Just Curious ... (probably a Vincent et al question?)
What considerations/timings trigger gating an haproxy release getting into
debian (and backports) archives ?
Severity of problems fixed in release (e.g. CVE, ...) ?
Available bandwidth/fatigue of uploaders ?
Debian guidelines ?
As always -
list etiquette guide exist ? )
> On Mon, Apr 17, 2023 at 09:17:03PM -0600, Jim Freeman wrote:
> > Aleksandar - thanks for the feedback ! (haproxy -vv : attached)
> >
> > I'd spent a good long while scouring the config docs (and Google) seeking
> > enlightenment, but ...
()
work ...
On Mon, Apr 17, 2023 at 5:29 PM Aleksandar Lazic wrote:
> Hi.
>
> On 18.04.23 00:55, Jim Freeman wrote:
> > In splitting out fields from req.cook, populated fields work well, but
> > detecting an unset field has me befuddled:
> >
> >acl COOK_META_MI
In splitting out fields from req.cook, populated fields work well, but
detecting an unset field has me befuddled:
acl COOK_META_MISSING req.cook(cook2hdr),field(3,\#) ! -m found -m str ''
does not detect that a cookie/field is empty ?
Running the attached 'hdrs' script against the attached
, "systemctl reload-or-restart haproxy" - no joy
(systemd 247.3-7+deb11u1).
Installed systemd/bullseye-backports (251.3-1~bpo11+1) - and the noise is
now gone. Phew ...
On Thu, Nov 10, 2022 at 11:39 AM Jim Freeman wrote:
> Heroku, for instance, uses constantly rotating/changing pools o
0, 2021 at 11:00 PM Willy Tarreau wrote:
> On Fri, Apr 16, 2021 at 08:18:30AM -0600, Jim Freeman wrote:
> > Root cause - haproxy intentionally double logs :
> > https://github.com/haproxy/haproxy/blob/master/src/server.c
> > srv_update_addr(...) { ... /* generates a lo
Great to hear - thanks !
On Sat, Nov 6, 2021 at 12:58 AM Vincent Bernat wrote:
> ❦ 5 November 2021 17:05 -06, Jim Freeman:
>
> > Might this (or something 2.4-ish) be heading towards bullseye-backports ?
> > https://packages.debian.org/search?keywords=haproxy
> > htt
Might this (or something 2.4-ish) be heading towards bullseye-backports ?
https://packages.debian.org/search?keywords=haproxy
https://packages.debian.org/bullseye-backports/
Thanks,
...jfree
On Fri, Nov 5, 2021 at 8:51 AM Christopher Faulet
wrote:
> Hi,
>
> HAProxy 2.2.18 was released on
observations and befuddlement ...
https://www.mail-archive.com/haproxy@formilux.org/msg41308.html
"This computer stuff is hard ..."
On Tue, Oct 19, 2021 at 3:24 AM Christopher Faulet
wrote:
> On 10/13/21 at 8:30 PM, Jim Freeman wrote:
> > In adding a couple of new securi
Many thanks for your insight and response - I'll check that out.
On Tue, Oct 19, 2021 at 3:24 AM Christopher Faulet
wrote:
> On 10/13/21 at 8:30 PM, Jim Freeman wrote:
> > In adding a couple of new security response headers via haproxy.cfg (one
> is 112
> > bytes, th
Nope - never mind. Plenty of successful traffic with the sec-ch-ua*
headers.
I'll keep poking re: PH/500 w/o "show errors", and confess here when/how I
find it is the result of being ignernt.
On Mon, Oct 18, 2021 at 11:41 AM Jim Freeman wrote:
> Ran tcpdump on the proxy in sea
Ran tcpdump on the proxy in search of useful detail.
