Re: Is there a way to extract list of bound IPs via stats socket ?

2017-09-01 Thread Lukas Tribus
Hello, On 01.09.2017 at 15:46, Mariusz Gronczewski wrote: > Hi, > > I've been working on a piece of code to announce IPs (via ExaBGP) only if: > > * HAProxy is running > * HAProxy actually uses a given IP > * a frontend with a given IP is up for a few seconds. > > I could do that via lsof but

Re: HAProxy 1.7.9 very slow with HTTP compression

2017-08-31 Thread Lukas Tribus
Hi Nick, On 31.08.2017 at 14:16, Nick Stolwijk wrote: > Today we noticed something strange after updating our HAProxy to 1.7.9. A > request which took a mere second before now takes a whopping 45 seconds. > > After some playing around, we found that if we turned off the compression on >

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Lukas Tribus
Hello, > Hehe yikes! This was it. It’s normal that someone gets lost in all > this cipher crap and it should be written in the HaProxy manual as > an important step on how to harden security. It's not a good idea to suggest specific cipher settings in the manual, as the situation may change

Re: Two way authentication issue

2017-08-25 Thread Lukas Tribus
Hello, On 25.08.2017 at 17:27, Markus Rietzler wrote: > you can do or use client authentication with ssl certificates on haproxy. My point is: you cannot enable SSL client certificate authentication on a specific URI. You need server based renegotiation for that, which haproxy does not

Re: Two way authentication issue

2017-08-25 Thread Lukas Tribus
Hello, On 25.08.2017 at 01:47, Keresztes Péter-Zoltán wrote: > Hello > > Basically what I need is when I browse /service/ws to use client certificate > authentication otherwise for everything else to use normal ssl termination this is not possible with Haproxy. Also, never ever bind to the

Re: Bug

2017-08-21 Thread Lukas Tribus
Hello, On 21.08.2017 at 09:48, Andrzej Sobociński wrote: > > Hey, > > I found a bug in haproxy 1.7, also not working in ver 1.6 > > Condition does not work properly in option http-response > > Can you fix that? Thx > >   > > CFG: > >   > > frontend https-secure.pl > >   acl is_domain hdr(host) -i

AW: Re: CPU 100% when waiting for the client timeout

2017-08-17 Thread Lukas Tribus
Hello, > Is this bug fixed now in 1.6.13 or 1.7.8? > > We have confirmed this bug still exists in 1.6.3. Yes, the fix is in 1.7.4 and 1.6.12. Regards, Lukas

Re: maxconn not respecting idle connections?

2017-08-17 Thread Lukas Tribus
Hello, On 09.08.2017 at 11:12, Willy Tarreau wrote: > > There might be something which can work, which is > to chain to a TCP listener. It will enforce the maxconn count at the TCP > level. Or a simpler workaround, disable http keepalive on the backend with "option http-server-close".

Re: maxconn without queue?

2017-08-02 Thread Lukas Tribus
Hello, On 02.08.2017 at 14:41, Claudio Kuenzler wrote: > Quick update: I set a really short timeout on the queue (timeout queue 100) > so HAProxy returns a 503 to the 7th connection almost immediately as well. > That's what I was about to propose, yes. You should even be able to set "timeout

Re: Problem with BOM in healthcheck-file?

2017-07-20 Thread Lukas Tribus
Hello, On 20.07.2017 at 17:28, rai...@ultra-secure.de wrote: > > >> od -c bomfile. > > > 000 377 376 s \0 e \0 r \0 v \0 e \0 r \0 _ \0 > 020 u \0 p \0 \r \0 \n \0 > 030 > Obviously haproxy can't match this. Not only because of the BOM, but also

Re: Does anyone heard about DPDK

2017-07-17 Thread Lukas Tribus
Hello, On 15.07.2017 at 14:18, Andrew Smalley wrote: > On 15 July 2017 at 10:32, Aleksandar Lazic wrote: >> Hi, >> >> Network acceleration with DPDK >> https://lwn.net/Articles/725254/ >> >> -- >> Best Regards >> Aleks I believe eBPF + XDP is more interesting at this

Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-07-13 Thread Lukas Tribus
Hello! On 29.06.2017 at 16:14, Philipp Kolmann wrote: > Hi Lukas, > > On 06/19/17 21:23, Lukas Tribus wrote: >> On 19.06.2017 at 11:27, Philipp Kolmann wrote: >>> This config works in 1.5.8 but fails to tcp-check in 1.7.5. >>> >>> The errors in the lo

