Re: Old style OCSP not working anymore?

2023-07-21 Thread Sander Klein
On 2023-07-21 11:51, Jarno Huuskonen wrote: If I change the order of ipv4 / ipv6 binds (so bind ipv6@:::443 name v6ssl... is first) then haproxy(2.8.1) sends ocsp with ipv6 connection and not with ipv4. Hmmm, I cannot reproduce this, but this might be because I have multiple frontends with

Re: Old style OCSP not working anymore?

2023-07-20 Thread Sander Klein
On 2023-07-20 11:14, William Lallemand wrote: On Thu, Jul 20, 2023 at 10:23:21AM +0200, Sander Klein wrote: On 2023-07-19 11:00, William Lallemand wrote: "show ssl ocsp-response" gives me a lot of output like: Certificate ID key : *LONGID* Certificate path : /parth/to/cert.pem Cert

Re: Old style OCSP not working anymore?

2023-07-20 Thread Sander Klein
On 2023-07-19 11:00, William Lallemand wrote: On Mon, Jul 17, 2023 at 08:12:59PM +0200, Sander Klein wrote: On 2023-07-17 15:17, William Lallemand wrote: > On Thu, Jul 13, 2023 at 05:01:06PM +0200, Sander Klein wrote: >> Hi, >> >> I tried upgrading from 2.6.14 to 2.8.1, bu

Re: Old style OCSP not working anymore?

2023-07-17 Thread Sander Klein
On 2023-07-17 15:17, William Lallemand wrote: On Thu, Jul 13, 2023 at 05:01:06PM +0200, Sander Klein wrote: Hi, I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't connect to any of the sites behind it. While looking at the error it seems like OCSP is not working

Re: Old style OCSP not working anymore?

2023-07-14 Thread Sander Klein
Hi, On 2023-07-14 01:56, Shawn Heisey wrote: On 7/13/23 09:01, Sander Klein wrote: I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't connect to any of the sites behind it. While looking at the error it seems like OCSP is not working anymore. Right now I have a setup

Old style OCSP not working anymore?

2023-07-13 Thread Sander Klein
Hi, I tried upgrading from 2.6.14 to 2.8.1, but after the upgrade I couldn't connect to any of the sites behind it. While looking at the error it seems like OCSP is not working anymore. Right now I have a setup in which I provision the certificates with the corresponding ocsp file next to

Re: SPOE

2023-06-15 Thread Sander Klein
On 2023-06-15 22:11, Sander Klein wrote: Hi, Is there a way to filter which URL's go through SPOE and which are just handled directly in a single frontend? I can't seem to find it in the documentation. I'm currently on HAProxy 2.6.14. Right after I mailed this I read SPOE.txt a bit better

SPOE

2023-06-15 Thread Sander Klein
Hi, Is there a way to filter which URL's go through SPOE and which are just handled directly in a single frontend? I can't seem to find it in the documentation. I'm currently on HAProxy 2.6.14. Regards, Sander Klein

Issue with uploads and HAProxy 2.4.11

2022-01-10 Thread Sander Klein
ted]:80 cookie cookie1 server server2 [redacted]:80 cookie cookie2 # Sorry Server server outage 127.0.0.1:80 backup retries 1 --- If any more info is needed, please let me know. Regards, Sander Klein

Re: Table sticky counters decrementation problem

2021-03-30 Thread Sander Klein
On 2021-03-30 19:15, Willy Tarreau wrote: On Tue, Mar 30, 2021 at 07:07:41PM +0200, Sander Klein wrote: On 2021-03-30 18:14, Willy Tarreau wrote: > No, my chance is already gone :-) > > OK, I'm pushing this one into 2.3, re-running the tests a last time, > and issuing 2.3.9. W

Re: Table sticky counters decrementation problem

2021-03-30 Thread Sander Klein
On 2021-03-30 18:14, Willy Tarreau wrote: No, my chance is already gone :-) OK, I'm pushing this one into 2.3, re-running the tests a last time, and issuing 2.3.9. We'll be able to issue 2.2.12 soon finally, as users of 2.2 are still into trouble between 2.2.9 and 2.2.11 depending on the bug

Re: Table sticky counters decrementation problem

2021-03-30 Thread Sander Klein
On 2021-03-30 15:13, Willy Tarreau wrote: diff --git a/src/time.c b/src/time.c index 0cfc9bf3c..fafe3720e 100644 --- a/src/time.c +++ b/src/time.c @@ -268,7 +268,7 @@ void tv_update_date(int max_wait, int interrupted) old_now_ms = global_now_ms; do { new_now_ms =

Re: Table sticky counters decrementation problem

2021-03-30 Thread Sander Klein
On 2021-03-30 10:17, Lukas Tribus wrote: Hello Thomas, this is a known issue in any release train other than 2.3 ... https://github.com/haproxy/haproxy/issues/1196 However neither 2.3.7 (does not contain the offending commits), nor 2.3.8 (contains all the fixes) should be affected by this.

