❦ 22 July 2015 17:22 +0530, Sachin Shetty:
> We have started using Http trailers in http chunked request. Http trailers
> are pretty well defined in the spec but seems like not widely used.
Are they supported by browsers? Last time I checked, this was not the
case (at least for the Cookies
❦ 21 July 2015 00:55 +0200, thierry.fourn...@arpalert.org:
> On my computer (debian), the classic command line build used on the
> last dev version with your patch uses the -ldl two times:
>
> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 \
> USE_LUA=1 LUA_LIB=/opt/lua5
❦ 13 July 2015 19:58 +0200, Vincent Bernat:
> I suppose that either -ldl could be added to OPTIONS_LDFLAGS append,
> like this is done for -lm. Or USE_DL section could be moved towards the
> end. I think the first solution is better since libdl seems to be a
> dependency of l
❦ 13 July 2015 19:16 +0200, "bjun...@gmail.com":
> make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=yes
> LUA_LIB=/opt/lua53/lib/ LUA_INC=/opt/lua53/include/ LDFLAGS=-ldl
>
>
>
> resulting error:
>
> .
> .
> .
> gcc -ldl -o haproxy src/haproxy.o src/sessionhash.o src/base64.
❦ 11 July 2015 14:20 +0200, Lukas Tribus:
> Thanks for the detailed repro. This bug is fixed in release 1.5.10 by commit
> ed061c0590 ("BUG/MEDIUM: config: do not propagate processes between stopped
> processes") [1].
>
> Quoting from the commit:
> "Immo Goltz reported a case of segfault whi
❦ 23 June 2015 11:32 +0200, "Hoggins!":
> In my opinion, the problem is not the antispam filter, it's the right to
> communicate on that mailing-list. How come a mail such as
> 3207947...@qq.com is allowed to post things about those damn LED bulbs ?
> Isn't there a simple way to avoid such nois
❦ 1 June 2015 12:24 +0200, Willy Tarreau:
> Yep, there's the git tree here and you can get a snapshot there :
>
> http://git.1wt.eu/web?p=libslz.git
> http://git.1wt.eu/web?p=libslz.git;a=snapshot;sf=tgz
For some reason, I am unable to clone the repository:
$ GIT_CURL_VERBOSE=1 git clo
❦ 1 June 2015 12:24 +0200, Willy Tarreau:
> On Mon, Jun 01, 2015 at 11:32:18AM +0200, Vincent Bernat wrote:
>> ❦ 1 June 2015 09:46 +0200, Willy Tarreau:
>>
>> > - support for stateless zip compression with libslz (merged) : this
>> > doesn'
❦ 1 June 2015 09:46 +0200, Willy Tarreau:
> - support for stateless zip compression with libslz (merged) : this
> doesn't waste memory anymore and compresses about 3 times faster
> than zlib, at a lower compression ratio.
Do you not provide a shared library on purpose? Will you acce
❦ 7 May 2015 13:11 +0100, Neil - HAProxy List:
> I'm after a 'definitivish' reference for setting up conntrack
>
> I've been hit by having too small table on some new VMs as ubuntu, by
> default, sizes the table by memory size.
>
> Before that I was completely ignorant of the role of conntrac
❦ 5 April 2015 09:33 GMT, Cohen Galit:
> Hello HAProxy team,
>
> How can I perform a graceful shutdown to HAProxy?
>
> I mean, not by killing process with pid.
You can send the USR1 signal. HAProxy will stop once all connections
have been closed.
--
The devil can cite Scripture for his purpo
❦ 24 March 2015 07:45 -0400, jeff saremi:
> #!/bin/sh
> pidfile=/data/haproxy.pid haproxy -db \
> -f /haproxy-1.5.8/haproxy.cfg -p $pidfile \
> -sf $(cat $pidfile)
The shell does variable substitution first, then executes the
line. Hence, $pidfile is expanded to "", not to "/data/haproxy
❦ 10 March 2015 15:48 GMT, Jonathan Matthews:
> http://backports.debian.org/wheezy-backports/overview/ reports that
> it's up to date with 1.5, but is only making 1.5.8 available. Does
> anyone have any insight into why this might be and how/if one might
> help the situation?
To be in "wheezy-b
❦ 25 February 2015 16:17 +0100, Mathieu Sergent:
> I want to know if a MIB for HAProxy is available ?
It depends what you call a MIB.