Saw these unfamiliar (to me) headers on the PH/500 'd request :
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
sec-ch-ua-mobile: ?0
Googled, found : https://www.chromium.org/updates/ua-ch, was a tad FUD'd by
===
Possible Site
In adding a couple of new security response headers via haproxy.cfg (one is
112 bytes, the other 32), a few requests are now getting 500 status (PH
session state) responses, but "show errors" has 0 entries? Most responses
succeed (all have the additional headers), so it's not a problem with the
!
On Fri, Jun 4, 2021 at 4:43 PM Aleksandar Lazic wrote:
>
> On 04.06.21 21:32, Jim Freeman wrote:
> > https://developer.chrome.com/docs/extensions/reference/proxy/
> > supports SOCKS4/SOCKS5
> >
> > Does anyone know of any in-browser VPN/proxy extensions that supp
https://developer.chrome.com/docs/extensions/reference/proxy/
supports SOCKS4/SOCKS5
Does anyone know of any in-browser VPN/proxy extensions that support
Willy's Proxy Protocol ?
https://www.haproxy.com/blog/haproxy/proxy-protocol/ enumerates some
of the state of support, but doesn't touch on
66bb18 <+88>: rol $0x7,%rax
0x5566bb1c <+92>: mov 0x8(%rsp),%rdi
0x5566bb21 <+97>: xor %fs:0x28,%rdi
0x5566bb2a <+106>: lea (%rax,%rax,8),%rax
0x5566bb2e <+110>: jne 0x5566bb45
0x00005566bb30 <
Stock 1.8.19-1+deb10u3 on Debian10 runs fine, but when I install
2.2.8-1~bpo10+1 from buster-backports, I get "Illegal instruction" ?
Is my CPU just too historic ?
# strace -f ./haproxy -f ~/haproxy.cfg
...
openat(AT_FDCWD, "/etc/haproxy/errors/504.http", O_RDONLY) = 4
fstat(4,
Root cause - haproxy intentionally double logs :
https://github.com/haproxy/haproxy/blob/master/src/server.c
srv_update_addr(...) { ... /* generates a log line and a warning on
stderr */ ... }
On Thu, Apr 15, 2021 at 11:06 PM Jim Freeman wrote:
...
> The duplication of logging the
org/download/1.8/src/CHANGELOG
* 2019/11/25 : 1.8.23
* BUG: dns: timeout resolve not applied for valid resolutions
On Thu, Apr 15, 2021 at 1:43 AM Jim Freeman wrote:
>
> Migrating from stock stretch-backports+1.8 to Debian_10/Buster+2.0 (to
> purge 'reqrep' en route to 2.2), /var/log/
...
On Thu, Apr 15, 2021 at 2:02 AM Jarno Huuskonen wrote:
>
> Hello,
>
> On Thu, 2021-04-15 at 01:43 -0600, Jim Freeman wrote:
> > This is puzzling, since haproxy.cfg directs all logs to local*
> > After some investigation, it turns out that the daemon.log and syslog
> > ent
Migrating from stock stretch-backports+1.8 to Debian_10/Buster+2.0 (to
purge 'reqrep' en route to 2.2), /var/log/ is suddenly filling disk
with messages about changed IPs :
===
2021-04-14T01:08:40.123303+00:00 ip-10-36-217-169 haproxy[569]:
my_web_service changed its IP from 52.208.198.117 to
at a safe non-default for accepted_payload_size to
address this issue in future.
Thanks to all,
...jfree
On Thu, Oct 24, 2019 at 2:29 PM Jim Freeman wrote:
> https://github.com/haproxy/haproxy/issues/341
>
> On Thu, Oct 24, 2019 at 11:44 AM Lukas Tribus wrote:
>
>> Hello,
>
https://github.com/haproxy/haproxy/issues/341
On Thu, Oct 24, 2019 at 11:44 AM Lukas Tribus wrote:
> Hello,
>
> On Thu, Oct 24, 2019 at 5:53 PM Jim Freeman wrote:
> >
> > Yesterday we had an ELB scale to 26 IP addresses, at which time ALL of
> the servers in that back
Yesterday we had an ELB scale to 26 IP addresses, at which time ALL of the
servers in that backend were suddenly marked down, e.g. :
Server www26 is going DOWN for maintenance (unspecified DNS error)
Ergo, ALL requests to that backend got 503s ==> complete outage
Mayhap
That looks right on - thanks for the pointer !
