus/v1
Is your logging working (you'll get logs in /opt/app/haproxy/log/haproxy.log) ?
grep 'Health check for' /opt/app/haproxy/log/haproxy.log
-Jarno
--
Jarno Huuskonen
ould be appreciated!
I think you can (ab)use http version to send body with option httpchk
(https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20httpchk)
One example for sending xml post:
https://discourse.haproxy.org/t/healthcheck-with-xml-post-in-body/733
-Jarno
--
Jarno Huuskonen
.com/jhub.
-Jarno
--
Jarno Huuskonen
on www-ssh-proxy-backend.
(and/or longer timeout client on www-ssh-proxy).
(You could also try to play with sshd_config: ClientAliveInterval and
TCPKeepAlive)
> Transferred: sent 3312, received 3184 bytes, in 50.3 seconds
-Jarno
--
Jarno Huuskonen
sport =
:ssh )')
to see if sshd is already listening on port 22).
If you've sshd running on port 22 then you have to use different port or
ipaddress for sshd / haproxy(www-ssh-proxy)
-Jarno
--
Jarno Huuskonen
Hi,
On Tue, Jul 17, Emeric Brun wrote:
> > On Fri, 29 Jun 2018 at 07:15, Jarno Huuskonen
> > wrote:
> >> On Thu, Jun 28, Jarno Huuskonen wrote:
> >>> I think this is the commit that breaks map_regm in this case:
> >>> b5997f740b21ebb197e10a0f2fe9dc13
et word(2) and reverse again. Is that possible? Or is there
> > an even better function I can use? I am thinking this must be a common use
> > case, but googling "haproxy" and "reverse" will naturally turn up lots of
> > results talking about "reverse proxying".
> >
> > If possible, I would like to avoid using maps to keep this thing as
> > generic as possible.
> >
> > Thanks a lot!
> >
> > Daniel
--
Jarno Huuskonen
Hi,
On Thu, Jun 28, Jarno Huuskonen wrote:
> I think this is the commit that breaks map_regm in this case:
> b5997f740b21ebb197e10a0f2fe9dc13163e1772 (MAJOR: threads/map: Make
> acls/maps thread safe).
>
> If I revert this commit from pattern.c:pattern_exec_match
> then the m
e broken on all 1.8.x.
I think this is the commit that breaks map_regm in this case:
b5997f740b21ebb197e10a0f2fe9dc13163e1772 (MAJOR: threads/map: Make
acls/maps thread safe).
If I revert this commit from pattern.c:pattern_exec_match
then the map_regm \1 backref seems to work.
-Jarno
--
Jarno Huuskonen
in tcp mode?
> >
>
> That can be done with the "proxy protocol". See more at
> https://www.haproxy.com/blog/haproxy/proxy-protocol/
There's also source usesrc clientip:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
if your backend servers don't support proxy-protocol.
-Jarno
--
Jarno Huuskonen
s-new-in-haproxy-1-6/
So for example:
frontend test_fe
bind ipv4@127.0.0.1:8080
declare capture request len 64
http-request capture req.hdr(Host) id 0
acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
http-response add-header X-Custom-Header YES if is_test
-Jarno
--
Jarno Huuskonen
ll bytes are explicitly permitted
> > in the sun_path. Instead I'd suggest this :
> >
> > } else if (un1->sun_path[0] == 0 &&
> >memcmp(un1->sun_path, un2->sun_path, sizeof(un1->sun_path))
> > == 0)
> >
> > Jarno, if you still notice occasional failures, please try with this.
> >
>
> You're right, as unlikely as it can be in our current scenario, better safe
> than sorry.
> The attached patch is updated to reflect that.
Thanks !
My minimal test config with the patch works (on top of
1.8.9): (doing reloads/curl in loop).
I'll test with my normal/production config when I'll have more time
(probably few days).
-Jarno
--
Jarno Huuskonen
warded the request (and before server responds) then client has to
wait for timeout server (in reality I think everyone will just click
stop or reload instead of waiting for the really long timeout).
-Jarno
--
Jarno Huuskonen
path
If you just need to change the path then http-request set-path should be
enough (https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-http-request).
Something like:
acl new_dom hdr_dom(host) -i www.newdomain.com
acl old_path path_beg -i /images/logo.png
http-request set-path "/images/new-logo.png" if new_dom old_path
-Jarno
--
Jarno Huuskonen - System Administrator | jarno.huuskonen atsign uef.fi
fter a random time.
-Jarno
--
Jarno Huuskonen
yourpath
# bigfile is some random file much larger than 16k
and curl -v -X PUT -d@bigfile -d'customerId=912'
http://yourhost.yourdomain/yourpath
-Jarno
--
Jarno Huuskonen