Aloha (the packaged HAProxy by HAProxy Tech) comes with a MIB:
https://www.haproxy.com/download/aloha/mibs/EXCELIANCE-MIB.txt
But you need an implementation.
❦ 24 February 2015 15:17 +0100, Nenad Merdanovic:
> +tls-ticket-keys
> + Sets the TLS ticket keys file to load the keys from. The keys need to be 48
> + bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of
> keys
> + is specified by the TLS_TICKETS_NO build option (defau
/20a4d774095eecfd8cb9
--
Vincent Bernat — vincent.ber...@exoscale.ch
❬❱ http://www.exoscale.ch
❦ 16 February 2015 14:31 +0100, Lukas Tribus:
>> As I understand wikipedia - it is discouraged to use ECMP for
>> loadbalancing.. "Load balancing by per-packet multipath routing is
>> generally deprecated due to the impact of rapidly changing latency,
>> packet reordering.."
>
> Nobody does per-
❦ 16 February 2015 14:07 +0100, Klavs Klavsen:
>> You use ECMP for load-balancing between different servers in a
>> single PoP/DC and anycast to route the request to the nearest PoP/DC.
>>
>
> As I understand wikipedia - it is discouraged to use ECMP for
> loadbalancing.. "Load balancing by per-
❦ 22 January 2015 11:47 +0800, "hu.zhang":
> Thank you for your quick reply. I did a test in this way. I found the
> maximum connection time into 3S. Our client is particularly concerned
> about the http response time. Do you have another way to add/remove
> the servers?
[...]
> Please see http
❦ 12 December 2014 02:08 GMT, David Adams:
> I ran strace on it just before CRASHTIME. It stopped on cue, with an
> exit code of 134.
>
> The strace output is here: haproxy strace - Pastebin.com
>
> As you'll see, it looks very strange - immediately after a series of
> futex calls (I've no idea
❦ 11 December 2014 17:03 GMT, David Adams:
> I tried this. I ran it like this:
>
> /usr/local/sbin/haproxy -db -f /etc/haproxy/haproxy.cfg
>
> which obviously didn't return as the process ran. Then at the
> crashtime (a few seconds past 17:00), that process terminated and the
> terminal just sh
and multiplies are generally performed optimally :-)
So, here is an updated patch:
>From ec4e0abebcb2258cba550820b316d30137310a52 Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Wed, 10 Dec 2014 10:31:37 +0100
Subject: [PATCH] BUG/MEDIUM: sample: fix random number upper-bound
random() will
❦ 10 December 2014 06:00 +0100, Willy Tarreau:
>> > Assuming that RAND_MAX is always a power of two - 1, 32 could be
>> > replaced by a precomputed value of ffs(RAND_MAX+1)-1.
>>
>> ebtree defines a fls64() function which seems best suited (RAND_MAX+1
>> could overflow). Here is a proposed pat
❦ 8 December 2014 23:20 +0100, Vincent Bernat:
> Assuming that RAND_MAX is always a power of two - 1, 32 could be
> replaced by a precomputed value of ffs(RAND_MAX+1)-1.
ebtree defines a fls64() function which seems best suited (RAND_MAX+1
could overflow). Here is a proposed patch fo
❦ 8 December 2014 11:30 -0600, Vivek Malik:
> I am using rand(x) in configuration to make some routing decisions. I
> am basically load balancing between backends and using the following
> configuration
>
> use_backend bk_1 { rand(100) le 50 }
> default_backend bk_2
>
> However, I am not seein
❦ 25 November 2014 16:46 +0100, Emeric Brun:
> Indeed on haproxy.com appliances, we made the choice to dedicate several
> cores/CPUs for NICs interrupts (manual bind, no usage of irqbalance) and
> to dedicate one other for the haproxy process with nbproc=1.
On a related topic, did you get a ch
❦ 7 October 2014 14:18 +0200, Willy Tarreau:
>> I waited about a month. Here is a pull request and you can see the
>> diff also https://github.com/haproxy/haproxy/pull/3
>
> OK, I didn't notice that haproxy-* would automatically ignore doc/haproxy-*
> simply because there are currently such fi
❦ 5 September 2014 20:38 +0300, Juho Mäkinen:
> Restricting the list to subscribed user (subonlypost) is not a
> good thing either
>
> May I ask why this is not a good thing? I see no valid reason why not
> subscribed members should be allowed to post. The subscription already
> checks
❦ 23 July 2014 16:48 +0200, Nicolas Grilly:
> If I'm correct on the above, then I don't understand why the problem
> is limited to connections during the 3WHS. Why established connections
> are not lost? Why are they "transferred" correctly from the old to the
> new process?
