process of release to debian, backports ?

2023-05-09 Thread Jim Freeman
Just Curious ... (probably a Vincent et al question?) What considerations/timings trigger gating an haproxy release getting into debian (and backports) archives ? Severity of problems fixed in release (e.g. CVE, ...) ? Available bandwidth/fatigue of uploaders ? Debian guidelines ? As always -

Re: Puzzlement : empty field vs. ,field() -m

2023-04-18 Thread Jim Freeman
list etiquette guide exist ? ) > On Mon, Apr 17, 2023 at 09:17:03PM -0600, Jim Freeman wrote: > > Aleksandar - thanks for the feedback ! (haproxy -vv : attached) > > > > I'd spent a good long while scouring the config docs (and Google) seeking > > enlightenment, but ...

Re: Puzzlement : empty field vs. ,field() -m

2023-04-17 Thread Jim Freeman
() work ... On Mon, Apr 17, 2023 at 5:29 PM Aleksandar Lazic wrote: > Hi. > > On 18.04.23 00:55, Jim Freeman wrote: > > In splitting out fields from req.cook, populated fields work well, but > > detecting an unset field has me befuddled: > > > >acl COOK_META_MI

Puzzlement : empty field vs. ,field() -m

2023-04-17 Thread Jim Freeman
In splitting out fields from req.cook, populated fields work well, but detecting an unset field has me befuddled: acl COOK_META_MISSING req.cook(cook2hdr),field(3,\#) ! -m found -m str '' does not detect that a cookie/field is empty ? Running the attached 'hdrs' script against the attached

Re: changed IP messages overrunning /var/log ?

2022-11-10 Thread Jim Freeman
, "systemctl reload-or-restart haproxy" - no joy (systemd 247.3-7+deb11u1). Installed systemd/bullseye-backports (251.3-1~bpo11+1) - and the noise is now gone. Phew ... On Thu, Nov 10, 2022 at 11:39 AM Jim Freeman wrote: > Heroku, for instance, uses constantly rotating/changing pools o

Re: changed IP messages overrunning /var/log ?

2022-11-10 Thread Jim Freeman
0, 2021 at 11:00 PM Willy Tarreau wrote: > On Fri, Apr 16, 2021 at 08:18:30AM -0600, Jim Freeman wrote: > > Root cause - haproxy intentionally double logs : > > https://github.com/haproxy/haproxy/blob/master/src/server.c > > srv_update_addr(...) { ... /* generates a lo

Re: [ANNOUNCE] haproxy-2.2.18

2021-11-08 Thread Jim Freeman
Great to hear - thanks ! On Sat, Nov 6, 2021 at 12:58 AM Vincent Bernat wrote: > ❦ 5 November 2021 17:05 -06, Jim Freeman: > > > Might this (or something 2.4-ish) be heading towards bullseye-backports ? > > https://packages.debian.org/search?keywords=haproxy > > htt

Re: [ANNOUNCE] haproxy-2.2.18

2021-11-05 Thread Jim Freeman
Might this (or something 2.4-ish) be heading towards bullseye-backports ? https://packages.debian.org/search?keywords=haproxy https://packages.debian.org/bullseye-backports/ Thanks, ...jfree On Fri, Nov 5, 2021 at 8:51 AM Christopher Faulet wrote: > Hi, > > HAProxy 2.2.18 was released on

Re: PH disconnects, but "show errors" has 0 entries ?

2021-10-19 Thread Jim Freeman
observations and befuddlement ... https://www.mail-archive.com/haproxy@formilux.org/msg41308.html "This computer stuff is hard ..." On Tue, Oct 19, 2021 at 3:24 AM Christopher Faulet wrote: > Le 10/13/21 à 8:30 PM, Jim Freeman a écrit : > > In adding a couple of new securi

Re: PH disconnects, but "show errors" has 0 entries ?

2021-10-19 Thread Jim Freeman
Many thanks for your insight and response - I'll check that out. On Tue, Oct 19, 2021 at 3:24 AM Christopher Faulet wrote: > Le 10/13/21 à 8:30 PM, Jim Freeman a écrit : > > In adding a couple of new security response headers via haproxy.cfg (one > is 112 > > bytes, th

Re: PH disconnects, but "show errors" has 0 entries ?