I couldn't tell from the brief gander I took - works the same for
'server-template' as for 'server' ?
On Sat, Jul 27, 2019 at 2:53 AM Aleksandar Lazic wrote:
> Hi.
>
> On 27.07.2019 at 00:24, Jim Freeman wrote:
> > For outgoing
For outgoing TLS connections, might haproxy be taught to use a reasonable
default/implicit value 'sni' [1] expression/behavior that would 'first do
no harm'[2], and usually be correct, in the absence of an explicit
expression ? (Understood that haproxy depends on an SSL lib)
E.g.; req.hdr(host)
Much thanks for the insights, clarifications, and solution possibilities.
Will chew on this for a bit ...
On Wed, Jun 27, 2018 at 10:40 PM, Willy Tarreau wrote:
> On Wed, Jun 27, 2018 at 04:08:27PM -0600, Jim Freeman wrote:
> > With a configuration having many 'redirect's (and wantin
With a configuration having many 'redirect's (and wanting to know which
'Location' a given request was redirected to), I configured
capture response header Location len 64
log-format %hs
, but see no log entries for redirects I know haproxy is generating.
With further testing, I know that
u <w...@1wt.eu> wrote:
>
>> Hi Jim,
>>
>> On Thu, May 24, 2018 at 08:50:29AM -0600, Jim Freeman wrote:
>> > I'm not seeing any signs of this feature sliding into 1.9 source - any
>> > danger of it not going in to the current dev branch?
>> > A
I'm not seeing any signs of this feature sliding into 1.9 source - any
danger of it not going in to the current dev branch?
Are there further concerns/problems/... standing in the way ? (it
addresses one of my few haproxy gripes)
...jfree
[ grateful/impressed haproxy user - thanks to all
Or kludge around it with eg; http://www.issihosts.com/haveged/ ?
On Wed, May 23, 2018 at 1:48 PM, Lukas Tribus wrote:
> Hello,
>
>
> On 23 May 2018 at 18:29, Emeric Brun wrote:
> > This issue was due to openssl-1.1.1 which re-seed after an elapsed time
> or
It will be important to know which behavior AWS's Route53/DNS servers use ?
Using stock Debian/Stretch BIND9 (1:9.10.3.dfsg.P4-12.3+deb9u4), we see
haproxy downing backend servers with
"Server is going DOWN for maintenance (unspecified DNS error)."
feel comfortable enough, please send me / the ml a patch and I can
> review it.
> If you have any questions on the design, don't hesitate to ask.
>
> Baptiste
>
>
> On Mon, Jan 8, 2018 at 1:56 PM, Jim Freeman <sovr...@gmail.com> wrote:
>
>> No new libs needed.
>
No new libs needed.
libc/libresolv 's res_ninit() suffices ...
http://man7.org/linux/man-pages/man3/resolver.3.html
On Fri, Dec 29, 2017 at 2:26 PM, Lukas Tribus <lu...@ltri.eu> wrote:
> Hi Jim,
>
>
> On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman <sovr...@gmail.com>
> On 29 December 2017 at 21:26, Lukas Tribus <lu...@ltri.eu> wrote:
> > Hi Jim,
> >
> >
> > On Fri, Dec 29, 2017 at 10:14 PM, Jim Freeman <sovr...@gmail.com> wrote:
> >> Looks like libresolv 's res_ninit() parses out /etc/resolv.conf 's
> >>
Great feedback - thanks !
I'll take a look at the code ...
On Fri, Dec 29, 2017 at 12:59 PM, Lukas Tribus <lu...@ltri.eu> wrote:
> Hello,
>
>
> On Fri, Dec 29, 2017 at 7:00 PM, Jim Freeman <sovr...@gmail.com> wrote:
> > I'm a bit befuddled by the different na
I'm a bit befuddled by the different nameserver config 'twixt these 2 modes?
[ Methinks I grok the need for an internal non-libc/libresolv resolver ]
Why isn't the /etc/resolv.conf start-time config used (or at least
available) as a default run-time config (chroot notwithstanding)?
Under what
FWIW / FYI -
# haproxy -v
HA-Proxy version 1.5.18 2016/05/10
An in-house vulnerability scanner found our haproxy stats sockets and
started probing, sending bogus requests, HTTP_* methods, etc.
The many requests, even though the request paths were not valid at the
stats socket, made for a DoS
y
for auto- tweaking/configuring, so sensible inherent default cfg
mechanisms rock.
World class system software - thanks, and thanks, and thanks again !
On Tue, Apr 18, 2017 at 1:03 AM, Baptiste <bed...@gmail.com> wrote:
>
>
> On Fri, Apr 14, 2017 at 4:58 PM, Jim Freeman
trivial typo in log.c
From 6b51be4bc3b71eda400a7c0012a4642f393acaae Mon Sep 17 00:00:00 2001
From: Jim Freeman <sovr...@gmail.com>
Date: Sat, 15 Apr 2017 08:01:59 -0600
Subject: [PATCH] CLEANUP - typo: simgle => single
---
src/log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
The "resolvers" section doc discusses default values for all its
parameters except "nameservers".
If I have a one-line "resolvers" eg;
"resolvers default"
with no parameters listed, are the system (or context eg; chroot)
/etc/resolv.conf nameservers used? [ this would be a boon to cfg
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html
s/formated/formatted/g
https://github.com/haproxy/haproxy/search?q=simgle
single ?
simple ?
s/haproxy.log sourcetype = haproxy
4/21/16
3:05:06.722 PM
{ [-]
bytes_c: 577
bytes_s: 2448514
cip: 10.107.152.81
con_act: 1133
con_back: 0
con_frnt: 0
con_srv: 0
date: 21/Apr/2016:21:05:06.722
hdrs: {Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) Apple
raph attached]
On Thu, Apr 21, 2016 at 11:44 AM, Jim Freeman <sovr...@gmail.com> wrote:
> Followup: alert triggered this AM - I'll provide what bits I was able
> to glean. [ HA-Proxy version 1.5.17 ]
>
> A proxy's CPU1 pegged @10:21. To isolate the connections to a
> non-listen
wrote:
> Hi Jim,
>
> On 15/04/2016 at 23:20, Jim Freeman wrote:
>>
>> I have haproxy slaved to 2d cpu (CPU1), with frequent config changes
>> and a '-sf' soft-stop with the now-old non-listening process nannying
>> old connections.
>>
>> Sometimes CPU1
I have haproxy slaved to 2d cpu (CPU1), with frequent config changes
and a '-sf' soft-stop with the now-old non-listening process nannying
old connections.
Sometimes CPU1 goes to %100, and then a few minutes later request
latencies suffer across multiple haproxy peers.
An strace of the nanny
-resolvers
On Tue, Mar 22, 2016 at 11:21 PM, Jim Freeman <sovr...@gmail.com> wrote:
> a la squid, but w/o caching, and a syntax I'm more comfortable with,
> and a resolvers mechanism that can handle AWS ELB elasticity.
>
> http://wiki.squid-cache.org/Features/HTTPS#CONNECT_
PM, Jim Freeman <sovr...@gmail.com> wrote:
> I see METH_CONNECT as a pre-defined acl, but much googling leaves me
> without a clue as to how to use it.
>
> I hope to have haproxy act as a forward proxy target for browsers
> using a proxy.pac file. I believe proxied traffic (
I see METH_CONNECT as a pre-defined acl, but much googling leaves me
without a clue as to how to use it.
