Re: Possible regression on HAProxy 1.6, related to ACLs and dynamic payload buffers

2017-03-15 Thread Willy Tarreau
Hi Felipe, On Tue, Mar 14, 2017 at 04:03:22PM -0300, Felipe Guerreiro Barbosa Ruiz wrote: > Hi all, > > After upgrading from 1.5 to 1.6 I noticed some ACLs stopped working. All of > them looked like: acl some_name req.payload(0,0) <> > > I did some digging and found that the ability to handle

Re: Possible regression on HAProxy 1.6, related to ACLs and dynamic payload buffers

2017-03-15 Thread Willy Tarreau
On Wed, Mar 15, 2017 at 10:56:10AM +0100, Willy Tarreau wrote: > > I did some digging and found that the ability to handle dynamic buffers was > > added in 00f0084752eab236af80e61291d672e835790cff > > >

Re: Force connection close after a haproxy reload

2017-03-15 Thread Pavlos Parissis
On 15/03/2017 11:48 AM, Cyril Bonté wrote: > Hi all, > >> From: "Willy Tarreau" To: "Robson Roberto Souza Peixoto" >> Cc: haproxy@formilux.org Sent: Tuesday 14 March >> 2017 13:20:46 Subject: Re: Force connection close after a haproxy reload >> >> On Tue, Mar

Re: Force connection close after a haproxy reload

2017-03-15 Thread Willy Tarreau
Hi Cyril! On Wed, Mar 15, 2017 at 11:48:01AM +0100, Cyril Bonté wrote: > As a reminder (to me), I sent a patch in december (just before the 1.7.0 > release), which immediately closes the HTTP keep-alived connections. > Currently, during the soft stop, HTTP connections are only closed when a >

Re: OpenSSL engine and async support

2017-03-15 Thread Emeric Brun
Hi Grant, On 03/15/2017 12:05 PM, Emeric Brun wrote: > Hi Grant, > > On 02/04/2017 12:55 AM, Grant Zhang wrote: >> This patch set adds the basic support for OpenSSL crypto engine and >> async mode. >> >> Changes since V2: >> - support keyword "algo" >> - ensure SSL engines are initialized

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
> On 14 March 2017 at 19:11, Willy Tarreau wrote: >> >> For the little story: openssl-1.1.0 and boringssl have >> SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version >> and other methods to set protocol version are deprecated (or not >> implemented). >> It will be boring

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-15 Thread Willy Tarreau
On Mon, Mar 13, 2017 at 06:10:23PM +0100, Willy Tarreau wrote: > > Just wanted to follow up. I've been running this patch for a couple days on > > an idle system and haven't noticed any problems. > > Could this be merged? Is there anything else I can test? > > I'm personally fine with it but I'd

Re: Dynamic cookies support

2017-03-15 Thread Willy Tarreau
On Tue, Mar 14, 2017 at 11:22:35PM +0100, Willy Tarreau wrote: > Well that looks pretty good, I have no comment to make about it. > Do you want me to merge them now or are you seeking more comments first ? now applied, thanks! Willy

Re: Force connection close after a haproxy reload

2017-03-15 Thread Cyril Bonté
Hi all, > From: "Willy Tarreau" > To: "Robson Roberto Souza Peixoto" > Cc: haproxy@formilux.org > Sent: Tuesday 14 March 2017 13:20:46 > Subject: Re: Force connection close after a haproxy reload > > On Tue, Mar 14, 2017 at 11:16:26AM +, Robson Roberto Souza

Re: Dynamic cookies support

2017-03-15 Thread Olivier Houchard
On Wed, Mar 15, 2017 at 03:52:04PM +0200, Jarno Huuskonen wrote: > Hi Olivier, > > On Tue, Mar 14, Olivier Houchard wrote: > > Hi guys, > > > > You'll find attached patches to add support for dynamically-generated > > session > > cookies for each server, the said cookies will be a hash of the

Re: Possible regression on HAProxy 1.6, related to ACLs and dynamic payload buffers

2017-03-15 Thread Felipe Guerreiro Barbosa Ruiz
Sure thing, I'll get it tested and submit the patch. Thanks for the swift response. Cheers, Felipe On 15 March 2017 at 07:06, Willy Tarreau wrote: > On Wed, Mar 15, 2017 at 10:56:10AM +0100, Willy Tarreau wrote: > > > I did some digging and found that the ability to handle dynamic

Re: Dynamic cookies support

2017-03-15 Thread Jarno Huuskonen
Hi Olivier, On Tue, Mar 14, Olivier Houchard wrote: > Hi guys, > > You'll find attached patches to add support for dynamically-generated session > cookies for each server, the said cookies will be a hash of the IP, the > TCP port, and a secret key provided. > This adds 2 keywords to the config

Stick table sync problems

2017-03-15 Thread Aaron van Meerten
Hi HAProxy List, I’ve run into an issue with the stick tables/peering issue that may be of interest to some of you. I’ve got a fleet of 10 proxy servers peering with each other, fronting several backend servers. I have a very simple stick table setup which I’ve pasted examples of below.