Re: 2x filter + keep-alive regressions (1.7 affected)

2017-07-06 Thread Lukas Tribus
Hi Christopher, On 06.07.2017 at 23:01, Christopher Faulet wrote: > > Hi guys, > > Attached patches should fix this bug. The real fix is in the last one. > But all the 3 must be backported in 1.7. I made tests with the Lukas > config and http-keep-alive timeout is now respected. But because

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-07-06 Thread Lukas Tribus
Hi Christopher, On 30.06.2017 at 11:14, Christopher Faulet wrote: > >> We are seeing this as well on 1.7.5. The problem seems to be >> intermittent--it doesn't happen very often when I hit a system with almost >> no load, but is happening very frequently on a high load system. I don't >>

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-05 Thread Lukas Tribus
Hi Emeric, On 05.07.2017 at 13:58, Emeric Brun wrote: > >> Another bisect (this time with -dM or -DDEBUG_MEMORY), another commit... >> Now it points to 23e9e931 (MINOR: log: Add logurilen tunable). >> >> > Hi Lukas, > > Indeed this commit introduced a regression. > > The commit in attachment

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
On 04.07.2017 at 23:18, Willy Tarreau wrote: > On Tue, Jul 04, 2017 at 10:57:08PM +0200, Lukas Tribus wrote: >> The call trace doesn't really look different when I used -dM or >> -DDEBUG_MEMORY. >> >> I was able to get a different trace by actually connecti

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi, On 04.07.2017 at 22:35, Willy Tarreau wrote: > > This one should theoretically not be caused by an issue in the task scheduler, > unless we're reusing something already freed. We could retry it with -dM > and/or -DDEBUG_MEMORY to force earlier corruption to pop up. The call trace doesn't

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi Willy, On 04.07.2017 at 22:24, Willy Tarreau wrote: > Hi Lukas, > > On Tue, Jul 04, 2017 at 09:56:09PM +0200, Lukas Tribus wrote: >> Hi Emeric, >> >> >> since 8d85aa4 ("BUG/MAJOR: map: fix segfault during 'show >> map/acl' on cli") my setup

ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi Emeric, since 8d85aa4 ("BUG/MAJOR: map: fix segfault during 'show map/acl' on cli") my setup crashes when a request comes in going through SSL termination. Memory corruption, invalid pointers, double free is what haproxy randomly crashes with. Here are 2 crashes with full backtraces: *** Error

2x filter + keep-alive regressions (1.7 affected)

2017-06-30 Thread Lukas Tribus
Hello Christopher, William, Willy, et al.! Matt McDonagh reported a regression on discourse [1] in 1.7.6, that causes haproxy to ignore "timeout http-keep-alive" when going through filters (aka compression is enabled) and also causes logging to be delayed. Because timeouts are ignored and wrong

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Lukas Tribus
d prevented people - in this case Jarno - from trying to explain the same thing all over again). It's about helping people out, but that doesn't work in the long term when we have people deliberately spread questions about the same topic across different channels (mailing list, discourse). Lukas Tribus: &

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Lukas Tribus
Hello, On 27.06.2017 at 12:04, Velmurugan Dhakshnamoorthy wrote: > Dear, > The HAProxy 1.6.12 has been implemented on Red Hat Linux 7.2(3.10) and we > have set the maxconn to 100 in listen block(front-end). Our objective is to > queue connections more than 100 into linux kernel syn log until

Re: Reverse Gateway Throught Security Zones

2017-06-22 Thread Lukas Tribus
Hello Himer, this is probably not the response you wanna hear ... On 22.06.2017 at 22:47, Himer Martinez wrote: > Hello Guys, > > Sorry to bother you with my specific questions :-) > > Let's imagine a paranoid security team who forbids http and tcp flows between > the dmz zone and the green

Re: HAProxy makes backend unresponsive when handling multiple thousand connections per second

2017-06-21 Thread Lukas Tribus
Hello, > Daniel, if using ssl to the backends shouldn't you use http mode? > Per your config you are using tcp which is default one. Afaik tcp > is for ssl passthrough. For the record, this is not true. Just because you need TCP mode for TLS passthrough, doesn't mean you have to use HTTP mode