I hope to have haproxy act as a forward proxy target for browsers
using a proxy.pac file. I believe proxied traffic (both HTTP and
HTTPS) usually goes to the same proxy port, with HTTPS
Indeed - I hardcode the frontend_name in the .cfg (instead of using
%f), and it works.
Thanks much!
On Fri, Mar 18, 2016 at 3:30 PM, Cyril Bonté <cyril.bo...@free.fr> wrote:
> Hi Jim,
>
> On 18/03/2016 at 21:52, Jim Freeman wrote:
>>
>> I'm trying to add a header
I'm trying to add a header only if the last occurrence of it is not
the frontend_name (%f), but the header field name comparison seems to
be case sensitive when it should not be ?
haproxy.cfg
listen foo.bar
bind :10001
mode http
log 127.0.0.1:514 local2 debug info
acl XOH_OK
[ using 1.6.3 on Debian8 ]
Are acl's re-calculated after a 'reqrep' of the request line?
I'm seeing evidence that they are, but am finding no mention in the
docs/google, and am somewhat taken aback.
...jfree
As best I can tell, no mention is made of set-log-level in the Logging
[Section 8] of the doc.
Something akin to the following in the doc would have saved a good chunk of
time/angst in addressing a logging issue I encountered :
diff --git a/doc/configuration.txt b/doc/configuration.txt
index
We're getting some congestion from blind-shooting (or maybe just
stupid-shooting) scrapers who make (mostly bad) requests, with
occasional successes.
We'd like to tarpit unsuccessful responses.
Any experience on how to accomplish that ?
( A rspitarpit directive would be awesome )
Kudos on an
We have :
defaults
...
timeout connect 5000
timeout client 30
timeout server 30
...
backend foo
...
timeout tarpit 29s
acl SRC_abuser hdr_ip(X-Forwarded-For,-1) 1.2.3.4
acl busy be_sess_rate gt 10
reqitarpit . if SRC_abuser busy
Our logs are
On Wed, Aug 27, 2014 at 4:39 AM, Baptiste bed...@gmail.com wrote:
On Tue, Aug 26, 2014 at 5:31 PM, Jim Freeman jfree...@gmail.com wrote:
Is there an easy/efficient way to set an acl as a direct side-effect
of a reqrep (not) matching/replacing ?
Thanks,
...jfree
Hi Jim,
Please clearly
Is there an easy/efficient way to set an acl as a direct side-effect
of a reqrep (not) matching/replacing ?
Thanks,
...jfree
In a 2-tier haproxy setup (tier1 instances/VMs do domain steering (and some
SSL termination) across many 10s of backends to tier2 path-steering
instances),.
I'd like to scale either/both tiers horizontally without compounding
#tier1 instances * #backends * #tier2 instances
healthcheck
used for
debugging purposes.
[ BTW - many, many thanks for this insanely great and useful software ]
...jfree
On Sat, Jan 25, 2014 at 3:49 AM, Willy Tarreau w...@1wt.eu wrote:
On Thu, Jan 23, 2014 at 04:19:35PM -0700, Jim Freeman wrote:
Using haproxy-1.5-dev19 on Debian/Wheezy, and haproxy
Ah - tragic :-) - it's been handy for us to search/share our system stuff
using log analytics ...
Thanks again, and again, and again ...
On Sat, Jan 25, 2014 at 10:18 AM, Willy Tarreau w...@1wt.eu wrote:
On Sat, Jan 25, 2014 at 10:15:30AM -0700, Jim Freeman wrote:
Since the man page
Using haproxy-1.5-dev19 on Debian/Wheezy, and haproxy-1.5-dev21 on
CentOS6.2, killing haproxy with SIGQUIT gets me nothing in the system logs.
SIGHUP gets proxy/server status info into the logs just fine.
I'm using them the same way, but SIGQUIT seems to just do ... nothing?
Nut loose on the
62 matches