Re: Stick table counter not working after upgrade to 2.2.11

2021-03-23 Thread Sander Klein
On 2021-03-23 09:32, Willy Tarreau wrote: Guys, These two patches address it for me, and I could verify that they apply on top of 2.2.11 and work there as well. This time I tested with two counters at different periods 500 and 2000ms. I've just applied your patches and tested. It seems to

Stick table counter not working after upgrade to 2.2.11

2021-03-22 Thread Sander Klein
Hi, I have upgraded to haproxy 2.2.11 today and it seems like my stick table counter is not working anymore. It is only increasing on every hit and never decreases anymore. Downgrading back to 2.2.10 fixes this issue. The setup is a replicated stick table like: ``` table apikey type ipv6

Re: Haproxy 2.2.0 segfault

2020-07-24 Thread Sander Klein
On 2020-07-20 21:41, Sander Klein wrote: On 2020-07-20 19:16, Christopher Faulet wrote: On 20/07/2020 at 17:22, Sander Klein wrote: On 2020-07-20 16:38, Christopher Faulet wrote: Could you retry with the latest 2.2 snapshot (http://www.haproxy.org/download/2.2/src/snapshot/haproxy-ss

Re: Haproxy 2.2.0 segfault

2020-07-20 Thread Sander Klein
On 2020-07-20 19:16, Christopher Faulet wrote: On 20/07/2020 at 17:22, Sander Klein wrote: On 2020-07-20 16:38, Christopher Faulet wrote: Could you retry with the latest 2.2 snapshot (http://www.haproxy.org/download/2.2/src/snapshot/haproxy-ss-LATEST.tar.gz) ? Yes, I just did. Still

Re: Haproxy 2.2.0 segfault

2020-07-20 Thread Sander Klein
On 2020-07-20 16:38, Christopher Faulet wrote: Could you retry with the latest 2.2 snapshot (http://www.haproxy.org/download/2.2/src/snapshot/haproxy-ss-LATEST.tar.gz) ? Yes, I just did. Still a segfault. Just in case the new core is below. Reading symbols from haproxy...Reading symbols from

Re: Haproxy 2.2.0 segfault

2020-07-20 Thread Sander Klein
In the meantime I've captured a coredump. It gives the following output: GNU gdb (Debian 8.2.1-2+b3) 8.2.1 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and

Haproxy 2.2.0 segfault

2020-07-20 Thread Sander Klein
Hi, Last Thursday I've upgraded to HAProxy 2.2.0 from Vincent Bernat's marvelous repository, but now I experience segfaults. I haven't investigated it further since I just discovered it. But, it seems related to reloading HAProxy with config changes. The logs show: Jul 20 09:51:05 lb01-a

Sudden queueing to backends

2020-03-10 Thread Sander Klein
rver name2 abc:abc:abc::2:80 cookie name2 # Sorry Server server outage 127.0.0.1:80 backup retries 1 Regards, Sander Klein

Re: FW: HAProxy: Information request

2020-02-27 Thread Sander Klein
Hi, please be aware you are posting to a public mailing list. You might want to check where you sent your emails. Regards, Sander Klein On 2020-02-27 22:14, EMEA Request wrote: Hi Team, Apologies for delayed response. Can you please help with the details provided below and provide a quote

Re: Truncated response on 2.0.8

2019-10-28 Thread Sander Klein
On 2019-10-26 18:10, Ing. Andrea Vettori wrote: Hello, I'm using haproxy 2.0.8 and ssl termination with h2 and http1.1 protocols. Since today we always used http1.1 on the backends. I’ve tried to use http2 on the development backend but I get truncated response (not always but very often).

rate limiting

2019-09-05 Thread Sander Klein
Hi, I was looking at implementing rate limiting in our setup. But, since we are handling both IPv4 and IPv6 in the same frontends and backends, I was wondering how I could do that. AFAIK a stick table is either IPv4 or IPv6 and you can only have one stick table per frontend or backend. Is

