Re: Odd H2 in Chrome...

2019-06-20 Thread Igor Pav
On Thu, Jun 20, 2019 at 3:39 AM Lukas Tribus wrote: > > Hello, > > On Wed, 19 Jun 2019 at 19:35, Igor Pav wrote: > > > > Hello, > > > > I do a quick playing around with H2 proxy with Chrome, Chrome has > > built-in HTTPS proxy support. > > If I con

Re: Odd H2 in Chrome...

2019-06-20 Thread Igor Pav
Tried, still same result. On Thu, Jun 20, 2019 at 11:14 PM Lukas Tribus wrote: > > On Thu, 20 Jun 2019 at 09:24, Igor Pav wrote: > > > > Hi Lukas, > > > > Found when using h2, the request URI to squid is / without > > http://example.com/, so squid return

Re: Zero RTT in backend server side

2019-06-23 Thread Igor Pav
Hi Olivier, The `retry-on 0rtt-rejected` will only work in tcp mode, is that possible to let it work in http mode too? On Mon, May 6, 2019 at 4:37 AM Olivier Houchard wrote: > > Hi Igor, > > On Mon, May 06, 2019 at 12:26:33AM +0800, Igor Pav wrote: > > Hi, Olivier, thanks for

Re: Zero RTT in backend server side

2019-06-24 Thread Igor Pav
wrote: > > Hi Igor, > > On Sun, Jun 23, 2019 at 08:42:46PM +0800, Igor Pav wrote: > > Hi Olivier, > > > > The `retry-on 0rtt-rejected` will only work in tcp mode, is that > > possible to let it work in http mode too? > > > > It should work with

Zero RTT in backend server side

2019-05-02 Thread Igor Pav
Hello, can we use TLS zero RTT in server-side now? Just want to reduce more latency when using SSL talk to the backend servers(also running haproxy). Thanks in advance. Regards

Re: Zero RTT in backend server side

2019-05-03 Thread Igor Pav
Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears no success, you are right :) On Thu, May 2, 2019 at 8:45 PM Olivier Houchard wrote: > > Hi Igor, > > On Thu, May 02, 2019 at 08:39:58PM +0800, Igor Pav wrote: > > Hello, can we use TLS zero RTT in server-side now? J

Re: Zero RTT in backend server side

2019-05-05 Thread Igor Pav
Olivier Houchard wrote: > > Hi Igor, > > On Fri, May 03, 2019 at 05:21:50PM +0800, Igor Pav wrote: > > Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears no > > success, you are right :) > > > > Indeed :) > I just pushed commit 010941f8760

Re: Proof of concept SPOE based SSO solution

2019-07-08 Thread Igor Cicimov
h come from the claims in the > authentication process. > > Hopefully this is of some use to people. > > Any feedback and constructive criticism is welcome. > > -- > Andrew Heberle > > Thanks for sharing Andrew! Cheers, Igor

Re: global maxconn behaviour in haproxy2.0

2019-06-25 Thread Igor Cicimov
Hi, On Wed, Jun 26, 2019 at 2:52 AM William Dauchy wrote: > Hello, > > Using haproxy2.0 we are seeing logs with connection number while reloading: > Proxy stopped (FE: 0 conns, BE: 549563 conns). > > while we have in our configuration: > global maxconn 262144 > defaults maxconn 262134 > >

The server-template and default-server options

2019-08-05 Thread Igor Cicimov
Hi all, Just a quick one to confirm for sure, can/does server-template consider/inherit the options from a default-server line? Thanks, Igor

Re: [PR/FEATURE] support for virtual hosts / Host header per server

2019-11-03 Thread Igor Cicimov
ation entry and explain what it really does > so that it doesn't drive some users to wrong conclusions. > > What do others think ? Igor maybe you have a particular opinion on > this one ? Baptiste, anything from the dynamic use cases you're aware > of ? > > Thanks, >

Re: ModSecurity testing

2019-12-16 Thread Igor Cicimov
Hi Joao, On Sat, Dec 14, 2019 at 11:30 PM Joao Morais wrote: > > > > On 13 Dec 2019, at 10:09, Christopher Faulet < > cfau...@haproxy.com> wrote: > > > > On 10/12/2019 at 05:24, Igor Cicimov wrote: > >> > >> Testing with Hapro