Re: Trouble getting rid of Connection Keep-Alive header

2017-06-21 Thread Lukas Tribus
Hi Mats, On 21.06.2017 at 14:30, Mats Eklund wrote: > > Hi, > > > Thanks, here's the full config: > So for the record, what you are trying to achieve is to disable HTTP keep-alive between haproxy and the browser? In the default section, replace: option http-server-close with: option

Re: Trouble getting rid of Connection Keep-Alive header

2017-06-21 Thread Lukas Tribus
Hello Mats, On 21.06.2017 at 07:59, Mats Eklund wrote: > > > Hi, > > > I am running a load balanced Tomcat application on Openshift Online v2, with > HAProxy ver. 1.4.22 as load balancer. > > > I would like to have HTTP connections closed after each response is returned. > But am unable to

BUG: frontend IP/port logging broken since 9b061e332

2017-06-20 Thread Lukas Tribus
Hello, as per Mathias Weiersmueller's report on discourse [1], there is a bug in TCP logging when using a custom log-format, accessing the frontend IP or port (%fi/%fp or the deprecated form %Fi/%Fp) in conjunction with other log variables like %Tw or %B. Repro config: global log syslog

Re: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC

2017-06-20 Thread Lukas Tribus
Hello, On 20.06.2017 at 17:00, Teichmann, Janek wrote: >> I'm not sure if this was backported in RedHat/CentOS. Is the package >> up to date (should be openssl-1.0.1e-60.el7.x86_64 afaik)? > By now openssl is recent (your version is right), but there are for long no > openssl bugfixes. I

Re: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC

2017-06-19 Thread Lukas Tribus
Hello Janek, On 19.06.2017 at 14:13, Teichmann, Janek wrote: > Hi, > > I have a problem with HAProxy 1.5.18 on a Centos 7.2.1511. I installed the > HAProxy from the epel repository. So just the normal packages. > The problem is a rarely appearing ssl handshake error. HAProxy is terminating >

Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-06-19 Thread Lukas Tribus
Hello, On 19.06.2017 at 11:27, Philipp Kolmann wrote: > This config works in 1.5.8 but fails to tcp-check in 1.7.5. > > The errors in the logfile look like this: > > Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is > DOWN, reason: Socket error, info: "No port

Re: Logging SSL pre-master-key

2017-06-13 Thread Lukas Tribus
Hi Patrick, On 13.06.2017 at 01:31, Patrick Hemmer wrote: > > > On 2017/6/12 15:14, Lukas Tribus wrote: >> Hello, >> >> >> On 12.06.2017 at 19:35, Patrick Hemmer wrote: >>> Would we be able to get a new sample which provides the SSL session >>&

Re: Issue while using Proxy protocol in TCP mode

2017-06-13 Thread Lukas Tribus
Hello Vijay, On 13.06.2017 at 10:07, Vijay Bais wrote: > Hello, > > I am using HAProxy version 1.5-dev25-a339395. This is an unstable, more than 3 years old development version of haproxy. There is no way we can support this release here. Upgrade to a stable release, first of all. > >

Re: Logging SSL pre-master-key

2017-06-12 Thread Lukas Tribus
Hello, On 12.06.2017 at 19:35, Patrick Hemmer wrote: > Would we be able to get a new sample which provides the SSL session > master-key? > This is so that when performing packet captures with ephemeral ciphers > (DHE), we can decrypt the traffic in the capture. There is no master key. What you

Re: Scaling HAProxy over multiple cores with session stickyness

2017-06-09 Thread Lukas Tribus
Hello Peter, On 09.06.2017 at 10:27, Peter Kenens wrote: > > I understand that more than 1 HAProxy process can be configured > (nbproc) and via cpu-map and bind-process you can specify to which > cores these processes might bind. > > I also understand that the table with cookies is kept in

Re: Updates to the stable release process

2017-06-08 Thread Lukas Tribus
Hello! On 08.06.2017 at 17:30, Willy Tarreau wrote: > Hi all, > > William has joined Cyril and me in the stable maintenance team. We're now > three to have direct commit access, so don't be surprised if you see > new names in "git log --format=fuller" or in the gitweb interface. > That's a very

Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Lukas Tribus
Hello Norman, On 31.05.2017 at 00:13, Norman Branitsky wrote: > > You are correct. > > I was setting the jvmRoute parameter to be the server id (AWS EC2 > InstanceID) in my regular apps served by HAPRoxy 1.5.18. > > The HAProxy 1.7.5 testing is using a different app that obviously > doesn't

Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Lukas Tribus
Hello Norman, On 30.05.2017 at 18:06, Norman Branitsky wrote: > > The server’s identifier is not added to the cookie. > Did you specify the cookie value on the server line [1], as per [2]: > The value of the cookie will be the value > indicated after the >

Re: [PATCH] MEDIUM: ssl: disable SSLv3 per default for bind

2017-05-25 Thread Lukas Tribus
Hello, On 23.05.2017 at 17:17, Emmanuel Hocdet wrote: > Hi, > > I think it’s time to disable SSLv3 on bind line per default. > All configurations should have no-sslv3 (or use an ssllib without sslv3). > SSLv3 can be enabled with "ssl-min-ver SSLv3. > > What do you think? +1 agreed, no need to

Re: Haproxy first core 100%

2017-05-25 Thread Lukas Tribus
Hello Haim, On 25.05.2017 at 09:23, Haim Ari wrote: > > Hello, > > > I'll try to describe the issue as clearly as possible: > > > We set up an haproxy Cluster on Ubuntu16.04 + pacemaker + corosync > > We faced an issue where after working for a few hours with single core > (the haproxy process

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Lukas Tribus
Hi, On 11.05.2017 at 21:13, Jim Pingle wrote: > On 05/11/2017 01:58 PM, Frederic Lecaille wrote: >> I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM. >> >> Replacing your call to close() by fd_delete() which removes the fd from >> the fd set used by kevent *and close

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-10 Thread Lukas Tribus
Hi Baptiste, commit 26c6eb838 breaks kqueue; in the child process we see: 3069: kevent(0,{ 4,EVFILT_READ,EV_ADD,0x0,0x0,0x0 1,EVFILT_READ,EV_ADD,0x0,0x0,0x0 5,EVFILT_READ,EV_ADD,0x0,0x0,0x0 },3,0x0,0,0x0) ERR#9 'Bad file descriptor' full truss output below. I had to remove Jim from CC, as my

Re: haproxy not creating stick-table entries fast enough

2017-05-09 Thread Lukas Tribus
Hello, On 09.05.2017 at 02:52, redundantl y wrote: > The way ab is being executed is inline with our real world use. A > separately hosted application will generate HTML with several (20-30) > elements that will be loaded simultaneously by the end user's > browser. There isn't a delay, the

Re: haproxy not creating stick-table entries fast enough

2017-05-08 Thread Lukas Tribus
Hello, On 09.05.2017 at 00:38, redundantl y wrote: > I am running haproxy 1.5.18-3 on CentOS 7 and need to use the > stick-table feature to make sure traffic for a specific user persists > to a given server. > > Things work fine when connections come in slowly, however when there's > numerous

Re: Automatic Certificate Switching Idea

2017-05-08 Thread Lukas Tribus
Hello, On 30.04.2017 at 22:16, Daniel Schneller wrote: > Hi! > > Yes, you got it right. I have no idea if there are technical limitations in > the SSL library or other parts of the code that would make several > certificate/key pairs for the same domain infeasible. > > If there were hard

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

2017-05-08 Thread Lukas Tribus
Hello, On 08.05.2017 at 10:56, Daniel Schneller wrote: > Just my 2c, I very much support Kevin’s argument. > Even though we are not (yet) verifying backends — because currently we > _are_ in a private LAN — we are planning to deploy parts of our > application to public cloud infrastructure

[PATCH v3] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
> I'm just waiting for Emeric's approval to merge it. Don't commit yet, there's a little bug in it, I will send a v3 shortly. Sorry about that, lukas

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
>> SSL_OP_CIPHER_SERVER_PREFERENCE is not evil. But yeah - we do want to have >> maximal flexibility in every case. > > Does this mean that this should also be backported to 1.7 in your opinion ? > Maybe even older versions ? Yes, at this point (since the v2 patch doesn't change the default

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
> Can client "override" servers ssl-default-server-ciphers/bind ciphers( > or is the cipher suite selected from ssl-default-server-ciphers/ciphers)? Both the server and the client have a list of supported cipher suites, ordered by preference. With SSL_OP_CIPHER_SERVER_PREFERENCE enabled, the