From my unders
❦ 22 July 2014 19:06 +0200, Nicolas Grilly:
> Willy wrote on StackOverflow that, when using SO_REUSEPORT, there is
> still a tiny possibility that a connection arrived in the queue of the
> leaving process at the moment it closes it, and thus the connection is
> "lost", and that there is no
❦ 17 July 2014 16:36 +0400, Aleksandr Vinokurov:
> I'm asked to evaluate possible pitfalls about subj. Can you point me
> to any info?
Without a POSIX layer like Cygwin, this is unlikely to work. With
Cygwin, poll() is mapped to select() so you won't be able to handle many
connections with
❦ 9 July 2014 14:28 GMT, Зайцев Сергей Александрович:
> I want to automatically update HaProxy's configuration depending on my
> app's state. I mean, that when I have a number of components running,
> I update my ZooKeeper configuration as soon as new node joins the
> cluster ( an leaves i
❦ 6 July 2014 19:00 +0200, Pavlos Parissis:
> It works and I can get up to 34K transactions/sec as reported by siege,
> I am quite happy with that. But the statistics are not correct. The
> stats pages reports 1/12th of sessions.
With your configuration, a request to the statistic socket w
❦ 30 June 2014 15:54 +0200, Klavs Klavsen:
> As far as I can gather - that would mean it will run out of ports, when
> it hits about 64k connections being open.
>
> But perhaps ports can be reused, if they are used against different
> backends ? (ie. the max open connection amount in the linux
❦ 23 June 2014 18:14 +0200, Markus Rietzler:
> to switch off tls compression (because of beast/crime attack) with tls
> v1.0 and compression. can i deactivate it in haproxy too?
haproxy disables SSL compression and there is no flag to enable
it. However, disabling SSL compression is not avail
❦ 29 May 2014 01:04 +0200, Willy Tarreau:
>> "const char * hello" means hello is a pointer to a const char. You may want
>> to say "const char * const hello". But gcc doesn't seem to handle it
>> either (but clang does).
>
> Yes it does but it doesn't change its verdict. The test is really bogu
❦ 28 May 2014 23:16 +0200, Willy Tarreau:
>> >> src/dumpstats.c:3059:4: error: format not a string literal and no format
>> >> arguments [-Werror=format-security]
>> >> chunk_appendf(&trash, srv_hlt_st[1]); /* DOWN (agent) */
>> >> ^
>> >>
>> >> srv_hlt_st[1] is "DOWN %s/%s", so this
❦ 28 May 2014 22:59 +0200, Willy Tarreau:
>> When compiling with -Werror=format-security (which is a common setting
>> on a Debian-based distribution), we get:
>>
>> src/dumpstats.c:3059:4: error: format not a string literal and no format
>> arguments [-Werror=format-security]
>> chunk_
❦ 28 May 2014 18:11 +0200, Willy Tarreau:
> Feedback welcome as usual,
When compiling with -Werror=format-security (which is a common setting
on a Debian-based distribution), we get:
src/dumpstats.c:3059:4: error: format not a string literal and no format
arguments [-Werror=format-security
❦ 23 May 2014 20:22 +0300, pablo platt:
> Something like this for haproxy will bring confidence and prevent
> confusion and questions.
> http://nginx.org/en/linux_packages.html
haproxy.debian.net is just a static page. We could host it on
haproxy.net if it helps (and apply the same CSS as the r
❦ 23 May 2014 17:10 +0200, Ghislain:
> /etc/apt/preferences.d/haproxy
>
> Package: haproxy
> Pin: origin haproxy.debian.net, version 1.5*
> Pin-Priority: 995
>
> Package: *
> Pin: origin haproxy.debian.net
> Pin-Priority: -10
For me, pinning on both origin and version doesn't work. I suppose y
❦ 7 May 2014 22:56 +0200, Vincent Bernat:
> So the main interest of those probes are:
>
> * low overhead, they can be left in production to be here when you
>   really need them
And you enable/disable them while the program is running.
--
panic ("No CPUs found.
