Re: pcre vs pcre2, which one to use?

2024-02-07 Thread Willy Tarreau
Hi Abhijeet, On Wed, Feb 07, 2024 at 01:19:27PM -0800, Abhijeet Rastogi wrote: > Hi HAproxy community, > > I see that Makefile > suggests that > pcre1 is a recommended version to use, is that still true or a comment that > got out of

Re: ACL and operator

2024-02-03 Thread Willy Tarreau
On Sat, Feb 03, 2024 at 01:18:30PM +, Tristan wrote: > > > > On 3 Feb 2024, at 15:18, Willy Tarreau wrote: > > > > Quite honestly, we've thought about it several times but you can't enforce > > such a change on 20 years of configs everywhere. > > That

Re: ACL and operator

2024-02-03 Thread Willy Tarreau
On Sat, Feb 03, 2024 at 10:31:02AM +, Tristan wrote: > Hi Willy, > > > On 3 Feb 2024, at 12:48, Willy Tarreau wrote: > > > in fact we could check for > >> the presence of "and" or "or" on a line, or some other suspicious > >> cons

Re: ACL and operator

2024-02-03 Thread Willy Tarreau
On Sat, Feb 03, 2024 at 09:10:42AM +0100, Willy Tarreau wrote: > On Fri, Feb 02, 2024 at 06:43:12PM +, Lukas Tribus wrote: > > On Fri, 2 Feb 2024 at 18:42, John Lauro wrote: > > > > > > Seems like a lint style checker that doesn't require AI. > >

Re: ACL and operator

2024-02-03 Thread Willy Tarreau
On Fri, Feb 02, 2024 at 06:43:12PM +, Lukas Tribus wrote: > On Fri, 2 Feb 2024 at 18:42, John Lauro wrote: > > > > Seems like a lint style checker that doesn't require AI. > > For example, it could recognize that the / in /api isn't valid for > > req.hdr(host) > > [...] > > The _ in path_beg

Re: [PATCH] DOC: install: enable WOLFSSL_GETRANDOM

2024-02-01 Thread Willy Tarreau
Hi Lukas! On Thu, Feb 01, 2024 at 02:52:10PM +, Lukas Tribus wrote: > On Thu, 1 Feb 2024 at 12:08, William Lallemand wrote: > > > > That's interesting, however I'm surprised the init does not work before the > > chroot, > > we are doing a RAND_bytes() with OpenSSL before the chroot to

Re: Optimizing HAProxy CPU usage for SSL

2024-01-31 Thread Willy Tarreau
Hi Miles, On Thu, Feb 01, 2024 at 05:09:20PM +1100, Miles Hampson wrote: > Hi, > > We recently hit an issue where we observed the > haproxy_frontend_current_sessions reported by the prometheus endpoint > plateau at 4095 and some requests start dropping. Increasing the global and > listen maxconn

[ANNOUNCE] haproxy-2.9.4

2024-01-31 Thread Willy Tarreau
ntry Thayne McCombs (1): DOC: configuration: clarify http-request wait-for-body Willy Tarreau (5): BUG/MEDIUM: mux-h2: refine connection vs stream error on headers MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc BUG/MINOR: jwt: fix jwt_verify c

Re: [PATCH] CLEANUP: log: deinitialization of the log buffer in one function

2024-01-29 Thread Willy Tarreau
Hi Miroslav, On Tue, Jan 30, 2024 at 03:42:20AM +0100, Miroslav Zagorac wrote: > Hello all, > > In several places in the source, there was the same block of code that was > used to deinitialize the log buffer. There were even two functions that > did this, but they were called only from the

Re: [PATCH] DOC: configuration: clarify http-request wait-for-body

2024-01-28 Thread Willy Tarreau
Hi Thayne, On Sun, Jan 28, 2024 at 10:07:32PM -0700, Thayne McCombs wrote: > Make it more explicit what happens in the various scenarios that cause > HAProxy to stop waiting when "http-request wait-for-body" is used. > > Also fix a couple of grammatical errors. > > Fixes: #2410 > Signed-Off-By:

Re: [PATCH 0/3] fix speling remnants, enable spel chek on push

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 09:22:58PM +0100, ??? wrote: > ??, 26 ???. 2024 ?. ? 20:01, Willy Tarreau : > > > On Fri, Jan 26, 2024 at 05:30:31PM +0100, Willy Tarreau wrote: > > > On Wed, Jan 24, 2024 at 02:26:13PM +0100, Ilya Shipitsin wrote: > > > > it is v

[ANNOUNCE] haproxy-3.0-dev2

2024-01-26 Thread Willy Tarreau
rts MEDIUM: ssl: implements 'default-crt' keyword for bind Lines CI: github: update wolfSSL to 5.6.6 DOC: INSTALL: require at least WolfSSL 5.6.6 Willy Tarreau (23): DEV: patchbot: produce a verdict for too long commit messages DEV: phash: add a trivial perfect hash