Re: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-03 Thread Lukas Tribus
Hello, On 03.05.2017 at 20:05, Aleksandar Lazic wrote: On Wed, 3 May 2017 16:23:52 +, Lukas Tribus <luky...@hotmail.com> wrote: Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. I fully agree with you. One of my custom

[PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-03 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as

AW: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Lukas Tribus
Hi Manu, >> I care primarily about vanilla OpenSSL, and I don't get a sense that there >> is an >> interest to implement this for TLSv1.2. > > It makes sense with AEAD ciphers like AES-GCM and CHACHA20-POLY1305. and it’s > compatible with TLSv1.2. What I was trying to say above is: my

AW: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Lukas Tribus
Hello, > Hi Lukas, > > The response is in our link: > [2] https://github.com/openssl/openssl/issues/541 > > No need to disable this option per default and option is needed for security. The point is: when the admin is aware of TLS security, he can easily add a new config option on a major

[RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-04-28 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as

[PATCH] doc: update RFC references

2017-04-28 Thread Lukas Tribus
--- A few doc and code comment updates bumping RFC references to the new ones. --- doc/configuration.txt | 12 ++-- include/common/defaults.h | 2 +- include/proto/proto_http.h | 2 +- include/types/proto_http.h | 4 ++-- src/haproxy.c | 4 ++-- src/proto_http.c

Re: Fwd: Haproxy-1.5.12 High memory usage problem

2017-04-21 Thread Lukas Tribus
Hello lizj3624, we are gonna need the configuration, at least redacted. Especially important are timeouts and maxconn values. Also provide the output of haproxy -vv. On 21.04.2017 at 08:56, lizj3624 lizj3624 wrote: Why run a period of time, while dealing with a large number of HTTP

Re: Certificate order

2017-04-20 Thread Lukas Tribus
Hello, On 20.04.2017 at 15:05, Sander Hoentjen wrote: A new patch, that puts the order like this: config: crt A crt B [...] If A contains wildcard, and B contains exact match, then wildcard is used. This last one is different behavior from what is implemented now. People rely on the

Re: HaProxy Hang

2017-04-04 Thread Lukas Tribus
Hello, On 05.04.2017 at 00:27, David King wrote: Hi Dave Thanks for the info, So interestingly we had the crash at exactly the same time, so we are 3 for 3 on that The setups sound very similar, but given we all saw the issue at the same time, it really points to something more global. We

Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus
On 04.04.2017 at 19:12, Lukas Tribus wrote: Hello, On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote: It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect calls through "default_backend", but I got ERROR-404, it works fine with

Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus
Hello, On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote: It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect calls through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/browser. I know that, and

Re: ssl & default_backend

2017-03-31 Thread Lukas Tribus
Hello Antonio, On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote: On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote: I'm trying to use haproxy for balancing Citrix. I tried with: acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es acl citrixsf req_ssl_sni

Re: client connections being help open, despite option foceclose

2017-03-31 Thread Lukas Tribus
Hello, On 31.03.2017 at 19:59, Patrick Kaeding wrote: Okay, thanks Holger! We were hitting the maxconn limit, which is what sparked this investigation. When we were at that limit, the discrepancy between frontend and backend was higher than when I could observe it above (we restarted

Re: Overwrite "sec-websocket-key"

2017-03-24 Thread Lukas Tribus
Hi, On 24.03.2017 at 17:54, Thomas Sheppard wrote: Hi everyone, Could someone help us with some info on how to rewrite a request header before it's passed to the backend servers? Trying http-request add-header sec-websocket-key abc123 or reqadd sec-websocket-key:\ abc123 Does not work

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-22 Thread Lukas Tribus
On 22.03.2017 at 22:28, Cyril Bonté wrote: I'm OK with "hard-stop-after", I'll try to send the new patch tonight ;-) Great, thanks! Lukas

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-22 Thread Lukas Tribus
Hey, On 16.03.2017 at 01:27, Willy Tarreau wrote: > >> Thanks for raising that point. The choice was intended and may be subject to >> discussion. >> >> timeout keywords are (most of them, except maybe "timeout mail") defined in >> defaults/frontend/backend/listen sections, whereas this one

Re: Issue with multiple users on same LAN at client

2017-03-18 Thread Lukas Tribus
Hello Tony, On 18.03.2017 at 14:29, Tony Zakula wrote: Hi, We are having an issue when multiple users are on the same lan connecting to our network. We are running a network hosting maybe 20 servers/domains behind one HA proxy. Users on different networks connect fine. We are

