Re: Is www.haproxy.org down?

2017-04-03 Thread Willy Tarreau
Hi Vivek,

On Mon, Apr 03, 2017 at 07:36:13PM -0500, Vivek Malik wrote:
> Hi,
> 
> I am getting 500 Internal Server Error on the haproxy.org website.
> Various websites like
> 
> http://downforeveryoneorjustme.com/www.haproxy.org
> http://www.isitdownrightnow.com/haproxy.org.html
> http://www.websitenotworking.com/haproxy.org
> 
> confirm that the website is down for them too.

It seems that the front cache has just died, switched back to the
old one now and that fixed it. I'll take a look to understand what's
happening.

Thanks,
Willy



Is www.haproxy.org down?

2017-04-03 Thread Vivek Malik
Hi,

I am getting 500 Internal Server Error on the haproxy.org website.
Various websites like

http://downforeveryoneorjustme.com/www.haproxy.org
http://www.isitdownrightnow.com/haproxy.org.html
http://www.websitenotworking.com/haproxy.org

confirm that the website is down for them too.

Regards,
Vivek



PATCH : CLEANUP

2017-04-03 Thread David CARLIER
Hi all,

This is a small, necessary change for OpenBSD at least; I hope it finds its
way. Kind regards.
From 334acf5219fcc3bad9c965ce9f8725a48444ff34 Mon Sep 17 00:00:00 2001
From: David Carlier 
Date: Mon, 3 Apr 2017 21:58:04 +0100
Subject: [PATCH] CLEANUP: server: moving netinet/tcp.h inclusion

netinet/tcp.h needs sys/types.h for u_int* types usage,
issue found while building on OpenBSD.
---
 src/server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 0795e256..23343d86 100644
--- a/src/server.c
+++ b/src/server.c
@@ -13,7 +13,6 @@
 
 #include 
 #include 
-#include 
 
 #include 
 
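Review bot: every `#include` line in this hunk has lost its file name (the angle-bracketed names are missing), so the patch cannot be applied or checked as shown; from the commit message the removed line is `#include <netinet/tcp.h>`, and the reviewer should confirm that the two includes left above it do not themselves rely on the u_int* types it needs.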
@@ -43,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 
 
 static void srv_update_state(struct server *srv, int version, char **params);
 static int srv_apply_lastaddr(struct server *srv, int *err_code);
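Review bot: the added include is appended to the include list at line 42 with nothing recording why it must sit there; since the whole point is that netinet/tcp.h needs sys/types.h first for the u_int* types (commit message), a one-line comment beside it, e.g. `/* must follow sys/types.h: needs u_int* (OpenBSD) */`, would stop a later include-sorting cleanup from moving it back up and reintroducing the OpenBSD build break.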
-- 
2.12.2



Re: ssl & default_backend

2017-04-03 Thread PiBa-NL

Hi Antonio,

On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:

> It's well documented that Windows XP with Internet Explorer doesn't
> support SNI, so I try to redirect calls through "default_backend", but I
> get ERROR-404; it works fine with all other combinations of OS/browser.
> If I (only for test purposes) comment the four lines with "ssiiprovincial"
> (which means all the traffic must be redirected through default_backend)
> it doesn't work with any OS/browser.
>
> frontend Aplicaciones
>  bind *:443
>  mode tcp
>  log global
>  tcp-request inspect-delay 5s
>  tcp-request content accept if { req_ssl_hello_type 1 }
>
>  # Parameters for using SNI (Server Name Indication)
>  acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>
>  use_backend CitrixSF-SSL if citrixsf
>  use_backend SevidoresWeblogic-12c-Balanceador-SSL

There is no ACL for the backend above, so probably the default_backend
below will never be reached.

Could it be that the above backend returns the 404 you're seeing?

>  default_backend CitrixSF-SSL


Regards,

PiBa-NL




Re: HaProxy Hang

2017-04-03 Thread Dave Cottlehuber
On Mon, 13 Mar 2017, at 13:31, David King wrote:
> Hi All
> 
> Apologies for the delay in response, i've been out of the country for the
> last week
> 
> Mark, my gut feeling is that is network related in someway, so thought we
> could compare the networking setup of our systems
> 
> You mentioned you see the hang across geo locations, so i assume there
> isn't layer 2 connectivity between all of the hosts? is there any back
> end
> connectivity between the haproxy hosts?

Following up on this, some interesting points but nothing useful.

- Mark & I see the hang at almost exactly the same time on the same day:
2017-02-27T14:36Z give or take a minute either way

- I see the hang in 3 different regions using 2 different hosting
providers on both clustered and non-clustered services, but all on
FreeBSD 11.0R amd64. There is some dependency between these systems but
nothing unusual (logging backends, reverse proxied services etc).

- our servers don't have a specific workload that would allow them all
to run out of some internal resource at the same time, as their reboot
and patch cycles are reasonably different - typically a few days elapse
between first patches and last reboots unless it's deemed high risk

- our networking setup is not complex but typical FreeBSD:
- LACP bonded Gbit igb(4) NICs
- CARP failover for both ipv4 & ipv6 addresses
- either direct to haproxy for http & TLS traffic, or via spiped to
decrypt intra-server traffic 
- haproxy directs traffic into jailed services
- our overall load and throughput is low but consistent
- pf firewall
- rsyslog for logging, along with riemann and graphite for metrics
- all our db traffic (couchdb, kyoto tycoon) and rabbitmq go via haproxy
- haproxy 1.6.10 + libressl at the time

As I'm not one for conspiracy theories or weird coincidences, somebody
port scanning the internet with an Unexpectedly Evil Packet Combo seems
the most plausible explanation.  I cannot find an alternative that would
fit the scenario of 3 different organisations with geographically
distributed equipment and unconnected services reporting an unusual
interruption on the same day and almost the same time.

Since then, I've moved to FreeBSD 11.0p8, haproxy 1.7.3 and latest
libressl and seen no recurrence, just like the last 8+ months or so
since first deploying haproxy on FreeBSD instead of debian & nginx.

If the issue recurs I plan to run a small cyclic traffic capture with
tcpdump and wait for a re-repeat, see
https://superuser.com/questions/286062/practical-tcpdump-examples

Let me know if I can help or clarify further.

A+
Dave



Re: errorfile headers/body split (haproxy-1.8-dev1)

2017-04-03 Thread Jarno Huuskonen
Hi,

On Mon, Apr 03, Willy Tarreau wrote:
>   - improve handling of error-file by splitting headers and body -- I
> don't know if someone is still working on this, but it's still
> welcome and should not interfere with the other devs

(Unless someone is already actively working on this.) I might have some
time to work on this (read the errorfile into headers/body, and on errors
send headers + \r\n + body).

I guess there are a few special cases when reading errorfiles:
- empty file (errorfile 408 /dev/null): empty headers/empty body
- Hdrs: ...\r\n\r\nEOF -> Only headers, empty body
- \r\n\r\nBody...EOF -> Only body, use default headers ?
- \r\n\r\nEOF -> warning and use default headers/body ?
- something\r\nsomething2EOF -> is this only body, use default headers ?

Is the approach suggested by Michael Hamburger ("Introduction and small
changes to HAProxy for adding custom errorfiles for 401 and 407 http
status page" email thread):

struct err_hdr_body {
struct chunk *hdr;
struct chunk *body;
}
struct err_hdr_body http_err_chunks[HTTP_ERR_SIZE];

ok ?

How should for example http_server_error send headers/body ?
bo_inject headers, bo_inject "\r\n" and bo_inject body, or copy
headers/\r\n/body to trash/chunk etc. and then bo_inject ?

-Jarno

-- 
Jarno Huuskonen
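
Jarno's list of special cases above, worked through as an added example (this is not HAProxy code and not Jarno's patch): a splitter that turns an errorfile's bytes into a header block and a body, plus the "headers + \r\n + body" send scheme he describes. Conventions assumed here: the first CRLFCRLF is the separator, a file with no separator at all is treated as body-only, and DEFAULT_HEADERS / DEFAULT_BODY are constructed stand-ins for HAProxy's built-in defaults.

```python
"""Split an errorfile into a header block and a body.

Added example, not HAProxy code. Conventions assumed here:
  - the first CRLFCRLF separates headers from body;
  - a file with no CRLFCRLF at all is body-only (Jarno's last case);
  - DEFAULT_HEADERS / DEFAULT_BODY are constructed stand-ins for the
    built-in defaults HAProxy would fall back to.
"""
from typing import NamedTuple, Optional

# Constructed stand-ins for the built-in defaults (not HAProxy's real ones).
DEFAULT_HEADERS = (b"HTTP/1.0 500 Internal Server Error\r\n"
                   b"Cache-Control: no-cache\r\n"
                   b"Connection: close\r\n"
                   b"Content-Type: text/html\r\n")
DEFAULT_BODY = b"<html><body><h1>500 Internal Server Error</h1></body></html>\n"


class ErrHdrBody(NamedTuple):
    """Python counterpart of the proposed struct err_hdr_body."""
    hdr: bytes              # header lines, each CRLF-terminated, no blank line
    body: bytes
    warning: Optional[str]  # set whenever a default had to be substituted


def split_errorfile(data: bytes) -> ErrHdrBody:
    # errorfile 408 /dev/null: empty headers, empty body, nothing is sent
    if not data:
        return ErrHdrBody(b"", b"", None)
    sep = data.find(b"\r\n\r\n")
    if sep < 0:
        # "something\r\nsomething2EOF": no separator, treat as body only
        return ErrHdrBody(DEFAULT_HEADERS, data,
                          "no blank line found; using default headers")
    hdr, body = data[:sep + 2], data[sep + 4:]
    if hdr.strip() == b"":
        if body == b"":
            # "\r\n\r\nEOF": nothing usable, fall back to both defaults
            return ErrHdrBody(DEFAULT_HEADERS, DEFAULT_BODY,
                              "errorfile is only a blank line; using defaults")
        # "\r\n\r\nBody...EOF": only a body, use default headers
        return ErrHdrBody(DEFAULT_HEADERS, body,
                          "no headers found; using default headers")
    # "Hdrs: ...\r\n\r\nEOF" lands here too, with body == b""
    return ErrHdrBody(hdr, body, None)


def render(parts: ErrHdrBody) -> bytes:
    """Bytes put on the wire: headers + CRLF + body (Jarno's sending scheme)."""
    if not parts.hdr and not parts.body:
        return b""
    return parts.hdr + b"\r\n" + parts.body
```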



bind with cert but w/out ssl ?

2017-04-03 Thread Jarno Huuskonen
Hi,

Is there a use case for bind with certificate BUT without "ssl":
frontend xyz
  bind ipv4@127.0.0.1:8443 crt ./test-cert.pem #missing ssl keyword

The config parser accepts this without a warning and plain http works, but
obviously https fails.
Maybe the parser could emit a warning if the "ssl" keyword is missing and
a certificate is configured?

-Jarno

-- 
Jarno Huuskonen
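
Jarno's "crt without ssl" bind above and PiBa-NL's point earlier in this digest (an unconditional use_backend that makes the following default_backend unreachable) are both misconfigurations a pre-deployment check can catch. The lint below is an added example, not part of HAProxy; the constructed sample config reuses the bind line and frontend shape quoted in the thread, while the hostname, certificate path and the short backend names in it are made up.

```python
"""Lint HAProxy configuration text for two mistakes discussed on the list.

Added example, not part of HAProxy. Two checks:
  1. a "bind" line carrying "crt" but no "ssl" keyword (Jarno's case: the
     parser accepts it, plain HTTP works, HTTPS fails);
  2. a "use_backend" with no "if"/"unless" condition, which catches every
     request so a later "default_backend" or "use_backend" in the same
     section is unreachable (PiBa-NL's reading of Antonio's frontend).
Parsing is line based and deliberately minimal (no multi-line directives,
no bind option values containing spaces).
"""
from typing import List, Optional, Tuple

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend",
                    "listen", "peers", "userlist", "resolvers")


def lint_haproxy(cfg: str) -> List[str]:
    """Return one human readable warning per finding, in file order."""
    warnings: List[str] = []
    section = "(none)"
    catch_all: Optional[Tuple[int, str]] = None   # (line no, backend name)
    for n, raw in enumerate(cfg.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        words = line.split()
        kw = words[0]
        if kw in SECTION_KEYWORDS:
            section = " ".join(words[:2])
            catch_all = None                      # rules are per section
            continue
        if kw == "bind":
            if "crt" in words and "ssl" not in words:
                warnings.append(
                    f"line {n} ({section}): bind has 'crt' but no 'ssl' "
                    f"keyword, so TLS is never enabled on this listener")
        elif kw in ("use_backend", "default_backend"):
            target = words[1] if len(words) > 1 else "?"
            if catch_all is not None:
                warnings.append(
                    f"line {n} ({section}): '{kw} {target}' is unreachable; "
                    f"line {catch_all[0]} already sends all traffic to "
                    f"'{catch_all[1]}'")
            elif kw == "use_backend" and not ({"if", "unless"} & set(words)):
                catch_all = (n, target)
    return warnings


# Constructed sample: the bind line from Jarno's mail, a frontend shaped like
# Antonio's (hostname and paths made up), and a corrected frontend for contrast.
SAMPLE_CFG = """\
frontend xyz
  bind ipv4@127.0.0.1:8443 crt ./test-cert.pem   # ssl keyword missing
  default_backend app

frontend Aplicaciones
  bind *:443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  acl citrixsf req_ssl_sni -i citrix.example.test
  use_backend CitrixSF-SSL if citrixsf
  use_backend SevidoresWeblogic-12c-Balanceador-SSL
  default_backend CitrixSF-SSL

frontend fixed
  bind *:8443 ssl crt /etc/haproxy/site.pem
  mode http
  use_backend SevidoresWeblogic-12c-Balanceador-SSL if { path_beg /app }
  default_backend CitrixSF-SSL
"""

if __name__ == "__main__":
    for w in lint_haproxy(SAMPLE_CFG):
        print(w)
```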



Re: configuration.txt questions

2017-04-03 Thread Jarno Huuskonen
Hi,

On Fri, Mar 31, Willy Tarreau wrote:
> On Fri, Mar 31, 2017 at 02:59:37PM +0300, Jarno Huuskonen wrote:
> > On Fri, Mar 31, Jarno Huuskonen wrote:
> > > First I'm attaching a patch that corrects ]) order for urlp_val
> > > and adds 'Example:' string to
> > > src_clr_gpc0,src_inc_gpc0,sc2_clr_gpc0,sc2_inc_gpc0,ssl_c_sha1
> > > (I assume that Example: is what generates the example formatting in
> > > html/dconv documentation).
> > 
> > This time with correct attachment(patch).
> 
> Now merged, and fixed the mangled subject line / commit message :
> 
>  Subject: [PATCH] DOC: urlp_val missing ) DOC:
>src_clr_gpc0,src_inc_gpc0,sc2_clr_gpc0,sc2_inc_gpc0,ssl_c_sha1 Example:
>string.

I'm attaching two more patches for configuration.txt (hopefully with
better subject/commit messages this time:)

First one updates "block" examples to use http-request deny.

Second one adds some comments to examples, and few links/cross
references and adds ignore-persist example (from 7.2 Using ACLs to form
conditions).

-Jarno

-- 
Jarno Huuskonen
From 5b5e16daff85681eb11a786b8639adf1e3bdc2ae Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen 
Date: Mon, 3 Apr 2017 14:20:34 +0300
Subject: [PATCH 1/2] DOC: changed "block"(deprecated) examples to http-request 
deny
---
 doc/configuration.txt | 17 ++---
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index e3f2b21..0c6816a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2510,7 +2510,9 @@ block { if | unless }  (deprecated)
 acl invalid_src  src  0.0.0.0/7 224.0.0.0/3
 acl invalid_src  src_port 0:1023
 acl local_dsthdr(host) -i localhost
-block if invalid_src || local_dst
+# block is deprecated. Use http-request deny instead:
+#block if invalid_src || local_dst
+http-request deny if invalid_src || local_dst
 
   See section 7 about ACL usage.
 
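Review bot: the commented-out `#block if invalid_src || local_dst` line adds little once the "# block is deprecated. Use http-request deny instead:" comment and the `http-request deny` replacement are both present; since this example sits under the entry for the deprecated "block" keyword itself it is defensible, but consider dropping the dead directive so readers do not copy it, keeping only the comment and the live rule.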
@@ -12187,9 +12189,9 @@ requests with a content-length greater than 0, and 
finally every request which
 is not either GET/HEAD/POST/OPTIONS !
 
acl missing_cl hdr_cnt(Content-length) eq 0
-   block if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
-   block if METH_GET HTTP_CONTENT
-   block unless METH_GET or METH_POST or METH_OPTIONS
+   http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
+   http-request deny if METH_GET HTTP_CONTENT
+   http-request deny unless METH_GET or METH_POST or METH_OPTIONS
 
 To select a different backend for requests to static contents on the "www" site
 and to every request on the "img", "video", "download" and "ftp" hosts :
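Review bot: the three rules are a faithful line-for-line translation, but `http-request` rules are evaluated in the order they are written in the section, whereas the old `block` statements were evaluated as a separate pass; the prose introducing this example should therefore say that these deny rules belong before any other `http-request` rules of the same section, otherwise e.g. a preceding `http-request set-header` is applied to requests that are then denied.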
@@ -12212,11 +12214,11 @@ the braces must be seen as independent words). 
Example :
The following rule :
 
acl missing_cl hdr_cnt(Content-length) eq 0
-   block if METH_POST missing_cl
+   http-request deny if METH_POST missing_cl
 
Can also be written that way :
 
-   block if METH_POST { hdr_cnt(Content-length) eq 0 }
+   http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
 
 It is generally not recommended to use this construct because it's a lot easier
 to leave errors in the configuration when written that way. However, for very
@@ -12234,7 +12236,8 @@ good use is the following :
 
 monitor fail if { nbsrv(dynamic) lt 2 } || { nbsrv(static) lt 2 }
 
-See section 4.2 for detailed help on the "block" and "use_backend" keywords.
+See section 4.2 for detailed help on the "http-request deny" and "use_backend"
+keywords.
 
 
 7.3. Fetching samples
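Review bot: "http-request deny" is not a keyword entry of its own in section 4.2 but one action of the "http-request" keyword, so the cross reference would be more accurate as `See section 4.2 for detailed help on the "http-request" and "use_backend"` `keywords.` (or name deny explicitly as an action of http-request), so readers searching section 4.2 find the right entry.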
-- 
1.8.3.1

From 2a4ef45b258b241c16c79bd183c2acc2a92bff03 Mon Sep 17 00:00:00 2001
From: Jarno Huuskonen 
Date: Mon, 3 Apr 2017 14:36:21 +0300
Subject: [PATCH 2/2] DOC: add few comments to examples.

- http-check expect rstring is missing html comment closing tag.
- option redis-check: See also "option tcp-check", "tcp-check expect".
- ignore-persist static url example ((from 7.2 Using ACLs to form
  conditions)
- tcp-request content: hdr(x-forwarded-for) example: added
  hdr_ip(x-forwarded-for) version.
- tcp-request content: added comments to sc0_inc_gpc0 stick table example.
- timeout tarpit: mention http-request tarpit.
---
 doc/configuration.txt | 24 
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 0c6816a..176a975 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3637,7 +3637,7 @@ http-check expect [!]  
  http-check expect ! rstatus ^5
 
  # check that we have a correct hexadecimal tag before /html
- http-check expect rstring 
 
   See also : "option httpchk", "http-check disable-on-404"
 
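Review bot: the replacement `+` line is missing from this hunk as shown (the header announces 7 lines on each side but only the `-` line appears) and the `rstring` pattern itself has been stripped, presumably because the html comment markers it contains were lost in extraction; per the commit message the intended change is to add the closing `-->` to the pattern, which cannot be verified from what is visible here, so please re-send or check the original patch.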
@@ -4594,6 +4594,11 @@ ignore-persist { if | unless } 
   The persistence is ignored when an "if" condition is met, or unless an
   "unless" condition is met.
 
+  Example:
+  acl url_static  path_beg /static 
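Review bot: the hunk is cut off after the `acl url_static` line (the header announces 11 lines on the new side, only 6 are shown), so the rest of the example, presumably the `ignore-persist` rule that uses url_static, cannot be reviewed here; also note the trailing whitespace after `/static` on the added line, which should be removed.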

Re: ssl & default_backend

2017-04-03 Thread Antonio Trujillo Carmona
On 31/03/17 at 20:26, Lukas Tribus wrote:
> Hello Antonio,
>
>
> Am 31.03.2017 um 19:36 schrieb Antonio Trujillo Carmona:
>> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>>
>>> I'm try to use haproxy for balancing Citrix.
>>>
>>> I prove with:
>>>
>>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>>
>>> use_backend CitrixSF-SSL if citrixsf
>>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>> default_backend CitrixSF-SSL
>>>
>>> The goal is Wpx witch can't use sni are redirected to CitrixSF-SSL.
>
> You did not tell us what Wpx is. We also don't know your complete
> configuration.
>
> Please post the complete configuration and the output of haproxy -vv.
>
>
>
>>>
>>> I try commenting acl req_ssl_sni (right now, I have no Wpx to probe)
>>> but
>>> I recive. Error-404 Not Found.
>
> With that statement I don't know which of the above lines you
> commented. Can
> you explain?
>
> Haproxy never generates a "404 Not found message", this comes from one
> of your
> backends.
>
>
>
>>
>> The issue of get diferent result in be redirected from a use_backend or
>> from default_backend occurs in all equipmen, Windows XP,7 or even in
>> linux.
>> I can't understand it
>
> I don't understand what you are saying. I suggest you explain in a few
> sentences
> what you expect from haproxy, and then, explain what the actual result
> is.
>
>
>
> Lukas
>
It's well documented that Windows XP with Internet Explorer doesn't
support SNI, so I try to redirect calls through "default_backend", but I
get ERROR-404; it works fine with all other combinations of OS/browser.
If I (only for test purposes) comment the four lines with "ssiiprovincial"
(which means all the traffic must be redirected through default_backend)
it doesn't work with any OS/browser.

# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


This is my configuration file:
#
#   HAProxy configuration file
#
global
#This log setting is specific to RED HAT based systems
log 127.0.0.1 local2 debug
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
node BALANCEADOR-PRINCIPAL

#to synchronize the session tables
peers pares
#disable
peer gr43stemis01 10.107.20.7:1024
peer gr43stemis02 10.107.20.8:1024

defaults
log global
mode http
option  dontlognull
option httpchk
retries 3
option redispatch
maxconn 5000
timeout connect 5s
timeout client  15min
timeout server 15s

frontend Estadisticas#
bind *:80
option  httplog
mode http
stats show-node
stats enable

# Option to redirect requests arriving over http to https
# it can only be placed in this frontend
redirect scheme https if !{ ssl_fc }

frontend Aplicaciones
bind *:443
mode tcp
log global
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

# Parameters for using SNI (Server Name Indication)
acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es

use_backend CitrixSF-SSL if citrixsf
use_backend SevidoresWeblogic-12c-Balanceador-SSL

default_backend CitrixSF-SSL

# BACKEND OF THE WEBLOGIC PRE-PRODUCTION SSL SERVERS #
#backend SevidoresWeblogic-12c-Balanceador-SSL
backend SevrWlogSSL
  

Re: [ANNOUNCE] haproxy-1.7.5

2017-04-03 Thread Willy Tarreau
On Mon, Apr 03, 2017 at 12:04:46PM +0200, Aleksandar Lazic wrote:
> Hi.
> 
> > On 03-04-2017 10:37, Willy Tarreau wrote:
> > Hi,
> > 
> > HAProxy 1.7.5 was released on 2017/04/03. It added 8 new commits
> > after version 1.7.4. The main goal was to fix an incomplete fix
> > on the compression filter in 1.7.4, that now manifests itself as
> > the haproxy spinning at 100% CPU until the connection dies.
> 
> It's now available on docker hub.
> 
> https://hub.docker.com/u/me2digital/

Thanks Aleks. Do you want me to add links to your gitlab repo in the
download sections ? I'm seeing you have haproxy 1.6 and 1.7, that
could be of interest to lots of people. If so, please suggest what
links are most appropriate (I'm seeing centos and rhel but I'm not
sure about the benefit of differentiating them).

Regards,
Willy



Re: [ANNOUNCE] haproxy-1.7.5

2017-04-03 Thread Aleksandar Lazic

Hi.

On 03-04-2017 10:37, Willy Tarreau wrote:

> Hi,
>
> HAProxy 1.7.5 was released on 2017/04/03. It added 8 new commits
> after version 1.7.4. The main goal was to fix an incomplete fix
> on the compression filter in 1.7.4, that now manifests itself as
> the haproxy spinning at 100% CPU until the connection dies.


It's now available on docker hub.

https://hub.docker.com/u/me2digital/

Regards
Aleks






[ANNOUNCE] haproxy-1.7.5

2017-04-03 Thread Willy Tarreau
Hi,

HAProxy 1.7.5 was released on 2017/04/03. It added 8 new commits
after version 1.7.4. The main goal was to fix an incomplete fix
on the compression filter in 1.7.4, that now manifests itself as
the haproxy spinning at 100% CPU until the connection dies.

There was also a potential read-past-end for one byte fixed in the
peers protocol, though it can only happen after the handshake, which
means it can only be triggered from one of the authorized peers. The
impact is quite limited but it's better to get it fixed.

A warning was added for situations where "option tcp/httplog" could
override a log-format in the defaults section.

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Sources  : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog: http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (3):
  BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
  BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is 
enabled
  BUG/MINOR: filters: Don't force the stream's wakeup when we wait in 
flt_end_analyze

Emeric Brun (1):
  BUG/MEDIUM: peers: fix buffer overflow control in intdecode.

Guillaume de Lafond (2):
  DOC: log-format/tcplog/httplog update
  MINOR: config parsing: add warning when log-format/tcplog/httplog is 
overriden in "defaults" sections

Jarno Huuskonen (1):
  DOC: fix parenthesis and add missing "Example" tags

Willy Tarreau (1):
  DOC: update the contributing file

---



[ANNOUNCE] haproxy-1.8-dev1

2017-04-03 Thread Willy Tarreau
Hi,

HAProxy 1.8-dev1 was released on 2017/04/03. It added 319 new commits
after version 1.8-dev0, brought by 33 contributors among which the
following 13 ones were newcomers :

Andriy Palamarchuk
David Harrigan
Felipe Guerreiro Barbosa Ruiz
Guillaume de Lafond
Hongbo Long
Luca Pizzamiglio
Marcin Deranek
Matthieu Guegan
Misiek
Olivier Houchard
Robin H. Johnson
Ryabin Sergey
Steven Davidovitz
Tim Düsterhus

So this is the end of development phase 1. Now please don't submit stuff
that has not been previously discussed. Developers working on various
features should now have more time to focus on finishing what they've
started and to fix their bugs.

Compared to 1.7.0, 1.8-dev1 brought a few new features :
  - pipelined and asynchronous SPOE to improve performance of remote
processing / content validation ;

  - bind configuration is now per certificate, which means that you can
expect some client authentication on certain host names only if you
want, while they're shared on the same IP:port as others not having
such a requirement (it also works for alpn, ciphers etc)

  - BoringSSL and LibreSSL are supposed to be much better supported

  - DNS multiple responses are now better spread over the server farm to
limit duplicates so that all servers get a different one  when there
are more addresses than servers.

  - stats output now supports JSON format

  - support for "no-" for all server keywords and support for
all such keywords in the default-server directive

  - a few new sample fetch functions like hostname, or the ability to
extract the cipher list presented by a browser, apparently it's
sometimes useful to distinguish real vs fake browsers

  - "show cli sockets" is supported on the CLI to report what other
sockets are available, useful in multi-process mode.

  - "hard-stop-after" allows an old process to die after a grace period
during reloads, to avoid accumulation of very old processes when
facing never-ending connections. (backported to 1.7 as well).

  - check agent's address can now be set using agent-addr, and all agent
settings can be changed over the CLI (useful in some auto-scale
environments where a central controller informs about the availability
of each server).

  - dynamic cookie valuation : the new keyword "dynamic" on the "cookie" line
will compute an automatic, unique and consistent cookie value for a server
based on its proto:ip:port so that it's possible to maintain stickiness
over a cluster of load balancers regardless of the order of the servers
they learned over DNS or other means

  - support for setting the status code on http-request tarpit, and setting
a custom reason as well on various rules.

  - pcre2 support for regex

  - improved Lua memory usage using pools

  - improved error/warning reporting during config parsing

  - small performance improvements with the kqueue poller (FreeBSD/OpenBSD)

  - large number of documentation fixes and cleanups

  - for developers, the code is now cleaner and more callback-based,
it's possible to create new files which register their own config,
version reporting, deinit code and even CLI keywords, meaning that
it's easier to add optional support for some stuff. As an exercise
(and a cleanup process), we could move the 3 device detection engines
to their own file without any reference at all from the rest of the
code, this will also significantly improve their maintenance and
limit the risk of accidental breakage when other contributors don't
have everything necessary to test them.

  - for developers, the code builds significantly faster on machines
with many cores, after having reordered the sources in the makefile
according to their build time, so that slower ones are started first.

That's about all for now (I might have missed a few things, sorry if that's
the case and it's the feature you implemented, feel free to blame me here).

Now for the next steps, we have some pending stuff already that several
of us are still working on :

  - openssl async API (Grant Zhang, under tests by Emeric, still facing
a few issues, possibly related to the engine we're using, should be
sorted out soon -- hopefully)

  - dealing with the openssl version configuration mess revealed by
the new APIs (Manu and Emeric) -- this will impact some server
keywords. At this point I think there's agreement on what the
config should look like, maybe it's going to be OK with the
implementation, I expect this to get merged soon.

  - HTTP/2 frontend (not kidding, but still quite a hard work)

  - initial multi-threading support (Emeric and Christopher) : things
start to look scarier once observed closer :-)

  - RAM-based "favicon" cache (William)

  - make userlists updatable from the CLI (William) -- turning them to
maps was done already but never merged, 

Re: Mailing list server migration

2017-04-03 Thread Willy Tarreau
On Mon, Apr 03, 2017 at 09:20:28AM +0200, Baptiste wrote:
> Hi Willy,
> 
> You should be "in ze cloud", so your hardware won't be EOLed :p

Hehe, but as you know in such situations your "hardware" can be EOLed
every few minutes :-)

Willy



Re: Mailing list server migration

2017-04-03 Thread Baptiste
Hi Willy,

You should be "in ze cloud", so your hardware won't be EOLed :p

Baptiste