Re: Random 502's and instant 504's after upgrading

2019-07-22 Thread Sander Klein
On 2019-07-22 13:05, Sander Klein wrote: On 2019-07-22 10:59, Christopher Faulet wrote: On 20/07/2019 at 19:50, Sander Klein wrote: Sorry, I forgot to mention, I pushed another patch that may help you. In HAProxy 2.0, it is the commit 0bf28f856 ("BUG/MINOR: mux-h1: Close server conne

Re: Random 502's and instant 504's after upgrading

2019-07-22 Thread Sander Klein
On 2019-07-22 10:59, Christopher Faulet wrote: On 20/07/2019 at 19:50, Sander Klein wrote: Sorry, I forgot to mention, I pushed another patch that may help you. In HAProxy 2.0, it is the commit 0bf28f856 ("BUG/MINOR: mux-h1: Close server connection if input data remains in h1_detach()

Re: Random 502's and instant 504's after upgrading

2019-07-20 Thread Sander Klein
On 2019-07-19 14:05, Christopher Faulet wrote: On 19/07/2019 at 09:36, Sander Klein wrote: --- HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Jul 2019 07:32:03 GMT Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Vary: Accept-Encoding Vary

Re: Random 502's and instant 504's after upgrading

2019-07-19 Thread Sander Klein
Hi Lukas and Christopher, I've combined the answer of your 2 mails. On 2019-07-18 17:17, Lukas Tribus wrote: Could be related to: https://github.com/haproxy/haproxy/issues/176 Probably, but I'm not doing HTTP/1 and I have not found a request to reproduce it with. It happens at random.

Re: Random 502's and instant 504's after upgrading

2019-07-18 Thread Sander Klein
On 2019-07-18 09:15, Sander Klein wrote: Hi, Last night I tried upgrading from haproxy 1.9.8 to 2.0.2. After upgrading I get random 502's and random instant 504's when visiting pages. Just tested with 'no option http-use-htx' in the defaults section and then my problems went away. Seems

Random 502's and instant 504's after upgrading

2019-07-18 Thread Sander Klein
Hi, Last night I tried upgrading from haproxy 1.9.8 to 2.0.2. After upgrading I get random 502's and random instant 504's when visiting pages. For the 502's I see the following in the log: Jul 18 08:14:09 HOST haproxy[2003]: xxx:xxx:xxx:xxx:xxx::xxx [18/Jul/2019:08:14:09.133] cluster1-in~

Re: CPU Spikes

2019-07-15 Thread Sander Klein
On 2019-07-09 08:53, Sander Klein wrote: It could be useful to issue "show activity" twice 1 second apart when this happens, and maybe even "show fd" and "show sess all" if you don't have too many connections. Right, I will do the above steps. But, since this o

Re: Runaway process

2019-07-12 Thread Sander Klein
On 2019-07-12 04:27, Willy Tarreau wrote: If you can at least show the backtrace, this could be useful and we can see if the core would be needed or not. Maybe this will match another known bug. This is the BT of yesterday: --- GNU gdb (Debian 7.12-6) 7.12.0.20161007-git Copyright (C) 2016

Re: Runaway process

2019-07-11 Thread Sander Klein
On 2019-07-11 12:27, Tim Düsterhus wrote: Try attaching to the process with `gdb -p 12345` with 12345 being the process ID. Then: 1. Get a backtrace for all threads: thread apply all bt 2. Generate a core file: generate-core-file If you are also able to connect to the stats socket of that

Runaway process

2019-07-11 Thread Sander Klein
Hi, I seem to have runaway HAProxy process since yesterday evening around 20:50. This process is eating up 100% CPU continuously. (HAProxy 1.9.8) Of course I can just kill it and go on with my life, but I was wondering if there was any interest to see if we can uncover a bug here. If so,

Re: CPU Spikes

2019-07-09 Thread Sander Klein
Hey Willy, On 2019-07-09 08:09, Willy Tarreau wrote: What's your CPU like between the peaks ? 1%, 10%, 50% ? Just to get a rough estimate of whether it's something reaching a critical point or if it's something doing its mess alone in its corner. In between the spikes it's about 7% System,

CPU Spikes

2019-07-08 Thread Sander Klein
Hi, I'm having an issue with HAProxy causing CPU spikes with certain traffic. We have a client who is downloading lots of URL's during the night. When the download starts there is not much other traffic going on and there doesn't seem to be any problem. But, when the morning comes, 'normal'

Re: Using haproxy together with NFS

2018-08-03 Thread Sander Klein
Hi, You might want to have a look at IPVS for instance in combination with Keepalived. You can then even use udp mounts if you want. Just my 2 cents. Regards, Sander > On 2 Aug 2018, at 18:40, Lucas Rolff wrote: > > I indeed removed the send-proxy - then I had to put the IP of haproxy

Re: SNI matching issue when hostname ends with trailing dot

2018-07-27 Thread Sander Klein
Hi Warren, As far as I know this is by design. If you do not want this behavior you need to use strict-sni in your bind statement. Regards Sander > On 27 Jul 2018, at 12:47, Warren Rohner wrote: > > Hi HAProxy list > > Just thought I'd resend this report from May in case it was missed.