Re: issues with ALPN and h2 on frontend

2017-03-16 Thread Lukas Tribus
Hi Matt, On 16.03.2017 at 21:29, Matt Jamison wrote: So from what I can find, mode http and alpn h2 are not supported together? That's not it. HTTP/2 is not supported in any haproxy release, period. The fact that you can tunnel arbitrary TCP payload through haproxy, while TLS terminating

Re: Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-16 Thread Lukas Tribus
Hello Ryan, On 16.03.2017 at 17:02, Ryan Collier wrote: We have a legacy application that can only use TLS 1.1 due to the version of Java it supports (1.6). We connect to a third party for credit card authorizations, and they are going to be upgrading their web services endpoint to only

Re: Client Cert Improvements

2017-03-04 Thread Lukas Tribus
Hi, On 04.03.2017 at 15:27, mlist wrote: I said I'm using a dedicated ip:443 bind as a clean solution because "the current haproxy client certificate management implementation is not optimal nor flexible nor scalable in other configurations" so, in this test we can waste one public IP and an

Re: Client Cert Improvements

2017-03-04 Thread Lukas Tribus
Hi Roberto, On 04.03.2017 at 11:51, mlist wrote: Hi, after discussing haproxy client certificate management with other forum users/devel, I ask if it is possible to improve haproxy client certificate management with this case specs: Allow haproxy to manage client certificates

Re: add header into http-request redirect

2017-02-26 Thread Lukas Tribus
Hi Igor, On 26.02.2017 at 23:19, Igor Cicimov wrote: > I don't see how the hsts header is being inserted in the redirect? You're right, it doesn't. My bad, I didn't read the article properly. However the example in the email from Thierry should do the trick; I thought the article does

Re: add header into http-request redirect

2017-02-26 Thread Lukas Tribus
Hi, On 26.02.2017 at 19:02, thierry.fourn...@arpalert.org wrote: Hi, If I understand, the 301 is produced by haproxy. If it is the case, there is an ugly solution. Haproxy can't add a header to a redirect because redirect is a final directive. After executing the redirect no more action are

Re: Processes dying and not regenerating

2017-02-26 Thread Lukas Tribus
On 26.02.2017 at 17:22, Stuart Rench wrote: Crashing. And is happening near daily. Then we need to fix that. Can you provide configuration, output of haproxy -vv and generate a core + backtrace? Do you use LUA? Did 1.6.x crash as well? Thanks, Lukas

Re: Processes dying and not regenerating

2017-02-26 Thread Lukas Tribus
Hi Stuart, On 25.02.2017 at 19:56, Stuart Rench wrote: I am running haproxy (v 1.7.2 and previously 1.6.x) with nbproc = 4 and only a simple cpu-map in the global section putting 1 process per core. I am seeing behavior where one or more processes die but are not regenerated by haproxy

Re: Client Certificates need dedicated IP:443 bind

2017-02-24 Thread Lukas Tribus
Ciao Roberto, On 25.02.2017 at 00:47, mlist wrote: Hi Lukas, probably you're saying something like this: Yes, exactly. But : 1. I don't know if this solution can have a negative impact on performance or other complex configuration It will have an impact of course; but TCP

Re: Feature request: routing a TCP stream based on Cipher Suites in a TLS ClientHello

2017-02-24 Thread Lukas Tribus
Hi, On 24.02.2017 at 08:29, Pavlos Parissis wrote: That means RedHat7, which comes with openssl 1.0.1, users can't use this functionality! Yes; the functionality being both RSA and ECC certificates at the same time and only if you use vanilla openssl 1.0.1 (you could link haproxy to a

Re: Client Certificates need dedicated IP:443 bind

2017-02-24 Thread Lukas Tribus
Hello, On 24.02.2017 at 09:04, mlist wrote: Hi, We configured haproxy for client certificates: bind :443 ssl crt ca-file verify optional Configuring in this way (at bind stage), however, haproxy always asks for a client certificate if present in the certificate store - for all domains, for

