Deny with 413 request too large

2017-05-15 Thread Joao Morais
Hello list, I need to configure HAProxy to deny the request with 413 based on the value of the content-length header. This is my actual configuration: errorfile 400 /usr/local/etc/haproxy/errors/413.http http-request deny deny_status 400 if { req.body_size gt 10485760 } This is working

Re: Deny with 413 request too large

2017-05-22 Thread Joao Morais
> On 17 May 2017, at 19:34, Bryan Talbot <bryan.tal...@playnext.com> > wrote: > > >> On May 15, 2017, at May 15, 6:35 PM, Joao Morais <l...@joaomorais.com.br> >> wrote: >> >> errorfile 413 /usr/local/etc/haproxy/errors

[docs] about master-worker mode

2017-11-27 Thread Joao Morais
Hi, from nbproc doc[1]: "This requires the 'daemon' mode", but this is also the way to start more than one worker on master-worker mode, right? Still on the same doc: "USING MULTIPLE PROCESSES IS HARDER TO DEBUG AND IS REALLY DISCOURAGED", is this still valid on master-worker? Both "harder to

Re: Client cert verification on some paths

2017-12-02 Thread Joao Morais
> On 2 Dec 2017, at 08:47, Aleksandar Lazic <al-hapr...@none.at> > wrote: > > From: "Joao Morais" <l...@joaomorais.com.br> sent: 02.12.2017 00:53:33 > >> Hi, I have some apps that need to mimic an Apache httpd behavior on client >&

What can cause RST from HAProxy 1.7.9

2017-12-01 Thread Joao Morais
Hi, HAProxy 1.7.9 is being used to route traffic to a Kubernetes cluster on AWS. It was observed periodic spikes of RST from HAProxy on active connections. Full details in the following issue from GitHub: https://github.com/jcmoraisjr/haproxy-ingress/issues/77 . In which circumstances HAProxy

Client cert verification on some paths

2017-12-01 Thread Joao Morais
Hi, I have some apps that need to mimic an Apache httpd behavior on client certificate verification: require certificate only on some paths. Apache does this implementing SSL renegotiation as briefly explained here[1]. Of course I can `mode tcp` proxy to an Apache instance to do that for me but

Fetch DN according to RFC 2253

2017-10-31 Thread Joao Morais
Hi list, is there a way to choose between pre and post RFC 2253[1] format of DN from a client cert? Here are nginx[2] and Apache[3] docs about the subject. [1] https://tools.ietf.org/html/rfc2253 [2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_s_dn [3]

SPOE and modsecurity contrib

2018-05-19 Thread Joao Morais
Hi list, I'm playing with SPOE and modsecurity contrib from HAProxy 1.8.9. I've a couple of doubts and issues that I'll describe just below my config and some loggings: = haproxy.conf listen my-front log 127.0.0.1:514 format rfc5424 local0 timeout client 5s timeout connect 5s

Use acl on spoe events

2018-05-26 Thread Joao Morais
Hi list, I’m trying to filter spoe events using acl, no success atm. This is the relevant part of my configuration: === /etc/haproxy/haproxy.cfg === frontend bar ... filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf http-request deny if {

Re: Use acl on spoe events

2018-05-27 Thread Joao Morais
> On 27 May 2018, at 12:02, Daniel Corbett <dcorb...@haproxy.com> > wrote: > > Hello Joao, > > On 05/26/2018 05:54 PM, Joao Morais wrote: >> >> There is no difference if I use acl like the example above, or use the `if >> {...}` synta

Right way to seamless reload a multi process cfg

2018-06-02 Thread Joao Morais
Hi, taking this hypothetical cfg: === global daemon nbproc 3 stats socket unix@/tmp/haproxy1.sock expose-fd listeners process 1 stats socket unix@/tmp/haproxy2.sock expose-fd listeners process 2 stats socket unix@/tmp/haproxy3.sock expose-fd listeners process 3 listen f1 bind

Re: Use acl on spoe events

2018-06-02 Thread Joao Morais
> On 27 May 2018, at 14:51, Joao Morais > wrote: > >> On 27 May 2018, at 12:02, Daniel Corbett >> wrote: >> >> Hello Joao, >> >> On 05/26/2018 05:54 PM, Joao Morais wrote: >>> >>> The