Re: Haproxy 1.8.4 400's with http/2

2018-02-22 Thread Sander Klein
ease share the configuration; also you may want to try enabling proxy_ignore_client_abort in the nginx backend [1]. cheers, lukas [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ignore_client_abort On 21 February 2018 at 15:29, Sander Klein <roe...@roedie.nl> wrote: Hi All

Haproxy 1.8.4 400's with http/2

2018-02-21 Thread Sander Klein
Hi All, Today I tried enabling http/2 on haproxy 1.8.4. After enabling all requests to a certain backend started to give 400's while requests to other backend worked as expected. I get the following in haproxy.log: Feb 21 14:31:35 localhost haproxy[22867]:

Re: h2 bad requests

2017-12-28 Thread Sander Klein
Hi Lucas, On 2017-12-28 22:38, Lucas Rolff wrote: Hi Sander, Which exact browser version do you use? There’s an ongoing thread already (https://www.mail-archive.com/haproxy@formilux.org/msg28333.html ) regarding the same issue. I just noticed and was reading up. I can reproduce this

h2 bad requests

2017-12-28 Thread Sander Klein
Hi, I'm playing around with http2 on haproxy 1.8.2 but when I enable it I get HTTP 400's on some requests. When sending a show errors to the admin socket I get no errors at all. Disabling http2 makes the error go away. The logfile shows: Dec 28 22:09:02 hostname haproxy[23043]: x.x.x.x:58219

Re: [ANNOUNCE] haproxy-1.8.0

2017-11-26 Thread Sander Klein
officially released! Woohoo! Thanks for the work. Greets, Sander Klein

Re: Experimental / broken HTTP/2 support

2017-10-16 Thread Sander Klein
On 2017-10-16 14:19, Willy Tarreau wrote: On Mon, Oct 16, 2017 at 01:28:12PM +0200, Pavlos Parissis wrote: I guess following step-by-step approach, 1st client side, it makes sense as it reduces the size of breakage:-) Yes but not only this. It's also the fact that the main benefits of H2

Re: Experimental / broken HTTP/2 support

2017-10-16 Thread Sander Klein
Hi Willy, On 2017-10-15 19:02, Willy Tarreau wrote: If everything goes well, the final rebased and cleaned up code should be available for a release candidate by the end of the month. Great, I will wait and see what you have available at the end of the month. I'm in no hurry, I just wanted

Re: Experimental / broken HTTP/2 support

2017-10-15 Thread Sander Klein
Hi, I haven't been paying much attention to the list lately, but I am wondering what the current status of http/2 support is in 1.8-(dev|snapshot). Is it in a usable-but-needs testing state? Or more like stay-away-because-it-kills-kittens state? Greets, Sander On 2017-08-18 16:49, Willy

Re: ASML SW quote request for resale

2017-08-04 Thread Sander Klein
Hi Brigitta, You are contacting the haproxy mailing list which is used for support. The haproxy gpl edition is free for use by anyone. But if you want commercial support you probably want to contact cont...@haproxy.com Regards, Sander > On 4 Aug 2017, at 12:55, Brigitta Csaszar

Re: haproxy fails to properly direct connection to correct back end.

2017-07-30 Thread Sander Klein
Hi P S, I have to say, the way you type your emails makes one really want to help you. You seem to be positive, constructive and I don't see any whining. And yes, I'm a sarcastic person. So, for your first problem. I don't know what goes wrong, but with me if haproxy fails to start, it

Re: Certificate order

2017-04-06 Thread Sander Klein
Hi Sander, On 2017-04-06 10:45, Sander Hoentjen wrote: Hi guys, We have a setup where we sometimes have multiple certificates for a domain. We use multiple directories for that and would like the following behavior: - Look in dir A for any match, use it if found - Look in dir B for any match,

Re: CalDav with HAProxy

2016-11-11 Thread Sander Klein
On 2016-11-11 15:28, Alexandre Besnard wrote: I use HAProxy as a reverse proxy to terminate SSL connections towards all my VMs. So far so good except with Owncloud and CalDav. When Owncloud is hidden behind HAProxy, I am not able to configure my CalDav account under the Calendar app in Mac OS