Re: PROXY protocol and check port

2019-12-16 Thread Igor Cicimov
Hi, On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote: > Hello, > > I found what was wrong : I was using "load-server-state-from-file" and > previous config file was using port 80 as server port. > It seems using this instruction loads previous server state but also > previous srv_port. > Is this

Re: PROXY protocol and check port

2019-12-17 Thread Igor Cicimov
Hi Olivier, On Tue, Dec 17, 2019 at 7:20 PM Olivier D wrote: > Hello Igor, > > > On Mon, 16 Dec 2019 at 23:41, Igor Cicimov > wrote: > >> Hi, >> >> On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote: >> >>> Hello, >>> >>&

Re: [PR/FEATURE] support for virtual hosts / Host header per server

2019-10-22 Thread Igor Cicimov
On Wed, Oct 23, 2019, 8:36 AM Igor Cicimov wrote: > > > On Tue, Oct 22, 2019, 10:27 PM Morotti, Romain D < > romain.d.moro...@jpmorgan.com> wrote: > >> Hello, >> >> >> >> The use case is to load balance applications in multiple datacenters or

Re: [PR/FEATURE] support for virtual hosts / Host header per server

2019-10-22 Thread Igor Cicimov
On Tue, Oct 22, 2019, 10:27 PM Morotti, Romain D < romain.d.moro...@jpmorgan.com> wrote: > Hello, > > > > The use case is to load balance applications in multiple datacenters or > regions. > > The common pattern today to cover multiple locations is to deploy services > in each location separately

ModSecurity testing

2019-12-09 Thread Igor Cicimov
5948214.857219 [01] <1> write_frame_cb 1575948214.857648 [01] <1> Frame of 31 bytes send Testing with Haproxy 2.0.10 but same result with 1.8.23. The version of ModSecurity is 2.9.2 and the OWASP rules v3.0.2 What am I doing wrong? Can anyone provide a request that should confirm if the module is working or not from or share the experience from their own setup? Thanks, Igor

Re: Log lines in 2.0

2020-02-27 Thread Igor Cicimov
Hi Tim, On Thu, Feb 27, 2020, 10:09 PM Tim Düsterhus wrote: > Igor, > > On 27.02.20 at 05:27, Igor Cicimov wrote: > > Feb 27 03:37:21 ip-10-0-4-33 haproxy[21361]: > > 0d56:monitor-in.accept(0009)=0012 from [IP:56142] ALPN= > > Feb 27 03:37:21 ip-10-0-4-33 h

Re: Log lines in 2.0

2020-02-27 Thread Igor Cicimov
Hi Willy, On Fri, Feb 28, 2020, 2:15 AM Willy Tarreau wrote: > Hi Igor, > > On Thu, Feb 27, 2020 at 10:36:44PM +1100, Igor Cicimov wrote: > > > This looks like you are running HAProxy in debug mode. Debug mode is > > > enabled via the '-d' command line switch or 'de

Log lines in 2.0

2020-02-26 Thread Igor Cicimov
log-format settings thus the default ones should be in play so wonder if this is what I should see? Thanks, Igor

Re: Termination state IR--

2020-01-29 Thread Igor Cicimov
Hi Christopher, On Wed, Jan 29, 2020 at 7:58 PM Christopher Faulet wrote: > On 29/01/2020 at 05:14, Igor Cicimov wrote: > > Hi all, > > > > I'm asking this question here since I read in the docs that if I see > "Ixxx" in > > the sessio

Server weight in server-template and consul dns

2020-04-20 Thread Igor Cicimov
. 1 10 8080 ip-10-20-4-244.node.dc1.consul. The server's weight reported by haproxy is 1 where I expected to see 10. Just to clarify, is this expected or there is a mixup between priority and weight? Thanks, Igor

Re: Multiple balance statements in a backend

2020-04-03 Thread Igor Cicimov
On Fri, Apr 3, 2020 at 11:23 PM Willy Tarreau wrote: > On Fri, Apr 03, 2020 at 09:38:58PM +1100, Igor Cicimov wrote: > > >> And in general how are duplicate statements being handled in the code, > > >> .i.e. the first one or the last one is considered as valid, and a

Multiple balance statements in a backend

2020-04-02 Thread Igor Cicimov
one is considered as valid, and are there maybe any special statements that are exempt from the rule (like hopefully balance :-) ) Thanks in advance. Igor

