Hi,
On Thu, Oct 15, 2015 at 11:14:18AM +, ACKERMANN, Thibaut (Thibaut)** CTR **
wrote:
> Hi all,
>
> I have a HAproxy 1.5 setup which offloads SSL in front of multiple webservers.
> My SSL certificate is a wildcard and we are balancing to different backends
> based on the FQDN.
>
> My
Here is the config https://gist.github.com/joelmoss/1e90ceadae8a8305f7dd
thx
--
Joel Moss
Sent with Airmail
On 15 October 2015 at 12:21:42, Willy Tarreau (w...@1wt.eu) wrote:
On Thu, Oct 15, 2015 at 12:06:08PM +0100, j...@developwithstyle.com wrote:
> Hi all, so just installed 1.6 but am
Extremely useful, thanks a lot.
On Thu, Oct 15, 2015 at 5:13 AM, Igor Cicimov
wrote:
>
> On 14/10/2015 9:41 PM, "Baptiste" wrote:
>>
>> Hey,
>>
>> I summarized what's new in HAProxy 1.6 with some configuration
>> examples in a blog post to help
Hi all, so just installed 1.6 but am seeing it crash regularly with segfaults…
[86278081.318561] haproxy[22518]: segfault at 0 ip 7ff30397a988 sp
7fff01e0fdd0 error 4 in libssl.so.1.0.0[7ff30394+55000]
[86278215.833184] haproxy[23656]: segfault at 7f1bbc00 ip 7f1bbeea1e2c
sp
On 15/10/2015 10:51, Seri, Kim wrote:
Hi, all
HAProxy 1.6.0 crashes in a multiple-certificate environment, as below:
bind :443 ssl crt test.com.pem crt test2.com.pem ecdhe prime256v1
but in a single-certificate environment, haproxy doesn't crash.
bind :443 ssl crt test.com.pem ecdhe
One of them is, but I just removed the one that is not a wildcard and all
seemed good - no crashes. Also tried passing a directory with just the two
certs in it, but that also crashed after a few minutes
--
Joel Moss
Sent with Airmail
On 15 October 2015 at 13:06:08, Lukas Tribus
On Thu, Oct 15, 2015 at 12:06:08PM +0100, j...@developwithstyle.com wrote:
> Hi all, so just installed 1.6 but am seeing it crash regularly with
> segfaults…
>
> [86278081.318561] haproxy[22518]: segfault at 0 ip 7ff30397a988 sp
> 7fff01e0fdd0 error 4 in
So you may be right on the two certs on the same line bug. Just removed one of
the certs and so far, so good. Can you verify?
--
Joel Moss
Sent with Airmail
On 15 October 2015 at 12:28:35, j...@developwithstyle.com
(j...@developwithstyle.com) wrote:
Here is the config
> So you may be right on the two certs on the same line bug. Just removed
> one of the certs and so far, so good. Can you verify?
Are both or one of them (first or second one) wildcard certificates?
Thanks,
Lukas
Hi all,
I have a HAproxy 1.5 setup which offloads SSL in front of multiple webservers.
My SSL certificate is a wildcard and we are balancing to different backends
based on the FQDN.
My frontend config looks like this:
...
frontend my-frontend
bind ip:443 ssl crt
My config is fairly complex, but let me see what I can do. And actually, I do
use two certs on the same line, but this was never a problem with 1.5.*
--
Joel Moss
Sent with Airmail
On 15 October 2015 at 12:21:42, Willy Tarreau (w...@1wt.eu) wrote:
On Thu, Oct 15, 2015 at 12:06:08PM +0100,
Christopher Faulet writes:
> I confirm the bug. Here is a very quick patch. Could you confirm that it
> works for you ?
>
Hi,
I can confirm this patch fixes the crash!!
cf. because of my mail service, I've changed my e-mail
Thanks a lot.
Seri
On 15/10/2015 13:49, Joel Moss wrote:
So you may be right on the two certs on the same line bug. Just removed
one of the certs and so far, so good. Can you verify?
FYI, I submit a quick patch[1]. Could you check it ?
[1] https://www.mail-archive.com/haproxy@formilux.org/msg19948.html
--
OK, so I just applied the patch from
http://marc.info/?l=haproxy=144491072111043=2 and so far, so good without
any crashes.