Re: Haproxy dont Work

2016-05-21 Thread Sander Klein
> On 21 mei 2016, at 20:19, Pavlos Parissis <pavlos.paris...@gmail.com> wrote: > >> On 21/05/2016 05:29 μμ, Sander Klein wrote: >> >>> On 21 mei 2016, at 17:01, PiBa-NL <piba.nl@gmail.com> wrote: >>> >>> Op 21-5-2016 om 15:44 schre

Re: Haproxy dont Work

2016-05-21 Thread Sander Klein
On 2016-05-21 19:25, Marc Iglesias Hernandez wrote: Hello? 2016-05-21 18:30 GMT+02:00 Marc Iglesias Hernandez : You've done the test configuration? Please I asked you before, keep it on the list. Would you be so kind to read

Re: Haproxy dont Work

2016-05-21 Thread Sander Klein
> On 21 mei 2016, at 17:01, PiBa-NL <piba.nl@gmail.com> wrote: > > Op 21-5-2016 om 15:44 schreef Sander Klein: >> On 2016-05-21 14:53, Marc Iglesias Hernandez wrote: >>> I need to know how to set haproxy for users when they have gone >>> throug

Re: Haproxy dont Work

2016-05-21 Thread Sander Klein
On 2016-05-21 14:53, Marc Iglesias Hernandez wrote: I need to know how to set haproxy for users when they have gone through the haproxy have your real IP address, and not the haproxy. Please keep it on the list. You've got 2 options 1. Add an X-Forwarded-For header:

Re: Haproxy dont Work

2016-05-21 Thread Sander Klein
ou give us a little more info. For instance any error you are getting, the config you use, the Haproxy version. You know, the usual stuff. Greets, Sander Klein

RE: ssl parameters ignored

2015-11-26 Thread Sander Klein
Hi, On 2015-11-26 01:17, Lukas Tribus wrote: Sander, I can't reproduce what you are saying about the actual SSL configuration though; no-sslv3 no-tlsv10 no-tlsv11 works as expected for me (only tlsv1.2 possible). Please double check (curl -kv --tlsv1.1 https://localhost). I must have had a

Re: ssl parameters ignored

2015-11-24 Thread Sander Klein
Hi Nenad, On 2015-11-24 16:15, Nenad Merdanovic wrote: Can you post a minimal configuration (or full) which reproduces this? Yes, here it is: global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket

RE: ssl parameters ignored

2015-11-24 Thread Sander Klein
Hi, On 2015-11-23 22:36, Lukas Tribus wrote: Are you sure that the executable was cleanly build (first "make clean", only then "make ...")? I don't know. I got pre made packages from "http://haproxy.debian.net jessie-backports-1.6 main" maintained by Vincent Bernat if I'm correct. Can you

ssl parameters ignored

2015-11-23 Thread Sander Klein
Hi All, I'm running haproxy 1.6.2 and it seems it ignores the values given with ssl-default-bind-options and/or ssl-default-server-options. I have the following in my global conf: ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 ssl-default-bind-ciphers

Re: ssl parameters ignored

2015-11-23 Thread Sander Klein
Hey Lukas, On 2015-11-23 21:27, Lukas Tribus wrote: 1.5.15 is probably affected as well (the error above comes from a build fix for libssl that has been backported to 1.5). Heh, didn't notice that release, else I would have tested with that one... Can you provide "haproxy -vv" output of

Microsoft Edge 408

2015-09-24 Thread Sander Klein
Hi, I have some clients that complain about getting 408 errors with Microsoft Edge. I haven't been able to catch such a request yet, but I am wondering if this is the same as the Google Chrome preconnect problem. Anyone by any chance got the same experience or any ideas on this? Greets,

Re: Question regarding haproxy nagios setup

2015-06-19 Thread Sander Klein
On 2015-06-19 16:08, Mauricio Aguilera wrote: The problem is caused by the ; before the csv in the URL. I have the same problem and was able to determine that Nagios cuts the command off there and obviously it runs incorrectly; I tried passing the values with and ' ', but nothing... Any ideas? I would like to try to

Re: HA proxy configuartion

2015-05-04 Thread Sander Klein
On 2015-05-04 07:35, ANISH S IYER wrote: Hi while configuring Ha proxy. mv /etc/haproxy/haproxy.cfg{,.original} what is the meaning of this line. what you mean by original It will move the file haproxy.cfg to haproxy.cfg.original. So, it is the same as mv /etc/haproxy/haproxy.cfg

