Re: OCSP renewal with 2.8

2023-06-02 Thread Lukas Tribus
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote: > Initially during the design phase we thought about having 3 states: > "off", "on", "auto", with the last one only enabling updates for certs > that already had a .ocsp file. But along discussions with some users > we were told that it was not

Re: OCSP renewal with 2.8

2023-06-02 Thread Willy Tarreau
On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote: > On 02.06.2023 at 04:13, Shawn Heisey wrote: > > @Matthias I have no idea whether crt-list can load all certs in a > > directory like crt can.  If it can't, then you will probably need a > > script for starting/restarting haproxy

Re: Slower responses from me starting now

2023-06-02 Thread Christian Ruppert
On 2023-06-02 18:44, Willy Tarreau wrote: Hi all, with 2.8 released and a nice weather here, I decided to take a few weeks of holidays (I think last time was in september 2016 so I don't remember how it feels). No travel plans in sight and mostly hacking stuff at home, catching up with

Re: Slower responses from me starting now

2023-06-02 Thread Илья Шипицин
nice, nothing will stop us from rewriting HAProxy in rust Fri, 2 Jun 2023 at 20:44, Willy Tarreau : > Hi all, > > with 2.8 released and a nice weather here, I decided to take a few weeks > of holidays (I think last time was in september 2016 so I don't remember > how it feels). No travel plans

Re: OCSP renewal with 2.8

2023-06-02 Thread Matthias Fechner
On 02.06.2023 at 04:13, Shawn Heisey wrote: @Matthias I have no idea whether crt-list can load all certs in a directory like crt can.  If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file.  If you want that script to be

Re: [PATCH] BUG/MINOR: Fix Lua's `get_stats` function

2023-06-02 Thread Willy Tarreau
On Fri, Jun 02, 2023 at 10:11:36AM +0200, Tim Düsterhus wrote: > Hi > > On 6/2/23 08:42, Willy Tarreau wrote: > > Thank you for this. I've added a comment in the file about it, and a > > regtest to detect when this happens, since (null) appears in the header > > line of the "show stat" output in

Re: [PATCH] BUG/MINOR: Fix Lua's `get_stats` function

2023-06-02 Thread Tim Düsterhus
Hi On 6/2/23 08:42, Willy Tarreau wrote: Thank you for this. I've added a comment in the file about it, and a regtest to detect when this happens, since (null) appears in the header line of the "show stat" output in this case. Nice, thank you. I thought about including a test for that, but

Re: [PATCH] BUG/MINOR: Fix Lua's `get_stats` function

2023-06-02 Thread Willy Tarreau
Hi Tim, On Thu, Jun 01, 2023 at 06:58:08PM +0200, Tim Duesterhus wrote: > Lua's `get_stats` function stopped working in > 4cfb0019e65bce79953164eddf54c1bbb61add62, due to the addition a new field > ST_F_PROTO without a corresponding entry in `stat_fields`. Thank you for this. I've added a

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 16:19, Shawn Heisey wrote: I asked ChatGPT for help, and with that info, I was able to work out what to do. - elyograg@smeagol:/etc/haproxy$ cat crt-list.txt /etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on] /etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on] -

Re: @Wolfssl: any plans to add "ECH (Encrypted client hello) support" and question about Roadmap

2023-06-01 Thread William Lallemand
On Thu, Jun 01, 2023 at 02:15:57PM +0200, Aleksandar Lazic wrote: > Hi, > > As we have now a shiny new LTS let's take a look into the future :-) > > As the Wolfssl looks like a good future alternative for OpenSSL is there > any plan to add ECH (Encrypted client hello) ( >

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 15:42, Willy Tarreau wrote: So this means that the doc is still not clear enough and we need to improve this. And indeed, I'm myself confused because William told me a few days ago that "ocsp-update" was for crt-list lines only and it's found in the "bind line options" section. And of

Re: OCSP renewal with 2.8

2023-06-01 Thread Willy Tarreau
On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote: > On 5/31/23 23:25, Matthias Fechner wrote: > > I just saw in the release notes for 2.8 that an automatic OCSP renewal > > is now included and I would like to get rid of my manual scripts that > > are currently injecting the OCSP

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 5/31/23 23:25, Matthias Fechner wrote: I just saw in the release notes for 2.8 that an automatic OCSP renewal is now included and I would like to get rid of my manual scripts that are currently injecting the OCSP information. I checked a little bit the documentation here:

Re: [ANNOUNCE] haproxy-2.8.0

2023-05-31 Thread Willy Tarreau
On Wed, May 31, 2023 at 04:54:57PM +, Tristan wrote: > Congratulations to the team at large for the release! > There's definitely been more improvements and fixes than meets the eye from > the release notes alone! > > On 31/05/2023 16:14, Willy Tarreau wrote: > > > - QUIC: it has been

Re: [ANNOUNCE] haproxy-2.8.0

2023-05-31 Thread Tristan
Congratulations to the team at large for the release! There's definitely been more improvements and fixes than meets the eye from the release notes alone! On 31/05/2023 16:14, Willy Tarreau wrote: - QUIC: it has been running almost flawlessly for a year on haproxy.org, and totally

Re: [ANNOUNCE] haproxy-2.8.0

2023-05-31 Thread Willy Tarreau
On Wed, May 31, 2023 at 06:10:37PM +0200, Tim Düsterhus wrote: > Willy, > > On 5/31/23 17:14, Willy Tarreau wrote: > > HAProxy 2.8.0 was released on 2023/05/31. It added 27 new commits > > after version 2.8-dev13. > > Congratulations! Enjoy the release party :-) Thanks ;-) > Best regards > Tim

Re: [ANNOUNCE] haproxy-2.8.0

2023-05-31 Thread Tim Düsterhus
Willy, On 5/31/23 17:14, Willy Tarreau wrote: HAProxy 2.8.0 was released on 2023/05/31. It added 27 new commits after version 2.8-dev13. Congratulations! Enjoy the release party :-) Best regards Tim Düsterhus PS: Wouldn't be a "Tim email" without some minor nit. Just FYI: I made a small

Re: haproxy -dKcnv output

2023-05-31 Thread Tristan
Is it? In all the programming languages I use, the colon is followed by the return type (which for iif is str). my claim of mainstream-ness, was mainly meaning the ": in => out" order (one example would be most ML languages, Typescript, Java...) as opposed to ": out <= in" which I haven't

Re: haproxy -dKcnv output

2023-05-31 Thread Tim Düsterhus
Tristan, On 5/31/23 12:28, Tristan wrote: If fetches already have the output type after the colon, then the converter should not have the input type after the colon, i.e.     iif(str,str): bool => str is confusing, because it looks like it returns a bool, ... I guess? While this is mainly

Re: haproxy -dKcnv output

2023-05-31 Thread Tristan
If fetches already have the output type after the colon, then the converter should not have the input type after the colon, i.e.     iif(str,str): bool => str is confusing, because it looks like it returns a bool, ... I guess? While this is mainly a feelings thing, I'd say that it is more

Re: haproxy -dKcnv output

2023-05-31 Thread Willy Tarreau
Hi all, On Wed, May 31, 2023 at 10:02:45AM +0200, Tim Düsterhus wrote: > Aurelien, > > On 5/31/23 09:57, Aurelien DARRAGON wrote: > > would not fit properly with existing representation for converters > > within the doc > > > > > iif(str,str): str <= bool > > > > and > > > > > iif(str,str):

Re: haproxy -dKcnv output

2023-05-31 Thread Tim Düsterhus
Aurelien, On 5/31/23 09:57, Aurelien DARRAGON wrote: would not fit properly with existing representation for converters within the doc iif(str,str): str <= bool and iif(str,str): bool => str could be good candidates (fetches are already represented using "name(arg) : out"), although

Re: haproxy -dKcnv output

2023-05-31 Thread Aurelien DARRAGON
> What I would find clear: > > bool => iif(str,str) => str You're right Tim But in the long term it could be great to share a common output format with the doc as well (to find all relevant info from -dKcnv in the doc, and vice versa) While > bool => iif(str,str) => str and > bool |

Re: haproxy -dKcnv output

2023-05-31 Thread Tim Düsterhus
Hi On 5/30/23 22:09, Aurelien DARRAGON wrote: $> haproxy -f test.conf -dKcnv | grep nbsrv iif(string,string): str => bool iif(string,string): bool => str I don't rely on it, but frankly I find both variants confusing, because it does not follow the logical processing order. What I

Re: haproxy -dKcnv output

2023-05-30 Thread Willy Tarreau
On Tue, May 30, 2023 at 10:09:55PM +0200, Aurelien DARRAGON wrote: > Dear haproxy users, > > We recently noticed an inconsistency with haproxy -dKcnv output (which > may be used to dump all available sample converters from the cli). > > Here is how a converter is currently being represented in

Re: haproxy -dKcnv output

2023-05-30 Thread Aurelien DARRAGON
Pardon the few typos in the previous mail > $> haproxy -f test.conf -dKcnv | grep iif > iif(string,string): str => bool Replace iff with iif :) Regards, Aurelien