❦ 7 May 2014 22:19 +0200, Willy Tarreau:
>> Here is a proof of concept. To test, use `make TARGET=linux2628
>> USE_DTRACE=1`. On Linux, you need systemtap-sdt-dev or something like
>> that. Then, there is a quick example in example/haproxy.stp.
>
> Interesting, but just for my understanding, w
ich work on optimized
executables. Ubuntu is providing debug symbols for almost
everything. Tracepoints are still interesting as they can be listed and
they are hand-picked.
>From 504504f2f8c13f077f09e0906cd7e7d3ca405acc Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Wed, 7 May 2014 18:18:07
❦ 26 April 2014 12:51 CEST, Willy Tarreau:
>> - leave the situation as it is now, and let users concerned with security
>> use a static 2048 bits (or larger) static DH parameter in the certificate
>> file ;
>> - recommit the patch I submitted as it is, and let users concerned with
>> the CPU
❦ 26 April 2014 10:20 CEST, Willy Tarreau:
>> > - ssl: Add standardized DH parameters >= 1024 bits
>> > (I still don't understand what this is about, I'm clearly far from
>> > being even an SSL novice). I have no idea whether it can be related
>> > or not, but at least you're usin
❦ 25 April 2014 17:22 CEST, Willy Tarreau:
> - ssl: Add standardized DH parameters >= 1024 bits
> (I still don't understand what this is about, I'm clearly far from
> being even an SSL novice). I have no idea whether it can be related
> or not, but at least you're using SSL so eve
❦ 17 April 2014 08:59 CEST, Vincent Bernat:
>> Is there a 1.5~dev22 deb package for Ubuntu 14.04 (trusty)?
>>
>> I've found the following ppa but it only has package for Ubuntu 13.10
>> and below.
>> https://launchpad.net/~vbernat/+archive/haproxy-1.5
>
>
❦ 16 April 2014 21:07 CEST, pablo platt:
> The Ubuntu PPA is great but it is not 'official' and I couldn't find
> Ubuntu 14.04 package.
> https://launchpad.net/~vbernat/+archive/haproxy-1.5
>
> Ubuntu 14.04 LTS will be out tomorrow which means that haproxy-1.5
> will be included only in the nex
❦ 12 April 2014 12:49 CEST, pablo platt:
> Is there a 1.5~dev22 deb package for Ubuntu 14.04 (trusty)?
>
> I've found the following ppa but it only has package for Ubuntu 13.10
> and below.
> https://launchpad.net/~vbernat/+archive/haproxy-1.5
I will update the repository this week-end to get
❦ 6 March 2014 16:15 CET, Jonathan Matthews:
> 1) On restart/reload/disabled-server-now-enabled-via-admin-interface,
> haproxy considers a server to be 1 health check away from going down,
> but considers it *initially* up.
On reload, haproxy could wait for a whole round of healthcheck before
❦ 23 February 2014 12:25 CET, Willy Tarreau:
>> I suppose this is in combination with SO_REUSEADDR (otherwise, bind()
>> would fail). It's good to know:
>>
>> tcp ESTAB 0 0 192.168.116.1:37544 74.125.132.104:80
>>
>> tcp ESTAB 0 0 192.168.116.
❦ 23 February 2014 10:31 CET, Willy Tarreau:
>> > It depends if you have some servers in common or not. The system will
>> > always allow multiple outgoing connections to share the same local
>> > source ip:port as long as they don't go to the same destination ip:ports
>> > since a connection is
❦ 22 February 2014 14:55 CET, Willy Tarreau:
> It depends if you have some servers in common or not. The system will
> always allow multiple outgoing connections to share the same local
> source ip:port as long as they don't go to the same destination ip:ports
> since a connection is defined by
❦ 23 November 2013 10:47 CET, Willy Tarreau:
>> > However you must absolutely figure what core shares L2 with what other
>> > core. I suspect you'll have core 0 + core 3, core 1 + core 4, core 2 +
>> > core 5. But that's only a guess.
>>
>> I don't know if this is reliable, but you can have th
❦ 23 November 2013 10:13 CET, Willy Tarreau:
> However you must absolutely figure what core shares L2 with what other
> core. I suspect you'll have core 0 + core 3, core 1 + core 4, core 2 +
> core 5. But that's only a guess.