Re: HA proxy configuartion

2015-05-04 Thread Sander Klein
Hey, please keep it on the list... On 2015-05-04 10:19, ANISH S IYER wrote: Hi thanks for your fast reply after configuring the HA proxy the log file seems like May 4 03:42:00 discourse haproxy[3590]: Proxy haproxy_in started. May 4 03:42:00 discourse haproxy[3590]: Proxy haproxy_in

Re: Help haproxy

2015-02-02 Thread Sander Klein
On 02.02.2015 12:09, Mathieu Sergent wrote: Hi, I try to set up a load balancing with HAProxy and 3 web servers. I want to receive on my web servers the client's address. I read that it is possible with the option source ip usesrc but you need to be root. If you want to not be root, you have

Re: Help haproxy

2015-02-02 Thread Sander Klein
Hi Mathieu, Please keep the list in the CC. On 02.02.2015 15:26, Mathieu Sergent wrote: Thanks for your reply. I just used the option forwardfor in the haproxy configuration. And I can find client's address from my web server (with tcpdump). But if I don't use the option forwardfor, the web

Re: Help haproxy

2015-02-02 Thread Sander Klein
On 02.02.2015 16:33, Mathieu Sergent wrote: Hi Sander, Yes I reloaded the haproxy and my web server too. But no change. And I'm not using proxy protocol. To give you more precisions, on my web server I used tcpdump functions which give me back the header of the http request. And in this I

Re: Serveur Haproxy

2015-01-20 Thread Sander Klein
On 20.01.2015 10:54, andriatsiresy johary wrote: I have set up a load-balancing system for a database cluster, with HAProxy, on Debian 7. I enabled the HAProxy statistics page and I don't know where to find the source code of this page; could you help me, please

Regex

2014-12-01 Thread Sander Klein
Hi, I'm testing some stuff with quite a big regex and now I am wondering what would be more efficient. Is it more efficient to load the regex with -i or is it better to specify it in the regex So, -i (some|words) or ((S|s)(O|o)(M|m)(E|e)|(W|w)(O|o)(R|r)(D|d)(S|s)) Greets, Sander

Re: Just had a thought about the poodle issue....

2014-10-20 Thread Sander Klein
On 18.10.2014 16:37, David Coulson wrote: You mean like this? http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/ On 10/18/14, 10:34 AM, Malcolm Turnbull wrote: I was thinking Haproxy could be used to block any non-TLS connection Like you can with iptables:

Re: [ANNOUNCE] haproxy-1.5.0

2014-06-20 Thread Sander Klein
On 19.06.2014 21:54, Willy Tarreau wrote: Hi everyone, The list has been unusually silent today, just as if everyone was waiting for something to happen :-) Today is a great day, the reward of 4 years of hard work. I'm announcing the release of HAProxy 1.5.0. Congratulations! Now people

Re: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-05-19 Thread Sander Klein
On 19.05.2014 06:51, Willy Tarreau wrote: Hi Rémi, On Mon, May 12, 2014 at 06:34:01PM +0200, Remi Gacogne wrote: Hi, On 05/05/2014 12:06 PM, Sander Klein wrote: I've added a 2048bit dhparam to my most used certificates and I don't see a big jump in resource usage. This was not a big

RE: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-05-05 Thread Sander Klein
On 02.05.2014 16:52, Lukas Tribus wrote: Hi Remi, The default value for max-dh-param-size is set to 1024, thus keeping the current behavior by default. Setting a higher value (for example 2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade to stronger ephemeral DH keys (and back

RE: [PATCH] Add a configurable support of standardized DH parameters = 1024 bits, disabled by default

2014-05-02 Thread Sander Klein
On 02.05.2014 16:52, Lukas Tribus wrote: Hi Remi, The default value for max-dh-param-size is set to 1024, thus keeping the current behavior by default. Setting a higher value (for example 2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade to stronger ephemeral DH keys (and back

RE: CPU increase between ss-20140329 and ss-20140425

2014-04-26 Thread Sander Klein
Hey All, Sorry for my late response, but we have a national holiday here... 'Kings day' would be the translation ;-) On 26.04.2014 13:53, Lukas Tribus wrote: Hi, - recommit the patch I submitted as it is, and let users concerned with the CPU impact use static DH parameter in the

RE: CPU increase between ss-20140329 and ss-20140425

2014-04-26 Thread Sander Klein
On 26.04.2014 16:07, Lukas Tribus wrote: Hi, I've disabled sslv3 and use certificates with 4096bits keys. I know 4096 bits keys are a bit over the top, but while testing the impact seemed to be acceptable so I thought 'What the heck, let's just use it' Thats it, with Remi's patch your

CPU increase between ss-20140329 and ss-20140425

2014-04-25 Thread Sander Klein
Hi, I noticed a dramatic increase in CPU usage between HAProxy ss-20140329 and ss-20140425. With the first haproxy uses around 20% of CPU and with the latter it eats up 80-90% of cpu and sites start to become sluggish. Health checks take much more time to complete 1100ms vs 2ms normal.