2021-10-18 Thread Jim Freeman
Nope - never mind. Plenty of successful traffic with the sec-ch-ua* headers. I'll keep poking re: PH/500 w/o "show errors", and confess here when/how I find it is the result of being ignernt. On Mon, Oct 18, 2021 at 11:41 AM Jim Freeman wrote: > Ran tcpdump on the proxy in sea

Re: PH disconnects, but "show errors" has 0 entries ?

2021-10-18 Thread Jim Freeman
Ran tcpdump on the proxy in search of useful detail. Saw these unfamiliar (to me) headers on the PH/500 'd request : sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90" sec-ch-ua-mobile: ?0 Googled, found : https://www.chromium.org/updates/ua-ch, was a tad FUD'd by === Possible Site

PH disconnects, but "show errors" has 0 entries ?

2021-10-13 Thread Jim Freeman
In adding a couple of new security response headers via haproxy.cfg (one is 112 bytes, the other 32), a few requests are now getting 500 status (PH session state) responses, but "show errors" has 0 entries? Most responses succeed (all have the additional headers), so it's not a problem with the

Re: Proxy Protocol - any browser proxy extensions that support ?

2021-06-05 Thread Jim Freeman
! On Fri, Jun 4, 2021 at 4:43 PM Aleksandar Lazic wrote: > > On 04.06.21 21:32, Jim Freeman wrote: > > https://developer.chrome.com/docs/extensions/reference/proxy/ > > supports SOCKS4/SOCKS5 > > > > Does anyone know of any in-browser VPN/proxy extensions that supp

Proxy Protocol - any browser proxy extensions that support ?

2021-06-04 Thread Jim Freeman
https://developer.chrome.com/docs/extensions/reference/proxy/ supports SOCKS4/SOCKS5 Does anyone know of any in-browser VPN/proxy extensions that support Willy's Proxy Protocol ? https://www.haproxy.com/blog/haproxy/proxy-protocol/ enumerates some of the state of support, but doesn't touch on

Re: Illegal instruction - 2.2 on AMD/Sempron ?

2021-04-22 Thread Jim Freeman
66bb18 <+88>: rol $0x7,%rax 0x5566bb1c <+92>: mov 0x8(%rsp),%rdi 0x5566bb21 <+97>: xor %fs:0x28,%rdi 0x5566bb2a <+106>: lea (%rax,%rax,8),%rax 0x5566bb2e <+110>: jne 0x5566bb45 0x00005566bb30 &l

Illegal instruction - 2.2 on AMD/Sempron ?

2021-04-21 Thread Jim Freeman
Stock 1.8.19-1+deb10u3 on Debian10 runs fine, but when I install 2.2.8-1~bpo10+1 from buster-backports, I get "Illegal instruction" ? Is my CPU just too historic ? # strace -f ./haproxy -f ~/haproxy.cfg ... openat(AT_FDCWD, "/etc/haproxy/errors/504.http", O_RDONLY) = 4 fstat(4,

Re: changed IP messages overrunning /var/log ?

2021-04-16 Thread Jim Freeman
Root cause - haproxy intentionally double logs : https://github.com/haproxy/haproxy/blob/master/src/server.c srv_update_addr(...) { ... /* generates a log line and a warning on stderr */ ... } On Thu, Apr 15, 2021 at 11:06 PM Jim Freeman wrote: ... > The duplication of logging the

Re: changed IP messages overrunning /var/log ?

2021-04-15 Thread Jim Freeman
org/download/1.8/src/CHANGELOG * 2019/11/25 : 1.8.23 * BUG: dns: timeout resolve not applied for valid resolutions On Thu, Apr 15, 2021 at 1:43 AM Jim Freeman wrote: > > Migrating from stock stretch-backports+1.8 to Debian_10/Buster+2.0 (to > purge 'reqrep' en route to 2.2), /var/log/

Re: changed IP messages overrunning /var/log ?

