Re: Haproxy 1.8.4 400's with http/2

2018-02-22 Thread Sander Klein
Thanks Lukas, It was indeed the option httpclose enabled only on that backend. Greets, Sander On 2018-02-21 16:49, Lukas Tribus wrote: Hello Sander, make sure you use "option http-keep-alive" as http mode, specifically httpclose will cause issue with H2. If that's not it, please share the

Re: Haproxy 1.8.4 crashing workers and increased memory usage

2018-02-22 Thread Willy Tarreau
Hi guys, On Thu, Feb 22, 2018 at 04:20:07PM +0100, Tim Düsterhus wrote: > Frank, > > Am 22.02.2018 um 15:33 schrieb Frank Schreuder: > >> Code 134 implies the worker was killed with SIGABRT. You could check > >> whether there is a core dump. > > > > I don't have any core dumps. > > Check

Re: Haproxy 1.8.4 crashing workers and increased memory usage

2018-02-22 Thread Tim Düsterhus
Frank, Am 22.02.2018 um 15:33 schrieb Frank Schreuder: >> Code 134 implies the worker was killed with SIGABRT. You could check >> whether there is a core dump. > > I don't have any core dumps. Check whether coredumps are enabled using `ulimit -c`, often they are disabled by default, because

[PATCH 2/2] MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file

2018-02-22 Thread Tim Duesterhus
This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure. There are more system call sets available in newer SystemD versions, but using those would make SystemD ignore the whole option when they are not supported. This patch adds a

[PATCH 0/2] Add SystemD's sandboxing options

2018-02-22 Thread Tim Duesterhus
I'm running this exact settings on my Debian Stretch machine using haproxy 1.8.x, without issues so far. The first patch could cause issues for users that store their configuration in /home or /root, but I consider this unlikely. Tim Duesterhus (2): MINOR: systemd: Add SystemD's Protect*=

[PATCH 1/2] MINOR: systemd: Add SystemD's Protect*= options to the unit file

2018-02-22 Thread Tim Duesterhus
While the haproxy workers usually are running chrooted the master process is not. This patch is a pretty safe defense in depth measure to ensure haproxy cannot touch sensitive parts of the file system. ProtectSystem takes non-boolean arguments in newer SystemD versions, but setting those would

Re: Haproxy 1.8.4 crashing workers and increased memory usage

2018-02-22 Thread Frank Schreuder
Hi Tim, >> I'm running haproxy 1.8.4 with a heavy work load. >> For some reason some workers die every now and then with the following error >> in the log: >> Feb 22 05:00:42 hostname haproxy[9950]: [ALERT] 052/045759 (9950) : Current >> worker 3569 exited with code 134 >> > > Code 134 implies