Re: [ANNOUNCE] haproxy-2.3-dev3
On Sat, Aug 15, 2020 at 04:09:14PM +0200, William Lallemand wrote:
> On Fri, Aug 14, 2020 at 07:23:36PM +0200, Willy Tarreau wrote:
> > Another long-standing issue was addressed by William today, regarding how
> > filters "work" in crt-lists. When using an exclusion they don't work well
> > because instead of using a list of exclusions, a lookup is performed and
> > the matching entry is skipped. While that might work in certain cases
> > (single entry for a given cert), there are situations where it cannot work
> > like when this is used to exclude certain servernames from certain cert
> > types. Thus William reworked that so that it really does what the doc
> > says and what the syntax suggests. It should not have any visible effect
> > for all those who were not subject to the problem, but might possibly
> > reveal issues in certain broken configs that were working by accident
> > (i.e. the desired cert is broken and not used and might suddenly be
> > exposed). If you're using crt-lists with exclusions, you're welcome to
> > verify that it's still OK for you. After some time this fix will be
> > backported so that users don't get trapped anymore, but we'll have to
> > delay this to avoid bad surprises.
>
> There is indeed a problem which was identified with the exclusions, but
> the current commits fix another problem (issue #810). The problem lies
> in the lookup of the SNIs: if a SNI with a single name is found, it
> won't try to look up a wildcard, which is a problem if you use a
> single-name certificate for ECDSA and a wildcard for the RSA
> certificate. This bug was introduced quite recently and backported as
> far as 1.8 in December 2019...
>
> But this is not a fix for the negative filters, which should also be
> fixed but need a rework of the filters.

OK, then sorry for confusing the two and thanks for clarifying.

Willy
Re: [ANNOUNCE] haproxy-2.3-dev3
On Fri, Aug 14, 2020 at 07:23:36PM +0200, Willy Tarreau wrote:
> Another long-standing issue was addressed by William today, regarding how
> filters "work" in crt-lists. When using an exclusion they don't work well
> because instead of using a list of exclusions, a lookup is performed and
> the matching entry is skipped. While that might work in certain cases
> (single entry for a given cert), there are situations where it cannot work
> like when this is used to exclude certain servernames from certain cert
> types. Thus William reworked that so that it really does what the doc
> says and what the syntax suggests. It should not have any visible effect
> for all those who were not subject to the problem, but might possibly
> reveal issues in certain broken configs that were working by accident
> (i.e. the desired cert is broken and not used and might suddenly be
> exposed). If you're using crt-lists with exclusions, you're welcome to
> verify that it's still OK for you. After some time this fix will be
> backported so that users don't get trapped anymore, but we'll have to
> delay this to avoid bad surprises.

There is indeed a problem which was identified with the exclusions, but
the current commits fix another problem (issue #810). The problem lies
in the lookup of the SNIs: if a SNI with a single name is found, it
won't try to look up a wildcard, which is a problem if you use a
single-name certificate for ECDSA and a wildcard for the RSA
certificate. This bug was introduced quite recently and backported as
far as 1.8 in December 2019...

But this is not a fix for the negative filters, which should also be
fixed but need a rework of the filters.

--
William Lallemand
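The SNI lookup problem William describes (issue #810), and the intended semantics of negative filters that Willy's announcement refers to, as an added illustration. This is a small Python model written for this page, not HAProxy's code: the crt-list entries, the "ecdsa"/"rsa" key-type tags and the per-entry exclusion tuples are constructed assumptions that simplify the real lookup, and the two lookup functions only contrast the faulty "stop at the first exact-name match" behaviour with the fixed "fall through to the wildcard tier" behaviour. The exclusion handling implements what the doc and syntax suggest (a name on an entry's exclusion list is never served by that entry), not the old buggy implementation.

```python
"""Model of crt-list SNI lookup with per-key-type certificates.

Constructed example (not HAProxy code): an exact-name entry that exists
only for one key type must not prevent the lookup from falling back to
a wildcard entry that carries the other key type.
"""
from typing import List, Optional, Tuple

# Constructed crt-list: (sni_pattern, key_type, exclusions).
# Exclusions model negative filters: names the entry must not serve even
# though its pattern would otherwise match them (assumed semantics).
CrtEntry = Tuple[str, str, Tuple[str, ...]]

SAMPLE_CRTLIST: List[CrtEntry] = [
    # single-name ECDSA certificate only
    ("www.example.com", "ecdsa", ()),
    # wildcard RSA certificate, not to be served for internal.example.com
    ("*.example.com", "rsa", ("internal.example.com",)),
    # dedicated RSA certificate for one host
    ("api.example.com", "rsa", ()),
]


def wildcard_parent(servername: str) -> Optional[str]:
    """Parent domain used for a '*.parent' lookup ('www.example.com' ->
    'example.com'); a wildcard covers exactly one leading label."""
    parts = servername.split(".", 1)
    return parts[1] if len(parts) == 2 and parts[1] else None


def candidates(crtlist: List[CrtEntry], servername: str,
               exact: bool) -> List[Tuple[str, str]]:
    """Entries matching servername in one tier (exact names or wildcards),
    skipping any entry whose exclusion list names the servername."""
    out = []
    for pattern, ktype, exclusions in crtlist:
        if servername in exclusions:
            continue
        if exact and pattern == servername:
            out.append((pattern, ktype))
        elif (not exact and pattern.startswith("*.")
              and pattern[2:] == wildcard_parent(servername)):
            out.append((pattern, ktype))
    return out


def lookup_buggy(crtlist: List[CrtEntry], servername: str,
                 wanted: str) -> Optional[str]:
    """Faulty behaviour: as soon as any exact-name entry exists, only that
    tier is searched, so a wildcard holding the wanted key type is missed."""
    exact_tier = candidates(crtlist, servername, exact=True)
    tier = exact_tier if exact_tier else candidates(crtlist, servername, False)
    for pattern, ktype in tier:
        if ktype == wanted:
            return pattern
    return None


def lookup_fixed(crtlist: List[CrtEntry], servername: str,
                 wanted: str) -> Optional[str]:
    """Fixed behaviour: look for the wanted key type among exact-name
    entries first, then fall through to the wildcard entries."""
    for exact in (True, False):
        for pattern, ktype in candidates(crtlist, servername, exact):
            if ktype == wanted:
                return pattern
    return None


if __name__ == "__main__":
    for name, ktype in [("www.example.com", "rsa"), ("www.example.com", "ecdsa"),
                        ("other.example.com", "rsa"), ("internal.example.com", "rsa")]:
        print(f"{name:22s} {ktype:5s} buggy={lookup_buggy(SAMPLE_CRTLIST, name, ktype)!s:16s}"
              f" fixed={lookup_fixed(SAMPLE_CRTLIST, name, ktype)}")
```

With this store, an RSA-only client asking for www.example.com gets no certificate from the faulty lookup (the ECDSA exact match shadows the wildcard), while the fixed lookup serves the wildcard RSA certificate; the exclusion on the wildcard entry keeps it from ever being picked for internal.example.com, which is the behaviour the crt-list syntax promises.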
HAProxy http-reuse connections
Hello everyone,

I have a setup of HAProxy 2.2 with http connection reuse. From a single
external IP I’m sending loads of non-keepalive requests to the proxy and I’m
getting reuse hits only when the http-reuse setting is set to always. If I
send the same requests with client connection keep-alive, I'm getting hits
with the http-reuse safe option.

I’m wondering, what are the conditions for a connection to be considered to
be reused in HAProxy? The documentation states: "By default, a connection
established between haproxy and the backend server which is considered safe
for reuse is moved back to the server’s idle connections pool so that any
other request can make use of it."

Thanks.
Re: Haproxy 1.8.26-1~bpo9+1
Thanks Willy,

Not to sound ungrateful at all; an updated 1.8 release with this fix would be
greatly appreciated!

On Sat, 15 Aug 2020, 19:03 Willy Tarreau, wrote:

> On Thu, Aug 13, 2020 at 08:21:28AM +0200, Erwin Schliske wrote:
> > > The patch was for the 2.0. It must be adapted for the 1.8. But, it is not
> > > necessary because the bug is now fixed in 2.0 and 1.8 :
> > >
> > > * 2.0 : http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=307f31ec
> > > * 1.8 : http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=179d316c
> > >
> >
> > Thanks. I need the patch until 1.8.27 is released. I found it yesterday and
> > tested it successfully. The observed problem is now solved.
>
> Thanks for your feedback. We'll issue another 1.8 shortly then I guess.
>
> Willy
Re: Haproxy 1.8.26-1~bpo9+1
On Thu, Aug 13, 2020 at 08:21:28AM +0200, Erwin Schliske wrote:
> > The patch was for the 2.0. It must be adapted for the 1.8. But, it is not
> > necessary because the bug is now fixed in 2.0 and 1.8 :
> >
> > * 2.0 : http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=307f31ec
> > * 1.8 : http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=179d316c
> >
> Thanks. I need the patch until 1.8.27 is released. I found it yesterday and
> tested it successfully. The observed problem is now solved.

Thanks for your feedback. We'll issue another 1.8 shortly then I guess.

Willy
haproxy <> dataplane
Hi.

AFAIK there are several ways to run haproxy and dataplane together. Because I
just started working with the dataplane, is there a "best practice" or
"recommended" way to use both of these components together?

Maybe someone can share some experience with the combination of haproxy and
dataplane.

Best regards
Aleks