2021-04-15 Thread Jim Freeman
... On Thu, Apr 15, 2021 at 2:02 AM Jarno Huuskonen wrote: > > Hello, > > On Thu, 2021-04-15 at 01:43 -0600, Jim Freeman wrote: > > This is puzzling, since haproxy.cfg directs all logs to local* > > After some investigation, it turns out that the daemon.log and syslog > > ent

changed IP messages overrunning /var/log ?

2021-04-15 Thread Jim Freeman
Migrating from stock stretch-backports+1.8 to Debian_10/Buster+2.0 (to purge 'reqrep' en route to 2.2), /var/log/ is suddenly filling disk with messages about changed IPs : === 2021-04-14T01:08:40.123303+00:00 ip-10-36-217-169 haproxy[569]: my_web_service changed its IP from 52.208.198.117 to

Re: ELB scaling => sudden backend tragedy

2019-10-30 Thread Jim Freeman
at a safe non-default for accepted_payload_size to address this issue in future. Thanks to all, ...jfree On Thu, Oct 24, 2019 at 2:29 PM Jim Freeman wrote: > https://github.com/haproxy/haproxy/issues/341 > > On Thu, Oct 24, 2019 at 11:44 AM Lukas Tribus wrote: > >> Hello, &g

Re: ELB scaling => sudden backend tragedy

2019-10-24 Thread Jim Freeman
https://github.com/haproxy/haproxy/issues/341 On Thu, Oct 24, 2019 at 11:44 AM Lukas Tribus wrote: > Hello, > > On Thu, Oct 24, 2019 at 5:53 PM Jim Freeman wrote: > > > > Yesterday we had an ELB scale to 26 IP addresses, at which time ALL of > the servers in that back

ELB scaling => sudden backend tragedy

2019-10-24 Thread Jim Freeman
Yesterday we had an ELB scale to 26 IP addresses, at which time ALL of the servers in that backend were suddenly marked down, e.g. : Server www26 is going DOWN for maintenance (unspecified DNS error) Ergo, ALL requests to that backend got 503s ==> complete outage Mayhap

Re: 'sni' parameter - reasonable default/implicit setting ?

2019-07-27 Thread Jim Freeman
That looks right on - thanks for the pointer ! I couldn't tell from the brief gander I took - works the same for 'server-template' as for 'server' ? On Sat, Jul 27, 2019 at 2:53 AM Aleksandar Lazic wrote: > Hi. > > Am 27.07.2019 um 00:24 schrieb Jim Freeman: > > For outgoing

'sni' parameter - reasonable default/implicit setting ?

2019-07-26 Thread Jim Freeman
For outgoing TLS connections, might haproxy be taught to use a reasonable default/implicit value 'sni' [1] expression/behavior that would 'first do no harm'[2], and usually be correct, in the absence of an explicit expression ? (Understood that haproxy depends on an SSL lib) E.g.; req.hdr(host)

Re: redirect vs. logging Location hdr

2018-06-27 Thread Jim Freeman
Much thanks for the insights, clarifications, and solution possibilities. Will chew on this for a bit ... On Wed, Jun 27, 2018 at 10:40 PM, Willy Tarreau wrote: > On Wed, Jun 27, 2018 at 04:08:27PM -0600, Jim Freeman wrote: > > With a configuration having many 'redirect's (and wantin

redirect vs. logging Location hdr

2018-06-27 Thread Jim Freeman
With a configuration having many 'redirect's (and wanting to know which 'Location' a given request was redirected to), I configured capture response header Location len 64 log-format %hs , but see no log entries for redirects I know haproxy is generating. With further testing, I know that

Re: [PATCH][MINOR] config: Implement 'parse-resolv-conf' directive for resolvers

2018-05-24 Thread Jim Freeman
u <w...@1wt.eu> wrote: > >> Hi Jim, >> >> On Thu, May 24, 2018 at 08:50:29AM -0600, Jim Freeman wrote: >> > I'm not seeing any signs of this feature sliding into 1.9 source - any >> > danger of it not going in to the current dev branch? >> > A

