Convert host to IP

2016-04-22 Thread Igor Pav
Hello, list. Seems DNS function implemented for a long time, I wonder if it is possible to convert hostname to IP now? So we can have like: acl US conv_to_ip(host),map_ip(/etc/haproxy/geolocation.txt) -m str -i US Thanks. Bests, -Igor

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-02-07 Thread Igor Pav
1 On Tue, Feb 7, 2017 at 9:12 PM, Emmanuel Hocdet <m...@gandi.net> wrote: > I Igor, > I build haproxy with boringssl static library to avoid any conflict with > openssl shared lib. > It also need to be link with libdecrepit (boringssl). > >> Le 30 janv. 2017 à 14:28

Re: TLS-PSK support for haproxy?

2017-01-21 Thread Igor Pav
Tested and it works! Could we expect a rtt reduce? On Mon, Jan 9, 2017 at 8:07 AM, Nenad Merdanovic wrote: > Hello, > > On 1/5/2017 4:47 PM, Emeric Brun wrote: >> On 01/05/2017 04:22 AM, Nenad Merdanovic wrote: >>> I have a working patch for this, but it's very ugly

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-30 Thread Igor Pav
sorry for unclear question, it's quite simple, build haproxy from git with boringssl (DBUILD_SHARED_LIBS=1), just config a simple SSL frontend. On Mon, Jan 30, 2017 at 5:42 PM, Willy Tarreau <w...@1wt.eu> wrote: > On Mon, Jan 30, 2017 at 04:07:33PM +0800, Igor Pav wrote: >> any

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-01-30 Thread Igor Pav
any idea with error? undefined symbol: BIO_read_filename On Mon, Jan 16, 2017 at 7:42 PM, Willy Tarreau wrote: > On Fri, Jan 13, 2017 at 06:11:55PM +0100, Emmanuel Hocdet wrote: >> for 1.8dev > > now applied, thanks. > > Willy >

Re: [PATCH] BUILD: ssl: fix to build (again) with boringssl

2017-02-09 Thread Igor Pav
eb 7, 2017 at 11:17 PM, Emmanuel Hocdet <m...@gandi.net> wrote: > you need: > ADDLIB="-lpthread -ldecrepit" > > Le 7 févr. 2017 à 16:09, Igor Pav <i...@fastsp.net> a écrit : > > Hi, Emmanuel. build with static lib, but no luck, can you provide some

Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Igor Pav
That's great! Will HAProxy adopt TLS 1.3 soon? On Tue, Dec 13, 2016 at 7:39 AM, Willy Tarreau wrote: > Hi, > > HAProxy 1.7.1 was released on 2016/12/13. It added 28 new commits > after version 1.7.0. > > It addresses a few issues related to how buffers are allocated under > low

Re: [ANNOUNCE] haproxy-1.7.1

2016-12-16 Thread Igor Pav
Cool, even TLS 1.3 0 RTT feature requires no changes? On Fri, Dec 16, 2016 at 3:03 AM, Lukas Tribus <lu...@gmx.net> wrote: > Hi Igor, > > > Am 14.12.2016 um 20:47 schrieb Igor Pav: >> >> Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev, >>

Re: [ANNOUNCE] haproxy-1.7.1

2016-12-14 Thread Igor Pav
Hi Lukas, in fact, openssl already gets early TLS 1.3 adoption in dev, will release in 1.1.1, and BoringSSL supports TLSv1.3 already. On Thu, Dec 15, 2016 at 1:48 AM, Lukas Tribus <lu...@gmx.net> wrote: > Hi Igor, > > > Am 14.12.2016 um 14:37 schrieb Igor Pav:

Re: [PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl

2017-01-03 Thread Igor Pav
tried compile 1.7.1 with boringssl, but seems not work, error like below: In file included from src/ssl_sock.c:87:0: include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) ^

Re: TLS-PSK support for haproxy?

2016-12-31 Thread Igor Pav
Sounds good for SSL backend, is this possible? On Sun, Oct 25, 2015 at 12:22 PM, Gil Bahat wrote: > Hi, > > I was wondering if HAProxy can do TLS-PSK. this cipher setting is > advantageous in several scenarios, in particular with low-end clients or > with stunnel backends.

Re: TLS-PSK support for haproxy?

