~20% of HAProxy forwarded requests missing x-forwarded-for?

2015-05-28 Thread Daurnimator
Hi! I've got a system here running HA-Proxy version 1.5-dev19 2013/06/17. The backend config contains: 'option forwardfor except 127.0.0.1'. However, the backend server seems to receive approximately 20% of requests without an x-forwarded-for. I haven't confirmed this at the socket layer yet, as thi

[SPAM] Re:Good appearance flood light.

2015-05-28 Thread Lauren
Hello my friend, Greetings of Lauren from Asia-Boslin. We were professional manufacturer of LED flood light since 2005. Now we have promotion for our new SMD flood light as below, see if you will be interested in also. Welcome to ask for details. Waiting for your comments. warm regards, Lauren Lauren Asia-BOSLIN optoelectroni

Re: Listening only server within backend

2015-05-28 Thread Willy Tarreau
On Thu, May 28, 2015 at 03:20:09PM +0200, Kevin Maziere wrote: > But I'm still thinking that such behaviour will be a good improvement in > haproxy :) In fact no. There has been a discussion about this a few years ago that could probably be found on the list. Doing so comes with a significant numb

Re: Recommendations for a new haproxy installation

2015-05-28 Thread Willy Tarreau
On Thu, May 28, 2015 at 10:43:37AM -0600, Shawn Heisey wrote: > On 4/30/2015 11:50 PM, Willy Tarreau wrote: > > If you're working on preparing the OS, please *do* verify that > > conntrack is properly tuned (large hash table with at least 1/4 of the > > total number of sessions). Otherwise under lo

Re: Recommendations for a new haproxy installation

2015-05-28 Thread Shawn Heisey
On 4/30/2015 11:50 PM, Willy Tarreau wrote: > If you're working on preparing the OS, please *do* verify that > conntrack is properly tuned (large hash table with at least 1/4 of the > total number of sessions). Otherwise under load it will become > extremely slow. When I asked about recommendation

Re: Listening only server within backend

2015-05-28 Thread mkzero
On Thu, May 28, 2015 at 03:20:09PM +0200, Kevin Maziere wrote: 2015-05-28 11:11 GMT+02:00 mkzero : On Thu, May 28, 2015 at 10:44:21AM +0200, Pavlos Parissis wrote: On 28/05/2015 10:14 πμ, Kevin Maziere wrote: 2015-05-26 17:02 GMT+02:00 Lukas Tribus mailto:luky...@hotmail.com>>: > Hi

Re: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Willy Tarreau
Hi Rémi, On Thu, May 28, 2015 at 05:45:43PM +0200, Remi Gacogne wrote: > > Just a question, does it make sense to have different dh-param files > > per key size so that depending on the cert key size we use a different > > file, or are they totally decorrelated ? > > I used to think that it made

Re: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Remi Gacogne
Hi, On 05/26/2015 11:09 PM, Willy Tarreau wrote: >> - a new configuration option, something like ssl-dh-param-file, allowing >> the use of a global DH parameters file (which may still be overridden by >> setting the DH parameters directly in a certificate file) ; > > Just a question, does it make

Re: Listening only server within backend

2015-05-28 Thread Kevin Maziere
2015-05-28 11:11 GMT+02:00 mkzero : > On Thu, May 28, 2015 at 10:44:21AM +0200, Pavlos Parissis wrote: > >> >> On 28/05/2015 10:14 πμ, Kevin Maziere wrote: >> >>> >>> >>> 2015-05-26 17:02 GMT+02:00 Lukas Tribus >> >: >>> >>> > Hi the list >>> > >>> > In my b

Re: Haproxy 1.5 ssl redirect

2015-05-28 Thread Sean Patronis
Unfortunately, that did not solve all the problems that proxypass and proxypassreverse do in Apache's mod_proxy. It may be an artifact of how we do our internal load balancing, but the information Baptiste sent me about mirroring the proxypass rules here: http://blog.haproxy.com/2014/04/28/h