Re: [PATCH 0/3] fix speling remnants, enable spel chek on push

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 05:30:31PM +0100, Willy Tarreau wrote: > On Wed, Jan 24, 2024 at 02:26:13PM +0100, Ilya Shipitsin wrote: > > it is very fast check, should not affect developer velocity much > > OK now pushed, thank you Ilya! Ilya, I reverted the last one (automatic check o

Re: PATCH 3/3: BUILD/MEDIUM: deviceatlas: addon code update

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 06:35:09PM +, David Carlier wrote: > > > > It broke the CI on the "all features" build: > > > > > > https://github.com/haproxy/haproxy/actions/runs/7671640626/job/20910459829 > > > > /usr/bin/ld: cannot find -lcurl: No such file or directory > > /usr/bin/ld: cannot find

Re: PATCH 3/3: BUILD/MEDIUM: deviceatlas: addon code update

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 06:57:57PM +0100, Willy Tarreau wrote: > On Fri, Jan 26, 2024 at 05:38:20PM +, David Carlier wrote: > > I m good with your version. Thanks ! > > Great, now merged, thanks! > Willy It broke the CI on the "all features" build: https:

Re: PATCH 3/3: BUILD/MEDIUM: deviceatlas: addon code update

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 05:38:20PM +, David Carlier wrote: > I m good with your version. Thanks ! Great, now merged, thanks! Willy

Re: PATCH 3/3: BUILD/MEDIUM: deviceatlas: addon code update

2024-01-26 Thread Willy Tarreau
On Fri, Jan 26, 2024 at 04:41:36PM +, David Carlier wrote: > Hi, > > Please find the revised patch. OK thanks, it looks good and addresses the build issue. I noticed that when building with the dummy lib, we continue to link with -lstdc++ even if it's not used (unless DEVICEATLAS_NOCACHE=1)

Re: [PATCH 0/3] fix speling remnants, enable spel chek on push

2024-01-26 Thread Willy Tarreau
On Wed, Jan 24, 2024 at 02:26:13PM +0100, Ilya Shipitsin wrote: > it is very fast check, should not affect developer velocity much OK now pushed, thank you Ilya! Willy

Re: PATCH 3/3: BUILD/MEDIUM: deviceatlas: addon code update

2024-01-26 Thread Willy Tarreau
Hi David, On Thu, Jan 25, 2024 at 09:26:24AM +, David Carlier wrote: > Finally the last piece related to the da's dummy update and da.c changes. Thanks. I'm getting the following build error: addons/deviceatlas/da.c: In function 'da_haproxy_checkinst': addons/deviceatlas/da.c:284:25:

Re: HAProxy Technologies NERC CIP 13 Vendor Questionnaire

2024-01-23 Thread Willy Tarreau
On Tue, Jan 23, 2024 at 12:11:56PM +0100, ??? wrote: > how can HAProxy be related, for example, to "NERC requires CORE to revoke > access within 24 hours when remote or onsite > access is no longer needed by your personnel to CORE systems or > facilities." ? Ilya, please avoid responding

Re: [PATCH] MEDIUM: sample: Modify fetchers for req.hdrs and res.hdrs to selectively include / exclude headers

2024-01-19 Thread Willy Tarreau
of a hiccup on the send side, so thanks for resending! Some comments below. > > From: Ruei-Bang Chen > Sent: Tuesday, December 12, 2023 5:32 PM > To: Willy Tarreau > Cc: haproxy@formilux.org > Subject: Re: [PATCH] MEDIUM: sample: Modify fetchers f

[ANNOUNCE] haproxy-2.9.3

2024-01-18 Thread Willy Tarreau
BUILD: quic: missing include for quic_tp BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control Frederic Lecaille (1): BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT) Willy Tarreau (1): BUG/MINOR: mux-h2: also count streams for refused ones ---

Re: [PATCH] fix runtime 'FATAL ERROR: invalid code detected -- cannot go further' when building with Buildroot

2024-01-17 Thread Willy Tarreau
Hello Aleksandr, On Tue, Jan 16, 2024 at 09:28:57PM +0200, Aleksandr Makarov wrote: > In buildroot, forcing HAPROXY_CFLAGS on the haproxy build command line > overrides CFLAGS > which were internally set by the package Makefile. > > In such a way, a bunch of flags that were deduced by the

Re: [PATCH 0/3] spell check improvements

2024-01-11 Thread Willy Tarreau
On Thu, Jan 11, 2024 at 08:49:08PM +0100, Ilya Shipitsin wrote: > few words are added to whitelists, few typos fixed Applied, thank you Ilya! Willy

Re: [PATCH] DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay

2024-01-11 Thread Willy Tarreau
Hi Miroslav, On Tue, Jan 09, 2024 at 09:14:24PM +0100, Miroslav Zagorac wrote: > Hello all, > > I'm not sure, but it seems to me that in the doc/configuration.txt > documentation, the paragraph related to the keyword > tune.ssl.ssl-ctx-cache-size was also copied for the description of > the

Re: Which fetcher to use for detecting a connection refused event?

