RE: Better understanding of nbproc vs distributing interrupts for cpu load management

2014-11-28 Thread Lukas Tribus
Hi, you're right. If you need to scale your SSL processing capacity in HAProxy *a lot*, you must use multiple processes. That said, the multiproc model has some counterparts (stats, server status, health checks are local to each process, stick-tables can't be synchronized, etc.). With

RE: Better understanding of nbproc vs distributing interrupts for cpu load management

2014-11-26 Thread Lukas Tribus
Hi Chris, No, there's one regexp on a rarely-used backend. Here's our (redacted) config: https://gist.github.com/chrisotherwise/cfdd04216d622437f5fe Here's the output from haproxy -vv: https://gist.github.com/chrisotherwise/23067a39fd59449d52f1 Here's the output from sar when we were

RE: Better understanding of nbproc vs distributing interrupts for cpu load management

2014-11-25 Thread Lukas Tribus
Hi, Thanks for your reply. We have tried this approach and while it gives some benefit, the haproxy process itself remains cpu-bound, with no idle time at all - with both pidstat and perf reporting that it uses close to 100% of available cpu while running. I think SSL/TLS termination is

RE: Significant number of 400 errors..

2014-11-22 Thread Lukas Tribus
Hi Alexey, All, I've tripled the default buffer size, doubled maxconn and added accept invalid http request from client and server. This got rid of a large number of the 400s but not all. Any ideas what it could be? There's nothing else specific in the logs and haproxy-status is all

RE: Significant number of 400 errors..

2014-11-22 Thread Lukas Tribus
Hi Lukas, I had decoded the error message and it didn't make sense. There is no connection limit reached, there are no filters. If you look at the rest of the log line, there were no cookies. In fact, the last part a security check which detected and blocked a dangerous error

RE: debugging ssl passthrough+haproxy

2014-11-21 Thread Lukas Tribus
We need to check how haproxy 1.5 ssl-hello-chk behaves, if it's still SSLv3 only, it would probably be a good time to upgrade this to TLS (at least v1.0). Enable SSLv3 on your server or disable ssl-hello-chk to work around the issue. It is, though I would rather add an additional keyword,

RE: SPDY and haproxy

2014-11-21 Thread Lukas Tribus
Hi Shawn, If we get mod_spdy installed on Apache, what's required to make that available through haproxy? The documentation I've found is somewhat confusing. From what I've been able to piece together, it sounds like we would need to have a virtualhost on Apache that provides SPDY on a

RE: significant cpu use with path_reg acl with haproxy 1.5

2014-11-21 Thread Lukas Tribus
On Fri, Nov 21, 2014 at 06:23:43PM +0100, Willy Tarreau wrote: There were changes to the acl part but in theory this should not impact performance, especially not like this. Are you sure you compiled 1.5 the same way as you did for 1.4 ? Please run haproxy -vv for both versions and output the

RE: debugging ssl passthrough+haproxy

2014-11-19 Thread Lukas Tribus
We need to check how haproxy 1.5 ssl-hello-chk behaves, if it's still SSLv3 only, it would probably be a good time to upgrade this to TLS (at least v1.0). Enable SSLv3 on your server or disable ssl-hello-chk to work around the issue. It is, though I would rather add an additional keyword,

RE: debugging ssl passthrough+haproxy

2014-11-18 Thread Lukas Tribus
Hi Brian, I’m trying to debug some ssl haproxy issue (we’re not terminating at the proxy). It appears to dislike the SSL connection (client to VIP, and VIP to real server). I’m trying to figure out if this is a configuration issue (which doesn’t seem likely, we have private

RE: debugging ssl passthrough+haproxy

2014-11-18 Thread Lukas Tribus
Getting the same sort of reply: # openssl s_client -connect 216.121.28.78:443 No, I meant to connect to the origin server, not haproxy itself, but from the proxy VM: openssl s_client -connect 216.121.17.252:443 Regards, Lukas

RE: debugging ssl passthrough+haproxy

2014-11-18 Thread Lukas Tribus
Hi Brian, On 18/11/2014 20:12, Brian Menges wrote: $ curl --ssl --ciphers ALL -v 216.121.28.78:443 First issue here, please prefix your URL with https:// Otherwise curl will try to send plain HTTP on port 443. The --ssl parameter makes sure here that curl indeed uses SSL. A https://

RE: Making TLS go faster

2014-11-14 Thread Lukas Tribus
Hi, I actually suspect most of that time due to our own code running in Liferay/Tomcat, but I'd like to be able to say that I've done everything I can to eliminate TCP, HTTP, and SSL as bottlenecks. If haproxy with a recent openssl will automatically do dynamic record sizes without config,

RE: Making TLS go faster

2014-11-14 Thread Lukas Tribus
Be advised that OCSP stapling is slowly dying, check [2] and [3]. I hope not. OCSP without stapling is dying, yes, but OCSP stapling along with the X.509 Must Staple extension [1], and more likely the X.509 TLS feature extension [2], are a scalable way of solving a real problem. [1]

RE: How to ignore backend busy server

2014-11-13 Thread Lukas Tribus
Hi Lukas, Thanks for your reply. I got this from the document: leastconn : Use of this algorithm is recommended where very long sessions are expected, such as LDAP, SQL, TSE, etc... but is not very well suited for protocols using short sessions such as HTTP. Why the leastconn is

RE: Making TLS go faster

2014-11-13 Thread Lukas Tribus
Hi Shawn, I've been tasked with making our websites more responsive, particularly with TLS. I was given this video to watch: https://www.youtube.com/watch?v=0EB7zh_7UE4 This video specifically mentions haproxy, and I can see conversations including Ilya on my mailing list history, which

RE: HTTP : having /foo/ served by another backend

2014-11-11 Thread Lukas Tribus
Hello folks, I'm not sure what to use, and if it's possible. I have a website : http://www.radiom.fr. The whole site is served by a couple of backend servers. Everything works fine. I would like to know if it's possible to have http://www.radiom.fr/foo/ served by another backend. Thank

RE: How to ignore backend busy server

2014-11-10 Thread Lukas Tribus
Hi, Hi haproxy team, I met a problem with haproxy. I found my backend servers sometimes, parts of them, got very busy, too many connections in srv_conn, maybe the backend database has a slow response to the backend web server. So my question is, is there any way to configure haproxy

RE: Unable to get Haproxy 1.5.x working with 2 backend servers listed. Worked fine with older version using TCP mode and no ssl

2014-11-10 Thread Lukas Tribus
Hi, Our application runs on Tomcat on RHEL. I've been able to get haproxy to work well with our 2 backend servers that host the application. That was with haproxy v1.4.x with non-ssl. But when I try to set it up with haproxy 1.5.x with ssl I can only get one backend server to work in

RE: the order of evaluation of acl's

2014-11-06 Thread Lukas Tribus
Could someone be kind enough to take a stab at this? It is really important for us to know this. And the documentation just is not clear at all. What's wrong with the existing replies? http://thread.gmane.org/gmane.comp.web.haproxy/18827/focus=18984 Lukas

RE: puzzled : timeout tarpit

2014-11-04 Thread Lukas Tribus
timeout tarpit 29s acl SRC_abuser hdr_ip(X-Forwarded-For,-1) 1.2.3.4 acl busy be_sess_rate gt 10 reqitarpit . if SRC_abuser busy Our logs are telling us that the tarpitted connections are sending an http status of 500, but after 30 ms ? It should be 29s (if the 'timeout tarpit 29s'

RE: hardcoded ssloptions

2014-10-30 Thread Lukas Tribus
Hi, You can disable SSLv3 among other things just fine in haproxy 1.5: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29 Sorry for not being clear. I'd like this: src/ssl_sock.c: 1469 long ssloptions = 1470 SSL_OP_ALL | /* all known

RE: hardcoded ssloptions

2014-10-30 Thread Lukas Tribus
main reasoning: all known workarounds for bugs as of compile time might change in future (as new openssl bugs are being uncovered). I still don't get it. These are not openssl bugs, but workarounds in openssl for bugs in other ssl libraries or applications. not in all cases, some options

RE: hardcoded ssloptions

2014-10-29 Thread Lukas Tribus
Is there any sensible reason that the value of ssloptions is hardcoded instead of passed with config (i.e. similarly to ssl-default-bind-ciphers)? I'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future it may be likely to add some other options to avoid openssl bugs in

RE: hardcoded ssloptions

2014-10-29 Thread Lukas Tribus
Previous mail was somehow messed up, here is my proper response: Is there any sensible reason that the value of ssloptions is hardcoded instead of passed with config (i.e. similarly to ssl-default-bind-ciphers)? I'd like to add NO_SSLv3 which is apparently not in 1.5.6 and in future it may be

RE: Connection pooling and the Connection header

2014-10-28 Thread Lukas Tribus
Hi Conrad, Hey all, can someone give me a very brief summary of how haproxy handles its connection pooling when the backend server sends Connection: close and/or HTTP/1.0? Simple: there is no connection pooling at all (yet). When a backend emits Connection: close: - the Connection: close

RE: multiple installations on the same machine

2014-10-28 Thread Lukas Tribus
Hi Jeff, could i install multiple instances of HAProxy on one machine? Why would you do that exactly? Please explain, because I feel like you are doing it for the wrong reasons. Maybe what you are trying to achieve can be done more efficiently. How? Would you like to *install* multiple

RE: multiple installations on the same machine

2014-10-28 Thread Lukas Tribus
One reason for that would be to separate the flow and configuration of different systems. If i use the same installation for multiple systems (propelled by different teams and agendas) then each time the config file is touched, all systems are likely to be affected and hence the

RE: Haproxy Frontend:80 Backend:443

2014-10-27 Thread Lukas Tribus
Hi, backend test_a option httpchk http-request set-header Host 10.0.0.1 reqrep ^([^\ ]*)\ /service1(.*) \1\ /serviceA\2 rspirep ^(Location:)\ https://([^/]*)/(.*)$\1\ http://\2/service1/\3 server one 10.0.0.1:8550 The problem: The site

RE: Haproxy Frontend:80 Backend:443

2014-10-27 Thread Lukas Tribus
I check service with: curl --insecure -E test.pem https://10.0.0.1:8550/serviceA/myapp?wsdl // Work Ok curl --insecure www.example.com/service1/myapp?wsdl // Fail curl --insecure -E test.pem www.example.com/service1/myapp?wsdl // Fail In haproxy how replace the

RE: Frozen backend connection count

2014-10-24 Thread Lukas Tribus
Hi, I'm using HAProxy on Debian Wheezy to balance a web app and I'm currently having huge problems with HAProxy and its balancing on our backend servers. I have a backend with 4 servers. When a traffic spike hits the frontend for those servers, they get close to their configured max

RE: userlist with bcrypt $2y$ encrypted passwords on Debian Wheezy

2014-10-23 Thread Lukas Tribus
Hi all, I am currently trying to have basic user authentication enabled using a hash starting with $2y$ While this hash is working very fine in combination with PHP's password_hash(), it seems the same hash string is not working for basic authentication in haproxy.cfg. I'm not entirely

RE: URL Encoding Problem BADREQ umlaut

2014-10-21 Thread Lukas Tribus
Hi, I've got a problem with a specific URL which runs through haproxy and produces a HTTP 400 BADREQ. It seems haproxy doesn't like the encoding of the URL; when I remove the umlaut in it, it gets through correctly. I've tested it with haproxy 1.5.5-1~bpo70+1 from debian. (1.4 works) URL is

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-20 Thread Lukas Tribus
Hi Heiko, I did a couple of new tests. But as my self-compiled version 1.5.5 did behave weird sometimes I decided to have a try with the 1.5.2 from Red Hat which was packaged with RHEL 6.6. I will do a re-test tomorrow but: - the self-compiled version tried to use TLS 1.2 a couple of times

Re: How to increase some timeouts

2014-10-20 Thread Lukas Tribus
Hello, I would like to increase the timeout delay for the actual L7 HTTP checks on the backends. I have a (quite slow) application that (of course), need a lot of improving. Anyway, it sometimes takes more than 2000ms to answer, I guess, because one of the nodes display as L7TOUT/200 in 2001

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-20 Thread Lukas Tribus
One other thing that comes to my mind is intermediate certificates. Are intermediate certificates correctly installed on haproxy? Here we got the problem and now it is clear to me — all the behavior we saw in the tcpdumps. The browsers have the intermediate cert installed and that's why it

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-18 Thread Lukas Tribus
Hi Heiko, Also, please try the bind keywords no-tlsv12, no-tlsv11 and ciphers TLS_RSA_WITH_RC4_128_SHA. If this makes it work, please apply the attached debug patch and just run it with force-tlsv10, I would like to know if that call fails. I added the parameters except

RE: Understanding haproxy cpu usage in ssl-offload scenario

2014-10-17 Thread Lukas Tribus
Hi Dennis, Now from what I read on the net about haproxy I expected that the load-balancing isn't that cpu intensive and that most of the cpu usage should be generated by the ssl offloading but what I'm seeing is that the two cores 0 and 4 are at 20% idle while the rest is at 80-90% idle

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-17 Thread Lukas Tribus
Hi Heiko, #- # test configuration #- frontend test1 bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem #ciphers HIGH:RC4-SHA:!ADH #ciphers

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-17 Thread Lukas Tribus
Used the bind parameter before which did / does not help and created a tcpdump with the mentioned settings (DH = 1024 Bit and force tls) with your requested parameters. Something doesn't add up. The handshake you sent me is still negotiating TLSv1.2 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-17 Thread Lukas Tribus
Hi Heiko, Currently, I start haproxy manually with this command (in the same shell I edit the config file, thus I have to stop haproxy with CTRL-C for changes): — haproxy -d -f /etc/haproxy/haproxy.cfg — I see. Can you run it through strace -tt, Not that I expect to see why the TLS

RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-16 Thread Lukas Tribus
Hi Heiko! Due to connection limit problems I'd like to remove stunnel from a configuration in front of haproxy. The original setup was: - stunnel was responsible for the SSL(https) connection - using localhost the web traffic was transferred to haproxy - haproxy divided traffic into web

RE: Strange memory usage

2014-10-14 Thread Lukas Tribus
Hi Dmitry, show pools after few days of uptime: Dumping pools usage. Use SIGQUIT to flush them. - Pool pipe (32 bytes) : 961 allocated (30752 bytes), 5 used, 3 users [SHARED] - Pool capture (64 bytes) : 0 allocated (0 bytes), 0 used, 1 users [SHARED] - Pool channel (80 bytes) : 4136

RE: Strange memory usage

2014-10-13 Thread Lukas Tribus
Hi Dmitry, I am using haproxy-1.5.4 on FreeBSD-10. Upon startup, it looks like this: PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 8459 www 1 37 0 86376K 28824K CPU16 16 0:16 26.56% haproxy (about 80MB RES) Its 80MB SIZE and 28M RES here. PID USERNAME THR PRI NICE

RE: Sessions idle not closed by HAProxy

2014-10-13 Thread Lukas Tribus
Date: Mon, 13 Oct 2014 18:21:25 +0200 Subject: Sessions idle not closed by HAProxy From: webmas...@ajeux.com To: haproxy@formilux.org Hello, I'm having trouble with some connections active for hours on HAProxy (1.5.2) but not doing anything.

RE: Sessions idle not closed by HAProxy

2014-10-13 Thread Lukas Tribus
Hi Olivier, Is this this patch that fixed the issue ? http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb No, this one: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=f94735eb76e634d7531f9c903113f64820c4cec0 Regards, Lukas

Re: Patch for 1.5 with SSL to compile properly on OpenBSD

2014-10-06 Thread Lukas Tribus
Hi Jeff, I have both a patch and build instructions for OpenBSD builds with SSL support here: https://gist.github.com/jbuchbinder/ab33b7528b75fa99fcca Why would you build openssl yourself and especially why would you install it to your system paths? This likely breaks your system. I

RE: HAProxy 1.5.4 fails to build on Solaris 10 (sparc)

2014-10-05 Thread Lukas Tribus
Hi Sebastian, Undefined first referenced symbol in file __sync_sub_and_fetch src/shctx.o __sync_val_compare_and_swap src/shctx.o __sync_lock_test_and_set src/shctx.o ld: fatal: symbol referencing errors. No output written to haproxy collect2: ld returned 1 exit status make: *** [haproxy]

RE: Server Sent Events on iOS

2014-10-02 Thread Lukas Tribus
Try (please ignore the tunnel test from my previous mail): frontend external bind :80 acl DYN path_beg /events use_backend backend_httpclose if DYN default_backend test backend test server test localhost:3000 backend backend_httpclose option httpclose server test localhost:3000 As

RE: EC2 Haproxy stops taking requests

2014-10-01 Thread Lukas Tribus
Hi, I am using haproxy with Apache to keep alive an EC2 server. Sometimes haproxy stops taking new requests; during this period we can't open our website. If I reload the haproxy service it starts working normally. Please clarify what can't open means exactly, what error you see in the

RE: EC2 Haproxy stops taking requests

2014-10-01 Thread Lukas Tribus
I didn't see any error on browser and haproxy log. Browser gets stuck in forever wait until I reload/restart haproxy service Because your queue timeout is 24 hours, so haproxy waits for 24 hours until it returns a 503. of increasing timeout clients our checkout page show blank page on

RE: Requests not expiring, exp=NEVER in Version: 1.5.3

2014-10-01 Thread Lukas Tribus
Hi Clark, I found the problem to be this line in the frontend: tcp-request content track-sc1 urlp(apiKey) if !source_is_abuser The solution for me was to check that the url parameter apiKey exists, and only store it in the sticktable if it exists. Then my connections were expiring

RE: maxconn question

2014-10-01 Thread Lukas Tribus
Hi Diana, In our HAProxy, we have maxconn defined in both global and defaults sections, and there are total 5 frontend listeners configured: global maxconn 10240 … defaults mode http maxconn 5000 …. frontend FE-1 … frontend FE-2 … frontend FE-3 … frontend FE-4

RE: Why is 1.5.4 not listed as current version on website

2014-10-01 Thread Lukas Tribus
Hi, I notice there was an announce for 1.5.4 at the beginning of September but this is not listed as the current version on http://www.haproxy.org/#down Willy just updated the website, thanks. Thanks, Lukas

RE: Server Sent Events on iOS

2014-10-01 Thread Lukas Tribus
Then you can see the client has used http piping (pretty dumb considering the browser should know this connection is occupied) to send requests for /21.png /22.png /23.png ( the hanging resources) [...] Exactly. The fact the client is requesting static resource on a pipelined HTTP connection

RE: Binding http and https on same port

2014-10-01 Thread Lukas Tribus
Hi Alexander, Is it possible to bind both HTTP and HTTPS on the same port with haproxy. Something like this: frontend data-in mode http bind 0.0.0.0:8080 crt if ssl /path/to/crt Obviously above doesn't work. Is there something similar? There may be something, but you will have to put

RE: Forcing an HTTP close in certain cases

2014-10-01 Thread Lukas Tribus
Hi David, Howdy, I'm using HAProxy to choose among a series of dynamically allocated HTTP backends. Basically, a user goes to URL A and clicks on the start my service link. A new browser window/tab is popped up and they get the new service/URL in the tab. Basically, go to /service, click

RE: shellshock and haproxy

2014-09-30 Thread Lukas Tribus
Hi Jeff, [ALERT] 272/080419 (29422) : parsing [/etc/haproxy.cfg:295] : 'reqdeny' : regular expression '^[^:]+:\s+.*?([^]+){5,}' : regex '^[^:]+:\s+.*?([^]+){5,}' is invalid Which version of haproxy were you able to use that regex with? Make sure you compiled haproxy with PCRE
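As an added example, not code from the post or from HAProxy, here is the kind of check a `reqdeny` rule for this case is trying to express, written in Python's `re`. The regex quoted above appears mangled by the archive, so the pattern below is my own choice rather than a reconstruction of it: the public CVE-2014-6271 ("shellshock") trigger, a bash function definition `() {` at the very start of a header value, which is the only position a vulnerable bash parses when a CGI exports the header into its environment (a `() {` in the middle of a cookie value, as in the constructed `Cookie` line, is therefore deliberately not flagged). The requests are constructed for the example. One point from the post carries over: `\s` and the lazy `.*?` are PCRE syntax, so a haproxy built without `USE_PCRE=1` (libc POSIX regex) will not accept a rule written that way.

```python
import re
from typing import List, Tuple

# Signature chosen for this example: the bash function-definition prefix
# "() {" (with optional whitespace) at the start of a header value. A
# vulnerable bash (CVE-2014-6271) parsed such a value as a function export
# and executed whatever followed the function body.
SHELLSHOCK_VALUE_RE = re.compile(r"^\s*\(\)\s*\{")

# One "Name: value" header line. haproxy's reqdeny runs its regex against
# each request line separately, so a header rule has exactly this shape.
HEADER_LINE_RE = re.compile(r"^(?P<name>[^:\s]+):[ \t]*(?P<value>.*)$")

# Constructed sample requests (not taken from the thread).
MALICIOUS_REQUEST = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: () { :;}; echo vulnerable\r\n"
    b"Referer: () { ignored; }; echo also\r\n"
    b"Cookie: session=() {not-at-start}\r\n"   # bash ignores this: not a prefix
    b"\r\n"
)
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/7.38.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def split_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into its request line and header pairs.

    Only the head (up to the blank line) is looked at; the body is irrelevant
    for this check because CGI only exports headers into the environment.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        m = HEADER_LINE_RE.match(line)
        if m:
            headers.append((m.group("name"), m.group("value")))
    return lines[0], headers


def find_shellshock_headers(raw: bytes) -> List[str]:
    """Return the names of all headers whose value starts with "() {"."""
    _, headers = split_request(raw)
    return [name for name, value in headers if SHELLSHOCK_VALUE_RE.search(value)]


def should_deny(raw: bytes) -> bool:
    """Decision a reqdeny-style rule would take for this request."""
    return bool(find_shellshock_headers(raw))


if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "deny" if should_deny(req) else "allow",
              find_shellshock_headers(req))
```

The anchored `^\s*` is what keeps the rule precise: matching `\(\)\s*\{` anywhere in a line would also fire on harmless values that merely contain the characters, while the vulnerable bash only acts on a value that begins with them.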

RE: Compile ZLIB in OpenBSD 5.4

2014-09-27 Thread Lukas Tribus
At the end, I have compiled Haproxy in OpenBSD 5.4 with SSL .- Haproxy 1.5.4 .- install gmake and gcc from ports and compile with gmake USE_SSL All Ok, thanks That's the correct thing to do, yes. BSD and OSX makefiles have since been removed, because they lacked all the new

RE: haproxy segmentation fault

2014-09-22 Thread Lukas Tribus
Hi Seri, # cat host_to_backend.map Host to Backend mapping list # Edge Domain I don't think you can do that, please remove any comments, newlines and unnecessary spaces from those files. Lukas

RE: haproxy segmentation fault

2014-09-22 Thread Lukas Tribus
Hi Seri, This configuration works well in 1.5.4 release version and b53934e. but, in 5436afc commit, haproxy crashes frequently. Thanks for this, this will help pinpointing the issues, however, I am still unable to reproduce the crash. Can you send a more complete configuration to reproduce

RE: Spam to this list?

2014-09-05 Thread Lukas Tribus
On Thu, Sep 4, 2014 at 3:51 AM, Steven Haigh net...@crc.id.au wrote: Hi guys, I've noticed that this list seems to get more spam than I've ever experienced before on any mailing list. Is there anyone administrating this list? Is spamassassin used on the list? -- Steven Haigh Hi

RE: help!

2014-09-02 Thread Lukas Tribus
Ok, I will compose an email and write to haproxy@formilux.org ? Yes, on every mail, including your responses to me (at least in CC). And please drop your if you have received this email in error signature when you're posting, that just looks silly since your mail is public anyway.

Re: Error 500 with -m Option

2014-09-01 Thread Lukas Tribus
Hi, So 4096 Megabytes of Memory should be more than enough. Even MySQL and / or Apache2 had way less allocated. Still my requests got lost in the place of nowhere. Later I ran haproxy via the command line to see a debug log, everything worked. Everything. I removed -m and everything worked

RE: help!

2014-09-01 Thread Lukas Tribus
Hi Matthew, I have some basic queries on setting haproxy up for a novice! Just read the documentation and ask here. Are you aware of any good support forums out there? No forum, this mailing list is the proper way to ask for help/advice/support for haproxy. There is also an irc channel,

RE: [PATCH] MEDIUM: enable low latency polling on systems which support it

2014-08-29 Thread Lukas Tribus
Hi Ben, Hi all, I've started a patch to enable busy poll support for listener sockets. It can be enabled by adding busy-poll in the bind line. For systems that don't define SO_BUSY_POLL, building with the USE flag USE_BPS is required. I build-tested this on a ubuntu trusty machine

Re: ssl nbproc 1 and chrome

2014-08-28 Thread Lukas Tribus
Hi Jarno, I'm testing ssl offloading with nbproc 1, and I'm having a (random?) problem with chrome. (This could be related to chrome 408 errors (http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/)). Note that the 408 bug should be fixed in Chrome 37, which was

RE: ssl question on HAProxy 1.5

2014-08-26 Thread Lukas Tribus
Hi Patrick, Hello everyone, I’m trying to add HAProxy in such configuration : Client-Internet-[Apache (including proxy-module Siteminder agent for authentication/coarse-grained authorization)-HAProxy for load balancing]-Front-end Web servers Brackets define that Apache and

RE: ssl question on HAProxy 1.5

2014-08-26 Thread Lukas Tribus
Hi Patrick, Hi Lukas, Thank you for your answer. please remember to CC the list. My question is quite different in fact The same exact keywords (ssl/verify/crt to name a few) have different meanings based on their location. When reading the docs you must therefore be careful in which

RE: keep alive timeouts

2014-08-26 Thread Lukas Tribus
Hi Joseph, Hi everyone, I hope someone can help out. I have a customer who has an IPSEC tunnel, using PAT so that our systems only see requests from a single IP, from their facility to us, they are then passing through a firewall to go into haproxy, old version part of vShield so I don't

Re: Serve static files with HAProxy

2014-08-25 Thread Lukas Tribus
Hi Ludovic, Hi, Before 1.5 release of HAProxy, I used Nginx for SSL and serve static files. But now, I use only Nginx to serve static files, because I've better performances with HAProxy for SSL. I know that HAProxy is only to proxy queries, but I've tried to serve a static file

RE: Application Persistence with WebSockets

2014-08-25 Thread Lukas Tribus
Hi Ryan, I apologize, but I am not sure the usual procedure regarding changes. What is the next step? Should I put together a change that simply looks for status codes less than 200, but that is not 101? Or did we need more discussion? I would like to hear Willy's opinion about

RE: Serve static files with HAProxy

2014-08-25 Thread Lukas Tribus
Hi, Thanks for the remark, but I already know this fact, it's because of that I've enabled cache in Nginx. Well, this is not the proper place to discuss why nginx doesn't perform well (you should talk to nginx folks), but I suppose it's not really caching the file in memory (perhaps you are just

RE: TCP Port Forwarding

2014-08-23 Thread Lukas Tribus
Hi! Hi Lukas : - Thanks for the reply. - We have a (A) node for example that will stream tcp data towards a mediation B node. - The A node only can support 1 destination IP address and tcp port. - In our case we have 3 mediation nodes (B , C and D). I see, but your requirement is not

RE: TCP Port Forwarding

2014-08-22 Thread Lukas Tribus
Hi, - Can haproxy be used as a tcp proxy to forward traffic to many backend servers without any load balancing? You can certainly configure it to just failover from one server to another, is that what you mean? - Just perform as tcp forwarding to many clients with no balancing algorithms.

Re: Application Persistence with WebSockets

2014-08-20 Thread Lukas Tribus
Hi Ryan, I recently started investigating using HAProxy to ensure that multiple WebSocket connections from the same browser (or device) end up communicating with the same application server. Forwarding all connections from the same origin to the respective application server greatly

RE: [PATCH 0/4] build fixes for boringssl

2014-08-19 Thread Lukas Tribus
Hi Thomas, In fact the boringssl build is not optimized for production use, it would need some manual changes before building. What about polarssl or cyassl? What's your opinion about that if you're going to reduce footprint (e.g. size of the lib) I don't have a strong opinion about it, the

RE: [PATCH 0/4] build fixes for boringssl

2014-08-18 Thread Lukas Tribus
Hi, Have you run any performance benchmark against those SSL libraries? No, I didn't. In fact the boringssl build is not optimized for production use, it would need some manual changes before building. LibreSSL should be quite ok, here's a benchmark with nginx:

[PATCH 0/4] build fixes for boringssl

2014-08-17 Thread Lukas Tribus
OCSP). I think it would be a good thing to get this into the development tree, so that people can start playing with it. cheers, Lukas Lukas Tribus (4): BUILD: ssl: handle boringssl in openssl version detection BUILD: ssl: disable OCSP when using boringssl BUILD: ssl: don't call

[PATCH 1/4] BUILD: ssl: handle boringssl in openssl version detection

2014-08-17 Thread Lukas Tribus
boringssl. Signed-off-by: Lukas Tribus luky...@hotmail.com --- src/haproxy.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/haproxy.c b/src/haproxy.c index 9f742c7..74b2687 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -269,10 +269,15 @@ void display_build_opts

[PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl

2014-08-17 Thread Lukas Tribus
Google's boringssl doesn't currently support OCSP, so disable it if detected. OCSP support may be reintroduced as per: https://code.google.com/p/chromium/issues/detail?id=398677 In that case we can simply revert this commit. Signed-off-by: Lukas Tribus luky...@hotmail.com --- include/proto

[PATCH 3/4] BUILD: ssl: don't call get_rfc2409_prime when using boringssl

2014-08-17 Thread Lukas Tribus
get_rfc2409_prime_1024() and friends are not available in Google's boringssl, so use the fallback in that case. Signed-off-by: Lukas Tribus luky...@hotmail.com --- src/ssl_sock.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c

[PATCH 4/4] MINOR: ssl: don't use boringssl's cipher_list

2014-08-17 Thread Lukas Tribus
, but that's better than compiler warnings and crashes. This may be replaced one day by properly implementing the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus luky...@hotmail.com --- src/ssl_sock.c | 14 +++--- 1

RE: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-08-15 Thread Lukas Tribus
Hi Remi! Well, I really hope you're right. This patch looks in the cipher's description instead of its name. Sorry about the mess. in src/ssl_sock.c:1582:11: ciphers = ctx->cipher_list; can we use the API instead of accessing cipher_list directly? With [1] perhaps? Background: I'm

RE: How does balance leastconn work with long-lived HTTP sessions?

2014-08-11 Thread Lukas Tribus
Hi Dan! The documentation for leastconn says The server with the lowest number of connections receives the connection -- does this mean a new HTTP connection, or a new request on an existing connection (e.g. with HTTP keep-alive)? In our use case, we have a relatively small (a few

RE: How does balance leastconn work with long-lived HTTP sessions?

2014-08-11 Thread Lukas Tribus
Hi Dan, Instead, for your environment you should use http-server-close: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#option%20http-server-close Does this actually close the HTTP session, close the sockets, etc? Yes. Because of the large number of requests per second

Re: Client timeout with chrome and html5 video

2014-08-01 Thread Lukas Tribus
Hi, I have a strange and reproducible problem with Chrome and an html5 video player. The video starts playing and after 15-20 seconds it stops with this error Failed to load resource: net::ERR_CONTENT_LENGTH_MISMATCH The same video plays perfectly on safari and firefox, windows

RE: Client timeout with chrome and html5 video

2014-08-01 Thread Lukas Tribus
Hi, I tried it and it happens again... neither nginx nor haproxy report an error... it's all on Chrome's side. Then you didn't configure logging probably. Fix it, and post the exact log output when this happens. Lukas

RE: Client timeout with chrome and html5 video

2014-08-01 Thread Lukas Tribus
Hi, My configuration is on the first email... anyway, the only lines that appear on /var/log/haproxy.log are: for chrome Aug 1 16:52:31 ritapavone haproxy[3671]: 79.152.236.x:53792 [01/Aug/2014:16:52:26.878] public static/statsrv1 0/0/0/0/5011 206 3838688 - - cD-- 0/0/0/0/0 0/0
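A small parser for log lines in this format, as an added example that is not part of the thread or of HAProxy's own tooling. It decodes the two leading letters of the termination state (the cause and the session state at close, per the haproxy HTTP log format documentation) that several threads on this page hinge on: the `cD--` on the line above is a client-side timeout (`c`) that fired while data was being transferred (`D`) after Tt=5011 ms, which lines up with the `timeout client 5000` mentioned in this thread; a request stopped by `reqtarpit`, as in the `timeout tarpit` thread earlier on this page, ends with a 500 and is logged as `PT`. The first sample line is the one quoted above (cut off after the queue counters, as on the page); the other two lines, including the `<NOSRV>` tarpit one, are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed input: the first line is the one quoted in the thread above
# (truncated exactly as on the page); the other two are made up here to show a
# tarpitted request (PT, status 500) and a normal completion (----).
SAMPLE_LINES = [
    "Aug 1 16:52:31 ritapavone haproxy[3671]: 79.152.236.x:53792 "
    "[01/Aug/2014:16:52:26.878] public static/statsrv1 0/0/0/0/5011 206 3838688 "
    "- - cD-- 0/0/0/0/0 0/0",
    "Nov 4 10:00:01 lb1 haproxy[1234]: 1.2.3.4:40001 [04/Nov/2014:09:59:32.010] "
    "www www/<NOSRV> 3/-1/-1/-1/29004 500 187 - - PT-- 12/12/0/0/0 0/0 "
    "\"GET /login HTTP/1.1\"",
    "Nov 4 10:00:02 lb1 haproxy[1234]: 10.0.0.7:51234 [04/Nov/2014:10:00:02.120] "
    "www www/web1 1/0/1/12/14 200 2750 - - ---- 10/10/3/1/0 0/0 "
    "\"GET /index.html HTTP/1.1\"",
]

# First termination-state letter: who or what ended the session.
CAUSE = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session (security check, rate limit, tarpit, ...)",
    "R": "a proxy resource was exhausted",
    "I": "internal error in the proxy",
    "D": "session killed because the server was detected DOWN",
    "U": "session on a backup server killed because an active server came UP",
    "K": "session actively killed by an admin",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal session completion",
}
# Second letter: what the session was doing when it ended.
STATE = {
    "R": "waiting for a complete request from the client",
    "Q": "in the backend queue waiting for a connection slot",
    "C": "waiting for the TCP connection to the server",
    "H": "waiting for or processing the response headers",
    "D": "transferring data from server to client",
    "L": "transferring the last data to the client",
    "T": "request was tarpitted",
    "-": "normal completion after end of data transfer",
}

HTTP_LOG_RE = re.compile(r"""
    ^(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+haproxy\[\d+\]:\s+)?   # optional syslog prefix
    (?P<client>[^\s:]+):(?P<cport>\d+)\s+
    \[(?P<accept>[^\]]+)\]\s+
    (?P<frontend>\S+)\s+
    (?P<backend>[^/\s]+)/(?P<server>\S+)\s+
    (?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+)\s+
    (?P<status>-?\d+)\s+(?P<bytes>\+?\d+)\s+
    (?P<req_cookie>\S+)\s+(?P<resp_cookie>\S+)\s+
    (?P<tstate>\S{4})\s+
    (?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+)\s+
    (?P<srv_queue>\d+)/(?P<be_queue>\d+)
    (?P<rest>.*)$                                       # captures and request line, if present
""", re.VERBOSE)

INT_FIELDS = ("cport", "Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes", "actconn",
              "feconn", "beconn", "srvconn", "retries", "srv_queue", "be_queue")


def parse_http_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one haproxy HTTP-format log line; None if it is not one."""
    m = HTTP_LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in INT_FIELDS:                       # "+" marks a truncated counter
        rec[key] = int(str(rec[key]).lstrip("+"))
    ts = str(rec["tstate"])
    rec["cause"] = CAUSE.get(ts[0], "unknown cause %r" % ts[0])
    rec["state"] = STATE.get(ts[1], "unknown state %r" % ts[1])
    rec["cookie_flags"] = ts[2:]                 # persistence cookie handling, left raw
    return rec


def explain(rec: Dict[str, object]) -> str:
    """One-line human reading of a parsed record, as you would say it on the list."""
    return "%s -> %s/%s status=%s bytes=%s Tt=%sms: %s while %s" % (
        rec["client"], rec["backend"], rec["server"], rec["status"],
        rec["bytes"], rec["Tt"], rec["cause"], rec["state"])


def count_terminations(lines: Iterable[str]) -> Counter:
    """Histogram of the two-letter termination codes, the first thing to look at."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_http_log(line)
        if rec:
            counts[str(rec["tstate"])[:2]] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_http_log(sample)
        print(explain(parsed) if parsed else "unparsed: " + sample)
    print(count_terminations(SAMPLE_LINES))
```

Running it over a day's log and looking at the `count_terminations` histogram first separates the cases this page keeps confusing: a spike of `cD` means clients (or a `timeout client` that is too short for slow downloads) ended transfers; `PT` and `PR` are the proxy's own doing (tarpit and rejected requests, the latter being what the 400-error thread above needed to decode) and are never the backend's fault.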

RE: Client timeout with chrome and html5 video

2014-08-01 Thread Lukas Tribus
Hi, I was interested in knowing if, besides setting timeout client to a high value, there are any other options for mitigating this issue... Our production servers had timeout client 5000 and that showed intermittent problems, so we ended up changing it to timeout client 6.

RE: SPDY fails

2014-07-28 Thread Lukas Tribus
Hi, I don't see why it would fail, you could share a tcpdump capture of the TLS handshake? https://www.cloudshark.org/captures/c237da70245a 194.19.225.226 - client ip (latest Chrome) 213.175.75.10 - backend ip (spdy on port 88) 213.175.75.238 - haproxy Looks ok as well (but the actual

Re: SPDY fails

2014-07-27 Thread Lukas Tribus
Hi Reinis, Hello, I'm trying to implement the haproxy nginx spdy / ssl offloading setup, but somehow it is not working for me. For simplicity I used https://gist.github.com/igrigorik/8960971 haproxy config, but while testing with Chrome and FF the spdy is never enabled nor the spdy

RE: 100% CPU after upgraded to 1.6dev

2014-07-18 Thread Lukas Tribus
Hi Igor, Hi, Had upgrade from 1.5dev 21 to 1.6dev, the CPU usage became insane to 100%, in dev21, it's about 0%. Config file: https://gist.github.com/0c21a67c7be1e7a62a2f Is 1.5.2 stable affected as well? What exact commit are you using in 1.6dev (please post haproxy -vv output)?

RE: 100% CPU after upgraded to 1.6dev

2014-07-18 Thread Lukas Tribus
Hi Igor, hi Thomas, On 18.07.2014 19:22, Igor wrote: Hi, I use git commit e63a1eb290a1c407453dbcaa16535c85a1904f9e, 1.5.2 same result like git version. Ok, can you still post the haproxy -vv output please. Best thing would be if you could git bisect this in the haproxy-1.5 repository. Could

RE: [PATCH] Memory corruption building Proxy Protocol V2 header

2014-07-18 Thread Lukas Tribus
Hi Willy, hi Dave, Hi Dave, On Thu, Jul 17, 2014 at 02:34:01PM -0400, Dave McCowan wrote: Here is the corrected (and retested) :-) patch. Commit comment: Use temporary trash chunk, instead of global trash chunk in make_proxy_line_v2() to avoid memory overwrite. Thank you, I've just

RE: 100% CPU after upgraded to 1.6dev

2014-07-18 Thread Lukas Tribus
Hi Igor, ./haproxy -vv HA-Proxy version 1.6-dev0-41 2014/07/12 Copyright 2000-2014 Willy Tarreau w...@1wt.eu Build options : TARGET = linux2628 CPU = native CC = gcc CFLAGS = -O2 -march=native -g -fno-strict-aliasing OPTIONS = USE_LINUX_SPLICE=1 USE_REGPARM=1 USE_OPENSSL=1

Re: UDP Listener

2014-07-18 Thread Lukas Tribus
Hi Serghei, Hi guys. In my config file there is a string: log 127.0.0.1 local6 info After haproxy restart i receive UDP listener which listens on *:non-priv port. Is there a way to restrict it to some interface/address? 127.0.0.1 for example? It's not currently possible to restrict this

RE: SSL on plain TCP mode

2014-07-16 Thread Lukas Tribus
Hi Steven, The idea is that haproxy takes the SSL connect, then forwards plain TCP to the mail server on port 25 - thereby providing an SMTP over SSL connection. Please keep in mind that implicit SSL on a dedicated TCP port (SMTPS, port 465) will work, but STARTSSL on port 25 will not work,

Re: Conditionally disable TCP_NODELAY

2014-07-16 Thread Lukas Tribus
Hi Patrick, It would be nice to be able to control the usage of TCP_NODELAY. Right now it looks like haproxy immediately turns the flag on upon any frontend or server connection. When doing bulk data transfers, this can have a negative impact on performance. HAProxy uses MSG_MORE to

RE: Strange crash of HAProxy 1.5.1

2014-07-09 Thread Lukas Tribus
Hi Merton, I tried compiling with make CFLAGS=-g -O0, but it complained that the TARGET variable must be specified. So I compiled using: make CFLAGS=-g -O0 TARGET=linux2628 USE_OPENSSL=1. Funny enough, the compiled binary did not crash anymore. I then tried: make CFLAGS=-g -O0
