Re: SNI vs hdr(host) ACL

2015-10-15 Thread Willy Tarreau
Hi, On Thu, Oct 15, 2015 at 11:14:18AM +, ACKERMANN, Thibaut (Thibaut)** CTR ** wrote: > Hi all, > > I have a HAproxy 1.5 setup which offloads SSL in front of multiple webservers. > My SSL certificate is a wildcard and we are balancing to different backends > based on the FQDN. > > My

Re: 1.6 segfaults

2015-10-15 Thread joel
Here is the config https://gist.github.com/joelmoss/1e90ceadae8a8305f7dd thx -- Joel Moss Sent with Airmail On 15 October 2015 at 12:21:42, Willy Tarreau (w...@1wt.eu) wrote: On Thu, Oct 15, 2015 at 12:06:08PM +0100, j...@developwithstyle.com wrote: > Hi all, so just installed 1.6 but am

Re: [blog] What's new in HAProxy 1.6

2015-10-15 Thread Krishna Kumar (Engineering)
Extremely useful, thanks a lot. On Thu, Oct 15, 2015 at 5:13 AM, Igor Cicimov wrote: > > On 14/10/2015 9:41 PM, "Baptiste" wrote: >> >> Hey, >> >> I summarized what's new in HAProxy 1.6 with some configuration >> examples in a blog post to help

1.6 segfaults

2015-10-15 Thread joel
Hi all, so just installed 1.6 but am seeing it crash regularly with segfaults… [86278081.318561] haproxy[22518]: segfault at 0 ip 7ff30397a988 sp 7fff01e0fdd0 error 4 in libssl.so.1.0.0[7ff30394+55000] [86278215.833184] haproxy[23656]: segfault at 7f1bbc00 ip 7f1bbeea1e2c sp

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Christopher Faulet
On 15/10/2015 10:51, Seri, Kim wrote: Hi, all HAProxy 1.6.0 crashes in multiple certificates environment as below, bind :443 ssl crt test.com.pem crt test2.com.pem ecdhe prime256v1 but, in single certificate environment, haproxy doesn't crash. bind :443 ssl crt test.com.pem ecdhe

RE: 1.6 segfaults

2015-10-15 Thread Joel Moss
One of them is, but I just removed the one that is not a wildcard and all seemed good - no crashes. Also tried passing a directory with just the two certs in it, but that also crashed after a few minutes -- Joel Moss Sent with Airmail On 15 October 2015 at 13:06:08, Lukas Tribus

Re: 1.6 segfaults

2015-10-15 Thread Willy Tarreau
On Thu, Oct 15, 2015 at 12:06:08PM +0100, j...@developwithstyle.com wrote: > Hi all, so just installed 1.6 but am seeing it crash regularly with > segfaults… > > [86278081.318561] haproxy[22518]: segfault at 0 ip 7ff30397a988 sp > 7fff01e0fdd0 error 4 in

Re: 1.6 segfaults

2015-10-15 Thread Joel Moss
So you may be right on the two certs on the same line bug. Just removed one of the certs and so far, so good. Can you verify? -- Joel Moss Sent with Airmail On 15 October 2015 at 12:28:35, j...@developwithstyle.com (j...@developwithstyle.com) wrote: Here is the config

RE: 1.6 segfaults

2015-10-15 Thread Lukas Tribus
> So you may be right on the two certs on the same line bug. Just removed > one of the certs and so far, so good. Can you verify? Are both or one of them (first or second one) wildcard certificates? Thanks, Lukas

SNI vs hdr(host) ACL

2015-10-15 Thread ACKERMANN, Thibaut (Thibaut)** CTR **
Hi all, I have a HAproxy 1.5 setup which offloads SSL in front of multiple webservers. My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN. My frontend config looks like this : ... frontend my-frontend bind ip:443 ssl crt

Re: 1.6 segfaults

2015-10-15 Thread joel
My config is fairly complex, but let me see what I can do. And actually, I do use two certs on the same line, but this was never a problem with 1.5.* -- Joel Moss Sent with Airmail On 15 October 2015 at 12:21:42, Willy Tarreau (w...@1wt.eu) wrote: On Thu, Oct 15, 2015 at 12:06:08PM +0100,

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Seri , Kim
Christopher Faulet writes: > I confirm the bug. Here is a very quick patch. Could you confirm that it > works for you ? > Hi, I can confirm this patch fixes the crash!! cf. because of my mail service, I've changed my e-mail Thanks a lot. Seri

Re: 1.6 segfaults

2015-10-15 Thread Christopher Faulet
On 15/10/2015 13:49, Joel Moss wrote: So you may be right on the two certs on the same line bug. Just removed one of the certs and so far, so good. Can you verify? FYI, I submit a quick patch[1]. Could you check it ? [1] https://www.mail-archive.com/haproxy@formilux.org/msg19948.html --

RE: 1.6 segfaults

2015-10-15 Thread Joel Moss
OK, so I just applied the patch from http://marc.info/?l=haproxy=144491072111043=2 and so far, so good without any crashes. -- Joel Moss Sent with Airmail On 15 October 2015 at 13:11:21, Joel Moss (j...@joelmoss.info) wrote: One of them is, but I just removed the one that is not a wildcard

