RE: Switching Java client to Websocket with SSL // Connection closed during SSL handshake

2014-10-18 Thread Lukas Tribus
Hi Heiko,


>> Also, please try the bind keywords no-tlsv12, no-tlsv11 and
>> ciphers TLS_RSA_WITH_RC4_128_SHA. If this makes it work, please apply
>> the attached debug patch and just run it with force-tlsv10, I would like
>> to know if that call fails.
>
> I added the parameters except TLS_RSA_WITH_RC4_128_SHA as it is not
> available in openssl. This one seems to be the equivalent here: RC4-SHA

Well, with this configuration there is now a real TLS handshake problem.
Please just try with no-tlsv12, without the cipher configuration, and redo those
tests.

I suspect there is no real SSL/TLS handshake issue here, but that the issue
is on the application layer (I misread the first capture you sent me: the actual
handshake seems ok, it's the client that is sending the FIN+ACK).

Lukas


Just had a thought about the poodle issue....

2014-10-18 Thread Malcolm Turnbull
I was thinking Haproxy could be used to block any non-TLS connection
Like you can with iptables:
https://blog.g3rt.nl/take-down-sslv3-using-iptables.html

However it would be nice if you had users trying to connect via IE6/7
etc on XP to display a nice message like, please upgrade to a secure
browser chrome or firefox etc?

Is that easy to do?

-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 1604540
http://www.loadbalancer.org/



Re: Just had a thought about the poodle issue....

2014-10-18 Thread David Coulson

You mean like this?

http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/


On 10/18/14, 10:34 AM, Malcolm Turnbull wrote:

> I was thinking Haproxy could be used to block any non-TLS connection
> Like you can with iptables:
> https://blog.g3rt.nl/take-down-sslv3-using-iptables.html
>
> However it would be nice if you had users trying to connect via IE6/7
> etc on XP to display a nice message like, please upgrade to a secure
> browser chrome or firefox etc?
>
> Is that easy to do?



[ANNOUNCE] haproxy-1.5.6

2014-10-18 Thread Willy Tarreau
Hi,

Here's haproxy 1.5.6. It fixes the annoying bug reported this week
about disabled proxies, an issue in the URI hash (the question mark of
a query string was accidentally hashed when present), an off-by-one when
checking the stick-counter number in track-sc rules, resulting in
the track-sc3 action being accepted and reported as valid but ignored,
and slightly improves the systemd wrapper. Nothing big, really. I'd like
the stable branch to stabilize as soon as possible so that we can make
better progress on 1.6 and spend less time chasing bugs.

Here's the full changelog :

- BUG/MEDIUM: systemd: set KillMode to 'mixed'
- MINOR: systemd: Check configuration before start
- BUG/MEDIUM: config: avoid skipping disabled proxies
- BUG/MINOR: config: do not accept more track-sc than configured
- BUG/MEDIUM: backend: fix URI hash when a query string is present

Usual URLs below :
  Site index   : http://www.haproxy.org/
  Sources  : http://www.haproxy.org/download/1.5/src/
  Git repository   : http://git.haproxy.org/git/haproxy-1.5.git/
  Git Web browsing : http://git.haproxy.org/?p=haproxy-1.5.git
  Changelog: http://www.haproxy.org/download/1.5/src/CHANGELOG
  Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html

Willy




Re: Just had a thought about the poodle issue....

2014-10-18 Thread Malcolm Turnbull
Doh!

I'm getting old... thanks :-).


On 18 October 2014 15:37, David Coulson da...@davidcoulson.net wrote:
> You mean like this?
>
> http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/
>
>
>
> On 10/18/14, 10:34 AM, Malcolm Turnbull wrote:
>
>> I was thinking Haproxy could be used to block any non-TLS connection
>> Like you can with iptables:
>> https://blog.g3rt.nl/take-down-sslv3-using-iptables.html
>>
>> However it would be nice if you had users trying to connect via IE6/7
>> etc on XP to display a nice message like, please upgrade to a secure
>> browser chrome or firefox etc?
>>
>> Is that easy to do?


-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 1604540
http://www.loadbalancer.org/



HAPROXY for IMAP, SMTP

2014-10-18 Thread Rainer Duffner
Hi,

we use HAPROXY for incoming mail, outgoing mail (authenticated), POP3, IMAP.

With incoming mail, I can make use of HAProxy’s send-proxy feature to make the 
source-IP known to the backend SMTP-servers.
(Works in the lab, I just need to move a few hundred customers off port 25 for 
authenticated SMTP, as send-proxy is incompatible with authentication (right?))

But what about authenticated SMTP connections (which go on Port 587 or 465)?

We get a fair amount of abuse from hijacked accounts.
I need to know the original IP from these connections, too, so I can quickly 
see if it connects from China, Pakistan or whatever (our customers are 99.99% 
only connecting from domestic fixed and dynamic IPs and authenticated connections 
from multiple IPs from multiple countries to the same account are 100% 
hijacked).
Same in principle for POP3 and IMAP.

Is there no other way other than running TPROXY mode (which I want to avoid and 
is AFAIK also not recommended)?

I have about 15k individual users.

As traffic is going to be almost 100% encrypted in the near future, I can't 
even run something like SNORT on the LB and just process the logs from that….



Have the patches from this thread:
http://marc.info/?t=13662203193r=1w=2

been incorporated into the HAproxy 1.5 source tree since then?



Re: HAPROXY for IMAP, SMTP

2014-10-18 Thread Jason J. W. Williams
> With incoming mail, I can make use of HAProxy's send-proxy feature to make 
> the source-IP known to the backend SMTP-servers.
> (Works in the lab, I just need to move a few hundred customers off port 25 
> for authenticated SMTP, as send-proxy is incompatible with authentication 
> (right?))

send-proxy just kicks in HAProxy's PROXY protocol which your backend
servers need to be able to understand:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Authenticated vs unauthenticated vs encrypted SMTP shouldn't matter.
As that's all sent after the initial PROXY line. If your backend MTA
doesn't understand/expect the HAProxy PROXY protocol, it won't work
period.

I believe both Postfix and Exim support the HAProxy PROXY protocol.

-J



Feature Request

2014-10-18 Thread Brent Kennedy
Not sure if this is the right place for this, but I was wondering if a
select all check box could be added to the statistics page for each section.
Right now, you check off the selection boxes for each server you want to
perform an action for, which is fine.  But if you have 20(or more) servers
in the list and you want to take 19 down for a code upgrade, you have to
click each box.   I would be really really really grateful if a select all
box could be added to the top of each section.  Then I could select that
which would then check all the boxes and then uncheck the one server (two
clicks instead of 19).  It's a pretty standard web functionality, but there
might be a reason it was never added or it was just overlooked, so I thought
I would ask.


Really liking HAproxy 1.5.4 though, with built in SSL, things are more
streamlined now!


Thanks for everything!


Brent Kennedy