I don't know if this is reliable, but you can have this information
❦ 6 June 2013 09:08 CEST, Vincent Bernat:
> If you want to use prebuilt packages for HAProxy for Debian or Ubuntu,
> here is what is available:
[...]
Hi!
You can now find the same information on this page:
http://haproxy.debian.net/
HAProxy 1.5 for Wheezy has also been added thr
❦ 30 September 2013 13:01 CEST, Apollon Oikonomopoulos:
>> My version of pcre-config (8.30, also tested with 8.31) includes:
>>
>> libS=
>> if test ${prefix}/lib/x86_64-linux-gnu != /usr/lib ; then
>> libS=-L${prefix}/lib/x86_64-linux-gnu
>> fi
>
> Update:
>
> Debian's 8.31 (testing/unstable
❦ 30 September 2013 11:30 CEST, Willy Tarreau:
>> I would use `pcre-config --libs` and `pcre-config --cflags` instead. The
>> user can still override this on make command line.
>>
>> PCRE_CFLAGS := $(shell pcre-config --cflags)
>> PCRE_LIBS := $(shell pcre-config --libs)
>
> But these would st
❦ 29 September 2013 22:27 CEST, Vincent Bernat:
> LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
> $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
> $(AM_LDFLAGS) $(LDFLAGS) -o $@
> haproxy: ...
> $(AM_V_CCLD)$(LINK) $(
❦ 29 September 2013 18:30 CEST, Willy Tarreau:
> So maybe we should in fact stop setting PCREDIR to $(pcre-config --prefix),
> which will result in PCRE_INC/PCRE_LIB remaining silent unless PCREDIR is
> forced. I suspect the following patch should fix it :
>
> diff --git a/Makefile b/Makefile
>
❦ 10 September 2013 10:18 CEST, Josip Lazic:
>> > Something I do in my personal package is to include halog tool, which is
>> > in contrib directory, would be great if you can include that too.
>>
>> OK, will do.
>
> Do you know when you will be able to include halog? Thanks.
It has been incl
❦ 20 August 2013 23:37 CEST, Erwin Schliske:
> is it possible to use SSL with PFS (Perfect Forward Secrecy) in
> HaProxy 1.5?
Yes. There is nothing to do. It works out of the box. If you modify
default ciphers, just ensure that they contain the appropriate DHE or
ECDH ciphers. You can check this
❦ 24 July 2013 11:07 CEST, Willy Tarreau:
> Indeed. I have no idea why we're observing these differences, and I
> don't know if the libc uses heuristics to decide to memset() the
> area or not.
Unless there is an alternative malloc hooked, the libc heavily relies on
the fact that the kernel
❦ 2 July 2013 10:39 CEST, Hudec Peter:
> But for Debian this version is in experimental now ;( I will look if some
> already done for Wheezy.
It's really easy to backport the version in experimental for Wheezy:
dget http://http.debian.net/debian/pool/main/h/haproxy/haproxy_1.5~dev19-1.dsc
❦ 24 June 2013 14:50 CEST, Hervé COMMOWICK:
> Something I do in my personal package is to include halog tool, which is
> in contrib directory, would be great if you can include that too.
OK, will do.
--
printk("MASQUERADE: No route: Rusty's brain broke!\n");
2.4.3. linux/net/ipv4/netf
❦ 8 June 2013 00:49 CEST, hapr...@serverphorums.com:
> While it's great to have more Ubuntu packages, especially for the dev
> version, I took a look at the Ubuntu ecosystem and basically all the
> packages are missing the USE_ZLIB to enable gzip compression.
Gzip compression has been added to
❦ 8 June 2013 00:49 CEST, hapr...@serverphorums.com:
> While it's great to have more Ubuntu packages, especially for the dev
> version, I took a look at the Ubuntu ecosystem and basically all the
> packages are missing the USE_ZLIB to enable gzip compression.
It will be added in the next uploa
❦ 6 June 2013 10:55 CEST, Willy Tarreau:
> Thank you very much for this work, I'm sure this will be appreciated a lot
> and will improve user experience by definitely getting rid of the old bogus
> versions.
BTW, I am not alone on this. Debian packages are also maintained by
Apollon Oikonomop
Hi!
If you want to use prebuilt packages for HAProxy for Debian or Ubuntu,
here is what is available:
If you want HAProxy 1.4:
1. For Debian Sid (unstable) and Debian Jessie (testing), just "apt-get
install haproxy".