Re: DNS resolvers issue with haproxy 1.6

2015-10-15 Thread Baptiste
On Thu, Oct 15, 2015 at 11:02 AM, Øyvind Johnsen wrote: > Sorry about the mixing of topics. I will repost the SSL question when I am > done investigating the DNS topic which currently is the deal breaker :) Thanks a lot! > I did some DNS packet sniffing and it seems the

Fwd: DNS resolvers issue with haproxy 1.6

2015-10-15 Thread Øyvind Johnsen
Sorry about the mixing of topics. I will repost the SSL question when I am done investigating the DNS topic which currently is the deal breaker :) I did some DNS packet sniffing and it seems the problem is that haproxy does a type=ANY request to DNS for the domain names, and weave-DNS then

Re: DNS resolvers issue with haproxy 1.6

2015-10-15 Thread Baptiste
On Thu, Oct 15, 2015 at 10:24 AM, Øyvind Johnsen wrote: > Hi all, > > We are running HAProxy on our Docker / Swarm / Weave cluster also featuring > Weave-DNS for service discovery between the containers in the cluster. We are > deploying fairly often to the cluster for both

DNS resolvers issue with haproxy 1.6

2015-10-15 Thread Øyvind Johnsen
Hi all, We are running HAProxy on our Docker / Swarm / Weave cluster also featuring Weave-DNS for service discovery between the containers in the cluster. We are deploying fairly often to the cluster for both dev and stage environments and were very happy to see the DNS Resolvers feature

Re: HAProxy 1.6 and HAProxy EE

2015-10-15 Thread Baptiste
Hi Jonathan, First, we don't speak about "license", since HAPEE is open source. We speak about "subscription". Second, please send your HAPEE related questions to supp...@haproxy.com directly :) When writing to support, send the list of backports you'd like and we'll answer you quickly. Be

haproxy 1.6.0 crashes

2015-10-15 Thread Seri, Kim
Hi, all HAProxy 1.6.0 crashes in multiple certificates environment as below, bind :443 ssl crt test.com.pem crt test2.com.pem ecdhe prime256v1 but, in single certificate environment, haproxy doesn't crash. bind :443 ssl crt test.com.pem ecdhe prime256v1 after applying commit d2cab92,

Segfault bug in 1.6.0 release (SNI related maybe)

2015-10-15 Thread Øyvind Johnsen
Hi, When testing the 1.6.0 release we encountered a segfault bug on the server when trying to run the https://www.ssllabs.com/ssltest/ test on our two sites running with two different SSL certs. The test runs fine when it's run against one of the sites / certificates, but when run against the

RE: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Lukas Tribus
Hi folks, > Hey guys, > > by default, HAProxy tries to resolve server IPs using an ANY query > type, then fails over to resolve-prefer type, then to "remaining" > type. > So ANY -> A -> or ANY -> -> A. We can't really rely on ANY queries, no. Also see [1], [2]. > Today, 0yvind

RE: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Lukas Tribus
> Jan, a fellow HAProxy user, already reported me that ANY query types > are less and less fashionable (for many reasons I'm not going to develop > here). > > Amongst the many ways to fix this issue, the one below has my preference: > A new resolvers section directive (flag in that case) which prevents >

SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Jesse Hathaway
From my reading of the code SIGUSR1 does not send a "Connection: close" to the client or server. This means it is not possible to safely close a keep-alive session, before terminating HAProxy. Would there be interest in a patch to send "Connection: close" on both the request and the response,

Re: Documentation problems for 1.6

2015-10-15 Thread Thierry FOURNIER
On Wed, 14 Oct 2015 08:00:27 -0600 Shawn Heisey wrote: > Just FYI, in case you don't already know, I have some problems to report > with the documentation links on the website. > > The 1.6 HTML documentation links on haproxy.org have "1.7-dev0" at the top: > >

[call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Baptiste
Hey guys, by default, HAProxy tries to resolve server IPs using an ANY query type, then fails over to resolve-prefer type, then to "remaining" type. So ANY -> A -> or ANY -> -> A. In some cases, ANY query type is ignored or response contains no records, which leads HAProxy to try next

Re: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Robin Geuze
Hey Baptiste, Using ANY queries for this kind of stuff is considered by most people to be a bad practice since besides all the things you named it can lead to incomplete responses. Basically a resolver is allowed to just return whatever it has in cache when it receives an ANY query instead of

[PATCH] BUG: ssl: Fix conditions to release SSL_CTX when a SSL connection is closed

2015-10-15 Thread Christopher Faulet
Hi, Here is a proper patch to fix the recent bug reported on haproxy 1.6.0 when SNI is used. Willy, I didn't wait for your reply to speed-up the code review. But if there is any problem with this patch, let me know. Regards, -- Christopher Faulet From c89e1256113aa36826b00706094ccde98490684d

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Christopher Faulet
On 15/10/2015 14:45, Seri, Kim wrote: Christopher Faulet writes: I confirm the bug. Here is a very quick patch. Could you confirm that it works for you ? Hi, I can confirm this patch fixes the crash!! cf. because of my mail service, I've changed my e-mail Thanks a lot.

