Re: Potential Bug

2015-11-03 Thread Michael Crilly
Great ideas. Email marked as a todo for tomorrow. Will report back. 

Thanks. 

- Michael C. 

On 3 Nov 2015, at 18:32, Lukas Tribus wrote:

>> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
>> installed via standard repositories.
>> 
>> I don't want to go into debugging levels of detail here, but instead
>> will provide a synopsis in the hopes someone knows of a bug already or
>> can confirm it warrants further investigation.
> 
> Some proposals that would help nail it down:
> - can you provide a gdb backtrace (catch the coredump or start haproxy
>   with gdb directly)
> - try (as a workaround) without chroot
> - try (as an alternative trigger) with
>   openssl s_client -cipher LOW -connect  instead of the
>   ssl test
> 
> 
> I don't think the bug is in haproxy, I think you may hit some obscure
> problem in the openssl library, similar to this here:
> http://blog.tinola.com/?e=36
> 
> 
> Maybe that problem reappeared in CentOS 7.1.
> 
> 
> 
> Regards,
> 
> Lukas
> 
> 



RE: Potential Bug

2015-11-03 Thread Lukas Tribus
> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
> installed via standard repositories.
>
> I don't want to go into debugging levels of detail here, but instead
> will provide a synopsis in the hopes someone knows of a bug already or
> can confirm it warrants further investigation.

Some proposals that would help nail it down:
- can you provide a gdb backtrace (catch the coredump or start haproxy
  with gdb directly)
- try (as a workaround) without chroot
- try (as an alternative trigger) with
  openssl s_client -cipher LOW -connect  instead of the
  ssl test


I don't think the bug is in haproxy, I think you may hit some obscure
problem in the openssl library, similar to this here:
http://blog.tinola.com/?e=36


Maybe that problem reappeared in CentOS 7.1.



Regards,

Lukas

  


Re: GET HAPROXY HOST INFO VIA Api/JSON

2015-11-03 Thread Willy Tarreau
On Mon, Nov 02, 2015 at 09:27:45AM +0100, Baptiste wrote:
> I was delivering the "quick" answer to have this feature right now :)
> 
> This is a need we identified and I already talked to Willy about it.
> There is technically nothing against such feature.
> We need time or resource to develop it.
> If you want to contribute, write a function similar to csv_enc() in
> src/standard.c.

Not exactly, as csv_enc() is only used to encode one string at a time. The
proper approach is to change the stats output to emit an indexed array for
values that will be used both by the existing CSV and HTML outputs. Then
it will be much easier to emit JSON as well. I'm not interested in seeing
any work towards JSON before addressing the current model. Indeed, most of
the information is present in the HTML output and is not available through
CSV. So if we're going to have a third output format with even different
fields, it becomes a real mess.

So to summarize, here are the actions :

  1) scrutinize the HTML output format to enumerate all the data we need to
     get ; HTML output will not be allowed to perform any computation anymore,
     only representation. So each value needs to have one entry ;

  2) create a huge enum and assign non-ambiguous names to each value ; declare
     an array of "values" (I think we need 64bit ints and strings at least). We
     can have two arrays if we suffix each enum with its type (eg: FOO_S for a
     string, FOO_I for an int, maybe later FOO_F for a float).

  3) write a function to fill th{is,ese} array[s] for the current proxy and
     server

  4) reimplement HTML and CSV outputs by calling this function and picking the
     values from the indexed array[s]. The iterators are still in these output
     formats which serve as templates.

  5) write the equivalent JSON output

  6) add the ability to request JSON output on the HTTP stats request line
     just like we have ";csv" for CSV. It may be nice to see if we can have
     something similar on the CLI at least for debugging, and possibly for
     better interfacing with monitoring daemons

  7) see how we can do the same for the global per-process info that are
     currently reported in the HTML version and in "show info" but not in
     the CSV output. I think the JSON output will be able to dump them at the
     same time as the other ones. Maybe for the HTTP access we'll just ask
     ";info" to get them in CSV format.

Willy
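
The plan in the message above, as an added C example (not HAProxy code and not posted in this thread): the values are filled once into an enum-indexed array of typed values, and the CSV and JSON outputs only format what is already in that array, with bounded writes and per-format string escaping. The field names, struct sample_srv and all function names are hypothetical, and always quoting CSV strings is a simplification.

```c
#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field list: one unambiguous name per exported value. */
enum stat_field { ST_PXNAME, ST_SVNAME, ST_SCUR, ST_BIN, ST_FIELDS };
static const char *const stat_names[ST_FIELDS] = { "pxname", "svname", "scur", "bin" };
enum out_fmt { OUT_CSV, OUT_JSON };

struct stat_val {
    enum { VT_STR, VT_I64 } type;
    union { const char *s; int64_t i; } u;
};

/* Constructed stand-in for one proxy/server pair. */
struct sample_srv { const char *px, *sv; int64_t cur_sess, bytes_in; };

/* Fill the array once; the emitter below only formats, it never computes. */
void fill_stats(const struct sample_srv *s, struct stat_val v[ST_FIELDS])
{
    v[ST_PXNAME] = (struct stat_val){ .type = VT_STR, .u.s = s->px };
    v[ST_SVNAME] = (struct stat_val){ .type = VT_STR, .u.s = s->sv };
    v[ST_SCUR]   = (struct stat_val){ .type = VT_I64, .u.i = s->cur_sess };
    v[ST_BIN]    = (struct stat_val){ .type = VT_I64, .u.i = s->bytes_in };
}

/* Bounded append: returns the new offset, or -1 once output is truncated. */
static int put(char *buf, size_t size, int off, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (off < 0 || (size_t)off >= size)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + off, size - off, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= size - off) ? -1 : off + n;
}

/* Integers as-is; strings quoted (JSON backslash escapes, CSV doubled quotes). */
static int put_val(char *buf, size_t size, int off, const struct stat_val *v, int json)
{
    if (v->type == VT_I64)
        return put(buf, size, off, "%" PRId64, v->u.i);
    off = put(buf, size, off, "\"");
    for (const char *s = v->u.s ? v->u.s : ""; *s; s++) {
        unsigned char c = (unsigned char)*s;

        if (json && (c == '"' || c == '\\'))
            off = put(buf, size, off, "\\%c", c);
        else if (json && c < 0x20)
            off = put(buf, size, off, "\\u%04x", c);
        else if (!json && c == '"')
            off = put(buf, size, off, "\"\"");
        else
            off = put(buf, size, off, "%c", c);
    }
    return put(buf, size, off, "\"");
}

/* One record as a CSV line or a JSON object, picked from the same array.
 * Returns the number of bytes written, or -1 if buf was too small. */
int emit(const struct stat_val v[ST_FIELDS], char *buf, size_t size, enum out_fmt fmt)
{
    int json = (fmt == OUT_JSON);
    int off = json ? put(buf, size, 0, "{") : 0;

    for (int f = 0; f < ST_FIELDS; f++) {
        if (json)
            off = put(buf, size, off, "\"%s\":", stat_names[f]);
        off = put_val(buf, size, off, &v[f], json);
        off = put(buf, size, off, "%s", f + 1 < ST_FIELDS ? "," : json ? "}" : "\n");
    }
    return off;
}
```

Adding a field means one enum entry, one name and one line in fill_stats(); both output formats pick it up without further changes.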




Re: [ANNOUNCE] haproxy-1.6.2

2015-11-03 Thread Pavlos Parissis


On 03/11/2015 11:32 AM, Willy TARREAU wrote:
> Hi,
> 
> some extra bugs were found and fixed since 1.6.1, and since they can
> cause trouble, here comes 1.6.2. In short, a bug in the DNS parser could
> lead to an endless loop, and another bug in the HTTP connection reuse code
> could cause a crash if a redirect was performed between two connections to
> the same server on the same session. The other ones are less important but
> everyone will prefer to have them fixed of course.
> 
> Now things are stabilizing, I hope to be able to focus on new developments
> again soon.
> 
> Full changelog below :
> - BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0
> - DOC: fix a typo for a "deviceatlas" keyword
> - FIX: small typo in an example using the "Referer" header
> - BUG/MEDIUM: config: count memory limits on 64 bits, not 32
> - BUG/MAJOR: dns: first DNS response packet not matching queried hostname may lead to a loop
> - BUG/MINOR: dns: unable to parse CNAMEs response
> - BUG/MINOR: examples/haproxy.init: missing brace in quiet_check()
> - DOC: deviceatlas: more example use cases.
> - BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin.

The above may make some packagers a bit unhappy:-) It broke my fully
automated process:
git pull;make git-tar;build;push to production:-)

I had to introduce a search-replace in SPEC file for the build process
to force the TARGET, I could add EXTRA variable in the make call for
install-bin. See below the SPEC file.

%build
regparm_opts=
%ifarch %ix86 x86_64
regparm_opts="USE_REGPARM=1"
%endif
target_kernel="linux2628"
%if 0%{?rhel} < 6
target_kernel="linux26"
%endif

# Make sure TARGET is the same on each invocation of make
sed -i -e "/^TARGET =/s/=/= ${target_kernel}/" Makefile


make %{?_smp_mflags} SMALL_OPTS="-DMAX_HOSTNAME_LEN=42" CPU="generic" \
    USE_PCRE=1 USE_ZLIB=1 USE_OPENSSL=1 ${regparm_opts} ADDINC="%{optflags}" \
    USE_LINUX_TPROXY=1 CFLAGS="${CFLAGS} $(pcre-config --cflags)"

pushd contrib/halog
%{__make} ${halog} OPTIMIZE="%{optflags}"
popd

pushd contrib/iprange
%{__make} iprange OPTIMIZE="%{optflags}"
popd

%install
rm -rf %{buildroot}
make install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix}
make install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}

Cheers,
Pavlos





[ANNOUNCE] haproxy-1.6.2

2015-11-03 Thread Willy TARREAU
Hi,

some extra bugs were found and fixed since 1.6.1, and since they can
cause trouble, here comes 1.6.2. In short, a bug in the DNS parser could
lead to an endless loop, and another bug in the HTTP connection reuse code
could cause a crash if a redirect was performed between two connections to
the same server on the same session. The other ones are less important but
everyone will prefer to have them fixed of course.

Now things are stabilizing, I hope to be able to focus on new developments
again soon.

Full changelog below :
- BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0
- DOC: fix a typo for a "deviceatlas" keyword
- FIX: small typo in an example using the "Referer" header
- BUG/MEDIUM: config: count memory limits on 64 bits, not 32
- BUG/MAJOR: dns: first DNS response packet not matching queried hostname may lead to a loop
- BUG/MINOR: dns: unable to parse CNAMEs response
- BUG/MINOR: examples/haproxy.init: missing brace in quiet_check()
- DOC: deviceatlas: more example use cases.
- BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin.
- BUG/MAJOR: http: don't requeue an idle connection that is already queued
- DOC: typo on capture.res.hdr and capture.req.hdr
- BUG/MINOR: dns: check for duplicate nameserver id in a resolvers section was missing
- CLEANUP: use direction names in place of numeric values
- BUG/MEDIUM: lua: sample fetches based on response doesn't work

Usual URLs below :
Site index       : http://www.haproxy.org/
Sources          : http://www.haproxy.org/download/1.6/src/
Git repository   : http://git.haproxy.org/git/haproxy-1.6.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.6.git
Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy




[SPAM] ssl getting the wrong certificate once in a while

2015-11-03 Thread Guillaume Bourque
Hi all,

I have a very weird problem and need your help if you have any idea !

here is my very simple setup

...
frontend  www_https
    bind 169.54.85.244:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem
    bind 169.54.85.249:443 ssl crt /etc/pki/tls/certs/www.domain1.com.pem

    http-request set-header X-Forwarded-Proto https

    use_backend wcweb   if url_bm-full

frontend  www_soap
    bind 169.54.85.244:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem
    bind 169.54.85.249:8000 ssl crt /etc/pki/tls/certs/star.domain2.ca.pem

    acl wc_soap_port dst_port 8000

    use_backend wcsoap  if wc_soap_port


Whenever I connect on the 8000 port I get the correct cert 75 % of the time,
the rest I’m getting the other certs that should only be on port 443

Here is how I get the certificate ?

echo|openssl s_client -connect sphsoap100.bmtc.ca:8000 |openssl x509 -text -noout 2>&1| grep www.domain1.com

I try with haproxy 1.5.14 ( haproxy-1.5.14-1.el6.src.rpm) and haproxy 1.5.4 
(haproxy-1.5.4-2.el6_7.1.src.rpm)


If I try with openssl on port 443 I always get the correct cert which is the 
first one but for the second one I have less luck ;-(

Any info from you would be great.

Guillaume

---
Guillaume Bourque, B.Sc.,

Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-11-03 Thread James Brown
Attached is a `git-format-patch`-formatted patch with some extra strduping
and freeing.



On Fri, Oct 30, 2015 at 11:39 PM, Willy Tarreau wrote:

> Hi James,
>
> On Wed, Oct 28, 2015 at 10:27:22AM -0700, James Brown wrote:
> > Sorry for being thickheaded, Willy, but what's your decision here - do you
> > want me to make it per-Backend instead of per-Server, or do you want to
> > merge it as-is?
>
> Well, I think we can take it as-is then. The per-server setting doesn't
> block the ability to later add a per-backend setting anyway. However you
> need to fix one point in the patch : the string must be allocated per
> server (so that we don't cause double-free when releasing it on exit).
> Please use strdup() to allocate the string from the default server, and
> please call free() on the server's string before assigning a new one, so
> that we don't leak small memory chunks when setting multiple default-server
> entries. Same when creating a new proxy (look for "fwdfor_hdr_name" as a
> hint about where you should have to free(defproxy->agent_send)). Also please
> ensure that you properly assign the string from the default proxy's
> default-server to the current proxy's. fwdfor_hdr_name is properly set
> regarding this so you won't have to search too long.
>
> Last point, please build your patch using "git format-patch", so that I
> can simply apply it. You used "git show", which is sufficient for a review
> but requires manual modifications. If you have a single patch in your
> branch, you can simply use "git format-patch -1" and you'll get the patch
> for the latest commit.
>
> Thanks!
> Willy
>
>


-- 
James Brown
Engineer


0001-Add-agent-send-server-parameter.patch
Description: Binary data


Re: Multiplexing multiple services behind one agent (feature suggestion; patch attached)

2015-11-03 Thread Willy Tarreau
On Tue, Nov 03, 2015 at 03:12:59PM -0800, James Brown wrote:
> Attached is a `git-format-patch`-formatted patch with some extra strduping
> and freeing.

Thank you. I've just removed the two unneeded "if != NULL" before the free(),
and merged it.

Willy
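
The ownership rule discussed in this thread, as an added C example (not the attached patch and not HAProxy code): each server gets its own duplicate of the default-server string, the old string is freed before a new one is assigned, and free() is called without a NULL guard. struct srv and all function names are hypothetical; only the agent_send field name comes from the thread, and the string values are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down server object. */
struct srv { char *agent_send; };

/* Same contract as POSIX strdup(), written out so this builds as strict ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);

    return p ? memcpy(p, s, n) : NULL;
}

/* BROKEN, kept for contrast: the server borrows the default-server's pointer,
 * so releasing both objects on exit frees the same chunk twice. */
void srv_inherit_shared(struct srv *s, const struct srv *defsrv)
{
    s->agent_send = defsrv->agent_send;
}

/* Give the server a private copy of val (NULL clears the setting).
 * The copy is made before the old string is freed, so an allocation failure
 * keeps the old value and val may alias s->agent_send.
 * Returns 0 on success, -1 on allocation failure. */
int srv_set_agent_send(struct srv *s, const char *val)
{
    char *copy = NULL;

    if (val && !(copy = dup_str(val)))
        return -1;
    free(s->agent_send);    /* free(NULL) is a no-op, no "if != NULL" needed */
    s->agent_send = copy;
    return 0;
}

/* Fixed inheritance: every server owns its own duplicate. */
int srv_inherit(struct srv *s, const struct srv *defsrv)
{
    return srv_set_agent_send(s, defsrv->agent_send);
}

/* Release on exit; clearing the pointer makes a repeated call harmless. */
void srv_release(struct srv *s)
{
    free(s->agent_send);
    s->agent_send = NULL;
}

/* Two default-server lines, two servers inheriting, then release on exit.
 * Returns 0 when every server ended up with its own copy. */
int demo(void)
{
    struct srv def = { NULL }, a = { NULL }, b = { NULL };
    int ok = 0;

    if (srv_set_agent_send(&def, "first\n") == 0 &&
        srv_set_agent_send(&def, "svc-a\n") == 0 &&   /* "first\n" freed here */
        srv_inherit(&a, &def) == 0 && srv_inherit(&b, &def) == 0)
        ok = a.agent_send != def.agent_send && a.agent_send != b.agent_send &&
             strcmp(b.agent_send, "svc-a\n") == 0;
    srv_release(&def);
    srv_release(&a);
    srv_release(&b);
    return ok ? 0 : -1;
}

int main(void)
{
    return demo() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```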




Re: Echo server in Lua

2015-11-03 Thread Baptiste
On Tue, Nov 3, 2015 at 5:53 AM, Thrawn wrote:
> Now that HAProxy has Lua support, I'm looking at the possibility of setting 
> up an echo server, which simply responds with the observed remote address of 
> the client (currently implemented in PHP as  $_SERVER['REMOTE_ADDRESS']; ?>).
>
>
> Does anyone have a suggestion of the most efficient possible implementation 
> of this? If possible, it should handle millions of clients polling it 
> regularly, so speed is essential.
>
>
> Thanks
>

Hi,

content of echo.lua file:

-- a simple echo server
-- it generates a response whose body contains the client IP address
core.register_action("echo", { "http-req" }, function (txn)
    local buffer = ""
    local response = ""

    buffer = txn.f:src()

    response = response .. "HTTP/1.0 200 OK\r\n"
    response = response .. "Server: haproxy-lua/echo\r\n"
    response = response .. "Content-Type: text/html\r\n"
    response = response .. "Content-Length: " .. buffer:len() .. "\r\n"
    response = response .. "Connection: close\r\n"
    response = response .. "\r\n"
    response = response .. buffer

    txn.res:send(response)
    txn:done()
end)

content of haproxy's configuration:

global
  log 127.0.0.1 local0
  lua-load echo.lua

frontend echo
  bind *:10004
  mode http
  http-request lua.echo


Don't forget to set up timeouts, etc...

Baptiste