2024-01-10 Thread Willy Tarreau
Hi, On Tue, Jan 09, 2024 at 04:52:49PM -0500, J B wrote: > Hi folks. Just following up here. Still wondering about the prior request. > After some more research, it seems that "txn.sess_term_state" is only > available in HAProxy 2.9. Might there be a fetcher in 2.8 that can achieve > something

Re: [PATCH] MINOR: ot: logsrv struct becomes logger

2024-01-09 Thread Willy Tarreau
Hi Miroslav, On Mon, Jan 08, 2024 at 01:12:25PM +0100, Miroslav Zagorac wrote: > Hello all, > > after the patch 18da35c "MEDIUM: tree-wide: logsrv struct becomes logger", the > OpenTracing filter can no longer be compiled in debug mode. This patch fixes > it. > > This patch should be

Re: [PATCH 0/1] Update ssl_fc_curve/ssl_bc_curve sample fetch

2024-01-08 Thread Willy Tarreau
On Mon, Jan 08, 2024 at 08:01:07PM +, Mariam John wrote: > Thank you Willy for the update. Appreciate it. Please take your time. I > totally understand. Just wanted to make sure it wasn't lost or forgotten > about. I knew you would naturally start to worry about it, I even mentioned it in the

Re: [PATCH 0/1] Update ssl_fc_curve/ssl_bc_curve sample fetch

2024-01-08 Thread Willy Tarreau
Hi Mariam, On Mon, Jan 08, 2024 at 02:40:22PM +, Mariam John wrote: > Happy new year!! Just wanted to see if this patch could move forward. I have > made the changes recommended by William. Yeah, we spoke about it this morning with William, he's still unpiling his mailbox :-) Rest assured

Re: [ANNOUNCE] haproxy-3.0-dev1

2024-01-07 Thread Willy Tarreau
On Sun, Jan 07, 2024 at 01:59:20PM +0100, Tim Düsterhus wrote: > Willy, > > On 1/6/24 15:08, Willy Tarreau wrote: > > HAProxy 3.0-dev1 was released on 2024/01/06. It added 136 new commits > > after version 3.0-dev0. I figured we're already one month after 2.9 wa

Re: [ANNOUNCE] haproxy-3.0-dev1

2024-01-07 Thread Willy Tarreau
Hi Tim, On Sun, Jan 07, 2024 at 01:01:34PM +0100, Tim Düsterhus wrote: > Willy, > > On 1/6/24 15:08, Willy Tarreau wrote: > >multiple frontend nodes, etc. One of the issue is directly related to > >the current lack of ability to force to close a connection f

[ANNOUNCE] haproxy-3.0-dev1

2024-01-06 Thread Willy Tarreau
ort CLEANUP: mworker/cli: add comments about pcli_find_and_exec_kw() BUILD: ssl: update types in wolfssl cert selection callback MINOR: ssl: activate the certificate selection callback for WolfSSL CI: github: switch to wolfssl git-c4b77ad for new PR BUG/MINOR: resolve

Re: exchange services

2023-12-13 Thread Willy Tarreau
Hello Dario, thanks for your report. On Wed, Dec 13, 2023 at 07:22:03PM +, Dario Girella wrote: > Hello, > i just upgrade my haproxy version from 2.8.5 to 2.9, all seems fine but i > receive error from outlook trying to configure mailbox by autodiscover. > Also problem to open owa. >

Re: [*EXT*] Re: Public-facing haproxy : recommandation about headers

2023-12-08 Thread Willy Tarreau
Hi Ionel, On Fri, Dec 08, 2023 at 10:35:52PM +0100, Ionel GARDAIS wrote: > Thanks Tristan. > > So typically I'd say to add to every single http frontend: > http-request set-header X-Forwarded-For %[src] > http-request set-header X-Forwarded-Host %[hdr(Host)] > http-request set-header

Re: [ANNOUNCE] haproxy-2.9.0

2023-12-05 Thread Willy Tarreau
Hi Tim! On Tue, Dec 05, 2023 at 08:00:43PM +0100, Tim Düsterhus wrote: > Willy, > > On 12/5/23 17:24, Willy Tarreau wrote: > > HAProxy 2.9.0 was released on 2023/12/05. It added 25 new commits > > after version 2.9-dev12. > > Congratulations! :-) > > > Le

[ANNOUNCE] haproxy-2.9.0

2023-12-05 Thread Willy Tarreau
terhus (4): DOC: config: add missing colon to "bytes_out" sample fetch keyword (2) REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter BUG/MINOR: sample: Make the `word` converter compatible with `-m found` DOC: Clarify the differences

Re: [PATCH 3/3] DOC: Clarify the differences between field() and word()