--
Joel Moss
Sent with Airmail
On 15 October 2015 at 13:11:21, Joel Moss (j...@joelmoss.info) wrote:
One of them is, but I just removed the one that is not a wildcard
On Thu, Oct 15, 2015 at 11:02 AM, Øyvind Johnsen wrote:
> Sorry about the mixing of topics. I will repost the SSL question when I am
> done investigating the DNS topic which currently is the deal breaker :)
Thanks a lot!
> I did some DNS packet sniffing and it seems the
Sorry about the mixing of topics. I will repost the SSL question when I am
done investigating the DNS topic which currently is the deal breaker :)
I did some DNS packet sniffing and it seems the problem is that haproxy
does a type=ANY request to DNS for the domain names, and weave-DNS then
On Thu, Oct 15, 2015 at 10:24 AM, Øyvind Johnsen wrote:
> Hi all,
>
> We are running HAProxy on our Docker / Swarm / Weave cluster also featuring
> Weave-DNS for service discovery between the containers in the cluster. We are
> deploying fairly often to the cluster for both
Hi all,
We are running HAProxy on our Docker / Swarm / Weave cluster also featuring
Weave-DNS for service discovery between the containers in the cluster. We are
deploying fairly often to the cluster for both dev and stage environments and
was very happy to see the DNS Resolvers feature
Hi Jonathan,
First, we don't speak about "license", since HAPEE is open source. We
speak about "subscription".
Second, please send your HAPEE related questions to
supp...@haproxy.com directly :)
When writing to support, send the list of backports you'd like and
we'll answer you quickly.
Be
Hi, all
HAProxy 1.6.0 crashes in a multiple-certificate environment, as below:
bind :443 ssl crt test.com.pem crt test2.com.pem ecdhe prime256v1
but in a single-certificate environment, haproxy doesn't crash.
bind :443 ssl crt test.com.pem ecdhe prime256v1
after applying commit d2cab92,
Hi,
When testing the 1.6.0 release we encountered a segfault bug on the
server when trying to run the https://www.ssllabs.com/ssltest/ test on
our two sites running with two different SSL certs. The test runs fine
when it's run against one of the sites / certificates, but when run
against the
Hi folks,
> Hey guys,
>
> by default, HAProxy tries to resolve server IPs using an ANY query
> type, then fails over to resolve-prefer type, then to "remaining"
> type.
> So ANY -> A -> or ANY -> -> A.
We can't really rely on ANY queries, no. Also see [1], [2].
> Today, 0yvind
> Jan, a fellow HAProxy user, already reported me that ANY query types
> are less and less fashion (for many reasons I'm not going to develop
> here).
>
> Among the many ways to fix this issue, the one below has my preference:
> A new resolvers section directive (flag in that case) which prevent
>
From my reading of the code SIGUSR1 does not send a "Connection: close" to the
client or server. This means it is not possible to safely close a keep-alive
session, before terminating HAProxy.
Would there be interest in a patch to send "Connection: close" on both the
request and the response,
On Wed, 14 Oct 2015 08:00:27 -0600
Shawn Heisey wrote:
> Just FYI, in case you don't already know, I have some problems to report
> with the documentation links on the website.
>
> The 1.6 HTML documentation links on haproxy.org have "1.7-dev0" at the top:
>
>
Hey guys,
by default, HAProxy tries to resolve server IPs using an ANY query
type, then fails over to resolve-prefer type, then to "remaining"
type.
So ANY -> A -> or ANY -> -> A.
In some cases, ANY query type is ignored or response contains no
records, which leads HAProxy to try next
Hey Baptiste,
Using ANY queries for this kind of stuff is considered by most people to
be a bad practice since besides all the things you named it can lead to
incomplete responses. Basically a resolver is allowed to just return
whatever it has in cache when it receives an ANY query instead of
Hi,
Here is a proper patch to fix the recent bug reported on haproxy 1.6.0
when SNI is used.
Willy, I didn't wait for your reply, to speed up the code review. But if
there is any problem with this patch, let me know.
Regards,
--
Christopher Faulet
>From c89e1256113aa36826b00706094ccde98490684d
On 15/10/2015 14:45, Seri, Kim wrote:
Christopher Faulet writes:
I confirm the bug. Here is a very quick patch. Could you confirm that it
works for you ?