Re: CPU increase between ss-20140329 and ss-20140425

2014-04-25 Thread Sander Klein
Hey Willy, On 25.04.2014 14:39, Willy Tarreau wrote: On Fri, Apr 25, 2014 at 02:12:23PM +0200, Sander Klein wrote: Hi, I noticed a dramatic increase in CPU usage between HAProxy ss-20140329 and ss-20140425. With the first haproxy uses around 20% of CPU and with the latter it eats up 80-90

Re: CPU increase between ss-20140329 and ss-20140425

2014-04-25 Thread Sander Klein
On 25.04.2014 15:46, Willy Tarreau wrote: Just to make sure I didn't give you a bogus report I upgraded/downgraded a couple of times, but every time I install 20140425 the CPU spikes and sites become sluggish. OK. Does it happen immediately or does it take some time ? It happens

Re: CPU increase between ss-20140329 and ss-20140425

2014-04-25 Thread Sander Klein
On 25.04.2014 15:46, Willy Tarreau wrote: On Fri, Apr 25, 2014 at 03:34:14PM +0200, Sander Klein wrote: I currently don't have compression enabled in my config. I disabled it some time ago because of CPU usage ;-) Ah too bad, it would have been an easy solution! With the current snapshot I

Re: CPU increase between ss-20140329 and ss-20140425

2014-04-25 Thread Sander Klein
On 25.04.2014 17:22, Willy Tarreau wrote: On Fri, Apr 25, 2014 at 04:56:06PM +0200, Sander Klein wrote: I've done a search and it breaks between 20140413 and 20140415. OK, that's already very useful. I'm assuming this covers the period between commits 01193d6ef and d988f2158. During

Re: Generating a haproxy cluster

2014-03-26 Thread Sander Klein
Hi On 24.03.2014 18:35, Andy Walker wrote: For what it's worth, haproxy can be running on a server, and listening on IP addresses that aren't actually associated with that server. In linux, just make sure NET.IPV4.IP_NONLOCAL_BIND is set to 1, and this will allow haproxy to bind to addresses

Re: Generating a haproxy cluster

2014-03-26 Thread Sander Klein
Hey, On 26.03.2014 12:17, Jarno Huuskonen wrote: Hi, On Wed, Mar 26, Sander Klein wrote: Hi On 24.03.2014 18:35, Andy Walker wrote: For what it's worth, haproxy can be running on a server, and listening on IP addresses that aren't actually associated with that server. In linux, just make

Re: System tuning for Haproxy

2014-03-12 Thread Sander Klein
On 12.03.2014 10:36, William Lewis wrote: Hi, I’m looking for any advice in tuning kernel parameters for haproxy. Current sysctl.conf is net.ipv4.icmp_echo_ignore_broadcasts = 1 fs.file-max = 800 vm.swappiness = 20 net.ipv4.tcp_fin_timeout = 15 net.ipv4.tcp_max_syn_backlog = 32768

Re: [PATCH] MINOR: set IP_FREEBIND on IPv6 sockets in transparent mode

2014-03-04 Thread Sander Klein
On 03.03.2014 21:31, Willy Tarreau wrote: On Mon, Mar 03, 2014 at 09:10:51PM +0100, Lukas Tribus wrote: Lets set IP_FREEBIND on IPv6 sockets as well, this works since Linux 3.3 and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does). This allows unprivileged users to bind to

Support IP_FREEBIND

2014-03-03 Thread Sander Klein
Hi, would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here:

Re: Support IP_FREEBIND

2014-03-03 Thread Sander Klein
On 03.03.2014 14:45, Sander Klein wrote: Hi, would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux? I'm asking because nonlocal_bind only works for IPv4 and it seems linux upstream does not want to support nonlocal_bind for IPv6. A thread about this can be found here: http

Re: http-keep-alive broken?