2023-12-01 Thread Willy Tarreau
Hi Tim, On Thu, Nov 30, 2023 at 04:41:18PM +0100, Tim Duesterhus wrote: > word() mentions that delimiters at the start and end are ignored, but it does > not mention that consecutive delimiters are merged. (...) Series just merged as well, I didn't notice it while I was typing the announce

Re: [PATCH] DOC: config: add missing colon to "bytes_out" sample fetch keyword (2)

2023-11-30 Thread Willy Tarreau
On Thu, Nov 30, 2023 at 08:15:32PM +0100, Tim Duesterhus wrote: > This reapplies 1eb049dc677f2de950158615ed3d8306ee5102d6, as the change was > accidentally reverted in 5ef48e063ecf992646c7af374153f106050fb8ec. Oops, thanks for catching this one, Tim! Now applied, thank you! Willy

[ANNOUNCE] haproxy-2.9-dev12

2023-11-30 Thread Willy Tarreau
DOC: management: add documentation about customized payload pattern BUG/MINOR: acme.sh: update the deploy script MINOR: acme.sh: use the master CLI for hot update Willy Tarreau (14): MINOR: task/profiling: do not record task_drop_running() as a caller OPTIM: pattern: save me

Re: [PATCH] DOC: config: Add argument for tune.lua.maxmem

2023-11-29 Thread Willy Tarreau
On Wed, Nov 29, 2023 at 12:08:12PM +0100, Olivier Duclos wrote: > Make it clear that tune.lua.maxmem expects a number. Applied, thank you Olivier! Willy

Re: [PATCH] Add HAPROXY_SERVER_CHECK_PORT to the external check

2023-11-28 Thread Willy Tarreau
Hello, On Fri, Nov 24, 2023 at 01:56:14PM +, Payne Max wrote: > Thank you for participating, Willy! > > Yes you're right. > > I can agree only partially with your proposal, it have sense, but let's > imagine we have this backend section: > > backend be_myapp > server srv1 10.0.0.1:80

Re: [PATCH] Add HAPROXY_SERVER_CHECK_PORT to the external check

2023-11-24 Thread Willy Tarreau
On Fri, Nov 24, 2023 at 10:04:42AM +, Payne Max wrote: > Christopher, thanks for your review, I'm only saving general approach to the > indentation and to follow it I need to move other lines ... > > User passes some check port to the `backed.server` line and I want to provide > this port to

Re: [PATCH] DOC: configuration.txt: add log-balance documentation

2023-11-24 Thread Willy Tarreau
On Wed, Nov 22, 2023 at 04:13:22PM +0100, Aurelien DARRAGON wrote: > > Got it, sorry for the noise then. > > No worries, thank you for noticing it! I missed that one before dev11 but it's merged now. Thank you guys! willy

[ANNOUNCE] haproxy-2.9-dev11

2023-11-23 Thread Willy Tarreau
BUG/MINOR: quic: Possible RX packet memory leak under heavy load Ilya Shipitsin (2): CLEANUP: assorted typo fixes in the code and comments CI: limit codespell checks to main repo, not forks William Lallemand (1): BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctl

Re: [PR] DOC: updated 51Degrees repo URL for v.3.2.10

2023-11-23 Thread Willy Tarreau
On Mon, Nov 20, 2023 at 08:23:02PM +, PR Bot wrote: > Author: Eugene Dorfman > Number of patches: 1 > > This is an automated relay of the Github pull request: >DOC: updated 51Degrees repo URL for v.3.2.10 > > Patch title(s): >DOC: updated 51Degrees repo URL for v.3.2.10 > > Link:

Re: [PATCH 0/2] spelling fixes

2023-11-23 Thread Willy Tarreau
On Tue, Nov 21, 2023 at 07:54:15PM +0100, Ilya Shipitsin wrote: > yet spelling fixes Merged, thank you Ilya! Willy

Re: Logging port #

2023-11-18 Thread Willy Tarreau
On Sat, Nov 18, 2023 at 03:20:51PM +0100, Christoph Kukulies wrote: > I would like to see more precisely what requests arrive at haproxy at which > port and how they are routed to the backend server (port). > > At the moment I don't see any connects in /var/log/haproxy/haproxy.log > > and at

[ANNOUNCE] haproxy-2.9-dev10

2023-11-18 Thread Willy Tarreau
lock BUG/MINOR: shctx: Remove old HA_SPIN_INIT Tim Duesterhus (1): CLEANUP: Re-apply xalloc_size.cocci (3) William Lallemand (9): MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path() MINOR: errors: does not check MODE_STARTING for log emission MEDIUM: errors: mov

Re: Understanding haproxy's regex

2023-11-17 Thread Willy Tarreau
On Fri, Nov 17, 2023 at 10:26:32AM +0100, Christoph Kukulies wrote: > I have the following line in my config: > > backend website > http-request replace-header Destination ^([^\ :]*)\ /(.*) \1\ /opencms/\2 > server www.mydomain.org 127.0.0.1:8080 > > > Actually I'm used the write

Re: Does fullconn do anything in backends where minconn/maxconn are not used on any server?

