Re: Segfault with haproxy 1.8.10

2018-06-25 Thread Willy Tarreau
On Mon, Jun 25, 2018 at 10:45:51PM +0200, Thierry Fournier wrote:
> Just for information, if someone is working on this bug, I think
> that I found the origin of the crash. I am checking the impact and the
> validity of the patch, and then I will submit a patch.

Ah cool, thank you, we'll have a fairly busy week and I didn't expect
to have the time to look at this crash this week :-(

Cheers,
Willy



Re: Issue with parsing DNS from AWS

2018-06-25 Thread Jim Deville
Hi Baptiste,


I just wanted to follow up to see if you were able to repro and perhaps had a 
patch we could try?


Jim


From: Jim Deville
Sent: Thursday, June 21, 2018 1:05:49 PM
To: Baptiste
Cc: haproxy@formilux.org; Jonathan Works
Subject: Re: Issue with parsing DNS from AWS


Thanks for the reply, we were able to extract a minimal repro to demonstrate 
the problem: https://github.com/jgworks/haproxy-servicediscovery



The docker folder contains a version of the config we're using and a startup 
script to determine the local private DNS zone (AWS puts it at the subnet's +2).


Jim


From: Baptiste 
Sent: Thursday, June 21, 2018 11:02:26 AM
To: Jim Deville
Cc: haproxy@formilux.org; Jonathan Works
Subject: Re: Issue with parsing DNS from AWS

and by the way, I had a quick look at the pcap file and could not find anything 
weird.
The function you're pointing at seems to say there is not enough space to store a 
server's DNS name, but the allocated space is larger than your current records.

Baptiste


Re: Segfault with haproxy 1.8.10

2018-06-25 Thread Thierry Fournier
Just for information, if someone is working on this bug, I think
that I found the origin of the crash. I am checking the impact and the
validity of the patch, and then I will submit a patch.

Thierry

> On 25 Jun 2018, at 11:07, Thierry Fournier  
> wrote:
> 
> Hi,
> 
> I freshly compiled haproxy-1.9.10, and after starting it I see a lot of 
> segfaults.
> 
> #0  stktable_release (t=t@entry=0x274a5a8, ts=0x0) at src/stick_table.c:419
> #1  0x0049a0d6 in sample_conv_in_table (arg_p=, smp=0x7fffc6ed0d70, private=) at src/stick_table.c:876
> #2  0x004d1554 in sample_process (px=px@entry=0x32cbae0, sess=sess@entry=0x36e13b0, strm=strm@entry=0x365d0d0, opt=opt@entry=6, expr=0x3294540, p=p@entry=0x7fffc6ed0d70) at src/sample.c:1082
> #3  0x004f99fc in acl_exec_cond (cond=0x3707690, px=0x32cbae0, sess=sess@entry=0x36e13b0, strm=strm@entry=0x365d0d0, opt=6, opt@entry=2) at src/acl.c:1148
> #4  0x004e6c7d in tcp_inspect_request (s=s@entry=0x365d0d0, req=req@entry=0x365d0e0, an_bit=an_bit@entry=2) at src/tcp_rules.c:148
> #5  0x00487deb in process_stream (t=t@entry=0x8163d80) at src/stream.c:1902
> #6  0x00508b1b in process_runnable_tasks () at src/task.c:229
> #7  0x004ba44b in run_poll_loop () at src/haproxy.c:2403
> #8  run_thread_poll_loop (data=data@entry=0x27d97e0) at src/haproxy.c:2470
> #9  0x0041b5a5 in main (argc=, argv=0x7fffc6ed1498) at src/haproxy.c:3074
> 
> src/stick_table.c:419
> 
> 415 /* Just decrease the ref_cnt of the current session */
> 416 void stktable_release(struct stktable *t, struct stksess *ts)
> 417 {
> 418 HA_SPIN_LOCK(STK_TABLE_LOCK, &t->lock);
> 419 ts->ref_cnt--;
> 420 HA_SPIN_UNLOCK(STK_TABLE_LOCK, &t->lock);
> 421 }
> 
> (gdb) p ts
> $1 = (struct stksess *) 0x0
> 
> There is basic haproxy 1.8.10 (ec17d7a98f30326918219ba876fcfc56f6ad6823) 
> compiled with these options:
> 
> make -j 2 -C haproxy-1.8 \
>DEBUG="-DDEBUG_EXPR" \
>TARGET=linux2628 \
>USE_THREAD=1 \
>USE_REGPARM=1 \
>USE_SYSTEMD=1 \
>USE_LINUX_TPROXY=1 \
>USE_OPENSSL=yes \
>USE_PCRE=yes \
>USE_ZLIB=yes \
>USE_LUA=1 \
>USE_51DEGREES=1 \
>51DEGREES_SRC=/opt/Device-Detection/src/pattern
> 
> Tell me if you want the core & binary file.
> 
> Thierry




Re: [PATCH] REGTEST: stick-tables: Test expiration when used with table_*

2018-06-25 Thread Willy Tarreau
Hi Fred,

On Mon, Jun 25, 2018 at 11:45:31AM +0200, Frederic Lecaille wrote:
> I have attached #0003 patch for that in addition to these ones:
> 
> #0001 : as Olivier would say, "Ooops, I'm an idiot etc.".
>
> reg-tests/ssl/h0.vtc did not run any https request.
> 
> #0002 : set the default value of HAPROXY_PROGRAM environment variable.
> 
> We will have to change the class of the already existing reg test files.

Sorry I missed this series today, it's now merged.

Thank you!
Willy



Re: Haproxy client ip

2018-06-25 Thread Daniel Augusto Esteves
Hi Malcolm


I will set up a lab with this information.


Thanks

Daniel



From: Malcolm Turnbull 
Sent: Monday, 25 June 2018 14:05
To: Daniel Augusto Esteves
Cc: Jarno Huuskonen; simos.li...@googlemail.com; haproxy@formilux.org
Subject: Re: Haproxy client ip

Daniel,

Yes, That's expected :-).

It normally scares me when people say they are going to use TPROXY...
It's awesome but needs a bit of thought to implement properly.

This blog may help, it's a bit old, so ignore the Kernel stuff - you
don't need it any more:

https://www.loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/
On 25 June 2018 at 17:59, Daniel Augusto Esteves
 wrote:
> Hi
>
>
> When configuring source 0.0.0.0 usesrc clientip the backend stops
> responding.
>
>
> Best Regards
>
> Daniel
>
>
>
> 
> From: Daniel Augusto Esteves 
> Sent: Monday, 25 June 2018 08:37
> To: Jarno Huuskonen; simos.li...@googlemail.com
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy client ip
>
> Thank you for the tips guys.
>
>
> Get Outlook for Android
>
> 
> From: Jarno Huuskonen 
> Sent: Monday, June 25, 2018 8:24:11 AM
> To: Daniel Augusto Esteves
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy client ip
>
> Hi,
>
> On Mon, Jun 25, Simos Xenitellis wrote:
>> On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
>>  wrote:
>> > Hi
>> >
>> > I am setting up haproxy with keepalived and i need to know if is
>> > possible
>> > pass client ip for destination log server using haproxy in tcp mode?
>> >
>>
>> That can be done with the "proxy protocol". See more at
>> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>
> There's also source usesrc clientip:
> http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
> if your backend servers don't support proxy-protocol.
>
> -Jarno
>
> --
> Jarno Huuskonen
>


Re: Haproxy client ip

2018-06-25 Thread Malcolm Turnbull
Daniel,

Yes, That's expected :-).

It normally scares me when people say they are going to use TPROXY...
It's awesome but needs a bit of thought to implement properly.

This blog may help, it's a bit old, so ignore the Kernel stuff - you
don't need it any more:

https://www.loadbalancer.org/blog/configure-haproxy-with-tproxy-kernel-for-full-transparent-proxy/

On 25 June 2018 at 17:59, Daniel Augusto Esteves
 wrote:
> Hi
>
>
> When configuring source 0.0.0.0 usesrc clientip the backend stops
> responding.
>
>
> Best Regards
>
> Daniel
>
>
>
> 
> From: Daniel Augusto Esteves 
> Sent: Monday, 25 June 2018 08:37
> To: Jarno Huuskonen; simos.li...@googlemail.com
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy client ip
>
> Thank you for the tips guys.
>
>
> Get Outlook for Android
>
> 
> From: Jarno Huuskonen 
> Sent: Monday, June 25, 2018 8:24:11 AM
> To: Daniel Augusto Esteves
> Cc: haproxy@formilux.org
> Subject: Re: Haproxy client ip
>
> Hi,
>
> On Mon, Jun 25, Simos Xenitellis wrote:
>> On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
>>  wrote:
>> > Hi
>> >
>> > I am setting up haproxy with keepalived and i need to know if is
>> > possible
>> > pass client ip for destination log server using haproxy in tcp mode?
>> >
>>
>> That can be done with the "proxy protocol". See more at
>> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>
> There's also source usesrc clientip:
> http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
> if your backend servers don't support proxy-protocol.
>
> -Jarno
>
> --
> Jarno Huuskonen
>



Re: Haproxy client ip

2018-06-25 Thread Daniel Augusto Esteves
Hi


When configuring source 0.0.0.0 usesrc clientip the backend stops responding.


Best Regards

Daniel




From: Daniel Augusto Esteves 
Sent: Monday, 25 June 2018 08:37
To: Jarno Huuskonen; simos.li...@googlemail.com
Cc: haproxy@formilux.org
Subject: Re: Haproxy client ip

Thank you for the tips guys.


Get Outlook for Android


From: Jarno Huuskonen 
Sent: Monday, June 25, 2018 8:24:11 AM
To: Daniel Augusto Esteves
Cc: haproxy@formilux.org
Subject: Re: Haproxy client ip

Hi,

On Mon, Jun 25, Simos Xenitellis wrote:
> On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
>  wrote:
> > Hi
> >
> > I am setting up haproxy with keepalived and i need to know if is possible
> > pass client ip for destination log server using haproxy in tcp mode?
> >
>
> That can be done with the "proxy protocol". See more at
> https://www.haproxy.com/blog/haproxy/proxy-protocol/

There's also source usesrc clientip:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
if your backend servers don't support proxy-protocol.

-Jarno

--
Jarno Huuskonen



Bug when passing variable to mapping function

2018-06-25 Thread Daniel Schneller
Hi!

While playing around with map_regm I noticed some strange behavior when using 
variables and map_regm. I managed to reduce it to a small test case and believe 
this is an actual bug.

I tested this on macOS, in case it is relevant. haproxy is installed via 
homebrew:

- haproxy version ---
$ haproxy -vvv
HA-Proxy version 1.8.10-ec17d7a 2018/06/22
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = generic
  CPU = generic
  CC  = clang
  CFLAGS  =
  OPTIONS = USE_ZLIB=1 USE_POLL=1 USE_KQUEUE=1 USE_THREAD=1 USE_OPENSSL=1 
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.2o  27 Mar 2018
Running on OpenSSL version : OpenSSL 1.0.2o  27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using:
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
-


This is my haproxy configuration file:
--- bla.cfg -
defaults
mode http

frontend fe_test
bind 127.0.0.1:2

# Test Setup
# ---
# Remove port from Host header
http-request replace-value Host '(.*):.*' '\1'

# Store host header in variable
http-request set-var(txn.host) req.hdr(Host)
# ---


# Test cases:
# ---
# This works correctly
http-request set-var(txn.manual) str("distri")
http-request set-header X-Distri-Direct-From-Manual-Var %[var(txn.manual)]

# This works correctly
http-request set-header X-Distri-Mapped-From-Header %[req.hdr(Host),map_regm(hostmap.txt,"unknown"),lower]

# This works correctly
http-request set-header X-Distri-Direct-From-Var %[var(txn.host)]

# This breaks
http-request set-header X-Distri-Mapped-From-Var %[var(txn.host),map_regm(hostmap.txt,"unknown"),lower]

# ---

default_backend be_test

backend be_test
server s 127.0.0.1:8111
-

The server is just a Python SimpleHTTPServer, dumping the request headers.


This is the contents of the map file:
 hostmap.txt -
^(.*)\.(.*)$ \1
--


This is the sample request I send:
-- request ---
$ curl -v http://127.0.0.1:2/example.txt -H 'Host: distri.com:1234'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 2 (#0)
> GET /example.txt HTTP/1.1
> Host: distri.com:1234
> User-Agent: curl/7.54.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: SimpleHTTP/0.6 Python/2.7.10
< Date: Mon, 25 Jun 2018 14:15:41 GMT
< Content-type: text/plain
< Content-Length: 0
< Last-Modified: Mon, 25 Jun 2018 14:13:09 GMT
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<
* Connection #0 to host 127.0.0.1 left intact
-


HAproxy is started in the Terminal with debug output:
- HAProxy Output 
$ haproxy -d -f bla.cfg
...
Available polling systems :
 kqueue : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use kqueue.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Using kqueue() as the polling mechanism.
:fe_test.accept(0004)=0007 from [127.0.0.1:64880] ALPN=
:fe_test.clireq[0007:]: GET /example.txt HTTP/1.1
:fe_test.clihdr[0007:]: Host: distri.com:1234
:fe_test.clihdr[0007:]: User-Agent: curl/7.54.0
:fe_test.clihdr[0007:]: Accept: */*
:be_test.srvrep[0007:0008]: HTTP/1.0 200 OK
:be_test.srvhdr[0007:0008]: Server: SimpleHTTP/0.6 Python/2.7.10
:be_test.srvhdr[0007:0008]: Date: Mon, 25 Jun 2018 14:15:41 GMT
:be_test.srvhdr[0007:0008]: Content-type: text/plain
:be_test.srvhdr[0007:0008]: Content-Length: 0
:be_test.srvhdr[0007:0008]: Last-Modified: Mon, 25 Jun 2018 14:13:09 GMT
:be_test.srvcls[0007:adfd]
0001:fe_test.clicls[0007:]
0001:fe_test.closed

Re: Reverse String (or get 2nd level domain sample)?

2018-06-25 Thread Daniel Schneller
Hi again!

I found a working config using the map_regm converter.
I think it is somewhat overcomplicated for what it is supposed to achieve, but 
for now it works.

Leaving this here for reference:

# Remove port numbers from the Host header -- we do not rely on different ports for the same domain, and this makes ACL matching clearer
http-request replace-value Host '(.*):.*' '\1'

# Store the (now port-free) request Host in a transaction scoped variable for use in response ACLs
http-request set-var(txn.host) req.hdr(Host)

# Store the 2nd level domain (lower case) as the distributor. This uses a simple map file with just a single
# regex, because the inline regsub function does not support backrefs which are needed for variable number of subdomains.
http-request set-var(txn.distributor) var(txn.host),map_regm(distributors.map,"unknown"),lower

# Add a X-Distributor header for the application, overwriting anything the client may have claimed
http-request set-header X-Distributor %[var(txn.distributor)]

The distributors.map file contents looks like this:

(.*\.)+(.*)\.(.*) \2

Looks more complicated than it is. The first "(.*\.)+" greedily matches 
subdomains (in our case only domains with at least three parts are valid) and 
their trailing dots.
The second capture group matches the second level domain, followed by a dot, 
and then the final capture group "(.*)" for the top level domain.
The final one doesn't _have_ to be a group, because I drop the top level domain 
anyway, but I find it more readable this way.

Anything that matches this regex is replaced with just the value of the 2nd 
capture group (i. e. the 2nd level domain).

(tested with haproxy 1.8, but this should also work with earlier versions IMO).

Cheers,
Daniel





> On 25. Jun 2018, at 12:29, Daniel Schneller 
>  wrote:
> 
> Hi!
> 
> Just double checking to make sure I am not simply blind: Is there a way to 
> reverse a string using a sample converter?
> 
> Background: I need to extract just the second level domain from the host 
> header. So for sub.sample.example.com I need to fetch "example".
> 
> Using the "word" converter and a "." as the separator I can get at the 
> individual components, but because the number of nested subdomains varies, I 
> cannot use that directly.
> 
> My idea was to just reverse the full domain (removing a potential port number 
> first), get word(2) and reverse again. Is that possible? Or is there an even 
> better function I can use? I am thinking this must be a common use case, but 
> googling "haproxy" and "reverse" will naturally turn up lots of results 
> talking about "reverse proxying".
> 
> If possible, I would like to avoid using maps to keep this thing as generic 
> as possible.
> 
> Thanks a lot!
> 
> Daniel
> 
> 
> --
> Daniel Schneller
> Principal Cloud Engineer
> 
> CenterDevice GmbH
> Rheinwerkallee 3
> 53227 Bonn
> www.centerdevice.com 
> 
> __
> Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael Rosbach; 
> Commercial register no.: HRB 18655, register court: Bonn, VAT ID: DE-815299431
> 
> This e-mail, including any attached files, contains confidential and/or 
> legally protected information. If you are not the intended recipient or have 
> received this e-mail in error, please notify the sender immediately and delete 
> this e-mail and any attached files. Unauthorized copying, use or opening of 
> any attached files, as well as unauthorized forwarding of this e-mail, is not 
> permitted.
> 
> 



signature.asc
Description: Message signed with OpenPGP
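
The two map files posted in this thread (hostmap.txt in the bug report above, and distributors.map in the working configuration) are easiest to reason about by running them against sample Host values. The Python below is an added example, not code from the posts or from HAProxy: it emulates what map_regm does with a map file, assuming an unanchored regex match whose \N backreferences are expanded from the map value, with Python's re module standing in for HAProxy's PCRE build (adequate for these patterns). It also exercises the `(.*):.*` port-stripping rewrite used in both posts, including one caveat: a bracketed IPv6 literal without a port also contains colons, so that greedy rewrite truncates it.

```python
import re

# Constructed copies of the two map files posted in this thread, one
# "<regex> <value>" entry per line.
HOSTMAP_TXT = r"^(.*)\.(.*)$ \1"
DISTRIBUTORS_MAP = r"(.*\.)+(.*)\.(.*) \2"


def parse_map(text):
    """Parse map-file text into (compiled regex, value template) pairs.

    Blank lines and '#' comments are skipped; the key is everything up to the
    first run of whitespace and the value is the rest, so a value may itself
    contain spaces.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"\s+", line, maxsplit=1)
        entries.append((re.compile(key), value))
    return entries


def map_regm(sample, entries, default=None):
    """Emulation (an assumption, not HAProxy code) of the map_regm converter:
    the first entry whose regex matches wins and the \\N backreferences in its
    value are expanded from that match; `default` is returned when no entry
    matches, like map_regm's <default_value> argument."""
    for regex, template in entries:
        match = regex.search(sample)
        if match:
            return match.expand(template)
    return default


def strip_port(host):
    """The 'http-request replace-value Host (.*):.* \\1' rewrite from the
    thread applied to one Host value. Caveat: the greedy group cuts a bracketed
    IPv6 literal that has no port at its last colon (see the tests)."""
    return re.sub(r"(.*):.*", r"\1", host)


def distributor(host, map_text=DISTRIBUTORS_MAP, default="unknown"):
    """Full pipeline from the working configuration: strip the port, run the
    host through distributors.map, lower-case the result. Hosts with fewer
    than three labels do not match the regex and yield the default."""
    return map_regm(strip_port(host), parse_map(map_text), default).lower()


if __name__ == "__main__":
    for host in ("distri.com:1234", "Sub.Sample.Example.com:8443", "localhost"):
        print(host, "->", distributor(host))
```

The difference between the two map files shows up on a deep hostname: hostmap.txt's `^(.*)\.(.*)$ \1` keeps everything up to the last dot ("sub.sample.example"), while distributors.map's `(.*\.)+(.*)\.(.*) \2` isolates the second-level label ("example"), which is why the second regex was needed once the number of subdomains varies.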


Re: Haproxy client ip

2018-06-25 Thread Daniel Augusto Esteves
Thank you for the tips guys.


Obter o Outlook para Android


From: Jarno Huuskonen 
Sent: Monday, June 25, 2018 8:24:11 AM
To: Daniel Augusto Esteves
Cc: haproxy@formilux.org
Subject: Re: Haproxy client ip

Hi,

On Mon, Jun 25, Simos Xenitellis wrote:
> On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
>  wrote:
> > Hi
> >
> > I am setting up haproxy with keepalived and i need to know if is possible
> > pass client ip for destination log server using haproxy in tcp mode?
> >
>
> That can be done with the "proxy protocol". See more at
> https://www.haproxy.com/blog/haproxy/proxy-protocol/

There's also source usesrc clientip:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
if your backend servers don't support proxy-protocol.

-Jarno

--
Jarno Huuskonen



Re: Haproxy client ip

2018-06-25 Thread Jarno Huuskonen
Hi,

On Mon, Jun 25, Simos Xenitellis wrote:
> On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
>  wrote:
> > Hi
> >
> > I am setting up haproxy with keepalived and i need to know if is possible
> > pass client ip for destination log server using haproxy in tcp mode?
> >
> 
> That can be done with the "proxy protocol". See more at
> https://www.haproxy.com/blog/haproxy/proxy-protocol/

There's also source usesrc clientip:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-source
if your backend servers don't support proxy-protocol.

-Jarno

-- 
Jarno Huuskonen




Re: haproxy bug: healthcheck not passing after port change when statefile is enabled

2018-06-25 Thread Sven Wiltink
Hello,


So we've dug a little deeper and the issue seems to be caused by the port value 
in the statefile. When the target port of a server has changed between reloads, 
the port specified in the state file takes precedence. When running tcpdump you can 
see the healthchecks are being performed for the old port. After stopping 
haproxy and removing the statefile the healthcheck is performed for the right 
port. When manually editing the statefile to a random port, the healthchecks 
will be performed for that port instead of the one specified by the config.


The code responsible for this is at 
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/server.c;h=523289e3bda7ca6aa15575f1928f5298760cf582;hb=HEAD#l2931

from commit 
http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=3169471964fdc49963e63f68c1fd88686821a0c4.


A solution would be invalidating the state when the ports don't match.


-Sven




From: Sven Wiltink
Sent: Tuesday, 12 June 2018 17:01:18
To: haproxy@formilux.org
Subject: haproxy bug: healthcheck not passing after port change when 
statefile is enabled

Hello,

There seems to be a bug in the loading of state files after a configuration 
change. When changing the destination port of a server, the healthchecks never 
start passing if the state before the reload was down. This bug was 
introduced after 1.7.9, as we cannot reproduce it on machines running that 
version of haproxy. You can use the following steps to reproduce the issue:

Start with a fresh debian 9 install
install socat
install haproxy 1.8.9 from backports

create a systemd file 
/etc/systemd/system/haproxy.service.d/60-haproxy-server_state.conf  with the 
following contents:
[Service]
ExecStartPre=/bin/mkdir -p /var/run/haproxy/state
ExecReload=
ExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS
ExecReload=/bin/sh -c "echo show servers state | /usr/bin/socat /var/run/haproxy.sock - > /var/run/haproxy/state/test"
ExecReload=/bin/kill -USR2 $MAINPID

create the following files:
/etc/haproxy/haproxy.cfg.disabled:
global
maxconn 32000
tune.maxrewrite 2048
user haproxy
group haproxy
daemon
chroot /var/lib/haproxy
nbproc 1
maxcompcpuusage 85
spread-checks 0
stats socket /var/run/haproxy.sock mode 600 level admin process 1 user haproxy group haproxy
server-state-file test
server-state-base /var/run/haproxy/state
master-worker no-exit-on-failure

defaults
load-server-state-from-file global
log global
timeout http-request 5s
timeout connect  2s
timeout client   300s
timeout server   300s
mode http
option dontlog-normal
option http-server-close
option redispatch
option log-health-checks

listen stats
bind :1936
bind-process 1
mode http
stats enable
stats uri /
stats admin if TRUE

/etc/haproxy/haproxy.cfg.different-port:
global
maxconn 32000
tune.maxrewrite 2048
user haproxy
group haproxy
daemon
chroot /var/lib/haproxy
nbproc 1
maxcompcpuusage 85
spread-checks 0
stats socket /var/run/haproxy.sock mode 600 level admin process 1 user haproxy group haproxy
server-state-file test
server-state-base /var/run/haproxy/state
master-worker no-exit-on-failure

defaults
load-server-state-from-file global
log global
timeout http-request 5s
timeout connect  2s
timeout client   300s
timeout server   300s
mode http
option dontlog-normal
option http-server-close
option redispatch
option log-health-checks

listen stats
bind :1936
bind-process 1
mode http
stats enable
stats uri /
stats admin if TRUE

listen banaan-443-ipv4
bind :443
mode tcp
server banaan-vps 127.0.0.1:80 check inter 2000
listen banaan-80-ipv4
bind :80
mode tcp
server banaan-vps 127.0.0.1:80 check inter 2000

/etc/haproxy/haproxy.cfg.same-port:
global
maxconn 32000
tune.maxrewrite 2048
user haproxy
group haproxy
daemon
chroot /var/lib/haproxy
nbproc 1
maxcompcpuusage 85
spread-checks 0
stats socket /var/run/haproxy.sock mode 600 level admin process 1 user haproxy group haproxy
server-state-file test
server-state-base /var/run/haproxy/state
master-worker no-exit-on-failure

defaults
load-server-state-from-file global
log global
timeout http-request 5s
timeout connect  2s
timeout client   300s
timeout server   300s
mode http
option dontlog-normal
option http-server-close
option redispatch
option log-health-checks

listen stats
bind :1936
bind-process 1
mode http
stats enable
stats uri /
stats admin if TRUE

listen banaan-443-ipv4
bind :443
mode tcp
server banaan-vps 127.0.0.1:443 check inter 2000
listen banaan-80-ipv4
bind :80
mode tcp
server banaan-vps 127.0.0.1:80 check inter 2000


start a netcat p
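
The mismatch Sven describes above, as an added example that is not part of the report and not HAProxy's own code: a small Python check that reads a server-state file and the running configuration and flags every server whose state-file srv_port no longer matches the port in the config, which is the invalidation he suggests. The state-file sample and the config fragment are constructed for this example from the two listen sections in the report; the column names are my reading of the 1.8 "show servers state" output, and the parser takes them from the file's own header line, so a different column order still works.

```python
# Constructed sample of a v1 server-state file ("show servers state" output)
# captured before the reload, when banaan-443-ipv4 still pointed at port 443.
# Column names are assumed from the 1.8 format; they are read from the header.
STATE_FILE = """\
1
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port
4 banaan-443-ipv4 1 banaan-vps 127.0.0.1 0 0 1 1 12 8 2 0 6 0 0 0 - 443
5 banaan-80-ipv4 1 banaan-vps 127.0.0.1 2 0 1 1 12 6 3 4 6 0 0 0 - 80
"""

# The listen sections from haproxy.cfg.different-port in the report: the 443
# proxy now sends checks to port 80 while the state file still says 443.
HAPROXY_CFG = """\
listen banaan-443-ipv4
    bind :443
    mode tcp
    server banaan-vps 127.0.0.1:80 check inter 2000
listen banaan-80-ipv4
    bind :80
    mode tcp
    server banaan-vps 127.0.0.1:80 check inter 2000
"""


def parse_state(text):
    """Return {(be_name, srv_name): {column: value}} from a v1 state file.

    The first non-blank line is the format version, the second the '#'-prefixed
    header naming each column; every further line is one server."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != "1":
        raise ValueError("unsupported state file version")
    header = lines[1].lstrip("#").split()
    rows = {}
    for line in lines[2:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError("malformed state line: %r" % line)
        row = dict(zip(header, fields))
        rows[(row["be_name"], row["srv_name"])] = row
    return rows


def parse_config_servers(text):
    """Return {(proxy, server): port} for every 'server <name> <addr>[:<port>]'
    line, tracking the enclosing listen/backend section. A server line that
    gives no port is recorded as port 0 (HAProxy's "same port as the frontend")."""
    servers = {}
    section = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("listen", "backend") and len(tok) > 1:
            section = tok[1]
        elif tok[0] == "server" and section and len(tok) > 2:
            _, _, port = tok[2].rpartition(":")
            servers[(section, tok[1])] = int(port) if port.isdigit() else 0
    return servers


def stale_ports(state_rows, config_servers):
    """Servers whose state-file srv_port disagrees with the running config.

    Returns {(proxy, server): (state_port, config_port)}. These are the entries
    a loader should refuse to apply instead of letting the stale port win."""
    stale = {}
    for key, row in state_rows.items():
        if key not in config_servers:
            continue
        state_port = int(row["srv_port"])
        if state_port != config_servers[key]:
            stale[key] = (state_port, config_servers[key])
    return stale


if __name__ == "__main__":
    found = stale_ports(parse_state(STATE_FILE), parse_config_servers(HAPROXY_CFG))
    for (proxy, server), (old, new) in sorted(found.items()):
        print("%s/%s: state file says %d, config says %d" % (proxy, server, old, new))
```

Run against a real deployment, the same check can be wired into the reload step (between dumping `show servers state` and sending USR2) to drop stale entries from the state file before the new process loads it.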

Reverse String (or get 2nd level domain sample)?

2018-06-25 Thread Daniel Schneller
Hi!

Just double checking to make sure I am not simply blind: Is there a way to 
reverse a string using a sample converter?

Background: I need to extract just the second level domain from the host 
header. So for sub.sample.example.com I need to fetch "example".

Using the "word" converter and a "." as the separator I can get at the 
individual components, but because the number of nested subdomains varies, I 
cannot use that directly.

My idea was to just reverse the full domain (removing a potential port number 
first), get word(2) and reverse again. Is that possible? Or is there an even 
better function I can use? I am thinking this must be a common use case, but 
googling "haproxy" and "reverse" will naturally turn up lots of results talking 
about "reverse proxying".

If possible, I would like to avoid using maps to keep this thing as generic as 
possible.

Thanks a lot!

Daniel


--
Daniel Schneller
Principal Cloud Engineer

CenterDevice GmbH
Rheinwerkallee 3
53227 Bonn
www.centerdevice.com

__
Managing directors: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael Rosbach; 
Commercial register no.: HRB 18655, register court: Bonn, VAT ID: DE-815299431

This e-mail, including any attached files, contains confidential and/or 
legally protected information. If you are not the intended recipient or have 
received this e-mail in error, please notify the sender immediately and delete 
this e-mail and any attached files. Unauthorized copying, use or opening of 
any attached files, as well as unauthorized forwarding of this e-mail, is not 
permitted.




signature.asc
Description: Message signed with OpenPGP


RE: http-response add-header

2018-06-25 Thread mlist
Sure, I think this is a standard solution, if someone else needs it:

capture data in request stage (in Frontend or Backend):

   http-request set-var(txn.req_host) req.hdr(Host)
   -> captures the Host header of the request in the variable req_host1 (transaction scope)

use the data captured in request stage for the response stage (in Frontend or 
Backend):

  acl is_something var(txn.req_host) -i www.url1.com
  http-response set-header X-Frame-Options SAMEORIGIN if !is_something

It is also possible to use capture.req... for some data (ex: capture.req.uri). I 
found no simple capture.req... solution for Host data. I suppose using "capture" 
and "vars" is the same for haproxy internals.

mlist


APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | VAT no. 
IT-08543640158
administrative and operating office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 
- operating office Magenta (MI) via Milano 89/91 20013
www.apkappa.it

Pursuant to the personal data protection law (Legislative Decree 196/03 and 
related provisions), this e-mail is intended solely for the persons indicated 
above and the information it contains is to be considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever 
nor disclose them to anyone else. If you are not the intended recipient, you 
should not copy, modify, distribute or take any action in reliance on it. If 
you have received this email in error, please notify the sender and delete this 
email from your system.

-Original Message-
From: Aleksandar Lazic 
Sent: Monday, 25 June 2018 11:40
To: mlist ; 'Jarno Huuskonen' 
Cc: 'haproxy@formilux.org' 
Subject: Re: http-response add-header

Hi.

On 25.06.2018 at 09:49, mlist wrote:
> You're right. Meanwhile I found a working version using set-var on 
> http-request.

It would be nice if you shared the solution, here or in a blog post. Thank 
you.

> Thank you

Best regards
Aleks

> -Original Message-
> From: Jarno Huuskonen 
> Sent: Monday, 25 June 2018 09:01
> To: mlist 
> Cc: 'haproxy@formilux.org' 
> Subject: Re: http-response add-header
>
> Hi,
>
> On Sat, Jun 23, mlist wrote:
>> using this config no header is added to client from haproxy:
>>
>> acl is_test hdr_dom(host) -i www.url1.url2.com
>>
>> http-response add-header X-Custom-Header YES if is_test
>
> Most likely the host header is not available for the http-response/acl.
>
> For example with this config:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    acl is_test hdr_dom(host) -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
>    default_backend test_be
>
> backend test_be
>    http-request deny deny_status 200
>
> haproxy complains:
> [WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 'is_test'
> will never match because it only involves keywords that are incompatible with
> 'frontend http-response header rule'
>
> You can use captures / variables to "store" the host header:
> https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/
>
> So for example:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    declare capture request len 64
>    http-request capture req.hdr(Host) id 0
>    acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
>
> -Jarno
>
> --
> Jarno Huuskonen
>




Re: Observations about reloads and DNS SRV records

2018-06-25 Thread Baptiste
Hi,

Forget the backend id, it's the wrong answer to that problem.
I was investigating another potential issue, but this does not fix the
original problem reported here.

Here is the answer I delivered today on discourse, where other people have
also reported the same issue:

   Just to let you know that I think I found the cause of the issue but I
don't have a fix yet.
   I'll come back to you this week with more info and hopefully a fix.
   The issue seems to be in srv_init_addr(), because srv->hostname is not
set (null).

Baptiste


Re: [PATCH] REGTEST: stick-tables: Test expiration when used with table_*

2018-06-25 Thread Frederic Lecaille

On 06/21/2018 04:53 AM, Willy Tarreau wrote:
> Hi Daniel,
> 
> On Wed, Jun 20, 2018 at 10:28:43AM -0400, Daniel Corbett wrote:
>> +shell -expect "used:0" {
>> +echo "show table http1" |socat ${tmpdir}/h1/stats.sock -
>                             ^
> This is the point where it will start to require that we organize the
> reg tests better. First, socat is rarely installed by default so we'll
> have to mention that it's required. Second, socat introduces half a
> second delay before quitting, making it impractical for the quick
> automated tests that we expect developers to run frequently.
> 
> The dependency on socat makes me think we could probably put all of such
> tests in a specific sub-directory. However, I predict that we will also
> create a number of other ones which will be slower than average and which
> will be unrelated to the CLI.
> 
> Maybe we could simply introduce levels :
>    - level 1 (the default) would contain only the immediate tests that cover
>      the internal state machine and HTTP compliance (the things we break the
>      most often by side effects when fixing a bug in the same area). Basically
>      we should expect to be able to run 100 tests in a second there and there
>      should be zero excuse for not running them before committing a patch
>      affecting a sensitive area.
> 
>    - level 2 would cover some extra parts requiring a bit more time (eg:
>      CLI commands, horrible stuff involving tcploop) and would probably
>      be needed only when trying to ensure that a fix doesn't break
>      something unexpected.
> 
>    - level 3 would be the painful one that we already know nobody will dare
>      to run. They would cover timeouts, health checks, etc. All the stuff
>      that takes multiple seconds per test would be there. They may occasionally
>      be run by a dev during lunch time, or at night by automated bots.
> 
> Then we could issue "make reg-tests" to run level 1 by default or
> "make reg-tests LEVEL=" for the other ones. The idea is that I would
> *really* like to encourage developers to run some basic tests before sending
> patches, and we all know that none of us will accept to run them if they take
> more time than what is needed to divert us (ie if you have time to switch to
> reading your mails while the test runs, we won't run them because this will
> create distraction).

I have attached patch #0003 for that, in addition to these ones:

#0001 : as Olivier would say, "Ooops, I'm an idiot", etc.
reg-tests/ssl/h0.vtc did not run any https request.


#0002 : set the default value of the HAPROXY_PROGRAM environment variable.

We will have to change the class of the already existing reg test files.

From bbbef595937170b87d0707780968d031c95ca9e4 Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 25 Jun 2018 11:15:43 +0200
Subject: [PATCH 3/3] REGTEST/MINOR: Add levels to reg-tests target.

With this patch we can provide the LEVEL environment variable when
running the reg-tests Makefile target (reg testing) to set the execution
level of the reg-tests make target to run.

LEVEL default value is 1.

LEVEL=1 is to run all h*.vtc files which are the most important
reg testing files (to test haproxy core, HTTP compliance etc).

LEVEL=2 is to run all s*.vtc files which are a bit slow tests,
for instance tests requiring external programs (curl, socat etc).

LEVEL=3 is to run all l*.vtc files, which are test files that are again
slower or of little interest.
---
 Makefile | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 9ea3e80..817161f 100644
--- a/Makefile
+++ b/Makefile
@@ -1004,6 +1004,16 @@ reg-tests:
 		echo "Please make the VARNISHTEST_PROGRAM variable point to the location of the varnishtest program."; \
 		exit 1; \
 	fi
-	@find reg-tests -type f -name "*.vtc" -print0 | \
-	   HAPROXY_PROGRAM=$${HAPROXY_PROGRAM:-$$PWD/haproxy} xargs -0 $(VARNISHTEST_PROGRAM) -l -t5
+	@export LEVEL=$${LEVEL:-1}; \
+	if [ $$LEVEL = 1 ] ; then \
+	   EXPR='h*.vtc'; \
+	elif [ $$LEVEL = 2 ] ; then \
+	   EXPR='s*.vtc'; \
+	elif [ $$LEVEL = 3 ] ; then \
+	   EXPR='l*.vtc'; \
+	fi ; \
+	if [ -n "$$EXPR" ] ; then \
+	   find reg-tests -type f -name "$$EXPR" -print0 | \
+	  HAPROXY_PROGRAM=$${HAPROXY_PROGRAM:-$$PWD/haproxy} xargs -r -0 $(VARNISHTEST_PROGRAM) -l -t5 ; \
+	fi
 .PHONY: reg-tests
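Review bot: an unrecognized LEVEL (anything other than 1, 2 or 3) leaves EXPR empty, so the `if [ -n "$$EXPR" ]` guard makes the target exit 0 while running no test at all, and an EXPR inherited from the caller's environment would silently select an unintended pattern. Suggest initialising `EXPR=` before the if/elif chain and adding an `else` branch that prints the unsupported LEVEL value and does `exit 1`, so a typo such as LEVEL=l cannot pass as a green run. The added `xargs -r` has the same flavour: a level whose glob matches no file reports success, which is fine for an empty level but deserves a comment so a misnamed test file is not mistaken for a passing suite.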
-- 
2.1.4

From 820602fa642c3143c3884056775a7077bf99c2eb Mon Sep 17 00:00:00 2001
From: Frédéric Lécaille
Date: Mon, 25 Jun 2018 10:24:37 +0200
Subject: [PATCH 2/3] REGTEST/MINOR: Set HAPROXY_PROGRAM default value.

With this patch, we set HAPROXY_PROGRAM environment variable
default value to the haproxy executable of the current working directory.
So, if the current directory is the haproxy sources directory,
the reg-tests Makefile target may be run with this shorter command:

  $ VARNISTEST_PROGRAM=<...> make reg-tests

in place of

  $ VARNISTEST_PROGRAM=<...> HAPROXY_PROGRAM=<...> make reg-tests
---
 Makefile | 2 +-
 1 file 

Re: http-response add-header

2018-06-25 Thread Aleksandar Lazic
Hi.

Am 25.06.2018 um 09:49 schrieb mlist:
> You're right. Meanwhile I found a working version using set-var on
> http-request.

It would be nice if you shared the solution, here or in a blog post. Thank
you

> Thank you

Best regards
Aleks

> *APKAPPA s.r.l. * registered office Via F. Albani, 21 20149 Milano | p.iva/vat no.
> IT-08543640158
> 
> administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A
> 42123
> - operational office Magenta (MI) via Milano 89/91 20013
> www.apkappa.it 
> 
> Pursuant to and for the purposes of the law on the protection of personal
> privacy (Legislative Decree 196/03 and related), this email is intended solely
> for the persons indicated above and the information it contains is to be
> considered strictly confidential.
> 
> This email is confidential, do not use the contents for any purpose whatsoever
> nor disclose them to anyone else. If you are not the intended recipient, you
> should not copy, modify, distribute or take any action in reliance on it. If
> you have received this email in error, please notify the sender and delete this
> email from your system.
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Jarno Huuskonen 
> Sent: Monday, 25 June 2018 09:01
> To: mlist 
> Cc: 'haproxy@formilux.org' 
> Subject: Re: http-response add-header
> 
> Hi,
> 
> On Sat, Jun 23, mlist wrote:
>> using this config no header is added to client from haproxy:
>>
>> acl is_test hdr_dom(host) -i www.url1.url2.com
>>
>> http-response add-header X-Custom-Header YES if is_test
> 
> Most likely the host header is not available for the http-response/acl.
> 
> For example with this config:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    acl is_test hdr_dom(host) -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
>    default_backend test_be
> 
> backend test_be
>    http-request deny deny_status 200
> 
> haproxy complains:
> [WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 
> 'is_test'
> will never match because it only involves keywords that are incompatible with
> 'frontend http-response header rule'
> 
> You can use captures / variables to "store" the host header:
> https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/
> 
> So for example:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    declare capture request len 64
>    http-request capture req.hdr(Host) id 0
>    acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
> 
> -Jarno
> 
> --
> Jarno Huuskonen
> 




Re: Haproxy client ip

2018-06-25 Thread Simos Xenitellis
On Sat, Jun 23, 2018 at 1:43 AM, Daniel Augusto Esteves
 wrote:
> Hi
>
> I am setting up haproxy with keepalived and I need to know if it is possible
> to pass the client IP to the destination log server using haproxy in tcp mode?
>

That can be done with the "proxy protocol". See more at
https://www.haproxy.com/blog/haproxy/proxy-protocol/

Simos



Segfault with haproxy 1.8.10

2018-06-25 Thread Thierry Fournier
Hi,

I freshly compile haproxy-1.9.10, and after the start, I display a lot of 
segfaults.

#0  stktable_release (t=t@entry=0x274a5a8, ts=0x0) at src/stick_table.c:419
#1  0x0049a0d6 in sample_conv_in_table (arg_p=, 
smp=0x7fffc6ed0d70, private=)
at src/stick_table.c:876
#2  0x004d1554 in sample_process (px=px@entry=0x32cbae0, 
sess=sess@entry=0x36e13b0,
strm=strm@entry=0x365d0d0, opt=opt@entry=6, expr=0x3294540, 
p=p@entry=0x7fffc6ed0d70) at src/sample.c:1082
#3  0x004f99fc in acl_exec_cond (cond=0x3707690, px=0x32cbae0, 
sess=sess@entry=0x36e13b0,
strm=strm@entry=0x365d0d0, opt=6, opt@entry=2) at src/acl.c:1148
#4  0x004e6c7d in tcp_inspect_request (s=s@entry=0x365d0d0, 
req=req@entry=0x365d0e0, an_bit=an_bit@entry=2)
at src/tcp_rules.c:148
#5  0x00487deb in process_stream (t=t@entry=0x8163d80) at 
src/stream.c:1902
#6  0x00508b1b in process_runnable_tasks () at src/task.c:229
#7  0x004ba44b in run_poll_loop () at src/haproxy.c:2403
#8  run_thread_poll_loop (data=data@entry=0x27d97e0) at src/haproxy.c:2470
#9  0x0041b5a5 in main (argc=, argv=0x7fffc6ed1498) at 
src/haproxy.c:3074

src/stick_table.c:419

 415 /* Just decrease the ref_cnt of the current session */
 416 void stktable_release(struct stktable *t, struct stksess *ts)
 417 {
 418 HA_SPIN_LOCK(STK_TABLE_LOCK, &t->lock);
 419 ts->ref_cnt--;
 420 HA_SPIN_UNLOCK(STK_TABLE_LOCK, &t->lock);
 421 }

(gdb) p ts
$1 = (struct stksess *) 0x0

There is basic haproxy 1.8.10 (ec17d7a98f30326918219ba876fcfc56f6ad6823) 
compiled with these options:

make -j 2 -C haproxy-1.8 \
DEBUG="-DDEBUG_EXPR" \
TARGET=linux2628 \
USE_THREAD=1 \
USE_REGPARM=1 \
USE_SYSTEMD=1 \
USE_LINUX_TPROXY=1 \
USE_OPENSSL=yes \
USE_PCRE=yes \
USE_ZLIB=yes \
USE_LUA=1 \
USE_51DEGREES=1 \
51DEGREES_SRC=/opt/Device-Detection/src/pattern

Tell me if you want the core & binary file.

Thierry


RE: http-response add-header

2018-06-25 Thread mlist
You're right. Meanwhile I found a working version using set-var on http-request.

Thank you



mlist


-Original Message-
From: Jarno Huuskonen 
Sent: Monday, 25 June 2018 09:01
To: mlist 
Cc: 'haproxy@formilux.org' 
Subject: Re: http-response add-header

Hi,

On Sat, Jun 23, mlist wrote:
> using this config no header is added to client from haproxy:
>
> acl is_test hdr_dom(host) -i www.url1.url2.com
>
> http-response add-header X-Custom-Header YES if is_test

Most likely the host header is not available for the http-response/acl.

For example with this config:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   acl is_test hdr_dom(host) -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test
   default_backend test_be

backend test_be
   http-request deny deny_status 200

haproxy complains:
[WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 
'is_test' will never match because it only involves keywords that are 
incompatible with 'frontend http-response header rule'

You can use captures / variables to "store" the host header:
https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/

So for example:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   declare capture request len 64
   http-request capture req.hdr(Host) id 0
   acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test

-Jarno

--
Jarno Huuskonen


RE: cookie insert method secure

2018-06-25 Thread mlist
Thank you for the help on bool var(…). Hard to find in the documentation… Now 
var(…), like ssl_fc, also persists for the txn (request/response). I tried adding a 
header based on the var persisted as bool and it worked, but, as with the plain 
"acl https_sess ssl_fc", rspirep (or http-response) based on var(…) cannot 
modify the Set-Cookie header inserted by the "cookie  insert…" method.
As I wrote, probably the cookie insert method overrides any other response 
manipulation in the flow. It is hard for me to read the source code to verify this 
behavior. For now we changed the configuration to use 2 separate backends, one for 
http (cookie… insert) and one for https (cookie… insert… secure).
A more flexible cookie insert method would be very useful: with , 
with the possibility to be modified in the http-response phase and with the 
possibility to add new cookie flags for security (ex: samesite) as new security 
standards emerge.
How do you verify your variables' memory consumption? I cannot find a stat or 
method to verify that variables are not using a lot of memory.
Roberto



From: Igor Cicimov 
Sent: Monday, 25 June 2018 06:12
To: mlist 
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

On Sun, Jun 24, 2018 at 11:28 PM, mlist wrote:
Hi Igor,
as I see, this is not true.

I think ssl_fc is just persisted between request and response, as this works fine 
without setting vars (as in the example below), but it never works for the cookie 
header inserted by "cookie  insert …". It seems that the cookie insert method 
overrides every other set-cookie method (probably applied as the last operation on 
the flow):

  acl https_sess ssl_fc
  acl secure_c_present res.hdr(Set-Cookie),lower -m sub secure
  rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secure_c_present

Using vars instead doesn't work; I tested by trying to add a header like this. 
It seems that this var is always false/null/empty:

  http-request set-var(txn.req_ssl) ssl_fc
  acl is_test var(txn.req_ssl)
  http-response set-header XXX-TEST-OPTIONS TEST1 if is_test

is_test is never true, as "http-request set-var(txn.req_ssl) ssl" is never what 
one thinks… if I'm not wrong…


You need to use the var as type bool in this case, this is from one of my 
setups:

frontend:
http-request set-var(txn.req_api) bool(true) if tx_is_api

backend:
acl api_call var(txn.req_api) -m bool



Re: http-response add-header

2018-06-25 Thread Jarno Huuskonen
Hi,

On Sat, Jun 23, mlist wrote:
> using this config no header is added to client from haproxy:
> 
> acl is_test hdr_dom(host) -i www.url1.url2.com
> 
> http-response add-header X-Custom-Header YES if is_test

Most likely the host header is not available for the http-response/acl.

For example with this config:
frontend test_fe
bind ipv4@127.0.0.1:8080
acl is_test hdr_dom(host) -i www.url1.url2.com
http-response add-header X-Custom-Header YES if is_test
default_backend test_be

backend test_be
http-request deny deny_status 200

haproxy complains:
[WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 
'is_test' will never match because it only involves keywords that are 
incompatible with 'frontend http-response header rule'

You can use captures / variables to "store" the host header:
https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/

So for example:
frontend test_fe
bind ipv4@127.0.0.1:8080
declare capture request len 64
http-request capture req.hdr(Host) id 0
acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
http-response add-header X-Custom-Header YES if is_test

-Jarno

-- 
Jarno Huuskonen
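The two threads above (carrying the Host header into http-response rules, and testing ssl_fc after the request phase) come down to one pattern: store request-phase samples in txn-scoped variables and match them with an explicit method. The configuration below is an added example, not from any of the posts or from the haproxy project; the section names, addresses and the certificate path are made up, and the Secure-flag rule only touches Set-Cookie headers issued by the server, not the one added by "cookie ... insert", as the thread reports.

```haproxy
# Added example: frontend/backend names, addresses and the certificate path are made up.
frontend test_fe
    bind 127.0.0.1:8080
    bind 127.0.0.1:8443 ssl crt /PLACEHOLDER/path/to/cert.pem

    # Broken form from the thread: hdr_dom(host) reads the request, which is no
    # longer available when http-response rules run, so haproxy warns at startup
    # that the ACL will never match.
    #acl is_test hdr_dom(host) -i www.url1.url2.com
    #http-response add-header X-Custom-Header YES if is_test

    # Working form: txn.* variables live for the whole transaction, so values
    # fetched during the request are still there during the response.
    http-request set-var(txn.host)   req.hdr(host),lower
    http-request set-var(txn.is_ssl) ssl_fc

    # var() carries no type the ACL parser can infer, so the match method is
    # given explicitly (-m dom for the host, -m bool for the ssl_fc flag).
    acl is_test var(txn.host) -m dom www.url1.url2.com
    http-response add-header X-Custom-Header YES if is_test
    default_backend test_be

backend test_be
    # ACLs are per section, so the TLS check is declared again here.
    acl https_sess       var(txn.is_ssl) -m bool
    acl secure_c_present res.hdr(Set-Cookie),lower -m sub secure

    # Append the Secure attribute to server-issued Set-Cookie headers on TLS
    # sessions that lack it. The cookie that "cookie ... insert" adds is not
    # affected by this rule; that one takes its own "secure" option.
    http-response replace-header Set-Cookie ^(.*)$ \1;\ Secure if https_sess !secure_c_present
    server s1 127.0.0.1:8000
```

If a response carries several Set-Cookie headers, secure_c_present is true as soon as any one of them contains "secure", so mixed responses keep their unflagged cookies; split the check per cookie if that matters.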