One shirt bought = 1 free

2015-05-28 Thread Chemises Homme/Femme
Title: Newsletter - OZOA-chemises.com One shirt bought = 1 free | View the online version MEN'S SHIRTS     |     WOMEN'S BLOUSES     |     TIES     |     NEW ARRIVALS - Promotion on all shirts -

RE: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Lukas Tribus
>> If you refer to long EOL'ed system, then they probably don't support DHE at >> all. > > Alas EOL'ed systems don't hinder its use - even if it is unwise.. That's not what I'm saying. What I'm saying is that since they are so old they don't even support DHE, therefore the dh group doesn't matter.

[SPAM] led lights from YM TECH

2015-05-28 Thread Jesse
Dear Sir/Madam, Hello, this is Jesse. I am glad to send you this letter. I am a LED lighting supplier. Our factory is a professional LED lighting manufacturer with years' experience. Our products have good quality and pretty competitive price. Here is our website. Pls click here to know us and

RE: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Jens Dueholm Christensen
On Thursday, May 28, 2015 12:35 PM Lukas Tribus wrote: > > What about other clients (ie. browsers running on different OS > > combinations) - especially legacy systems? > > If you refer to long EOL'ed system, then they probably don't support DHE at > all. Alas EOL'ed systems don't hinder it

RE: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Lukas Tribus
> On Tuesday, May 26, 2015 5:12 PM Remi Gacogne wrote: > >> On 05/23/2015 08:47 AM, Willy Tarreau wrote: >>> Do you have any idea about the ratio of clients (on the net) which don't >>> support ECDHE right now but support DHE ? >> >> Basically, by totally removing DHE, we would be losing forward se

RE: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Jens Dueholm Christensen
On Tuesday, May 26, 2015 5:12 PM Remi Gacogne wrote: > On 05/23/2015 08:47 AM, Willy Tarreau wrote: > > Do you have any idea about the ratio of clients (on the net) which don't > > support ECDHE right now but support DHE ? > > Basically, by totally removing DHE, we would be losing forward secrecy

Re: stick-table and conn_rate question

2015-05-28 Thread Baptiste
On Wed, May 27, 2015 at 3:42 PM, Roland RoLaNd wrote: > managed to successfully reject access from specific users depending on > condition; but what I eventually want is to provide them with a certain page > instead of reject (redirect isn't an option) > > > backend phoenix > stick-table type stri

Re: Listening only server within backend

2015-05-28 Thread mkzero
On Thu, May 28, 2015 at 10:44:21AM +0200, Pavlos Parissis wrote: On 28/05/2015 10:14 πμ, Kevin Maziere wrote: 2015-05-26 17:02 GMT+02:00 Lukas Tribus mailto:luky...@hotmail.com>>: > Hi the list > > In my backend I've many servers, and I'd like to add some that receive > a cop

Re: Listening only server within backend

2015-05-28 Thread Pavlos Parissis
On 28/05/2015 10:14 πμ, Kevin Maziere wrote: > > > 2015-05-26 17:02 GMT+02:00 Lukas Tribus >: > > > Hi the list > > > > In my backend I've many servers, and I'd like to add some that receive > > a copy of all the requests arriving to the backend. Of

Re: Listening only server within backend

2015-05-28 Thread Kevin Maziere
2015-05-26 17:02 GMT+02:00 Lukas Tribus : > > Hi the list > > > > In my backend I've many servers, and I'd like to add some that receive > > a copy of all the requests arriving to the backend. Of course haproxy > > won't reply to them after sending the request. > > I don't find any option for 'ser

Re: A few thoughts on Haproxy and weakdh/logjam

2015-05-28 Thread Remi Gacogne
Hi Julien, On 05/27/2015 12:05 PM, Julien Vehent wrote: > This is by far the best write-up on DHE compatibility issues I've seen. > Would you mind organizing your research into something we could publish > on https://wiki.mozilla.org/Security/Server_Side_TLS ? > I've added some notes about compati