Re: Multiple balance statements in a backend

2020-04-03 Thread Igor Cicimov
Hi Baptiste, On Fri, Apr 3, 2020 at 5:28 PM Baptiste wrote: > > > On Fri, Apr 3, 2020 at 5:21 AM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Hi all, >> >> Probably another quite basic question that I can't find an example of in >&

Re: Server weight in server-template and consul dns

2020-04-27 Thread Igor Cicimov
On Mon, Apr 27, 2020 at 10:14 PM Baptiste wrote: > > > On Mon, Apr 27, 2020 at 3:05 AM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Hi, >> >> On Mon, Apr 20, 2020 at 10:25 PM Igor Cicimov < >> ig...@encompasscorporation.com> wrot

Re: doubt how to compile modsecurity module for HAproxy

2020-04-30 Thread Igor Cicimov
Hi Ricardo, On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa wrote: > Of course, it would be a pleasure, but I still couldn't get it to work, > following the igor script I even managed to build it but it is generating > the following log. > > --

Re: doubt how to compile modsecurity module for HAproxy

2020-04-26 Thread Igor Cicimov
bove. Does anyone have any idea how to do this? > > Best Regards > > This is what I have come up with https://gist.github.com/icicimov/69456f82e60ea6c53feb341f021fd089 Hope can help. Cheers, Igor

Re: Server weight in server-template and consul dns

2020-04-26 Thread Igor Cicimov
Hi, On Mon, Apr 20, 2020 at 10:25 PM Igor Cicimov < ig...@encompasscorporation.com> wrote: > Hi, > > I have the following template in a server backend: > > server-template tomcats 10 _tomcat._tcp.service.consul resolvers consul > resolve-prefer ipv4 check > > This

Haproxy 1.8.25 segfault

2020-05-23 Thread Igor Cicimov
on this particular one out of many dozens we have on Ubuntu-14.04 and 16.04 I have attached strace so more details upon the next crash. Thanks, Igor

http2 smuggling

2020-09-10 Thread Igor Cicimov
Should we be worried? https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel IC

Dynamic peers section

2020-08-26 Thread Igor Cicimov
this case if at all possible. Thanks, Igor

Re: Haproxy 1.8.25 segfault

2020-05-26 Thread Igor Cicimov
Hi Willy, On Tue, May 26, 2020 at 4:31 PM Willy Tarreau wrote: > Hi Igor, > > On Sun, May 24, 2020 at 10:35:10AM +1000, Igor Cicimov wrote: > > Hi guys, > > > > We are getting segfaults with haproxy 1.8.25 and thought I would ask if > > this rings any bell: &g

Re: Haproxy 1.8.25 segfault

2020-05-26 Thread Igor Cicimov
Hi Willy, On Tue, May 26, 2020 at 4:43 PM Willy Tarreau wrote: > On Sun, May 24, 2020 at 10:35:10AM +1000, Igor Cicimov wrote: > > We are getting segfaults with haproxy 1.8.25 > > By the way, does this mean you didn't get them with a previous version > (presumably 1.8.

Re: [2.0.17] crash with coredump

2020-09-16 Thread Igor Cicimov
f the devs but obviously many of us using v2.0 will be interested in the answer. Assuming you do not install from packages can you please provide some more background on how you produce the binary, like if you compile then what OS and kernel is this compiled on and what OS and kernel this crashes on? Again if compiled any other custom compiled packages in use, like OpenSSL, lua etc, you might be using or have compiled haproxy against etc.? Also if this is a bug and you have hit some corner case with your config (many are using 2.0 but we have not seen crashes) you should provide a stripped down version (not too stripped though just the sensitive data) of your config too. Cheers, Igor

Re: dev 2.2 High CPU Constantly

2020-07-02 Thread Igor Pav
Hi William, Tried but still the same ;( On Fri, Jul 3, 2020 at 2:35 AM William Dauchy wrote: > > Hi Igor, > > On Thu, Jul 2, 2020 at 9:57 AM Igor Pav wrote: > > By using dev11, the CPU consumption drops a lot, but when connections > > reach ~1000, the CPU would still

Re: dev 2.2 High CPU Constantly

2020-07-02 Thread Igor Pav
Hi Willy, By using dev11, the CPU consumption drops a lot, but when connections reach ~1000, the CPU would still go high, remove the 0rtt-rejected from conf, the CPU becomes normal... On Fri, Jun 26, 2020 at 5:48 PM Willy Tarreau wrote: > > Hi Igor, > > On Fri, Jun 12, 2020 at 03:0