2017-01-01 Thread Igor Pav
Stunnel supports it, https://www.stunnel.org/auth.html, quite simple. On Sun, Jan 1, 2017 at 4:34 PM, Willy Tarreau <w...@1wt.eu> wrote: > On Sun, Jan 01, 2017 at 01:16:37AM +0800, Igor Pav wrote: >> Sounds good for SSL backend, is this possible? > > Indeed that sounds int

Re: [Patches] TLS methods configuration reworked

2017-03-27 Thread Igor Pav
> Manu > >> Le 26 mars 2017 à 17:54, Igor Pav <i...@fastsp.net> a écrit : >> >> Hi, Emmanuel. Any plan to add tls 1.3 zero rtt support for both server >> and client side? >> >> On Sat, Mar 25, 2017 at 2:13 AM, Emmanuel Hocdet <m...@gandi.net>

Re: [Patches] TLS methods configuration reworked

2017-03-26 Thread Igor Pav
Hi, Emmanuel. Any plan to add tls 1.3 zero rtt support for both server and client side? On Sat, Mar 25, 2017 at 2:13 AM, Emmanuel Hocdet wrote: > > Hi Emeric, > patches serie updated. The new one is 0004. > It should match what you are requesting and what I observed in the

Re: hostname to IP converter possible?

2017-05-12 Thread Igor Pav
Thanks, Willy. I found DNS infrastructure improved a lot this year, so I ask it again, hope it is not so stupid :-) On Sat, May 13, 2017 at 7:19 AM, Willy Tarreau <w...@1wt.eu> wrote: > Hi Igor, > > On Sat, May 13, 2017 at 12:58:19AM +0800, Igor Pav wrote: >> Hi list,

hostname to IP converter possible?

2017-05-12 Thread Igor Pav
Hi list, Is there now a converter for hostname to IPv4 available in haproxy? Regards, Igor

`option http_proxy` DNS and HTTPS support

2019-05-15 Thread Igor Pav
Hi, since haproxy now has DNS, is it now possible to make `option http_proxy` do DNS and HTTPS? In some cases, we need to let part of the requests go to the local network directly. Thanks in advance.

Re: MEDIUM: Adding upstream socks4 proxy support

2019-06-06 Thread Igor Pav
Hi, Alec, Willy Sorry to ask a not so related question here, I have a Linux gateway to redirect user's TCP traffic by using iptables like `iptables -t nat -A PREROUTING -p tcp dst -j REDIRECT --to-ports 1000`, port 1000 is redsocks transparent tcp-to-socks proxy, since we have Alec's patch here,

RE: Discussion about "Upstream socks proxy support #82"

2019-06-04 Thread Igor Pav
Redirect to socks server would be very good for us, we use haproxy to load balance internal user traffic, happy to use one single rock stable haproxy solution. On Mon, Jun 3, 2019 at 8:47 AM Aleksandar Lazic wrote: > > Hi. > > cipriancraciun, nutinshell and I discussed in the issue above some

ea8dd949e4ab7ddd94afdbf0e96087c883192217 breaks allow-0rtt

2019-06-14 Thread Igor Pav
Hello, dev The commit of ea8dd949e4ab7ddd94afdbf0e96087c883192217 seems to break the allow-0rtt in server line, a connection will take very very long to complete. Remove allow-0rtt it turns normal. conf like: listen test mode tcp bind 0.0.0.0:88 default_backend tls backend tls mode tcp

Re: ea8dd949e4ab7ddd94afdbf0e96087c883192217 breaks allow-0rtt

2019-06-15 Thread Igor Pav
Hi Olivier, Still suffering from 2.0-dev7-b6563f-41 :( On Sat, Jun 15, 2019 at 5:37 PM Olivier Houchard wrote: > > Hi Igor, > > On Sat, Jun 15, 2019 at 03:00:23AM +0800, Igor Pav wrote: > > Hello, dev > > > > The commit of ea8dd949e4ab7ddd94afdbf0e96087c88319221

Re: ea8dd949e4ab7ddd94afdbf0e96087c883192217 breaks allow-0rtt

2019-06-15 Thread Igor Pav
Hi Olivier, 965e84e now fixed this, thanks! P.S I test it by using browser and squid proxy. On Sun, Jun 16, 2019 at 3:03 AM Olivier Houchard wrote: > > Hi Igor, > > On Sat, Jun 15, 2019 at 07:19:24PM +0800, Igor Pav wrote: > > Hi Olivier, > > > > Still suf

Odd H2 in Chrome...

2019-06-19 Thread Igor Pav
Hello, I do a quick playing around with H2 proxy with Chrome, Chrome has built-in HTTPS proxy support. If I conf like: listen FE mode http bind 0.0.0.0:1443 ssl crt cert.pem alpn h2,http/1.1 server squid-fwd-proxy 127.0.0.1:3128 then I set Chrome to use this proxy, it works fine with the

Re: Odd H2 in Chrome...

2019-06-20 Thread Igor Pav
`` On Thu, Jun 20, 2019 at 3:39 AM Lukas Tribus wrote: > > Hello, > > On Wed, 19 Jun 2019 at 19:35, Igor Pav wrote: > > > > Hello, > > > > I do a quick playing around with H2 proxy with Chrome, Chrome has > > built-in HTTPS proxy support. > > If I con

Re: Odd H2 in Chrome...

2019-06-20 Thread Igor Pav
Tried, still same result. On Thu, Jun 20, 2019 at 11:14 PM Lukas Tribus wrote: > > On Thu, 20 Jun 2019 at 09:24, Igor Pav wrote: > > > > Hi Lukas, > > > > Found when using h2, the request URI to squid is / without > > http://example.com/, so squid return

Re: Zero RTT in backend server side

2019-06-23 Thread Igor Pav
Hi Olivier, The `retry-on 0rtt-rejected` will only work in tcp mode, is that possible to let it work in http mode too? On Mon, May 6, 2019 at 4:37 AM Olivier Houchard wrote: > > Hi Igor, > > On Mon, May 06, 2019 at 12:26:33AM +0800, Igor Pav wrote: > > Hi, Olivier, thanks for

Re: Zero RTT in backend server side

2019-06-24 Thread Igor Pav
wrote: > > Hi Igor, > > On Sun, Jun 23, 2019 at 08:42:46PM +0800, Igor Pav wrote: > > Hi Olivier, > > > > The `retry-on 0rtt-rejected` will only work in tcp mode, is that > > possible to let it work in http mode too? > > > > It should work with

Zero RTT in backend server side

2019-05-02 Thread Igor Pav
Hello, can we use TLS zero RTT in server-side now? Just want to reduce more latency when using SSL talk to the backend servers(also running haproxy). Thanks in advance. Regards

Re: Zero RTT in backend server side

2019-05-03 Thread Igor Pav
Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears no success, you are right :) On Thu, May 2, 2019 at 8:45 PM Olivier Houchard wrote: > > Hi Igor, > > On Thu, May 02, 2019 at 08:39:58PM +0800, Igor Pav wrote: > > Hello, can we use TLS zero RTT in server-side now? J

Re: Zero RTT in backend server side

2019-05-05 Thread Igor Pav
Olivier Houchard wrote: > > Hi Igor, > > On Fri, May 03, 2019 at 05:21:50PM +0800, Igor Pav wrote: > > Just tested with openssl 1.1.1b and haproxy 1.9.7, it appears no > > success, you are right :) > > > > Indeed :) > I just pushed commit 010941f8760

Re: dev 2.2 High CPU Constantly

2020-07-02 Thread Igor Pav
Hi William, Tried but still the same ;( On Fri, Jul 3, 2020 at 2:35 AM William Dauchy wrote: > > Hi Igor, > > On Thu, Jul 2, 2020 at 9:57 AM Igor Pav wrote: > > By using dev11, the CPU consumption drops a lot, but when connections > > reach ~1000, the CPU would still

Re: dev 2.2 High CPU Constantly

2020-07-02 Thread Igor Pav
0:31PM +0800, Igor Pav wrote: > > Hi, are those log lines both in syslog? I didn't see it there. I'm > > using this simple setup for a forward HTTP proxy, sooner and later, > > CPU goes crazy. > > Sorry for this late reply. The "bogus stream" message William was

dev 2.2 High CPU Constantly

2020-06-11 Thread Igor Pav
Hello, list We got a very high CPU constantly while using 2.2dev. Any suggestion? Thanks. Config like: global log 127.0.0.1 local0 maxconn 4096 daemon ssl-server-verify none defaults log global mode http option httplog timeout check 3000 timeout connect

Re: dev 2.2 High CPU Constantly

2020-06-12 Thread Igor Pav
Hi, are those log lines both in syslog? I didn't see it there. I'm using this simple setup for a forward HTTP proxy, sooner and later, CPU goes crazy. On Fri, Jun 12, 2020 at 12:24 AM William Dauchy wrote: > > Hello Igor, > > On Thu, Jun 11, 2020 at 5:25 PM Igor Pav wrote: >