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 20:38, Willy Tarreau wrote: Have you verified that the CPU is saturated ? The CPU on the machine running the test settles at about 1800 percent for my test program. 12 real cores, hyperthreaded. The CPU on the frontend haproxy process is barely breathing hard. Never saw it get

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Willy Tarreau
On Sat, May 27, 2023 at 02:56:39PM -0600, Shawn Heisey wrote: > On 5/27/23 02:59, Willy Tarreau wrote: > > The little difference makes me think you've sent your requests over > > a keep-alive connection, which is fine, but which doesn't stress the > > TLS stack anymore. > > Yup. It was using

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 01:43, Aleksandar Lazic wrote: HAProxies FE => HAProxies BE => Destination Servers Where the Destination Servers are also HAProxies which just returns a static content or any high performance low latency HTTPS Server. With such a Setup can you test also the Client mode of the

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 19:52, Shawn Heisey wrote: Interesting idea. So sorry. I was writing up the new reply, and my fingers got confused for a moment, accidentally did Ctrl-Enter which tells Thunderbird to send the message. Will send a new complete reply.

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Shawn Heisey
On 5/29/23 01:43, Aleksandar Lazic wrote: HAProxies FE => HAProxies BE => Destination Servers Where the Destination Servers are also HAProxies which just returns a static content or any high performance low latency HTTPS Server. With such a Setup can you test also the Client mode of the

Re: Followup on openssl 3.0 note seen in another thread

2023-05-29 Thread Aleksandar Lazic
Hi Shawn. On 2023-05-28 (So.) 05:30, Shawn Heisey wrote: On 5/27/23 18:03, Shawn Heisey wrote: On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads.  The system running the tests has 12

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 18:03, Shawn Heisey wrote: On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads.  The system running the tests has 12 hyperthreaded cores, so this definitely pushes its

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 14:56, Shawn Heisey wrote: Yup.  It was using keepalive.  I turned keepalive off and repeated the tests. I did the tests again with 200 threads. The system running the tests has 12 hyperthreaded cores, so this definitely pushes its capabilities. The system running haproxy has 24

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Shawn Heisey
On 5/27/23 02:59, Willy Tarreau wrote: The little difference makes me think you've sent your requests over a keep-alive connection, which is fine, but which doesn't stress the TLS stack anymore. Yup. It was using keepalive. I turned keepalive off and repeated the tests. I'm still not

Re: Followup on openssl 3.0 note seen in another thread

2023-05-27 Thread Willy Tarreau
to spend a bunch of time learning how to > do that in another language. For h2 there's h2load that is available but it doesn't allow you to close and re-open connections. > It fires up X threads, each of which make 1000 consecutive requests to the > URL specified. It records th

Re: Followup on openssl 3.0 note seen in another thread

2023-05-26 Thread Shawn Heisey
On 5/25/23 09:08, Willy Tarreau wrote: The problem definitely is concurrency, so 1000 curl will show nothing and will not even match production traffic. You'll need to use a load generator that allows you to tweak the TLS resume support, like we do with h1load's argument "--tls-reuse". Also I

Re: How to log the auth user?

2023-05-26 Thread Stephan Seitz
Hi! On Thu, May 25, 2023 at 22:20:03 +0200, Willy Tarreau wrote: On Thu, May 25, 2023 at 06:18:02PM +0200, Stephan Seitz wrote: HA-Proxy 2.2.9 First, please note that this one misses many fixes, it's affected by 458 known bugs among which one critical and 28 major: As Tim guessed this is

Re: How to log the auth user?

2023-05-26 Thread Tim Düsterhus
Hi On 5/25/23 22:20, Willy Tarreau wrote: HA-Proxy 2.2.9 First, please note that this one misses many fixes, it's affected by 458 known bugs among which one critical and 28 major: https://www.haproxy.org/bugs/bugs-2.2.9.html Based on the version number this likely is the HAProxy

Re: http-request del-header removes Authorization header before authenticated on haproxy

2023-05-26 Thread pham lan
Hi, Thanks for your reply. Yes, "del-header" is put on the backend section. I did a small change to swap the order of these two lines and it works now. http-request auth... http-request del-header authorization Best regards, On Thu, May 25, 2023 at 3:56 PM Lukas Tribus wrote: > Did you try

Re: How to log the auth user?

2023-05-25 Thread Willy Tarreau
Hi, On Thu, May 25, 2023 at 06:18:02PM +0200, Stephan Seitz wrote: > Hi! > > HA-Proxy 2.2.9 First, please note that this one misses many fixes, it's affected by 458 known bugs among which one critical and 28 major: https://www.haproxy.org/bugs/bugs-2.2.9.html > I have an HA-Proxy frontend

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Илья Шипицин
Thu, 25 May 2023 at 17:11, Willy Tarreau : > On Thu, May 25, 2023 at 07:33:11AM -0600, Shawn Heisey wrote: > > On 3/11/23 22:52, Willy Tarreau wrote: > > > According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", > > > so it could still remain 5-40 times worse than 1.1.1. I intend

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Willy Tarreau
On Thu, May 25, 2023 at 07:33:11AM -0600, Shawn Heisey wrote: > On 3/11/23 22:52, Willy Tarreau wrote: > > According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", > > so it could still remain 5-40 times worse than 1.1.1. I intend to run > > some tests soon on it on a large machine,

Re: http-request del-header removes Authorization header before authenticated on haproxy

2023-05-25 Thread Lukas Tribus
Did you try putting the "del-header" configuration in the backend section? On Thu, 25 May 2023 at 15:25, pham lan wrote: > > Hello, > > We use haproxy for basic authentication. And afterward, remove the > Authorization header from the backend section before forwarding the request > to

Re: Followup on openssl 3.0 note seen in another thread

2023-05-25 Thread Shawn Heisey
On 3/11/23 22:52, Willy Tarreau wrote: According to the OpenSSL devs, 3.1 should be "4 times better than 3.0", so it could still remain 5-40 times worse than 1.1.1. I intend to run some tests soon on it on a large machine, but preparing tests takes a lot of time and my progress got delayed by

Re: [PATCH 1/1] BUILD: SSL: enable TLS key material logging if built with LibreSSL>=3.5.0

2023-05-24 Thread Илья Шипицин
please ignore this patch. LibreSSL implementation of key logging is intended only to shut build warnings. functions themselves do nothing. Tue, 23 May 2023 at 22:57, Ilya Shipitsin : > LibreSSL implements TLS key material since 3.5.0, let's enable it > --- > include/haproxy/openssl-compat.h |

Re: [PATCH] re-enable EVP_chacha20_poly1305() for LibreSSL

2023-05-23 Thread Willy Tarreau
On Tue, May 23, 2023 at 04:57:05PM +0200, Willy Tarreau wrote: > Hi Ilya, > > On Sun, May 21, 2023 at 12:57:21PM +0200, ??? wrote: > > Hello, > > > > that exclude was only needed for pre-3.6.0 LibreSSL, while support was > > added in > > 3.6.0, so every released LibreSSL supports that,

Re: [PATCH] re-enable EVP_chacha20_poly1305() for LibreSSL

2023-05-23 Thread Илья Шипицин
also, there'll be a patch for unlocking haproxy/openssl-compat.h at master · haproxy/haproxy · GitHub for LibreSSL soon (it was too boring to run QUIC Interop without keylog) Tue, 23 May 2023 at 17:06, Илья

Re: [PATCH] DOC/MINOR: config: Fix typo in description for `ssl_bc` in configuration.txt

2023-05-23 Thread Willy Tarreau
On Mon, May 22, 2023 at 01:11:13PM -0500, Mariam John wrote: > From: Mariam John > > Fix a minor typo in the description of the `ssl_bc` sample fetch method > described under > Section `7.3.4. Fetching samples at Layer 5` in configuration.txt. Changed > `other` to `to`. Good catch, now

Re: [PATCH] re-enable EVP_chacha20_poly1305() for LibreSSL

2023-05-23 Thread Илья Шипицин
oops. btw, not enabling chacha20_poly1305 leads to LibreSSL api usage inconsistency QUIC regression on LibreSSL-3.7.2 (HAProxy) · Issue #860 · libressl/portable (github.com) it is claimed that OpenSSL does not check for null deref as well, so

Re: [PATCH] re-enable EVP_chacha20_poly1305() for LibreSSL

2023-05-23 Thread Willy Tarreau
Hi Ilya, On Sun, May 21, 2023 at 12:57:21PM +0200, ??? wrote: > Hello, > > that exclude was only needed for pre-3.6.0 LibreSSL, while support was > added in > 3.6.0, so every released LibreSSL supports that, no need to keep "ifdef" While I'm probably not the one who will be the best to

Re: Drain L4 host that fronts a L7 cluster

2023-05-23 Thread Willy Tarreau
e soft-stop phase and does this without having to fiddle with a front L4 LB. The case where users would like to close H2 connections actually is more when they want some connections to re-establish on another node without reloading the first one. Typically when moving a small portion of the traffic on a

Re: maint, drain: the right approach

2023-05-23 Thread Willy Tarreau
On Tue, May 23, 2023 at 11:21:28AM +0200, Thomas Pedoussaut wrote: > > On 23/05/2023 11:14, Matteo Piva wrote: > > Seems that it's considered an expected behavior to consider > > optimistically the server as UP > > when leaving MAINT mode, even if the L4 health checks are not completed yet. To

Re: maint, drain: the right approach

2023-05-23 Thread Thomas Pedoussaut
On 23/05/2023 11:14, Matteo Piva wrote: Seems that it's considered an expected behavior to consider optimistically the server as UP when leaving MAINT mode, even if the L4 health checks are not completed yet. I consider that a quite annoying feature, but maybe I'm approaching at this in a

Re: maint, drain: the right approach

2023-05-23 Thread Matteo Piva
> Hi Matteo, Hi Aurelien, thanks for your reply on my issue > > Once the activity on the underlying service has been completed and they > > are starting up, I switch back from MAINT to READY (without waiting the > > service to be really up). > > The haproxy backend got immediately back in

Re: maint, drain: the right approach

2023-05-23 Thread Aurelien DARRAGON
Hi Matteo, > Once the activity on the underlying service has been completed and they > are starting up, I switch back from MAINT to READY (without waiting the > service to be really up). > The haproxy backend got immediately back in the roundrobin pool, even if > the L4 and L7 checks are still

Re: maint, drain: the right approach

2023-05-23 Thread Matteo Piva
Hi all, still trying to figure out the right way to do this. Any suggestions to share with me? Thanks, Matteo - Original message - From: "Matteo Piva" To: "HAProxy" Sent: Thursday, 11 May 2023 11:04:11 Subject: maint, drain: the right approach Hi, I'm trying to

Re: Drain L4 host that fronts a L7 cluster

2023-05-22 Thread Abhijeet Rastogi
Hi Willy, Thank you for the response. It's great to know that this might be considered as a feature request in future versions, pending prioritization though. Could you comment on why this isn't already a feature yet? It is hard to believe that we're the first to come across this draining

[PATCH] re-enable EVP_chacha20_poly1305() for LibreSSL

2023-05-21 Thread Илья Шипицин
Hello, that exclude was only needed for pre-3.6.0 LibreSSL, while support was added in 3.6.0, so every released LibreSSL supports that, no need to keep "ifdef" Cheers, Ilya

Re: Latest 2.8-dev not doing TLS 1.2

2023-05-20 Thread Shawn Heisey
On 5/19/23 14:21, Zakharychev, Bob wrote: ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2 I'd suggest you try with ssl-default-bind-options as in my config, and maybe ssl-default-bind-ciphers as well as these are for TLS I have been unknowingly hampered in my tests by the fact

RE: Latest 2.8-dev not doing TLS 1.2

2023-05-19 Thread Zakharychev, Bob
Shawn, >From: Shawn Heisey >Sent: Friday, May 19, 2023 3:33 PM > >I have a config that I have had in place for a while now. It did TLS >1.2 and 1.3, and got an A+ rating at SSL Labs. > >Today I was running the SSL test again and it only got an A rating >instead of A+. Looking deeper at the

Re: net::ERR_INCOMPLETE_CHUNKED_ENCODING / malformed HTTP packet.

2023-05-17 Thread Willy Tarreau
Hi Mike, On Wed, May 17, 2023 at 01:58:00PM -0700, Mike Benoit wrote: > Upon further investigation, the following has been discovered, but still no > real resolution: > > The backend server doesn't matter, we moved a large .JS file to another > server and the exact same issue occurred. Since the

Re: net::ERR_INCOMPLETE_CHUNKED_ENCODING / malformed HTTP packet.

2023-05-17 Thread Mike Benoit
Upon further investigation, the following has been discovered, but still no real resolution: The backend server doesn't matter, we moved a large .JS file to another server and the exact same issue occurred. Since the issue didn't occur when HAProxy was in TCP mode, we figured this would be the

Re: RFC new doc section for size format

2023-05-17 Thread Christopher Faulet
On 5/17/23 at 17:16, Daniel Epperson wrote: I have attached the patch. Thanks Daniel ! Too late for the dev12 but now merged :) -- Christopher Faulet

Re: RFC new doc section for size format

2023-05-17 Thread Willy Tarreau
On Wed, May 17, 2023 at 09:49:01AM +0200, Christopher Faulet wrote: > On 5/15/23 at 21:48, Daniel Epperson wrote: > > Hello, > > > > I filed #2153 to add a section to the manual, now I'm looking for > > comments to implement the fix via a patch. This is what I have so far. > > If it is

Re: RFC new doc section for size format

2023-05-17 Thread Daniel Epperson
I have attached the patch. On 5/17/2023 6:02 AM, Christopher Faulet wrote: On 5/15/23 at 21:48, Daniel Epperson wrote: Hello, I filed #2153 to add a section to the manual, now I'm looking for comments to implement the fix via a patch. This is what I have so far. If it is acceptable, please

Re: RFC new doc section for size format

2023-05-17 Thread Christopher Faulet
On 5/15/23 at 21:48, Daniel Epperson wrote: Hello, I filed #2153 to add a section to the manual, now I'm looking for comments to implement the fix via a patch. This is what I have so far. If it is acceptable, please merge, or let me know what to correct. Author: Daniel Epperson Date:   Mon

Re: [PATCH] CI: drop dedicated Fedora m32 pipeline

2023-05-17 Thread Christopher Faulet
On 5/14/23 at 21:46, Илья Шипицин wrote: Hello, no need to keep it, cross build matrix covers this. Ilya Merged, thanks ! -- Christopher Faulet

Re: RFC new doc section for size format

2023-05-17 Thread Christopher Faulet
On 5/15/23 at 21:48, Daniel Epperson wrote: Hello, I filed #2153 to add a section to the manual, now I'm looking for comments to implement the fix via a patch. This is what I have so far. If it is acceptable, please merge, or let me know what to correct. Author: Daniel Epperson Date:   Mon

Re: HAProxy 2.7.7: Unexpected messages during shutdown after upgrade

2023-05-15 Thread Aurelien DARRAGON
Hi Dominik, > The spikes seem to be fixed now Thanks for the update! However, we are now observing log messages during shutdown that weren’t there before: > > > > May 12, 2023 @ 11:56:24.000 Proxy health_check_http_tcp-scheduler > stopped (cumulated conns: FE: 0, BE: 0). > > May 12,

Re: [2.4.22] Segmentation fault when using spoe + disabled keyword

2023-05-15 Thread Maciej Zdeb
Awesome, thanks! Thu, 11 May 2023 at 09:38, Christopher Faulet wrote: > On 5/9/23 at 14:29, Maciej Zdeb wrote: > > Hi Christopher, > > no problem. :) Yes I'm using the same spoe backend for multiple > frontends. This > > is my spoe configuration: > > > > [abc] > > > > spoe-agent abc-agent

Re: unsubscribe

2023-05-14 Thread Aleksandar Lazic
Hi. On 14.05.23 22:07, Roman Gelfand wrote: Here is the unsubscribe address. https://www.haproxy.org/#tact Regards Alex

Re: [PATCH] CI: re-enable Fedora Rawhide clang builds

2023-05-13 Thread Willy Tarreau
On Fri, May 12, 2023 at 07:42:09PM +0200, ??? wrote: > Hello, > > this enables monthly clang builds (previously only gcc was run). Thank you Ilya, now applied. Willy

[PATCH] CI: re-enable Fedora Rawhide clang builds

2023-05-12 Thread Илья Шипицин
Hello, this enables monthly clang builds (previously only gcc was run). Ilya From 9eaae2062b2800e166263855c096dfd44cc03a39 Mon Sep 17 00:00:00 2001 From: Ilya Shipitsin Date: Fri, 12 May 2023 19:26:49 +0200 Subject: [PATCH] CI: enable monthly Fedora Rawhide clang builds that was temporarily

Re: net::ERR_INCOMPLETE_CHUNKED_ENCODING / malformed HTTP packet.

2023-05-11 Thread Willy Tarreau
On Fri, May 12, 2023 at 05:17:40AM +0200, Willy Tarreau wrote: > But as a first step, looking at the logs > to see if haproxy considered it closed normally, aborted on client or > on server will be of significant help. Also just in case, are you aware of a previous version that did not exhibit

Re: net::ERR_INCOMPLETE_CHUNKED_ENCODING / malformed HTTP packet.

2023-05-11 Thread Willy Tarreau
On Thu, May 11, 2023 at 12:34:18PM -0700, Mike Benoit wrote: > A specific web application that uses large 99.5KB .CSS files is causing a > net::ERR_INCOMPLETE_CHUNKED_ENCODING when being accessed from a computer on > a high latency network (across the Atlantic ocean). We are not able to >

Re: equivalent of url32+src for hdr_ip(x-forwarded-for)?

2023-05-11 Thread Nathan Rixham
On Fri, 12 May 2023, 00:00 Aleksandar Lazic, wrote: > How about to try to use `hdr_ip(x-forwarded-for),base32` or something > similar? > > You can take a look into the reg-tests for some more inspiration :-) > >

Re: equivalent of url32+src for hdr_ip(x-forwarded-for)?

2023-05-11 Thread Aleksandar Lazic
Hi. On 12.05.23 00:36, Nathan Rixham wrote: NP, let's stick to a generic example then, redacted down to the bare minimum backend st-min     # log request rate over 1 minute     stick-table type ipv6 size 1g expire 2m store http_req_rate(1m) backend st-min-url     # log request rate per

Re: equivalent of url32+src for hdr_ip(x-forwarded-for)?

2023-05-11 Thread Nathan Rixham
NP, let's stick to a generic example then, redacted down to the bare minimum backend st-min # log request rate over 1 minute stick-table type ipv6 size 1g expire 2m store http_req_rate(1m) backend st-min-url # log request rate per distinct url+ip(v4/6) stick-table type binary len

Re: equivalent of url32+src for hdr_ip(x-forwarded-for)?

2023-05-11 Thread Aleksandar Lazic
Dear Nathan. On 11.05.23 23:59, Nathan Rixham wrote: Hi All, I've run into an issue I can't figure out, essentially need to use url32+src in stick tables, but where src is the x-forwarded-for address rather than the connecting source - any advice would be appreciated. As this is a quite

Re: [2.4.22] Segmentation fault when using spoe + disabled keyword

2023-05-11 Thread Christopher Faulet
On 5/9/23 at 14:29, Maciej Zdeb wrote: Hi Christopher, no problem. :) Yes I'm using the same spoe backend for multiple frontends. This is my spoe configuration: [abc] spoe-agent abc-agent   messages check-abc   register-var-names x_abc_request_headers x_headers x_abc_response body

Re: [PATCH] cleanup: remove redundant check

2023-05-10 Thread Willy Tarreau
On Wed, May 10, 2023 at 04:30:58PM +0200, ??? wrote: > Hello, > > small clean patch. > mutes coverity finding. Thanks Ilya, now merged in dev11. Willy

Re: process of release to debian, backports ?

2023-05-10 Thread Vincent Bernat
For Debian stable, usually only a critical vulnerability. In theory, this could also be major bugs, but maintaining an hybrid patched version is something we prefer not to do, to not have people running in the wild an additional unsupported (by upstream) branch. For Debian backports, they

Re: [2.4.22] Segmentation fault when using spoe + disabled keyword

2023-05-09 Thread Maciej Zdeb
Hi Christopher, no problem. :) Yes I'm using the same spoe backend for multiple frontends. This is my spoe configuration: [abc] spoe-agent abc-agent messages check-abc register-var-names x_abc_request_headers x_headers x_abc_response body option var-prefix abc option set-on-error error

Re: HAProxy CE Docker Debian and Ubuntu images with QUIC

2023-05-09 Thread Dinko Korunic
Dear community, We have been asked quite a few times to also provide haproxytech Docker images in GHCR (GitHub Container Registry), due to the sad fact that Docker Hub has been throttling image downloads (https://www.docker.com/increase-rate-limits/) for a while now. I am happy to announce we

Re: [2.4.22] Segmentation fault when using spoe + disabled keyword

2023-05-09 Thread Christopher Faulet
On 5/2/23 at 13:58, Maciej Zdeb wrote: Hi, I'm experiencing a segmentation fault caused by adding "disabled" (http://docs.haproxy.org/2.4/configuration.html#4-disabled ) to the frontend section of haproxy configuration file. That

Re: [PATCH] CI: more granular failure on build matrix generating

2023-05-08 Thread Илья Шипицин
np. It addresses quite rare conditions, when either github api or openbsd website are down. yet we've seen that once in 2 years. Mon, 8 May 2023 at 14:07, Willy Tarreau : > On Mon, May 08, 2023 at 01:59:15PM +0200, ??? wrote: > > seems, it was accidentally lost ... > > Indeed, I don't

Re: [PATCH] CI: more granular failure on build matrix generating

2023-05-08 Thread Willy Tarreau
On Mon, May 08, 2023 at 01:59:15PM +0200, ??? wrote: > seems, it was accidentally lost ... Indeed, I don't know why I missed it. Thanks for resending Ilya, now applied! Willy

Re: [PATCH] CI: more granular failure on build matrix generating

2023-05-08 Thread Илья Шипицин
seems, it was accidentally lost ... Wed, 26 Apr 2023 at 20:45, Илья Шипицин : > Hello, > > recent openbsd ftp unavailability has shown that we should more carefully > generate build matrix > > Ilya >