Hi,
I can confirm this patch fixes the crash!!
cf. because of my mail service, I've changed my e-mail
Thanks a lot.
Hi Øyvind,
> Hi,
>
> When testing the 1.6.0 release we encountered a segfault bug on the
> server when trying to run the https://www.ssllabs.com/ssltest/ test on
> our two sites running with two different SSL certs. The test runs fine
> when it's run against one of the sites / certificates, but
Hi Christopher,
On Thu, Oct 15, 2015 at 03:22:52PM +0200, Christopher Faulet wrote:
> On 15/10/2015 14:45, Seri, Kim wrote:
> >Christopher Faulet writes:
> >
> >>I confirm the bug. Here is a very quick patch. Could you confirm that it
> >>works for you ?
> >>
> >
> >Hi,
> >
> >I
Actually, I just asked one of the powerdns devs, and their
recursor/resolver implementation does actually only return what is in
its cache when answering an ANY query.
On 10/15/2015 4:46 PM, Robin Geuze wrote:
Hey Baptiste,
Using ANY queries for this kind of stuff is considered by most
I just want to say first of all that haproxy is incredibly useful and
I've enjoyed working with it tremendously. Thank you!
My question is if a server is disabled because of a failed http health
check and there are requests in flight, will the requests from the
disabled app be returned to the
Hi,
>> If the session is transferring HTTP body between client and backend server,
>> we
>> can't insert HTTP headers either. If you are waiting for the next request
>> in that particular session, why wouldn't we just close it after the HTTP body
>> has been transferred?
>
> That would be fine,
Hi David,
> I just want to say first of all that haproxy is incredibly useful and
> I've enjoyed working with it tremendously. Thank you!
>
> My question is if a server is disabled because of a failed http health
> check and there are requests in flight, will the requests from the
> disabled app
On Thu, Oct 15, 2015 at 2:11 PM, Lukas Tribus wrote:
> When specifically would you intervene? Could you elaborate what you
> have in mind?
My goal is to shutdown a HAProxy daemon without interrupting any inflight
requests or responses.
> If the session is transferring HTTP
On 16 Oct 2015 06:27, "Mark Betz" wrote:
>
> Hi, I have a hopefully quick question about setting up backends for
resolvable internal service addresses.
>
> We are putting together a cluster on Google Container Engine (kubernetes)
and have haproxy deployed in a
Hi, I have a hopefully quick question about setting up backends for
resolvable internal service addresses.
We are putting together a cluster on Google Container Engine (kubernetes)
and have haproxy deployed in a container based on Ubuntu 14.04 LTS.
Our backend server specifications are declared
> From my reading of the code SIGUSR1 does not send a "Connection: close" to the
> client or server. This means it is not possible to safely close a keep-alive
> session, before terminating HAProxy.
>
> Would there be interest in a patch to send "Connection: close" on both the
> request and the
I second this opinion. Removing ANY altogether would be the best case.
In reality, I think it should use the OS's resolver libraries which
in turn will honor whatever the admin has configured for preference
order at the base OS level.
As a sysadmin, one should reasonably expect that
> I second this opinion. Removing ANY altogether would be the best case.
>
> In reality, I think it should use the OS's resolver libraries which
> in turn will honor whatever the admin has configured for preference
> order at the base OS level.
>
>
> As a sysadmin, one should reasonably expect
On Thu, Oct 15, 2015 at 12:26 PM, Lukas Tribus wrote:
> What request/response, aren't we talking about an idle session here?
No, I am concerned with a non idle persistent session.
> On Thu, Oct 15, 2015 at 12:26 PM, Lukas Tribus wrote:
>> What request/response, aren't we talking about an idle session here?
>
> No, I am concerned with a non idle persistent session.
When specifically would you intervene? Could you elaborate what you
have in mind?
If
Hi.
I can confirm this fixes the crash / segfault when running the ssllabs
tests against my HAProxy instance :)
Now we are happily running a 1.6.0 frontend for our Docker / Swarm cluster !!
Best regards
Øyvind Johnsen
System Admin
+47 99242547
+852 67157472
On Thu, Oct 15, 2015 at 4:32 PM,