Re: https://www.haproxy.org SEC_ERROR_REVOKED_CERTIFICATE

2017-02-23 Thread Lukas Tribus
Hello, On 23.02.2017 at 22:28, Andrew Smalley wrote: Hi All I confirm I get the same and Firefox will not even let me visit the site. Thankfully http://blog.haproxy.com/ is non-ssl so it is still available. There are no HSTS or redirect headers forcing you to the https scheme; just

Re: Feature request: routing a TCP stream based on Cipher Suites in a TLS ClientHello

2017-02-23 Thread Lukas Tribus
Hi, On 23.02.2017 at 04:02, James Brown wrote: Unfortunately, that feature only works with OpenSSL 1.0.2 (which, incidentally, would be a good thing to note in the documentation)... Good point; I did not remember this either ... we have to fix the docs. Lukas

Re: Feature request: routing a TCP stream based on Cipher Suites in a TLS ClientHello

2017-02-22 Thread Lukas Tribus
Hello James, On 23.02.2017 at 01:11, James Brown wrote: Right now, the "best" way I'm aware of to serve both an RSA and an ECDSA certificate on the same IP to different clients is to use req.ssl_ec_ext to

Re: Possible bug with haproxy 1.6.9/1.7.0: multiproc + resolvers cause DNS timeouts

2017-01-26 Thread Lukas Tribus
Hello, On 29.11.2016 at 09:53, Willy Tarreau wrote: Hi Joshua, [ccing Baptiste] On Tue, Nov 29, 2016 at 02:17:17AM -0500, Joshua M. Boniface wrote: Hello list! I believe I've found a bug in haproxy related to multiproc and a set of DNS resolvers. What happens is, when combining these two

[PATCH] MINOR: ssl: don't show prefer-server-ciphers output

2017-01-11 Thread Lukas Tribus
The output of whether prefer-server-ciphers is supported by OpenSSL actually always shows yes in 1.8, because SSL_OP_CIPHER_SERVER_PREFERENCE is redefined before the actual check in src/ssl_sock.c, since it was moved there from src/haproxy.c. Since this is not really relevant anymore as we

Re: [PATCH] MINOR: compression: fix -vv output without zlib/slz

2017-01-11 Thread Lukas Tribus
Hello, On 11.01.2017 at 18:40, Aleksandar Lazic wrote: Just for my curiosity, why would someone want no compression? There are a number of reasons to compile with a smaller number of dependencies: - smaller builds for embedded systems - faster compilation for development - lack of trust in

Re: HTTP redirects while still allowing keep-alive

2017-01-11 Thread Lukas Tribus
Hello, On 11.01.2017 at 14:44, Willy Tarreau wrote: On Wed, Jan 11, 2017 at 01:41:27PM +0200, Ciprian Dorin Craciun wrote: Unfortunately a lot of these sites have hard-coded resources with the `www` alternative domain and HTTP-only. Therefore at least until we rewrite those (which given

AW: [PATCH] MINOR: compression: fix -vv output without zlib/slz

2017-01-11 Thread Lukas Tribus
> Ah crap, and I was particularly careful about it when I did it :-( There is more from this conversation: The prefer-server-ciphers output relies on the macro SSL_OP_CIPHER_SERVER_PREFERENCE, however it is (now) redefined before checking its presence in src/ssl_sock.c. We may just remove this

[PATCH] MINOR: compression: fix -vv output without zlib/slz

2017-01-11 Thread Lukas Tribus
When haproxy is compiled without zlib or slz, the output of haproxy -vv shows (null). Make haproxy -vv output great again by providing the proper information (which is what we did before). This is for 1.8 only. --- src/compression.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

Re: 400 error on cookie string

2017-01-04 Thread Lukas Tribus
Hi Willy, On 03.01.2017 at 21:10, Willy Tarreau wrote: It was not dropped since the server SACKed it (but until it's within the window the stack is free to change its mind). In fact following a TCP stream in wireshark never gives any useful information. You *always* need the absolute

Re: HAProxy's health checks and maxconn limits

2017-01-04 Thread Lukas Tribus
Hi Jiri, On 04.01.2017 at 11:38, Jiri Mencak wrote: Hi, we are using HAProxy with its default 2000 maxconn limit and a listen block: listen stats :1936 mode http monitor-uri /healthz which we use to check HAProxy's "health" by external HTTP probes. The behaviour I'm seeing is