RE: Segfault bug in 1.6.0 release (SNI related maybe)

2015-10-15 Thread Lukas Tribus
Hi Øyvind, > Hi, > > When testing the 1.6.0 release we encountered a segfault bug on the > server when trying to run the https://www.ssllabs.com/ssltest/ test on > our two sites running with two different SSL certs. The test runs fine > when it's run against one of the sites / certificates, but

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Willy Tarreau
Hi Christopher, On Thu, Oct 15, 2015 at 03:22:52PM +0200, Christopher Faulet wrote: > On 15/10/2015 14:45, Seri, Kim wrote: > >Christopher Faulet writes: > > > >>I confirm the bug. Here is a very quick patch. Could you confirm that it > >>works for you ? > >> > > > >Hi, > > > >I

Re: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Robin Geuze
Actually, I just asked one of the powerdns devs, and their recursor/resolver implementation does actually only return what is in its cache when answering an ANY query. On 10/15/2015 4:46 PM, Robin Geuze wrote: Hey Baptiste, Using ANY queries for this kind of stuff is considered by most

responses from disabled servers

2015-10-15 Thread David Martin
I just want to say first of all that haproxy is incredibly useful and I've enjoyed working with it tremendously. Thank you! My question is if a server is disabled because of a failed http health check and there are requests in flight, will the requests from the disabled app be returned to the

RE: SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Lukas Tribus
Hi, >> If the session is transferring HTTP body between client and backend server, >> we >> can't insert HTTP headers either. If you are waiting for the next request >> in that particular session, why wouldn't we just close it after the HTTP body >> has been transferred? > > That would be fine,

RE: responses from disabled servers

2015-10-15 Thread Lukas Tribus
Hi David, > I just want to say first of all that haproxy is incredibly useful and > I've enjoyed working with it tremendously. Thank you! > > My question is if a server is disabled because of a failed http health > check and there are requests in flight, will the requests from the > disabled app

Re: SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Jesse Hathaway
On Thu, Oct 15, 2015 at 2:11 PM, Lukas Tribus wrote: > When specifically would you intervene? Could you elaborate what you > have in mind? My goal is to shutdown a HAProxy daemon without interrupting any inflight requests or responses. > If the session is transferring HTTP

Re: Resolvable host names in backend server throw invalid address error

2015-10-15 Thread Baptiste
On 16 Oct 2015 06:27, "Mark Betz" wrote: > > Hi, I have a hopefully quick question about setting up backends for resolvable internal service addresses. > > We are putting together a cluster on Google Container Engine (kubernetes) and have haproxy deployed in a

Resolvable host names in backend server throw invalid address error

2015-10-15 Thread Mark Betz
Hi, I have a hopefully quick question about setting up backends for resolvable internal service addresses. We are putting together a cluster on Google Container Engine (kubernetes) and have haproxy deployed in a container based on Ubuntu 14.04 LTS. Our backend server specifications are declared

RE: SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Lukas Tribus
> From my reading of the code SIGUSR1 does not send a "Connection: close" to the > client or server. This means it is not possible to safely close a keep-alive > session, before terminating HAProxy. > > Would there be interest in a patch to send "Connection: close" on both the > request and the

Re: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Jeff Palmer
I second this opinion. Removing ANY altogether would be the best case. In reality, I think it should use the OS's resolver libraries which in turn will honor whatever the admin has configured for preference order at the base OS level. As a sysadmin, one should reasonably expect that

RE: [call to comment] HAProxy's DNS resolution default query type

2015-10-15 Thread Lukas Tribus
> I second this opinion. Removing ANY altogether would be the best case. > > In reality, I think it should use the OS's resolver libraries which > in turn will honor whatever the admin has configured for preference > order at the base OS level. > > > As a sysadmin, one should reasonably expect

Re: SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Jesse Hathaway
On Thu, Oct 15, 2015 at 12:26 PM, Lukas Tribus wrote: > What request/response, aren't we talking about an idle session here? No, I am concerned with a non idle persistent session.

RE: SIGUSR1 soft stop does not send "Connection: close"

2015-10-15 Thread Lukas Tribus
> On Thu, Oct 15, 2015 at 12:26 PM, Lukas Tribus wrote: >> What request/response, aren't we talking about an idle session here? > > No, I am concerned with a non idle persistent session. When specifically would you intervene? Could you elaborate what you have in mind? If

Re: Segfault bug in 1.6.0 release (SNI related maybe)

2015-10-15 Thread Øyvind Johnsen
Hi. I can confirm this fixes the crash / segfault when running the ssllabs tests against my HAProxy instance :) Now we are happily running a 1.6.0 frontend for our Docker / Swarm cluster !! Best regards Øyvind Johnsen System Admin +47 99242547 +852 67157472 On Thu, Oct 15, 2015 at 4:32 PM,