Re: [PATCH][MINOR] config: Implement 'parse-resolv-conf' directive for resolvers

2018-05-24 Thread Jim Freeman
I'm not seeing any signs of this feature sliding into 1.9 source - any danger of it not going in to the current dev branch? Are there further concerns/problems/... standing in the way ? (it addresses one of my few haproxy gripes) ...jfree [ grateful/impressed haproxy user - thanks to all

Re: Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour

2018-05-23 Thread Jim Freeman
Or kludge around it with eg; http://www.issihosts.com/haveged/ ? On Wed, May 23, 2018 at 1:48 PM, Lukas Tribus wrote: > Hello, > > > On 23 May 2018 at 18:29, Emeric Brun wrote: > > This issue was due to openssl-1.1.1 which re-seed after an elapsed time > or

Re: DNS resolver and mixed case responses

2018-04-12 Thread Jim Freeman
It will be important to know which behavior AWS's Route53/DNS servers use ? Using stock Debian/Stretch BIND9 (1:9.10.3.dfsg.P4-12.3+deb9u4), we see haproxy downing backend servers with "Server is going DOWN for maintenance (unspecified DNS error)."

Re: 1.8 resolvers - start vs. run

2018-01-08 Thread Jim Freeman
fill comfortable enough, please send me / the ml a patch and I can > review it. > If you have any questions on the design, don't hesitate to ask. > > Baptiste > > > On Mon, Jan 8, 2018 at 1:56 PM, Jim Freeman <sovr...@gmail.com> wrote: > >> No new libs needed. &

Re: 1.8 resolvers - start vs. run

2018-01-08 Thread Jim Freeman
No new libs needed. libc/libresolv 's res_ninit() suffices ... http://man7.org/linux/man-pages/man3/resolver.3.html On Fri, Dec 29, 2017 at 2:26 PM, Lukas Tribus <lu...@ltri.eu> wrote: > Hi Jim, > > > On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman <sovr...@gmail.com&g

Re: 1.8 resolvers - start vs. run

2017-12-29 Thread Jim Freeman
> On 29 December 2017 at 21:26, Lukas Tribus <lu...@ltri.eu> wrote: > > Hi Jim, > > > > > > On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman <sovr...@gmail.com> wrote: > >> Looks like libresolv 's res_ninit() parses out /etc/resolv.conf 's > >&g

Re: 1.8 resolvers - start vs. run

2017-12-29 Thread Jim Freeman
Great feedback - thanks ! I'll take a look at the code ... On Fri, Dec 29, 2017 at 12:59 PM, Lukas Tribus <lu...@ltri.eu> wrote: > Hello, > > > On Fri, Dec 29, 2017 at 7:00 PM, Jim Freeman <sovr...@gmail.com> wrote: > > I'm a bit befuddled by the different na

1.8 resolvers - start vs. run

2017-12-29 Thread Jim Freeman
I'm a bit befuddled by the different nameserver config 'twixt these 2 modes? [ Methinks I grok the need for an internal non-libc/libresolv resolver ] Why isn't the /etc/resolv.conf start-time config used (or at least available) as a default run-time config (chroot notwithstanding)? Under what

in-house vulnerability scan vs. stats socket

2017-06-19 Thread Jim Freeman
FWIW / FYI - # haproxy -v HA-Proxy version 1.5.18 2016/05/10 An in-house vulnerability scanner found our haproxy stats sockets and started probing, sending bogus requests, HTTP_* methods, etc. The many requests, even though the request paths were not valid at the stats socket, made for a DoS

Re: resolvers default nameservers ?

2017-04-18 Thread Jim Freeman
y for auto- tweaking/configuring, so sensible inherent default cfg mechanisms rock. World class system software - thanks, and thanks, and thanks again ! On Tue, Apr 18, 2017 at 1:03 AM, Baptiste <bed...@gmail.com> wrote: > > > On Fri, Apr 14, 2017 at 4:58 PM, Jim Freeman

[PATCH]: CLEANUP

2017-04-15 Thread Jim Freeman
trivial typo in log.c From 6b51be4bc3b71eda400a7c0012a4642f393acaae Mon Sep 17 00:00:00 2001 From: Jim Freeman <sovr...@gmail.com> Date: Sat, 15 Apr 2017 08:01:59 -0600 Subject: [PATCH] CLEANUP - typo: simgle => single --- src/log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion

resolvers default nameservers ?

