On Wed, Oct 29, 2014 at 02:29:21PM -0700, Bryan Talbot wrote:
I think he wants to globally disable SSLv3 (by removing support at compile
time) so it can't be accidentally enabled in an errant bind option. There's
no way to disable SSLv3 globally in the haproxy config.
Then probably we should
Hi,
On Wed, Oct 29, Emeric Brun wrote:
I've just pushed to Willy a patch to produce the 2 new fetches to
retrieve frontend and client certificates in binary/DER format.
Is the client cert available when client reuses ssl session ?
(This is something I've never tested). I think somewhere in
Hi Willy,
I have tested both haproxy-1.5 and latest snapshot. HAProxy will crash
with the following configuration:
global
...
tune.bufsize 1024
tune.maxrewrite 0
frontend xxx
...
backend yyy
...
cookie cookie insert maxidle 300s
If client sends a request of which object
So currently with the last merged patch, we can directly encode the
header in base64:
http-request add-header Client-Cert %[ssl_c_der,base64]
And add pem's header/footer:
http-request add-header Client-Cert -BEGIN\ CERTIFICATE-\
%[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't
On 10/30/2014 10:38 AM, Emeric Brun wrote:
So currently with the last merged patch, we can directly encode the
header in base64:
http-request add-header Client-Cert %[ssl_c_der,base64]
And add pem's header/footer:
http-request add-header Client-Cert -BEGIN\ CERTIFICATE-\
this acl:
acl foo hdr bar
- would match any header in 1.4
- wouldn't match anything in 1.5
as 1.5 documentation doesn't mention using hdr without header name, it
should probably raise error in config parser.
--
konrad rzentarzewski -- System Administrator, Efigence S.A.
Office:
On Wed, Oct 29, 2014 at 08:24:31PM +0100, Lukas Tribus wrote:
Previous mail was somehow messed up, here is my proper response:
is there any sensible reason that value of ssloptions is hardcoded
instead of passed with config (ie. similarly to
ssl-default-bind-ciphers)?
i'd like to add
Hi,
You can disable SSLv3 among other things just fine in haproxy 1.5:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#no-sslv3%20%28Bind%20options%29
sorry, for not being clear.
i'd like this:
src/ssl_sock.c:
1469 long ssloptions =
1470 SSL_OP_ALL | /* all known
Hi Godbach,
[ and first, sorry for not having yet responded to your
other mail about caching ]
On Thu, Oct 30, 2014 at 05:07:15PM +0800, Godbach wrote:
Hi Willy,
I have tested both haproxy-1.5 and latest snapshot. HAProxy will crash
with the following configuration:
global
...
What would be the most convenient way to query haproxy for status of the
backend servers. I understand it is available on the stats page, but I
would like to implement a script to get the status. I am working on a
gtm module and would use the info to populate a dns server. Thanks
I found the link. It looks as though it is the 18th column. That will be
easy enough to parse.
Thank you.
Martijn Otto martijn.o...@copernica.com 10/30/2014 10:57 AM
On do, 2014-10-30 at 10:23 -0400, Richard Bassler wrote:
What would be the most convenient way to query haproxy for status of
main reasoning: all known workarounds for bugs as of compile time
might change in future (as new openssl bugs are being uncovered).
I still don't get it.
These are not openssl bugs, but workarounds in openssl for bugs in other
ssl libraries or applications.
not in all cases, some options
On 10/30/2014 04:19 PM, konrad rzentarzewski wrote:
On Thu, Oct 30, 2014 at 02:25:01PM +0100, Lukas Tribus wrote:
main reasoning: all known workarounds for bugs as of compile time
might change in future (as new openssl bugs are being uncovered).
I still don't get it.
These are not openssl
[ asymmetric hello ]
On Thu, Oct 30, 2014 at 04:19:34PM +0100, konrad rzentarzewski wrote:
i already did: stunnel.