Re: [PATCH] [MEDIUM] Improve "no free ports" error case

2017-03-15 Thread Krishna Kumar (Engineering)
Hi Willy, I am facing one problem with using system port range, Distro: Ubuntu 16.04.1, kernel: 4.4.0-53-generic When I set to 5 to 50999, the kernel allocates port in the range 5 to 50499, the remaining 500 ports do not seem to ever get allocated despite running a few thousand

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
> On 15 March 2017 at 12:41, Emmanuel Hocdet wrote: > > >> On 14 March 2017 at 19:11, Willy Tarreau > >> wrote: >>> >>> For the little story: openssl-1.1.0 and boringssl have >>> SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version

Re: [PATCH] CLEANUP: pattern: Move pattern_finalize_config to post checks initialization

2017-03-15 Thread Thierry FOURNIER
On Mon, 13 Mar 2017 18:54:52 +0100 Nenad Merdanovic wrote: > Hey Willy, > > On 3/13/2017 6:32 PM, Willy Tarreau wrote: > > Hi Nenad, > > > > [ccing Thierry] > > > > On Sun, Mar 12, 2017 at 10:00:51PM +0100, Nenad Merdanovic wrote: > >> Signed-off-by: Nenad Merdanovic

Re: Force connection close after a haproxy reload

2017-03-15 Thread Dave Cottlehuber
On Wed, 15 Mar 2017, at 12:02, Willy Tarreau wrote: > Hi Cyril! > > On Wed, Mar 15, 2017 at 11:48:01AM +0100, Cyril Bonté wrote: > > As a reminder (to me), I sent a patch in december (just before the 1.7.0 > > release), which immediately closes the HTTP keep-alived connections. > > Currently,

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-15 Thread Cyril Bonté
Hi Bryan, On 16/03/2017 at 00:52, Bryan Talbot wrote: On Mar 15, 2017, at Mar 15, 4:44 PM, Cyril Bonté wrote: Several use cases may accept to abruptly close the connections when the instance is stopping instead of waiting for timeouts to happen. This option allows to

[PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-15 Thread Cyril Bonté
Several use cases may accept to abruptly close the connections when the instance is stopping instead of waiting for timeouts to happen. This option allows to specify a grace period which defines the maximum time to spend to perform a soft-stop (occurring when SIGUSR1 is received). With this global

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-15 Thread Willy Tarreau
Hi guys, On Thu, Mar 16, 2017 at 01:03:24AM +0100, Cyril Bonté wrote: > Hi Bryan, > > On 16/03/2017 at 00:52, Bryan Talbot wrote: > > > > > On Mar 15, 2017, at Mar 15, 4:44 PM, Cyril Bonté > > > wrote: > > > > > > Several use cases may accept to abruptly close the

Re: OpenSSL engine and async support

2017-03-15 Thread Grant Zhang
Hi Emeric, Thanks for testing. I will try repro the issues locally and report back. Regards, Grant > On Mar 15, 2017, at 07:41, Emeric Brun wrote: > > Hi Grant, > > On 03/15/2017 12:46 PM, Emeric Brun wrote: >> Hi Grant, >> >> On 03/15/2017 12:05 PM, Emeric Brun wrote:

Re: OpenSSL engine and async support

2017-03-15 Thread Grant Zhang
Hi Emeric > On Mar 15, 2017, at 10:05, Emeric Brun wrote: > > Hi John, > >>> >>> There is some inconsistencies between the engine and the used client: >>> >>> here the conf: >>> global >>> tune.ssl.default-dh-param 2048 >>> ssl-engine qat >>> ssl-async >>>

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-15 Thread Steven Davidovitz
Thank you! I may one day follow-up on persistent connections, but this does this trick for now. On Wed, Mar 15, 2017 at 3:44 AM, Willy Tarreau wrote: > On Mon, Mar 13, 2017 at 06:10:23PM +0100, Willy Tarreau wrote: > > > Just wanted to follow up. I've been running this patch for a