2023-11-15 Thread Willy Tarreau
Hello, On Wed, Nov 15, 2023 at 05:30:06PM -0600, JJ Graham wrote: > Hi there, > > Does fullconn do anything in backends where minconn/maxconn are not used on > any server? The documentation and previous answers to similar questions > seem to imply the answer is "no" but the fact that it gets set

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-12 Thread Willy Tarreau
Hi Alexander, On Fri, Nov 10, 2023 at 08:44:31PM +, Stephan, Alexander wrote: > > I don't see how this is possible: > > > >list_for_each_entry(srv_tlv, >pp_tlvs, list) { > >if (srv_tlv == NULL) > > break; > > > For srv_tlv to be NULL, it would

Re: "external-check" does not work properly in Rocklinux8

2023-11-10 Thread Willy Tarreau
Hello, On Thu, Nov 09, 2023 at 05:09:19PM +0800, ?? wrote: > hi, 1?docker pull haproxy:2.8.3 > 2?haproxy.conf:external-check command /var/lib/haproxy/test.sh > > > When the container is running in the RockLinux environment, the > test.sh script is not called for execution. On the contrary,

Re: [PATCH] MEDIUM: sample: Modify fetchers for req.hdrs and res.hdrs to selectively include / exclude headers

2023-11-09 Thread Willy Tarreau
Hi Ruei-Bang, On Fri, Nov 10, 2023 at 01:33:01AM +, Ruei-Bang Chen wrote: > Hi team, > > Based on the feedback from > https://www.mail-archive.com/haproxy@formilux.org/msg44153.html, I have > attached a patch for modifying fetchers for req.hdrs and res.hdrs to > selectively include / exclude

Re: [PATCH] CLEANUP: Re-apply xalloc_size.cocci (3)

2023-11-06 Thread Willy Tarreau
On Sun, Nov 05, 2023 at 08:02:37PM +0100, Tim Duesterhus wrote: > This reapplies the xalloc_size.cocci patch across the whole `src/` tree. Applied, thank you Tim! Willy

[ANNOUNCE] haproxy-2.9-dev9

2023-11-05 Thread Willy Tarreau
for TLSv1.3 and sigalgs BUG/MEDIUM: ssl: segfault when cipher is NULL MEDIUM: systemd: be more verbose about the reload CI: github: update wolfSSL to 5.6.4 DOC: install: update the wolfSSL required version Willy Tarreau (8): DEBUG: mux-h2/flags: fix list of h2c flags us

Re: Use 'http-request replace-header' instead.

2023-11-04 Thread Willy Tarreau
Hello Christoph, On Wed, Nov 01, 2023 at 11:09:27AM +0100, Christoph Kukulies wrote: > During migration from an older site to a newer one with newer haproxy I find > that I have syntax errors in > haproxy.cfg: > > > The 'reqirep' directive is not supported anymore since HAProxy 2.1. Use >

Re: Update track function with example

2023-11-04 Thread Willy Tarreau
Hello Kurtis, On Thu, Oct 26, 2023 at 12:20:17PM +1000, Kurtis Miller wrote: > https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#5.2-track > > Please add the following examples: > > backend A > server a1 1.1.1.1:80 track B/b1 > server a2 1.1.1.2:80 track B/b1 > >

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
Alexander, I now merged your patch with the SMP_VAL_ change, after verifying that the reg-test is still OK. Thus 2.9-dev9 will contain it. Thanks! Willy

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
On Fri, Nov 03, 2023 at 08:35:08PM +, Stephan, Alexander wrote: > Hi Willy, > > Thanks for the review. No problem for calling me Stephan, I am totally used > to that, my teachers did that for years. Oh I was sure you were used to but anyway I don't like calling people incorrectly. > > Yeah

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
Hi Alexander, (and BTW sorry for having called you Stephan twice in the last thread, each time I have to make a mental effort due to how your first and last names are presented in your e-mail address). On Sat, Oct 28, 2023 at 07:32:20PM +, Stephan, Alexander wrote: > I've just finished the

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
On Fri, Nov 03, 2023 at 05:15:03PM +, Stephan, Alexander wrote: > Hi Willy, > > Sorry, my email client probably did something weird... > I attached them now, should hopefully prevent any reformatting. Thanks for the fast response. I'll check them keeping in mind your last comments in your

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
On Fri, Nov 03, 2023 at 05:14:33PM +0100, Willy Tarreau wrote: > Hi Stephan, > > On Fri, Nov 03, 2023 at 01:54:26PM +, Stephan, Alexander wrote: > > Hi Willy, > > > > Did you receive the other two mails with the updated patches? I couldn't > > fi

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-11-03 Thread Willy Tarreau
Hi Stephan, On Fri, Nov 03, 2023 at 01:54:26PM +, Stephan, Alexander wrote: > Hi Willy, > > Did you receive the other two mails with the updated patches? I couldn't find > it the reply to first page in the archive although I CCed the list. That's > why I wanted to double-check, not to run in

Re: [PATCH] MINOR: sample: Add fetcher for getting all cookie names

2023-11-03 Thread Willy Tarreau
On Fri, Nov 03, 2023 at 08:55:54AM +, Ruei-Bang Chen wrote: > Hi Willy, > > The simplification makes sense! I don't mind you changing it at all. I really > appreciate the feedback from you. Perfect, that's merged now :-) Thank you for doing this work! Willy

Re: [PATCH] MINOR: sample: Add fetcher for getting all cookie names

2023-11-03 Thread Willy Tarreau
Hi Ruei-Bang, On Fri, Nov 03, 2023 at 04:58:36AM +, Ruei-Bang Chen wrote: > Hi Willy and the team, > > I just want to send a friendly reminder that I am still looking for feedback > for this patch. Thanks! > I totally understand that there might be other priorities coming up. When you >

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-10-27 Thread Willy Tarreau
Hi Alexander, On Fri, Oct 27, 2023 at 02:12:10PM +, Stephan, Alexander wrote: > > BTW, please check if this works in default-server directives. > > struct srv_pp_tlv_list { > struct list list; > struct list fmt; > unsigned char type; > }; > > To allow for use with

Re: [PATCH] MINOR: sample: Add fetcher for getting all cookie names

2023-10-26 Thread Willy Tarreau
Hi Ruei-Bang, On Fri, Oct 27, 2023 at 01:44:30AM +, Ruei-Bang Chen wrote: > Hi Willy, > > Thanks for the feedback! > > I have attached the 2 patches (with one being the same old patch and the > other having the diff since that older patch) to address the comments. > > Not sure if this is

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-24 Thread Willy Tarreau
On Tue, Oct 24, 2023 at 11:41:56AM +, Tristan wrote: > > On 23/10/2023 14:38, Tristan wrote: > > Thanks both for your time helping me with it :) > > > > On 23/10/2023 14:34, Aurelien DARRAGON wrote: > > > Just a side note regarding the comment from the 2nd patch: it's not > > > useful to

Re: 2.9-dev8: ha_panic from libcrypto/libssl (Ubuntu 22.04, OpenSSL 3.0.2)

2023-10-24 Thread Willy Tarreau
Hello Valters, On Tue, Oct 24, 2023 at 02:03:03AM +0300, Valters Jansons wrote: > Hello, > > The trace log is uploaded at > https://gist.github.com/sigv/58a5d148579c75d39b2b7c76a3254fa5 > > We are running 2.9-dev8 for the server connection close fix for > "not-so-great" gRPC clients. We just

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-23 Thread Willy Tarreau
On Mon, Oct 23, 2023 at 01:07:37PM +, Tristan wrote: > Hi Willy, > > On 23/10/2023 10:16, Willy Tarreau wrote: > > No more comments, overall this looks good to me. Thus in summary, let's > > try to avoid the ambiguity of "tune.lua.log" alone, and re-adjus

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-10-23 Thread Willy Tarreau
Hi Alexander, On Mon, Oct 23, 2023 at 12:07:39PM +, Stephan, Alexander wrote: > We can ignore the last two commits for now (LOW: connection: Add TLV update > function and MEDIUM: tcp-act: Add new set-tlv TCP action for PPv2 TLVs). > Based on the first two commits, I created a diff that would

Re: [PATCH] MINOR: sample: Add fetcher for getting all cookie names

2023-10-23 Thread Willy Tarreau
Hi Ruei-Bang, On Sat, Oct 21, 2023 at 12:46:18AM +, Ruei-Bang Chen wrote: > Hi team, > > As discussed in > https://www.mail-archive.com/haproxy@formilux.org/msg44161.html, I have > attached a patch for adding a new fetcher for getting all the cookie names > for request / response. > > I did

Re: [PATCH] DOC: internal: filters: fix reference to entities.pdf

2023-10-23 Thread Willy Tarreau
Hi Alex, On Sun, Oct 22, 2023 at 06:42:38PM +0200, Aleksandar Lazic wrote: > Here the patch to fix the filter.txt file. Now applied, thank you! Willy

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-23 Thread Willy Tarreau
Hi Tristan, On Fri, Oct 20, 2023 at 04:19:34PM +, Tristan wrote: > Hi all again, > > Here is the updated patch set after changes based on feedback received. Thanks for doing this work. > The change is now split across 2 patches. > > Patch 0001 adding: > - tune.lua.log { on | off }

[ANNOUNCE] haproxy-2.9-dev8

2023-10-21 Thread Willy Tarreau
l to build-ssl.sh CI: ssl: add git id support for wolfssl download CI: github: add a wolfssl entry to the CI CI: github: update wolfssl to git revision d83f2fa CI: github: add awslc 1.16.0 to the push CI Willy Tarreau (12): CLEANUP: connection: drop an uneeded l