Re: Rate Limit per IP with queueing (delay)

2020-06-11 Thread Igor Cicimov
; http-request lua.delay_request if { sc_http_req_rate(0) gt 30 } > use_backend api > > Basically if there are more than 30 requests per 10 seconds, i will make > them wait 50*count (so starting from 1500ms up to whatever they keep > insisting) > does it make sense? > d

dev 2.2 High CPU Constantly

2020-06-11 Thread Igor Pav
Hello, list We got a very high CPU constantly while using 2.2dev. Any suggestion? Thanks. Config like: global log 127.0.0.1 local0 maxconn 4096 daemon ssl-server-verify none defaults log global mode http option httplog timeout check 3000 timeout connect

Re: dev 2.2 High CPU Constantly

2020-06-12 Thread Igor Pav
Hi, are those log lines both in syslog? I didn't see it there. I'm using this simple setup for a forward HTTP proxy, sooner and later, CPU goes crazy. On Fri, Jun 12, 2020 at 12:24 AM William Dauchy wrote: > > Hello Igor, > > On Thu, Jun 11, 2020 at 5:25 PM Igor Pav wrote: >

Re: Rate Limit per IP with queueing (delay)

2020-06-09 Thread Igor Cicimov
On Tue, Jun 9, 2020 at 6:48 PM Stefano Tranquillini wrote: > Hello, > i didn't really get what has been changed in this example, and why. > > On Tue, Jun 9, 2020 at 9:46 AM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> Modify your frontend from th

Re: Rate Limit per IP with queueing (delay)

2020-06-08 Thread Igor Cicimov
On Mon, Jun 8, 2020 at 5:18 PM Stefano Tranquillini wrote: > > > On Sun, Jun 7, 2020 at 11:11 PM Илья Шипицин wrote: > >> >> >> Sun, 7 Jun 2020 at 19:59, Stefano Tranquillini : >> >>> Hello all, >>> >>> I'm moving to HA using it to replace NGINX and I've a question regarding >>> how to do a

Re: Rate Limit per IP with queueing (delay)

2020-06-09 Thread Igor Cicimov
now it is by IP or User via auth or JWT. > The problem that I've is with the primitives to define this maximum number > of calls per minute/seconds etc. > > > On Tue, Jun 9, 2020 at 6:08 AM Igor Cicimov < > ig...@encompasscorporation.com> wrote: > >> >> >> O

Re: Apache Proxypass mimicing ?

2021-02-21 Thread Igor Cicimov
> But if I do some configuration tweaks in "wp-config.php", like adding the > following two lines : > define('WP_HOME', 'https://front1.domain.local'); > define('WP_SITEURL', 'https://front1.domain.local'); > > It seems to work correctly. > > It is not an acceptable solution however, as these WP

Re: Question about available fetch-methods for http-request

2021-08-11 Thread Igor Cicimov
Hi Maya, Maybe try this: http-request set-header Host context_path.ms.example.com if { path_beg /context_path } { hdr(Host) -i example.com } From: Maya Lena Ayleen Scheu Sent: Wednesday, August 11, 2021 9:58 PM To: haproxy@formilux.org Subject: Question about

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Igor Cicimov
You should also take into account path that can have base64 encoded payload. To me the best bet for protecting via haproxy is using spoa mod_security WAF given people have already come with a comprehensive protection rules.

Re: maxconn limit not working after reload / sighup

2023-09-20 Thread Igor Cicimov
Hi, Think this explains it in details https://www.haproxy.com/blog/should-you-reload-or-restart-haproxy Particularly this part: Reloading starts a new HAProxy instance (or “process”) which handles new requests, while the old instance maintains connections until they naturally close or the

Re: Server timeouts since HAProxy 2.2

2022-08-03 Thread Igor Cicimov
Because of keep-alive? From: William Edwards Sent: Thursday, 4 August 2022, 00:26 To: haproxy@formilux.org Subject: Server timeouts since HAProxy 2.2

Re: ACL with multi or

2023-07-29 Thread Igor Cicimov
http-request tarpit deny_status 403 unless XMail_Autodiscover || XMail_EAS || XMail_ECP || XMail_EWS || XMail_MAPI || XMail_OAB || XMail_OWA || XMail_RPC || XMail_PowerShell Public From: Henning Svane Sent:
