Client Authentication using HAProxy
Hi,

I need your help in resolving the below query. In our project, we are using HAProxy for load balancing the logs from multiple clients. These logs would come from various endpoints, over HTTP. We have a requirement to authenticate each of these clients before processing them. We are planning for client certificate based authentication.

Question: If we have multiple client certificates (around 500 client certificates, one for each client), what would be the processing overhead to validate the client? But we are not sure at this point whether to go with a common CA for all customers or one CA per customer. So, our questions are:

1. Is a client certificate the best way?
2. If so, can we have multiple Certification Authorities (say per end-point) configured at HAProxy level?
3. What would be the impact on performance and how would the verification happen?

Kindly suggest.

Regards,
Kumar.
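An added configuration example, not taken from the post or from the HAProxy project, showing one way to answer questions 2 and 3: a single bind line with a ca-file that is the concatenation of every customer CA, `verify required` so any certificate that does not chain to one of those CAs is rejected during the TLS handshake, and ACLs on the issuer DN that map each customer CA to its own backend. The file paths, CA names, backend names and addresses are placeholders.

```haproxy
# Added example (not from the original post). Assumptions:
#   /etc/haproxy/certs/server.pem      server certificate + key (PEM)
#   /etc/haproxy/certs/client-cas.pem  concatenation of all customer CA certs
#   "Customer A Issuing CA" etc.       issuer CNs of the per-customer CAs
frontend log_ingest
    mode http
    bind *:8443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-cas.pem verify required
    option httplog
    # Record who connected: subject CN, issuer CN, serial, verify result (0 = OK).
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ cn=%[ssl_c_s_dn(CN)]\ issuer=%[ssl_c_i_dn(CN)]\ serial=%[ssl_c_serial,hex]\ verify=%[ssl_c_verify]\ %r

    # One CA per customer makes the mapping a test on the issuer DN.
    # With a shared CA you would key on a subject field instead, e.g. ssl_c_s_dn(O).
    acl issuer_cust_a ssl_c_i_dn(CN) -m str Customer\ A\ Issuing\ CA
    acl issuer_cust_b ssl_c_i_dn(CN) -m str Customer\ B\ Issuing\ CA

    # Never trust identity headers supplied by the client: overwrite them
    # from the verified certificate before the backend sees the request.
    http-request set-header X-Client-CN     %[ssl_c_s_dn(CN)]
    http-request set-header X-Client-Issuer %[ssl_c_i_dn(CN)]
    http-request set-header X-Client-Serial %[ssl_c_serial,hex]

    use_backend logs_cust_a if issuer_cust_a
    use_backend logs_cust_b if issuer_cust_b
    # Chained to a CA in client-cas.pem but to no issuer we route: refuse it.
    default_backend logs_unknown_issuer

backend logs_cust_a
    server a1 10.0.1.10:8080 check

backend logs_cust_b
    server b1 10.0.2.10:8080 check

backend logs_unknown_issuer
    http-request deny
```

On the performance question: the verification itself is one chain validation per full TLS handshake, not per request, and resumed sessions (see `tune.ssl.cachesize` and `tune.ssl.lifetime`) skip it entirely. The part that does scale with the number of CAs is the handshake message: HAProxy advertises the names of all CAs in ca-file in the TLS CertificateRequest, so a bundle of hundreds of customer CAs enlarges every full handshake, which is worth measuring before choosing one CA per customer.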
Haproxy 1.6 Ldap frontend/backend Segfault
Hi

I am testing out the new 1.6 Haproxy and everything works great except when I try to use it for balancing LDAP traffic in mode tcp. It seems to segfault after doing an initial connection. Below is the information, please let me know if I can get you any other information. Thanks!

Some System Info
[root@lb1 conf]# uname -a
Linux lb1 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Build Info
make TARGET=linux2628 CPU=x86_64 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_LINUX_SPLICE=1

#Initial Connection try success
[root@lb1 conf]# telnet 11.111.12.11 389
Trying 11.111.12.11...
Connected to 11.111.12.11.
Escape character is '^]'.

#Next connection try fail
[root@lb1 conf]# telnet 11.111.12.11 389
Trying 11.111.12.11...
telnet: connect to address 11.111.12.11: Connection refused

#Segfault
[root@lb1 conf]# grep -i segfault /var/log/messages
Nov 5 21:56:14 lb1 kernel: haproxy[2957]: segfault at b8 ip 00415c16 sp 7fff12a33920 error 4 in haproxy[40+127000]

Some of my haproxy config (also has some web frontend/backends):

global
    log 127.0.0.1 local2 ##Log to the local rsyslog daemon
    user haproxy
    group haproxy
    chroot /opt/haproxy/secure/chroot
    pidfile /var/run/haproxy.pid
    stats socket /tmp/haproxy.socket user nobody group nobody mode 600 level admin
    node lb1
    description HAPROXY1
    daemon
    maxconn 10
    spread-checks 3
    ca-base /etc/ssl/certs/comb
    crt-base /etc/ssl/certs/comb
#   debug
#   nbproc 4 #Number of processes EXPERIMENTAL

defaults
    log global
    mode http
    option forwardfor
    compression algo gzip
    compression type text/html text/plain text/css text/xml text/javascript
    retries 5
    timeout http-request 181s ##Higher than I want right now but application may require it - testing
    timeout http-keep-alive 5s
    timeout queue 32s
    timeout connect 12s
    timeout server 181s ##Higher than I want right now but application may require it - testing
    timeout client 32s
    option http-server-close
    option accept-invalid-http-request
    option splice-auto
    option tcp-smart-connect
    option tcp-smart-accept
    log-format %ci:%cp|[%t]|%ft|%b/%s|%Tq/%Tw/%Tc/%Tr/%Tt|%ST|%B|%CC|%CS|%tsc|%ac/%fc/%bc/%sc/%rc|%sq/%bq|%hr|%hs|%{+Q}r|%fi
    errorfile 408 /dev/null

frontend ldap_service_front
    mode tcp
    bind 11.111.12.11:389
    description LDAP Service
    option socket-stats
    option tcpka
    timeout client 5s
    default_backend LDAP

backend LDAP
    mode tcp
    option ldap-check
    balance source
    server LDAP1 11.111.10.11:389 check inter 10s downinter 9s slowstart 20s
    server LDAP2 11.111.11.11:389 check inter 10s downinter 9s slowstart 20s

Marc
MINOR: Makefile deviceatlas
Hello,

here a tiny change, the USE_PCRE can easily get forgotten and the user might not necessarily understand the further linkage problem.

Not urgent though, just faced one time the problem, would be nice to find it for 1.6.3 otherwise it is ok.

Please cc ttr...@deviceatlas.com for any response.

Thanks in advance.
Kindest regards.
RE: Haproxy 1.6 Ldap frontend/backend Segfault
> Hi
>
> I am testing out the new 1.6 Haproxy and everything works great except
> when I try to use it for balancing LDAP traffic in mode tcp. It seems
> to segfault after doing an initial connection. Below is the
> information, please let me know if I can get you any other information.
> Thanks!

Please use latest stable 1.6.2 release. A number of major bugs have been fixed.

If that's what you are using already and it still crashes, please provide "haproxy -vv" output and if possible a gdb backtrace of the crash.

Thanks,
Lukas
Re: MINOR: Makefile deviceatlas
On Fri, Nov 6, 2015 at 4:18 PM, David Carlier wrote:
> Hello,
>
> here a tiny change, the USE_PCRE can easily get forgotten and the user
> might not necessarily understand the further linkage problem.
>
> Not urgent though, just faced one time the problem, would be nice to find it
> for 1.6.3 otherwise it is ok.
>
> Please cc ttr...@deviceatlas.com for any response.
>
> Thanks in advance.
> Kindest regards.

David,

You forgot the attachment :)

Baptiste
Re: MINOR: Makefile deviceatlas
Ah true :-) On 6 November 2015 at 15:50, Baptiste wrote: > On Fri, Nov 6, 2015 at 4:18 PM, David Carlier > wrote: > > Hello, > > > > here a tiny change, the USE_PCRE can be easily get forgotten and the user > > might not necessarly understand the further linkage problem. > > > > Not urgent though, just faced one time the problem, would be nice to > find it > > for 1.6.3 otherwise it is ok. > > > > Please cc ttr...@deviceatlas.com for any response. > > > > Thanks in advance. > > Kindest regards. > > > David, > > You forgot the attachment :) > > Baptiste > From 19200253f8342ab042ce754a6437186440277037 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Fri, 6 Nov 2015 15:13:06 + Subject: [PATCH] MINOR: Makefile deviceatlas throwing an error if the necessary pcre flag is not passed avoiding surprising bunch of 'undefined reference' for the user. Plus a tiny typo in OPENSSL area. --- Makefile | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3af735e..d42d5fb 100644 --- a/Makefile +++ b/Makefile @@ -569,7 +569,7 @@ OPTIONS_OBJS += src/dlmalloc.o endif ifneq ($(USE_OPENSSL),) -# OpenSSL is packaged in various forms and with various dependences. +# OpenSSL is packaged in various forms and with various dependencies. # In general -lssl is enough, but on some platforms, -lcrypto may be needed, # reason why it's added by default. Some even need -lz, then you'll need to # pass it in the "ADDLIB" variable if needed. If your SSL libraries are not @@ -614,6 +614,9 @@ OPTIONS_OBJS+= src/hlua.o endif ifneq ($(USE_DEVICEATLAS),) +ifeq ($(USE_PCRE),) +$(error the DeviceAtlas module needs the PCRE library in order to compile) +endif # Use DEVICEATLAS_SRC and possibly DEVICEATLAS_INC and DEVICEATLAS_LIB to force path # to DeviceAtlas headers and libraries if needed. DEVICEATLAS_SRC = -- 2.6.2
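Review bot: the first hunk (the `-# OpenSSL is packaged in various forms and with various dependences.` / `+# ... dependencies.` comment fix) is unrelated to the DeviceAtlas guard and is only mentioned as "a tiny typo" in the subject; splitting it into its own commit would let the DeviceAtlas change be backported to 1.6.3, as the cover mail asks, without carrying an unrelated comment edit.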
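Review bot: in the second hunk the new `$(error the DeviceAtlas module needs the PCRE library in order to compile)` names the library but not the build variable the user has to pass, which is exactly what the cover mail says gets forgotten; stating it in the message, e.g. `$(error the DeviceAtlas module needs PCRE: build with USE_PCRE=1)`, turns the error into the fix. The guard also tests only `$(USE_PCRE)`, so if the Makefile accepts any other variable that enables PCRE (none is visible in this hunk), that variable should be included in the `ifeq` condition too, otherwise a valid PCRE build would be refused.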
Re: Haproxy 1.6 Ldap frontend/backend Segfault
Thank you! Upgrading to 1.6.2 seems to have fixed the issue.

Regards,
Marc

Lukas Tribus , 11/6/2015 10:25 AM:
> Hi
>
> I am testing out the new 1.6 Haproxy and everything works great except
> when I try to use it for balancing LDAP traffic in mode tcp. It seems
> to segfault after doing an initial connection. Below is the
> information, please let me know if I can get you any other information.
> Thanks!

Please use latest stable 1.6.2 release. A number of major bugs have been fixed.

If that's what you are using already and it still crashes, please provide "haproxy -vv" output and if possible a gdb backtrace of the crash.

Thanks,
Lukas
tcp-check with persistent session cookie ?
Hi,

We encountered a big problem this afternoon, which crashed for a while one of our websites, a java (tomcat+lift) application. We are using Haproxy 1.5.

For our backend, we're doing something like this, using tcp-check because we need to check status AND a string, which is not possible with http-check :

backend backend-mywebsite
    balance roundrobin
    option redispatch
    option tcp-check
    tcp-check send GET\ /check\ HTTP/1.1\r\nHost:\ www.mywebsite.fr\r\nConnection:\ close\r\n
    tcp-check send \r\n
    tcp-check expect string HTTP/1.1\ 200\ OK
    tcp-check expect rstring "healthStatus":"(Healthy|DegradedMode)"
    cookie JSESSIONID prefix nocache

    server s1 s1:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s1
    server s2 s2:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s2
    server s3 s3:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s3
    server s4 s4:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s4

For some reasons, the /check page didn't return the correct application status and our / returned a 500 even if /check was OK, so we decided to check /.

After 20 minutes, our application crashed. In fact, our 4 fronts crashed at the same time, and if we restarted them, 20 minutes after, they crashed again. We lost some time because we were really thinking of a software bug before we realized the root cause.

* Each tcp-check send opens a session on the application
* Each session, on the / page, consumes 500 KB
* session duration : 30 minutes
* We have 4 Haproxy, doing 2 checks (the app provides 2 websites, so one check for each Host: ), 6 times per minute = 48 checks, each minute. On each front.
* After 20 minutes : more than 450 MB used in the app for sessions
* Full GC, crash

So, my question is :

Is it possible to get and store the JSESSIONID cookie returned by the tcp-check expect (or something like this), and send it with the tcp-check send, to reuse the same session ?

Is there a way for a health check to use persistent cookie session (always the same, one per server), returned by the check ?

Thank you very much,

Sebastien Rohaut
HAProxy with multiple CRLs
Hi.

I would like to configure HAProxy to allow multiple CRLs.

First, for testing I created my own CA. I created a server cert and signed it. I created a client cert and signed it. I created a CRL. I setup HAProxy like:

bind *:443 ssl crt server.crt ca-file my_ca.crt crl-file my_ca.crl

That worked fine. The ssl connection prompted me for a cert signed by the CA present in the ca.crt file. I could give it a valid cert, an expired cert and a revoked cert and they all worked as expected.

Then I tried integrating with an external CA for which I have a valid client cert, the CA cert and the CA CRL. I concatenated the CA certs to a combined.crt file. Then I concatenated the CRL files to a combined.crl file even though I have read posts that say that invalidates the CRL. There are other posts that say that should work. My HAProxy config is now:

bind *:443 ssl crt server.crt ca-file combined.crt crl-file combined.crl

The interface will accept a client cert signed by my own CA. If I don't specify a CRL it will also accept a client cert signed by the external CA. But, if I specify the crl-file, it will not accept the client cert from the external CA.

I tried using just the external CA cert and the external CRL:

bind *:443 ssl crt server.crt ca-file external.crt crl-file external.crl

That will not work either. The error in both cases is "SSL client CA chain cannot be verified". But I only get that if I specify the crl-file.

Any help is appreciated! Thanks.

Mike
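An added diagnostic configuration, not from the message above or from the HAProxy project, for locating where in the external chain the verification fails. It keeps the concatenated ca-file and crl-file but switches the bind to `verify optional` with `ca-ignore-err all` and `crt-ignore-err all`, so the handshake completes and HAProxy's own verification results can be logged; the request is then denied at the HTTP layer unless a certificate was presented and verified cleanly, so the listener stays closed while you read the numbers. The backend name and address are placeholders.

```haproxy
# Added example (not from the original message). Temporary diagnostic
# listener: the *-ignore-err options exist only to let the handshake finish
# so the error codes below can be logged. Remove them once the CRL set is right.
frontend diag_client_certs
    mode http
    bind *:443 ssl crt server.crt ca-file combined.crt crl-file combined.crl verify optional ca-ignore-err all crt-ignore-err all
    option httplog
    # ssl_c_verify      OpenSSL X509_V_ERR_* number for the whole chain (0 = verified)
    # ssl_c_ca_err      first error hit on a CA certificate in the chain
    # ssl_c_ca_err_depth depth of that CA (1 = issuer of the client cert, 2 = its issuer, ...)
    # ssl_c_err         first error hit on the client certificate itself
    log-format %ci:%cp\ [%t]\ %ft\ used=%[ssl_c_used]\ verify=%[ssl_c_verify]\ ca_err=%[ssl_c_ca_err]\ ca_depth=%[ssl_c_ca_err_depth]\ crt_err=%[ssl_c_err]\ issuer=%[ssl_c_i_dn(CN)]\ %r
    # Still enforce the policy: only a presented AND fully verified cert passes.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Reading the log: a nonzero `ca_err` with `ca_depth` 1 or higher points at a CA certificate, not at the client certificate or the concatenation as such. Because HAProxy asks OpenSSL to check CRLs for every CA in the chain, an external CA that issues through an intermediate needs that intermediate's CRL in combined.crl as well; error 3 (X509_V_ERR_UNABLE_TO_GET_CRL) is the usual symptom when one is missing. The same verification can be reproduced outside HAProxy with `openssl verify -crl_check -CAfile combined.crt -CRLfile combined.crl client.crt`, which prints the error name instead of the number.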
Re: tcp-check with persistent session cookie ?
On Fri, Nov 6, 2015 at 1:00 PM, Sébastien ROHAUT < sebastien.rohaut@gmail.com> wrote: > Hi, > > > Is it possible to get and store the JSESSIONID cookie returned by the > tcp-check expect (or something like this), and send it with the tcp-check > send, to reuse the same session ? > > Is there a way for a health check to use persistent cookie session (always > the same, one per server), returned by the check ? > > Even if you can configure health checks to reuse the session id, your app will still be trivial to remotely crash from the net by anyone able to make GET requests that start sessions.
Re: tcp-check with persistent session cookie ?
On 07/11/2015 8:01 AM, "Sébastien ROHAUT" wrote:
>
> Hi,
>
> We encountered a big problem this afternoon, which crashed for a while one of our websites, a java (tomcat+lift) application. We are using Haproxy 1.5.
>
> For our backend, we're doing something like this, using tcp-check because we need to check status AND a string, which is not possible with http-check :
>
> backend backend-mywebsite
> balance roundrobin
> option redispatch
> option tcp-check
> tcp-check send GET\ /check \ HTTP/1.1\r\nHost:\
> www.mywebsite.fr\r\nConnection:\ close\r\n
> tcp-check send \r\n
> tcp-check expect string HTTP/1.1\ 200\ OK
> tcp-check expect rstring "healthStatus":"(Healthy|DegradedMode)"
> cookie JSESSIONID prefix nocache
>
>
> server s1 s1:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s1
> server s2 s2:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s2
> server s3 s3:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s3
> server s4 s4:11503 weight 1 check inter 10s fall 3 rise 2 ssl cookie s4
>
> For some reasons, the /check page didn't return the correct application status and our / returned a 500 even if /check was OK, so we decided to check /.
>
> After 20 minutes, our application crashed. In fact, our 4 fronts crashed at the same time, and if we restarted them, 20 minutes after, they crashed again. We lost some time because we were really thinking of a software bug before we realized the root cause.
>
> * Each tcp-check send opens a session on the application
> * Each session, on the / page, consumes 500 KB
> * session duration : 30 minutes
> * We have 4 Haproxy, doing 2 checks (the app provides 2 websites, so one check for each Host: ), 6 times per minute = 48 checks, each minute. On each front.
> * After 20 minutes : more than 450 MB used in the app for sessions
> * Full GC, crash
>
> So, my question is :
>
> Is it possible to get and store the JSESSIONID cookie returned by the tcp-check expect (or something like this), and send it with the tcp-check send, to reuse the same session ?
>
> Is there a way for a health check to use persistent cookie session (always the same, one per server), returned by the check ?
>
> Thank you very much,
>
> Sebastien Rohaut

What we did in our case is simply not produce a session in the app for the health check path.