2017-04-14 Thread Jim Freeman
The "resolvers" section doc discusses default values for all its parameters except "nameservers". If I have a on-line "resolvers" eg; "resolvers default" with no parameters listed, are the system (or context eg; chroot) /etc/resolv.conf nameservers used? [ this would be a boon to cfg

typo nits @doc

2017-04-10 Thread Jim Freeman
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html s/formated/formatted/g

simgle ?

2017-04-10 Thread Jim Freeman
https://github.com/haproxy/haproxy/search?q=simgle single ? simple ?

Re: 100% cpu , epoll_wait()

2016-04-21 Thread Jim Freeman
s/haproxy.log sourcetype = haproxy 4/21/16 3:05:06.722 PM { [-] bytes_c: 577 bytes_s: 2448514 cip: 10.107.152.81 con_act: 1133 con_back: 0 con_frnt: 0 con_srv: 0 date: 21/Apr/2016:21:05:06.722 hdrs: {Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) Apple

Re: 100% cpu , epoll_wait()

2016-04-21 Thread Jim Freeman
raph attached] On Thu, Apr 21, 2016 at 11:44 AM, Jim Freeman <sovr...@gmail.com> wrote: > Followup: alert triggered this AM - I'll provide what bits I was able > to glean. [ HA-Proxy version 1.5.17 ] > > A proxy's CPU1 pegged @10:21. To isolate the connections to a > non-listen

Re: 100% cpu , epoll_wait()

2016-04-15 Thread Jim Freeman
wrote: > Hi Jim, > > Le 15/04/2016 23:20, Jim Freeman a écrit : >> >> I have haproxy slaved to 2d cpu (CPU1), with frequent config changes >> and a '-sf' soft-stop with the now-old non-listening process nannying >> old connections. >> >> Sometimes CPU1

100% cpu , epoll_wait()

2016-04-15 Thread Jim Freeman
I have haproxy slaved to 2d cpu (CPU1), with frequent config changes and a '-sf' soft-stop with the now-old non-listening process nannying old connections. Sometimes CPU1 goes to %100, and then a few minutes later request latencies suffer across multiple haproxy peers. An strace of the nanny

Re: METH_CONNECT, HTTPS forward proxy

2016-03-23 Thread Jim Freeman
-resolvers On Tue, Mar 22, 2016 at 11:21 PM, Jim Freeman <sovr...@gmail.com> wrote: > a la squid, but w/o caching, and a syntax I'm more comfortable with, > and a resolvers mechanism that can handle AWS ELB elasticity. > > http://wiki.squid-cache.org/Features/HTTPS#CONNECT_

Re: METH_CONNECT, HTTPS forward proxy

2016-03-22 Thread Jim Freeman
PM, Jim Freeman <sovr...@gmail.com> wrote: > I see METH_CONNECT as a pre-defined acl, but much googling leaves me > without a clue as to how to use it. > > I hope to have haproxy act as a forward proxy target for browsers > using a proxy.pac file. I believe proxied traffic (

METH_CONNECT, HTTPS forward proxy

2016-03-22 Thread Jim Freeman
I see METH_CONNECT as a pre-defined acl, but much googling leaves me without a clue as to how to use it. I hope to have haproxy act as a forward proxy target for browsers using a proxy.pac file. I believe proxied traffic (both HTTP and HTTPS) usually goes to the same proxy port, with HTTPS

Re: case @req.hdr puzzlement

2016-03-19 Thread Jim Freeman
Indeed - I hardcode the frontend_name in the .cfg (instead of using %f), and it works. Thanks much! On Fri, Mar 18, 2016 at 3:30 PM, Cyril Bonté <cyril.bo...@free.fr> wrote: > Hi Jim, > > Le 18/03/2016 21:52, Jim Freeman a écrit : >> >> I'm trying to add a header

case @req.hdr puzzlement

2016-03-18 Thread Jim Freeman
I'm trying to add a header only if the last occurrence of it is not the frontend_name (%f), but the header field name comparison seems to be case sensitive when it should not be ? haproxy.cfg listen foo.bar bind :10001 mode http log 127.0.0.1:514 local2 debug info acl XOH_OK

acl's re-calculated after reqrep ?