2. For Debian Wheezy (stable), "apt-get install haproxy -t
wheezy-ba
❦ 17 April 2013 01:00 CEST, Willy Tarreau:
>> I've just recompiled haproxy 1.5 with the latest commits.
>> The patch containing a box to filter proxies is useful but I think we
>> should remove the "autofocus" keyword from the generated html.
>>
>> Currently, it prevents using the keyboard to
Hi!
Actually, the Unix stats socket is global. It is possible to pin it to
some processes, but it is not possible to have one Unix socket per
process. Has someone already tried to add the appropriate code to
declare several Unix sockets?
Thanks.
--
printk("Entering UltraSMPenguin Mode...\n");
❦ 10 January 2013 00:24 CET, Willy Tarreau:
>> It depends how AES-NI is compiled in your OpenSSL. On Ubuntu, AES-NI
>> support is builtin and selected automatically. But if people are using
>> implementations from Intel for older versions of OpenSSL, the engine
>> needs to be selected by hand.
❦ 5 January 2013 09:06 CET, Willy Tarreau:
> Did you get a significant performance gain with padlock ? I've not had
> the chance to test one yet. I don't even know if it requires an engine
> or not. At least with aes-ni, it's included in the native code, you
> don't need the engine (and the pe
❦ 12 December 2012 14:45 CET, Baptiste:
> Maybe some of you already experimented source port exhaustion.
> Here is a blog post giving some information about it:
>
> http://blog.exceliance.fr/2012/12/12/haproxy-high-mysql-request-rate-and-tcp-source-port-exhaustion/
Great post!
But, you should
❦ 24 November 2012 12:01 CET, Vincent Bernat:
> #ifdef TCP_FASTOPEN
> -/* parse the "defer-accept" bind keyword */
> +/* parse the "tfo" bind keyword */
> static int bind_parse_tfo(char **args, int cur_arg, struct proxy *px, struct
> bind_conf *conf, char
❦ 24 November 2012 10:36 CET, Willy Tarreau:
>> There are no dumb questions.
>> What you're saying is not doable for now in HAProxy.
>> Maybe Willy will tell you wether he can do it or not.
>
> Someone else asked for it a few weeks ago and I've added it to the todo
> list, it's something easy t
With this option enabled, a TCPv6 socket will only listen for IPv6
packets. With this option absent, a TCPv6 socket will accept both IPv6
and IPv4 packets.
The system setting (net.ipv6.bindv6only) is ignored because many
people disagree with the default proposed by RFC 3493 (which is to
listen to
❦ 25 July 2012 12:00 CEST, "Stojan Rancic (Iprom)":
> is it possible to create a stats socket (or per-process stats socket)
> when haproxy is configured with 'nbproc=2' or higher ?
Hi!
I am unsure if this is possible with a socket. However, you can do it
for the web interface.
listen moni
❦ 27 June 2012 20:13 CEST, Willy Tarreau:
>> Default value for maxconn in the context of a proxy is 2000 and is
>> unrelated to any other value (like global ulimit-n or global
>> maxconn). Without an explicit a user may think that the default value
>> is either no limit or equal to the global m
Default value for maxconn in the context of a proxy is 2000 and is
unrelated to any other value (like global ulimit-n or global
maxconn). Without an explicit a user may think that the default value
is either no limit or equal to the global maxconn value.
---
doc/configuration.txt |2 ++
1 file
That's how I understand it at least.
Yes. And solve session problem by using some kind of persistence, for
example source hashing load balancing algorithm.
--
Vincent Bernat ☯ http://vincent.bernat.im
panic ("No CPUs found. System halted.\n");
2.4.3 linux/arch/parisc/kernel/setup.c
the servers) :
> - to prevent memory allocation
> - to take into account every "s" parameters
> - of course, it can be optimized to prevent the 2nd pass if the
> parameters are already ordered.
Maybe, it's not worth it.
--
Vincent Bernat ☯ http://vincent.bernat.im
die_if_kernel("Whee... Hello Mr. Penguin", current->tss.kregs);
2.2.16 /usr/src/linux/arch/sparc/kernel/traps.c
When enabling/disabling a server with POST to the stats page, the
order of the required params is important: the server name had to be
first. This patch allows to handle those parameters in any order.
---
src/proto_http.c | 45 +
1 files changed, 25 in
hink this would amend the difference with stud.