Re: [PR] Updating rpmbuild spec file Source0 directive

2017-01-03 Thread Lukas Tribus
Hello! On 03.01.2017 at 14:23, PR Bot wrote: Dear list! Author: GitHub Number of patches: 1 This is an automated relay of the Github pull request: Updating rpmbuild spec file Source0 directive Patch title(s): Updating rpmbuild spec file Source0 directive Link:

Re: [ANNOUNCE] haproxy-1.7.1

2017-01-03 Thread Lukas Tribus
Hi Igor, On 16.12.2016 at 12:52, Igor Pav wrote: Cool, even the TLS 1.3 0-RTT feature requires no changes? Nope, the early-data mode will require API changes: https://github.com/openssl/openssl/issues/1541#issuecomment-269567480 Lukas

Re: http reuse and proxy protocol

2017-01-03 Thread Lukas Tribus
Hi Arnall, On 03.01.2017 at 16:15, Arnall wrote: Is it possible that with "http-reuse always" the yyy.yyy.yyy.yyy request has used the xxx.xxx.xxx.xxx connection between https and http frontend with proxy protocol forwarding xxx.xxx.xxx.xxx instead of yyy.yyy.yyy.yyy ? Yes, that's what

Re: 400 error on cookie string

2016-12-28 Thread Lukas Tribus
Hello, On 28.12.2016 at 11:38, c...@xmonetize.net wrote: Tcpdump shows normal http requests (attached) Ok, I've looked through those traces and a lot of those HTTP 400 errors come from the browser pre-connect feature - which is not a problem. However, the TCP session 410 (tcp.stream eq 410)

Re: SNI with multiple SSL certs

2016-12-28 Thread Lukas Tribus
Hello, On 28.12.2016 at 22:33, Roshan Pradeep wrote: Thanks Lukas for the reply. Regarding the second part of your reply: Then do I need to use it like this? use_backend backend_site1 if { ssl_fc_sni site1 } use_backend backend_site2 if { ssl_fc_sni site2 } Because to minimize the admin

Re: SNI with multiple SSL certs

2016-12-28 Thread Lukas Tribus
Hi Roshan, On 28.12.2016 at 13:11, Roshan Pradeep wrote: Hi Guys Trying to implement SNI with HAProxy 1.6 version. What I want is: 1. Load all the certs to a directory as pem format (one site cert chain in one file). So there are multiple files (maybe 20-30 pem files in the folder) 2.

test - please ignore

2016-12-27 Thread Lukas Tribus
this is a test - please ignore

Re: [PATCH] Inside a redirect, 'Set-Cookie' broke front NGINX connection

2016-12-15 Thread Lukas Tribus
Hi Willy, On 05.12.2016 at 19:31, Willy Tarreau wrote: This extra CRLF marks the end of headers and everything which follows is a body, so nginx does the right thing by not seeing it since it's a bug. I've merged the fix now. I can confirm that the very first commit that brought this feature

Re: [ANNOUNCE] haproxy-1.7.1

2016-12-15 Thread Lukas Tribus
Hi Igor, On 14.12.2016 at 20:47, Igor Pav wrote: Hi Lukas, in fact, openssl already has early TLS 1.3 adoption in dev, will release in 1.1.1, and BoringSSL supports TLSv1.3 already. That's nice, and in fact since 1.1.1 will be API compatible with 1.1.0 [1] *and* support TLS 1.3 (or

Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Lukas Tribus
Hi Igor, On 14.12.2016 at 14:37, Igor Pav wrote: That's great! Will HAProxy adopt TLS 1.3 soon? This actually depends way more on openssl than it depends on haproxy (which most likely only needs a few tweaks). TLS 1.3 is the primary focus of the next openssl release [1], which I assume

Re: problem with server and unix socket unix@

2016-12-12 Thread Lukas Tribus
Hello Arnall, you said you tried different users, did you remove the "user nobody" configuration completely? Strace output would also help, just make sure you are looking at the correct process or use nbproc 1 to avoid any confusion while troubleshooting. Lukas

Re: Configure HAProxy to Bridge H2 or HTTPS/1.1 to HTTPS/1.1

2016-11-21 Thread Lukas Tribus
Hi, On 21.11.2016 at 18:44, Maximilian Böhm wrote: Hello Lukas, thanks for your answer. Well, after re-adjusting my keywords for search I found the corresponding discussion: http://www.serverphorums.com/read.php?10,1453742 Is there a roadmap? Or maybe an update on when the feature is planned