2016-02-23 Thread Jim Freeman
[ using 1.6.3 on Debian8 ] Are acl's re-calculated after a 'reqrep' of the request line? I'm seeing evidence that they are, but am finding no mention in the docs/google, and am somewhat taken aback. ...jfree

DOC: set-log-level in Logging section preamble

2015-05-26 Thread Jim Freeman
As best I can tell, no mention is made of set-log-level in the Logging [Section 8] of the doc. Something akin to the following in the doc would have saved a good chunk of time/angst in addressing a logging issue I encountered : diff --git a/doc/configuration.txt b/doc/configuration.txt index

rspitarpit ?

2015-01-07 Thread Jim Freeman
We're getting some congestion from blind-shooting (or maybe just stupid-shooting) scrapers who make (mostly bad) requests, with occasional successes. We'd like to tarpit unsuccessful responses. Any experience on how to accomplish that ? ( A rspitarpit directive would be awesome ) Kudos on an

puzzled : timeout tarpit

2014-11-04 Thread Jim Freeman
We have : defaults ... timeout connect 5000 timeout client 30 timeout server 30 ... backend foo ... timeout tarpit 29s acl SRC_abuser hdr_ip(X-Forwarded-For,-1) 1.2.3.4 acl busy be_sess_rate gt 10 reqitarpit . if SRC_abuser busy Our logs are

Re: acl set as side effect of reqrep ?

2014-08-27 Thread Jim Freeman
On Wed, Aug 27, 2014 at 4:39 AM, Baptiste bed...@gmail.com wrote: On Tue, Aug 26, 2014 at 5:31 PM, Jim Freeman jfree...@gmail.com wrote: Is there an easy/efficient way to set an acl as a direct side-effect of a reqrep (not) matching/replacing ? Thanks, ...jfree Hi Jim, Please clearly

acl set as side effect of reqrep ?

2014-08-26 Thread Jim Freeman
Is there an easy/efficient way to set an acl as a direct side-effect of a reqrep (not) matching/replacing ? Thanks, ...jfree

'observe layer4' - passive healthcheck ?

2014-08-13 Thread Jim Freeman
In a 2-tier haproxy setup (tier1 instances/VMs do domain steering (and some SSL termination) across many 10s of backends to tier2 path-steering instances), I'd like to scale either/both tiers horizontally without compounding #tier1 instances * #backends * #tier2 instances healthcheck

Re: SIGQUIT, silence

2014-01-25 Thread Jim Freeman
used for debugging purposes. [ BTW - many, many thanks for this insanely great and useful software ] ...jfree On Sat, Jan 25, 2014 at 3:49 AM, Willy Tarreau w...@1wt.eu wrote: On Thu, Jan 23, 2014 at 04:19:35PM -0700, Jim Freeman wrote: Using haproxy-1.5-dev19 on Debian/Wheezy, and haproxy

Re: SIGQUIT, silence

2014-01-25 Thread Jim Freeman
Ah - tragic :-) - it's been handy for us to search/share our system stuff using log analytics ... Thanks again, and again, and again ... On Sat, Jan 25, 2014 at 10:18 AM, Willy Tarreau w...@1wt.eu wrote: On Sat, Jan 25, 2014 at 10:15:30AM -0700, Jim Freeman wrote: Since the man page

SIGQUIT, silence

2014-01-23 Thread Jim Freeman
Using haproxy-1.5-dev19 on Debian/Wheezy, and haproxy-1.5-dev21 on CentOS6.2, killing haproxy with SIGQUIT gets me nothing in the system logs. SIGHUP gets proxy/server status info into the logs just fine. I'm using them the same way, but SIGQUIT seems to just do ... nothing? Nut loose on the