Re: [RFC PATCH] MEDIUM: persistent connections for SSL checks

2017-03-15 Thread Willy Tarreau
On Wed, Mar 15, 2017 at 09:53:11AM -0700, Steven Davidovitz wrote: > Thank you! I may one day follow-up on persistent connections, but this does > this trick for now. No problem, I think persistent connections must be dealt with more globally and not just for SSL though. Cheers, Willy

Re: OpenSSL engine and async support

2017-03-15 Thread Emeric Brun
Hi John, >> >> There is some inconsistencies between the engine and the used client: >> >> here the conf: >> global >>tune.ssl.default-dh-param 2048 >>ssl-engine qat >>ssl-async >> >> listen gg >>mode http >>bind 0.0.0.0:8443 ssl crt /root/2048.pem >>

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-15 Thread Bryan Talbot
> On Mar 15, 2017, at Mar 15, 4:44 PM, Cyril Bonté wrote: > > Several use cases may accept to abruptly close the connections when the > instance is stopping instead of waiting for timeouts to happen. > This option allows to specify a grace period which defines the maximum >

Re: Dynamic cookies support

2017-03-15 Thread Willy Tarreau
On Wed, Mar 15, 2017 at 03:19:15PM +0100, Olivier Houchard wrote: > Oops my bad, I'm an idiot. Great, that's exactly what we were missing here, I needed some help. > Willy, can you commit the attached patch ? Both patches merged, thanks guys. Willy

Re: OpenSSL engine and async support

2017-03-15 Thread Willy Tarreau
Hi Grant, On Wed, Mar 15, 2017 at 10:20:01AM -0700, Grant Zhang wrote: > Maybe you run into the openssl 1.1 SNI issue. Does your test branch have the > following patch: > http://git.haproxy.org/?p=haproxy.git;a=commit;h=d3850603933c9319528375088a9b28b9b345246b > I think not because Emeric had

Re: [PATCHES] Add support for LibreSSL 2.5.1

2017-03-15 Thread Emmanuel Hocdet
> On 14 March 2017 at 16:28, Emmanuel Hocdet wrote: > > Hi Piotr > >> On 14 March 2017 at 16:04, Piotr Kubaj wrote: >> >> And it seems like the previously attached patches do compile, but the >> warning is there again so now I'm finally including

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Emmanuel Hocdet
Hi Willy, On 15 March 2017 at 12:41, Emmanuel Hocdet wrote: On 14 March 2017 at 19:11, Willy Tarreau wrote: For the little story: openssl-1.1.0 and boringssl have SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version and other methods to set protocol version are

Re: HTTP Basic Authorisation requests failing with HAProxy 1.7.2

2017-03-15 Thread Willy Tarreau
Hi Jon, On Wed, Mar 15, 2017 at 12:38:38PM -0500, Jon Simpson wrote: > Hi Christopher, > > The patch does seem to fix the bug in my testing - I can't reproduce the > 503 errors with your patch on 1.8. Sorry for taking a few days to get > around to looking at this & thanks for the fix! Much

Re: HTTP Basic Authorisation requests failing with HAProxy 1.7.2

2017-03-15 Thread Jon Simpson
On 10 March 2017 at 20:40:11, Christopher Faulet (cfau...@haproxy.com) wrote: Hi Jon, Here is a patch that should fix your bug. It was trickier than expected. Could you confirm that it fixes your bug ? -- Christopher Faulet Hi Christopher, The patch does seem to fix the bug in my testing - I

Re: Some compilation SSL errors/warnings on debian testing

2017-03-15 Thread Willy Tarreau
Hi Manu, On Wed, Mar 15, 2017 at 07:00:28PM +0100, Emmanuel Hocdet wrote: > > ssl_options seems still valid, all directives can be mapped to it and keep > > compatibility. > > > > Patch proposal: Maybe it could work, let's wait for Emeric's feedback. I remember there was a subtle difference

Re: Propagating agent-check weight change to tracking servers

2017-03-15 Thread Michał
Hello! Any news in this topic? Is there anything wrong with my patch? Michał 2017-02-04 9:38 GMT+01:00 Michał : > Hi, > I checked it and during synthetic tests it worked. I use same > mechanism as origin agent-check, so it's ready to merge. > > It doesn't need to be