2014-01-10 Thread Sander Klein
Heyz, On 10.01.2014 09:14, Willy Tarreau wrote: Hi Sander, On Fri, Jan 10, 2014 at 08:57:18AM +0100, Sander Klein wrote: Hi, I'm sorry you haven't heard from me yet. But I didn't have time to look into this issue. Hope to do it this weekend. Don't rush on it, Baptiste has reported to me

Re: http-keep-alive broken?

2014-01-09 Thread Sander Klein
Hi, I'm sorry you haven't heard from me yet. But I didn't have time to look into this issue. Hope to do it this weekend. Greets, Sander

Re: http-keep-alive broken?

2014-01-06 Thread Sander Klein
On 06.01.2014 15:10, Willy Tarreau wrote: I would go even further (using git). What I understand here is that the issue was introduced after the epoll optimization and is hidden by this one. So I'd rather start by reverting that patch and then looking up for another faulty patch after those :

RE: http-keep-alive broken?

2014-01-05 Thread Sander Klein
Hey, On 05.01.2014 17:33, Lukas Tribus wrote: Hi, Well, after spending some time compiling testing compiling testing I finally found that the patch 0103-OPTIM-MEDIUM-epoll-fuse-active-events-into--1.5-dev19.diff done between 20131115 and 20131116 is causing my problems. I also found that

RE: http-keep-alive broken?

2014-01-04 Thread Sander Klein
Heyz, On 03.01.2014 22:52, Lukas Tribus wrote: Hi, The problem I'm having (also tested with ss-20140101 yesterday) happens with http-keep-alive enabled and also when just running in tunnel mode. But, when http-keep-alive is enabled I get the problem with ~98% of the requests and in tunnel

RE: http-keep-alive broken?

2014-01-04 Thread Sander Klein
Hey, On 03.01.2014 22:52, Lukas Tribus wrote: You said that one of your backends is exchange 2012. What release are the other ntlm-auth backends exactly and is the issue the same on all of them? All backends are windows 2012 with the standard IIS that comes with it. I have the problem on

Re: http-keep-alive broken?

2014-01-03 Thread Sander Klein
Hi Baptiste, Lukas, @Lukas: Sorry I misread your tunnel-mode for tcp-mode. Tunnel-mode works (almost) fine as you can read below. I have been investigating my problem a bit more, and then I remembered that I also updated haproxy a week before we started using our new Windows 2012 servers.

RE: http-keep-alive broken?

2014-01-02 Thread Sander Klein
On 31.12.2013 00:50, Lukas Tribus wrote: Hi, Subject: http-keep-alive broken? Hi, I'm using haproxy ss-20131229 to reverse proxy some windows iis server with ntlm-auth enabled (one of them being exchange 2012). While I understood that using 'option http-keep-alive' would make ntlm-auth work,

Re: UDP loadbalancing

2013-12-31 Thread Sander Klein
On , Willy Tarreau wrote: On Tue, Dec 31, 2013 at 12:44:26AM +0100, Lukas Tribus wrote: Hi, Hi, I know haproxy doesn't do UDP loadbalancing, but I figured someone here might know a nice tool which can do this for me. (If haproxy could do it it would have been nice though... ;-) ) I've

UDP loadbalancing

2013-12-30 Thread Sander Klein
Hi, I know haproxy doesn't do UDP loadbalancing, but I figured someone here might know a nice tool which can do this for me. (If haproxy could do it it would have been nice though... ;-) ) I've looked at pen but it doesn't seem to do IPV6. LVS can do the trick but I need to reconfigure a

http-keep-alive broken?

2013-12-30 Thread Sander Klein
Hi, I'm using haproxy ss-20131229 to reverse proxy some windows iis server with ntlm-auth enabled (one of them being exchange 2012). While I understood that using 'option http-keep-alive' would make ntlm-auth work, it doesn't work for me. Are there still some issues with http-keep-alive and

haproxy dev21 high cpu usage

2013-12-17 Thread Sander Klein
Hi, I've enabled http-keep-alive in my config and now haproxy continuously peaks at 100% CPU usage where without http-keep-alive it only uses 10-13% CPU. Is this normal/expected behavior? Greets, Sander

Re: haproxy dev21 high cpu usage

2013-12-17 Thread Sander Klein
On , Willy Tarreau wrote: On Tue, Dec 17, 2013 at 10:44:12AM +0100, Guillaume Castagnino wrote: On Tuesday 17 December 2013 10:32:30 Sander Klein wrote: Hi, I've enabled http-keep-alive in my config and now haproxy continuously peaks at 100% CPU usage where without http-keep-alive it only