Re: Drain L4 host that fronts a L7 cluster

2023-05-07 Thread Willy Tarreau
On Fri, May 05, 2023 at 04:18:25PM -0700, Abhijeet Rastogi wrote: > Thanks for the response Tristan. > > For the future reader of this thread, a feature request was created > for this. https://github.com/haproxy/haproxy/issues/2146 I've looked again at the code and am seeing that in modern

Re: [ANNOUNCE] haproxy-2.8-dev10

2023-05-07 Thread Willy Tarreau
On Sun, May 07, 2023 at 12:03:09PM +0200, Willy Tarreau wrote: (...) > I consider that this version is free of known issues. If you have not yet > started to test it, please give it a try. I would hate to get reports of > "this stopped working between 2.7 and 2.8" after the release. At the very >

Re: Drain L4 host that fronts a L7 cluster

2023-05-05 Thread Aleksandar Lazic
Isn't it a similar request to https://github.com/haproxy/haproxy/issues/969 as I mentioned in the issue https://github.com/haproxy/haproxy/issues/2149 On 06.05.23 01:18, Abhijeet Rastogi wrote: Thanks for the response Tristan. For the future reader of this thread, a feature request was

Re: Drain L4 host that fronts a L7 cluster

2023-05-05 Thread Abhijeet Rastogi
Thanks for the response Tristan. For the future reader of this thread, a feature request was created for this. https://github.com/haproxy/haproxy/issues/2146 On Fri, May 5, 2023 at 4:09 PM Tristan wrote: > > > however, our reason to migrate to HAproxy is adding gRPC > > compliance to the

Re: Drain L4 host that fronts a L7 cluster

2023-05-05 Thread Tristan
however, our reason to migrate to HAproxy is adding gRPC compliance to the stack, so H2 support is a must. Thanks for the workarounds, indeed interesting, I'll check them out. From a cursory look at the gRPC spec it seems like you would indeed really need the GOAWAY to get anywhere trigger

Re: Drain L4 host that fronts a L7 cluster

2023-05-05 Thread Abhijeet Rastogi
Hi Tristan, Thanks for the *excellent* reply. Indeed, the map based solution can work for H1, however, our reason to migrate to HAproxy is adding gRPC compliance to the stack, so H2 support is a must. Thanks for the workarounds, indeed interesting, I'll check them out. >trigger the GOAWAY H2

Re: Drain L4 host that fronts a L7 cluster

2023-05-05 Thread Tristan
Hi Abhijeet, Problem statement is, how do you drain a node [...] L7 constructs like "Connection: close" or "GOAWAY h2 frames" [...] > * For any map (L4 client IP lookup) based solution, I was unable to find any http-request operation that sets "drain mode". Indeed the managed drain mode is

Re: Active session count drop after HAProxy upgrade from 2.0 to 2.4

2023-05-04 Thread Olivier D
Hi Willy, That's a bug and it shouldn't be like this. > You can find information about this here : https://www.mail-archive.com/haproxy@formilux.org/msg43291.html But don't waste too much time on this. > > For those interested, the (small) necessary config changes were : > > - option httpchk

Re: Active session count drop after HAProxy upgrade from 2.0 to 2.4

2023-05-04 Thread Willy Tarreau
Hi Olivier, On Thu, May 04, 2023 at 03:09:43PM +0200, Olivier D wrote: > Hello, > > I've finally updated our load balancer, using HAProxy 2.0, to HAProxy 2.4 > \o/ Great! > I was motivated by both the EOL on 2.0, and by a recurring segfault > everytime we reloaded. btw, that segfault is now

Re: [ANNOUNCE] haproxy-2.5.14 (EOL)

2023-05-03 Thread Willy Tarreau
Hi Tim, On Wed, May 03, 2023 at 10:20:12AM +0200, Tim Düsterhus wrote: > Willy, > > On 5/2/23 16:18, Willy Tarreau wrote: > > HAProxy 2.5.14 was released on 2023/05/02. It added 56 new commits > > after version 2.5.13, and is the last version of this branch. > > > > It essentially contains

Re: [ANNOUNCE] haproxy-2.5.14 (EOL)

2023-05-03 Thread Tim Düsterhus
Willy, On 5/2/23 16:18, Willy Tarreau wrote: HAProxy 2.5.14 was released on 2023/05/02. It added 56 new commits after version 2.5.13, and is the last version of this branch. It essentially contains pending fixes to flush the queue, but nobody should deploy a final version unless they're very