Re: Missing doc entities in doc/internals

2023-10-21 Thread Willy Tarreau
On Fri, Oct 20, 2023 at 11:29:34PM +0200, Aleksandar Lazic wrote: > > On Fri, Oct 20, 2023 at 11:11:59PM +0200, Aleksandar Lazic wrote: > > > I can't find any doc about entities in the current git > > > > > > alex@alex-tuxedoinfinitybooks1517gen7 on 20/10/2023 at 23:06:19 > > >

Re: Missing doc entities in doc/internals

2023-10-20 Thread Willy Tarreau
Hi Alex, On Fri, Oct 20, 2023 at 11:11:59PM +0200, Aleksandar Lazic wrote: > I can't find any doc about entities in the current git > > alex@alex-tuxedoinfinitybooks1517gen7 on 20/10/2023 at 23:06:19 > /datadisk/git-repos/haproxy $ find . -iname "*entities"* >

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-19 Thread Willy Tarreau
Hi Tristan, On Wed, Oct 18, 2023 at 04:25:47PM +, Tristan wrote: > > > > ... > > > One last thing, SEND_ERR() reports to stderr through ha_alert() and > > > hlua_sendlog() does it through fprintf(stderr, ) by appending a static > > > header containing the log level, the date and the pid:

Re: any way to get longer header names in haproxy?

2023-10-18 Thread Willy Tarreau
Hello, On Wed, Oct 18, 2023 at 11:31:30AM -0700, Jerry Scharf (he/him/his) wrote: > We use haproxy for https termination for one of our services. We are trying > to upgrade to late model haproxy, but have run into a problem. In old > haproxy versions, it allowed 1k header names and we told our

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-18 Thread Willy Tarreau
On Wed, Oct 18, 2023 at 04:23:06PM +, Tristan wrote: > Hi Willy, > > > On 18/10/2023 07:47, Willy Tarreau wrote: > > Hi Tristan, > > > > ... > > > > I'm fine with the general approach, but I'm having two comments: > > > >- using th

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-18 Thread Willy Tarreau
Hi Aurélien, On Wed, Oct 18, 2023 at 09:32:19AM +0200, Aurelien DARRAGON wrote: > Hi Guys, > > I also have a suggestion, while at it: > > SEND_ERR() which is used to report unexpected Lua errors (because of > improper API usage, or due to external factors such as IO/memory issues) > currently

Re: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options

2023-10-18 Thread Willy Tarreau
Hi Alexander, I'm starting from the doc as it eases the discussion. On Thu, Oct 05, 2023 at 11:05:50AM +, Stephan, Alexander wrote: > --- a/doc/configuration.txt > +++ b/doc/configuration.txt > @@ -16671,6 +16671,26 @@ proxy-v2-options [,]* > generated unique ID is also used

Re: [PATCH] MINOR: lua: Add a flag to disable logging to stderr

2023-10-18 Thread Willy Tarreau
Hi Tristan, On Tue, Oct 17, 2023 at 06:19:57PM +, Tristan wrote: > By default, messages printed from LUA log functions are sent both to > the configured log target and additionally to stderr (in most cases). > This introduces tune.lua.also-log-to-stderr for disabling that > second copy of the

Re: [PATCH 0/4] Support server-side sending and forwarding of arbitrary PPv2 TLVs

2023-10-17 Thread Willy Tarreau
Hi Alexander, On Tue, Oct 17, 2023 at 05:38:45PM +, Stephan, Alexander wrote: > Hi Willy, > > Do you know whether this can/will make it to the next release? It would be > crucial for us to know. I sincerely want it to, but the last annoyance around H2 etc derailed our activities a bit and

Re: [PATCH] MINOR: support for http-response set-timeout

2023-10-17 Thread Willy Tarreau
On Mon, Oct 16, 2023 at 05:09:13PM +0300, Vladimir Vdovin wrote: > Added set-timeout action for http-response. Adapted reg-tests and > documentation. Now merged, thank you Vladimir! Willy

Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Willy Tarreau
On Mon, Oct 16, 2023 at 08:33:51PM +0200, Aleksandar Lazic wrote: > > On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote: > > On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote: > > > > > > > > > > > > On 2023-10-16 (Mo.) 19:29, ??? wrote: > > > > Does 1.8 support http/2? > > > > > >

Re: [PATCH] MINOR: support for http-response set-timeout

2023-10-16 Thread Willy Tarreau
Hi Vladimir, On Sun, Oct 15, 2023 at 06:00:01AM +0300, Vladimir Vdovin wrote: > Added set-timeout action for http-response. Adapted reg-tests and > documentation. Thanks for this. At first glance it looks good. I'm just seeing one small nit in the doc: > +http-response set-timeout { client |

Re: Request for feedback: Add fetcher for getting all cookie names

2023-10-13 Thread Willy Tarreau
Hi Ruei-Bang, On Fri, Oct 13, 2023 at 08:59:24PM +, Ruei-Bang Chen wrote: > Hi team, > > > This is related to my previous email regarding adding a fetcher for all > headers excluding cookies, but I think it might be helpful to open a separate > thread to discuss this alone as cookie is a