And does it have any real use in the end ? In haproxy we have also done
totally pointless things that nobody has ever found a use for as well,
and we better try to forget them
Hi,
I just put haproxy into use on a site and while things seem to work I
noticed that the frontend shows 20 mio. sessions handled total but under
errors/req it shows a number of 5 mio. These 5 mio. seem to correspond
to the number of 4xx responses shown when I hover over the sessions/total
entry
On 30.10.2014 17:12, Dennis Jacobfeuerborn wrote:
Hi,
I just put haproxy into use on a site and while things seem to work I
noticed that the frontend shows 20 mio. sessions handled total but under
errors/req it shows a number of 5 mio. These 5 mio. seem to correspond
to the number of 4xx
On 10/21/2014 05:43 PM, John Leach wrote:
On 21/10/14 16:05, Ryan O'Hara wrote:
On Tue, Oct 21, 2014 at 04:56:31PM +0200, Thomas Heil wrote:
Hi,
On 21.10.2014 16:26, John Leach wrote:
Hi,
I'm trying to disable sslv3 with the no-sslv3 bind option, but it's
not working.
The option is
Hi Thomas, thanks for the suggestion! I'm hoping for a built-in solution
with the existing stats data. Would scur=0 on the server stats be an
accurate test? I'm dubious because I tested disabling http-server-close and
the active server in question still shows scur of 0 most of the time; the
Hi,
On 30.10.2014 19:13, Emeric Brun wrote:
On 10/21/2014 05:43 PM, John Leach wrote:
On 21/10/14 16:05, Ryan O'Hara wrote:
On Tue, Oct 21, 2014 at 04:56:31PM +0200, Thomas Heil wrote:
Hi,
On 21.10.2014 16:26, John Leach wrote:
Hi,
I'm trying to disable sslv3 with the no-sslv3 bind
I am running haproxy in front of an asp.net application. The application has
been running happily for a while!
Recently I have been running into very hard to trace errors. I could use
some guidance to further analyse the situation.
What happens is that one of my clients can predictably
Hello,
On Thu, Oct 30, 2014 at 08:55:15PM +0100, Evert wrote:
I am running haproxy in front of an asp.net application. The application has
been running happily for a while!
Recently I have been running into very hard to trace errors. I could use
some guidance to further analyse the
Hi,
Would you be interested in Agile Users or Industry specific List?
Data Field: verified Phone Number, Fax Number, Verified Email Address,
Employee Size, Revenue size, SIC Code, Industry Type and many more).
We also have other technology users like:
Water Fall
Scrum
Lean
Kanban
Madam, Sir,
90% of French companies have deficient organic search ranking in
Google.
A key player in search engine optimization in France since 2004, we offer
a high-quality annual service to position your business
in the first results of
Hi all!
At last, a release before the end of the week so that those of us with
a bad weather have something to do on Friday and something to fear for
the week-end :-)
Just as for 1.5.6 two weeks ago, we have a small bunch of fixes for 1.5.7.
- A nasty bug reported by Dmitry Sivachenko can
Willy,
thanks for the reply.
I did remove some of the information from the log but it was only the public ip
numbers, there was no port information. So I presume the port is the same on
all requests.
I also made the urls anonymous in the log by specifying www.customera.nl.
You did notice a
On Thu, Oct 30, 2014 at 11:45:41PM +0100, Evert van Es wrote:
Willy,
thanks for the reply.
I did remove some of the information from the log but it was only the public
ip numbers, there was no port information.
The default log format shows the port after the IP address, but indeed
in your
On 30.10.2014 19:01, Dennis Jacobfeuerborn wrote:
...
[30/Oct/2014:18:46:36.035] front-http front-http/NOSRV
-1/-1/-1/-1/19117 400 187 - - CR-- 49/49/0/0/0 0/0 BADREQ
...
So after a bit more googling I found the following mail thread that
mentions this as some sort of tcp pre-connect
Hi Guys,
I've searched the documentation but can't find a condition to set the
monitor fail to react to a page with error code 503. I have an apache
server which uses a jboss as proxy backend. So every time the jboss
stops, I have a 503 error page but haproxy does not react to that.
So how
Hi Willy,
On 2014/10/30 21:48, Willy Tarreau wrote:
Hi Godbach,
[ and first, sorry for not having yet responded to your
other mail about caching ]
Take it easy. :)
Yes, it looks fine to me, feel free to send a patch and tag it as BUG/MAJOR.
In the future we'll probably need to rework