--
Vincent Bernat ☯ http://vincent.bernat.im
Make sure every module hides something.
- The Elements of Programming Style (Kernighan & Plauger)
tunnel and stud have the same performance. For stunnel, you need
to use OpenSSL 1.0.0c or later to fix a performance problem. With
hyperthreading, I even got better results with stunnel.
If you use stunnel, use at least 4.45. It features sendproxy support.
--
Vincent Bernat ☯ http://vincen
On Mon, 12 Dec 2011 13:23:11 +0100, Sander Klein wrote:
I started doing this because there is no nonlocal_bind option for
IPv6 (or I didn't search well enough (-: )
From the source code, it seems that IPv4 non local bind sysctl
also
applies to IPv6. Since 2.6.30.
Hmmm, then I'm going to lo
On Mon, 12 Dec 2011 13:04:22 +0100, Sander Klein wrote:
I started doing this because there is no nonlocal_bind option for
IPv6 (or I didn't search well enough (-: )
From the source code, it seems that IPv4 non local bind sysctl also
applies to IPv6. Since 2.6.30.
Hmmm, then I'm going to look
On Mon, 12 Dec 2011 11:13:05 +0100, Sander Klein wrote:
I started doing this because there is no nonlocal_bind option for
IPv6 (or I didn't search well enough (-: )
From the source code, it seems that IPv4 non local bind sysctl also
applies to IPv6. Since 2.6.30.
On Mon, 12 Dec 2011 11:28:21 +0200, Graeme Donaldson wrote:
When haproxy is bound to an IP address managed by VRRP, this IP
address may
be absent when haproxy starts. What is the best way to handle this?
1. Start haproxy only when the host is master.
2. Use transparent mode.
3. Patch haprox
Hi!
When haproxy is bound to an IP address managed by VRRP, this IP address
may be absent when haproxy starts. What is the best way to handle this?
1. Start haproxy only when the host is master.
2. Use transparent mode.
3. Patch haproxy to use IP_FREEBIND option.
and without tickets correctly.
For example, with nginx, you need to configure a session cache.
--
Vincent Bernat ☯ http://vincent.bernat.im
Keep it right when you make it faster.
- The Elements of Programming Style (Kernighan & Plauger)
force the
use of DHE cipher and it is possible for an attacker to downgrade to the
less secure cipher with SSL 3.0 (downgrade attack).
--
Vincent Bernat ☯ http://vincent.bernat.im
Make it right before you make it faster.
- The Elements of Programming Style (Kernighan & Plauger)
nted to "config". When running step 5 again
> it seemed to jump into an endless making of openssl :/
> Meaning that it is starting to do something but it never finish,
> waited for ~20min.
Symlink seems a wrong idea. Why doesn't it seem to do the ./Configure properly?
On Fri, 04 Nov 2011 09:41:00 +0100, Aleksandar Lazic wrote:
you must use
http://www.stunnel.org/static/stunnel.html
protocol = proxy
In this case, you need the latest stunnel (4.45).
ED_CACHE=1
9. You get your stud linked against OpenSSL 1.0.0e. Now, on your
server, install libssl1.0.0_1.0.0e-2ubuntu4~bpoXXX1.deb then
stud.
--
Vincent Bernat ☯ http://vincent.bernat.im
/*
* For moronic filesystems that do not allow holes in file.
* We may
patch to backport it.
https://gist.github.com/1272151/b1a61124d1568eb795fa82b24b875889cbd0005c
--
Vincent Bernat ☯ http://vincent.bernat.im
panic("floppy: Port bolixed.");
2.2.16 /usr/src/linux/include/asm-sparc/floppy.h
active SSL connection can take a lot more memory than a session but I
don't know how much exactly. If you have long running connection, this
will be more an issue than session cache.
--
Vincent Bernat ☯ http://vincent.bernat.im
Watch out for off-by-one errors.
- The Elements of P
pendencies got broken.
Memory usage can be divided by 10 with OpenSSL 1.0.0. You need to ensure
that you use a stud version using SSL_MODE_RELEASE_BUFFERS to take
advantage of it.
--
Vincent Bernat ☯ http://vincent.bernat.im
Follow each decision as closely as possible with its ass
1.0.0 will
help a lot here.
--
Vincent Bernat ☯ http://vincent.bernat.im
Make sure special cases are truly special.
- The Elements of Programming Style (Kernighan & Plauger)