Re: Request for feedback: Add fetcher for all headers excluding cookies

2023-10-13 Thread Willy Tarreau
Hi Ruei-Bang, On Fri, Oct 13, 2023 at 08:54:24PM +, Ruei-Bang Chen wrote: > Hi Willy, > > Thank you for the great suggestion! I agree that it would be more general for > other use cases to have support for only including or excluding certain > headers. > > I can look into the implementation

Re: Request for feedback: Add fetcher for all headers excluding cookies

2023-10-12 Thread Willy Tarreau
Hi Ruei-Bang, On Thu, Oct 12, 2023 at 09:44:22PM +, Ruei-Bang Chen wrote: > Hi team, > > I am writing to gather feedback on an idea before doing the implementation. > > > We have a use-case where we need all headers except for cookies. Currently, > the fetcher "req.hdrs" / "res.hdrs"

Re: mfa issue

2023-10-11 Thread Willy Tarreau
Hi Dario, On Wed, Oct 11, 2023 at 03:52:05PM +, Dario Girella wrote: > Hi, > I try to use MFA authentication on my exchange server behind haproxy. > First Access to OWA works fine, when then I allow access by MFA app owa page > doesn't open. > Need particular configuration? Unfortunately

Re: [ANNOUNCE] haproxy-2.9-dev7

2023-10-11 Thread Willy Tarreau
On Wed, Oct 11, 2023 at 02:20:02PM +, Branitsky, Norman wrote: > The sample SAML authentication code saml.ini was provided by HAProxy > Enterprises support. > They also provided: > /opt/hapee-extras/bin/hapee-saml Ah OK I didn't catch that you were talking about this one, shame on me :-)

Re: [ANNOUNCE] haproxy-2.9-dev7

2023-10-11 Thread Willy Tarreau
On Tue, Oct 10, 2023 at 01:20:13PM +, Tristan wrote: > That said, I do have some use-cases at the moment where I actively make use > of SRV records on the backends internally, for which losing support would be > a little annoying, so I can appreciate the will to keep them. These are among the

Re: [ANNOUNCE] haproxy-2.9-dev7

2023-10-11 Thread Willy Tarreau
On Tue, Oct 10, 2023 at 03:04:26PM +0200, Aleksandar Lazic wrote: > > WASM on the other hand would provide more performance and compile-time > > checks but I fear that it could also bring new classes of issues such as > > higher memory usage, higher latencies, and would make it less convenient > >

Re: [ANNOUNCE] haproxy-2.9-dev7

2023-10-11 Thread Willy Tarreau
Hi Norman, On Tue, Oct 10, 2023 at 11:44:52AM +, Branitsky, Norman wrote: > I use the SPOE for SAML authentication with Okta and Azure AD. OK, thanks a lot for sharing your use case. Just out of curiosity, is this a component that you developed yourself (or in your company) or something

Re: Options for mitigating CVE-2023-44487 with HAProxy

2023-10-10 Thread Willy Tarreau
On Tue, Oct 10, 2023 at 10:03:32PM +, Lukas Tribus wrote: > On Tue, 10 Oct 2023 at 20:22, Willy Tarreau wrote: > > > > So at this point I'm still failing to find any case where this attack > > hurts haproxy more than any of the benchmarks we're routinely inflicting >

Re: Options for mitigating CVE-2023-44487 with HAProxy

2023-10-10 Thread Willy Tarreau
ook harmful enough (otherwise I would have fixed it last week and it could have looked like a leak for those working on theirs). But you can now understand better why I was particularly interested in having a deeper look into it now that we had the details ;-) > > On 10 Oct 2023, at 19:24, Will

Re: Options for mitigating CVE-2023-44487 with HAProxy

2023-10-10 Thread Willy Tarreau
On Tue, Oct 10, 2023 at 03:57:09PM +0200, Willy Tarreau wrote: > On Tue, Oct 10, 2023 at 03:49:21PM +0200, Willy Tarreau wrote: > > > Seems like a clever update to the "good old" h2 multiplexing abuse > > > vectors: > > > 1. client opens a lot of H2 str

Re: Options for mitigating CVE-2023-44487 with HAProxy

2023-10-10 Thread Willy Tarreau
On Tue, Oct 10, 2023 at 03:49:21PM +0200, Willy Tarreau wrote: > > Seems like a clever update to the "good old" h2 multiplexing abuse vectors: > > 1. client opens a lot of H2 streams on a connection > > 2. Spams some requests > > 3. immediately sends h2 RST fra

Re: Options for mitigating CVE-2023-44487 with HAProxy

2023-10-10 Thread Willy Tarreau
Hi Tristan, On Tue, Oct 10, 2023 at 12:56:12PM +, Tristan wrote: > Hi all, > > This just got disclosed: > - > https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/ > - >