Re: [ANNOUNCE] haproxy-1.8.3

2018-01-01 Thread Joao Morais
> On 30 Dec 2017, at 15:32, Willy Tarreau wrote: > > - implemented the graceful shutdown on HTTP/2 connections during a reload >so that we can inform the client we're going to close, encouraging the >client to switch to a new connection. This avoids connections

Re: Tune HAProxy in front of a large k8s cluster

2019-02-18 Thread Joao Morais
> On 16 Feb 2019, at 03:16, Willy Tarreau wrote: > > If you have some time to run some extra tests, it would be nice to rebuild > haproxy with "ARCH_FLAGS=-pg", run it again, stop it using kill -USR1 (not > ctrl-C), and run "gprof haproxy gmon.out". It will show the number of calls

Re: Tune HAProxy in front of a large k8s cluster

2019-02-20 Thread Joao Morais
> On 20 Feb 2019, at 03:30, Baptiste wrote: > > Hi Joao, > > I do have a question for you about your ingress controller design and the > "chained" frontends, summarized below: > * The first frontend is on tcp mode binding :443, inspecting sni and doing a > triage; >There is

Re: %[] in use-server directives

2019-02-20 Thread Joao Morais
> On 19 Feb 2019, at 17:51, Bruno Henc wrote: > > On 2/19/19 9:45 PM, Joao Morais wrote: >> >>> On 19 Feb 2019, at 05:57, Willy Tarreau wrote: >>> >>> In the past it was not possible >>> to dynamically create servers

Re: Tune HAProxy in front of a large k8s cluster

2019-02-20 Thread Joao Morais
> On 20 Feb 2019, at 02:51, Igor Cicimov > wrote: > > > On Wed, 20 Feb 2019 3:39 am Joao Morais Hi Willy, > > > On 19 Feb 2019, at 01:55, Willy Tarreau wrote: > > > > use_backend foo if { var(req.host) ssl:www.example.com }

Re: Tune HAProxy in front of a large k8s cluster

2019-02-15 Thread Joao Morais
> On 15 Feb 2019, at 07:44, Aleksandar Lazic > wrote: > > Hi Joao. > > On 15.02.2019 at 10:21, Joao Morais wrote: >> >> Hi list, I'm tuning some HAProxy instances in front of a large kubernetes >> cluster. The config has about 500 hostnames

Tune HAProxy in front of a large k8s cluster

2019-02-15 Thread Joao Morais
Hi list, I'm tuning some HAProxy instances in front of a large kubernetes cluster. The config has about 500 hostnames (a la apache/nginx virtual hosts), 3 frontends, 1500 backends and 4000 servers. The first frontend is on tcp mode binding :443, inspecting sni and doing a triage; the second

Re: HAProxy in front of Docker Enterprise problem

2019-02-15 Thread Joao Morais
> On 12 Feb 2019, at 21:21, Norman Branitsky > wrote: > > Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend > for the Manager nodes? You can bind on another port, you can also bind on another IP address (change *:443 to some.ip.addr:443). But if you

Re: Tune HAProxy in front of a large k8s cluster

2019-02-15 Thread Joao Morais
> On 15 Feb 2019, at 08:43, Aleksandar Lazic > wrote: > > Hi Joao. > > On 15.02.2019 at 11:15, Joao Morais wrote: >> >> Hi Aleks, sure. Regarding the config, it has currently about 4k lines only >> in the largest frontend because of the

Re: Tune HAProxy in front of a large k8s cluster

2019-02-15 Thread Joao Morais
> On 15 Feb 2019, at 19:22, Aleksandar Lazic > wrote: > > On 15.02.2019 at 22:11, Joao Morais wrote: >> >> Hey Aleks, this made my day. Thank you for reminding me that map exists and a >> big thank you to The Author of map, map_beg and map_reg conv

Re: Tune HAProxy in front of a large k8s cluster

2019-02-19 Thread Joao Morais
Hi Willy, > On 19 Feb 2019, at 01:55, Willy Tarreau wrote: > > use_backend foo if { var(req.host) ssl:www.example.com } > This is a nice trick that I’m planning to use with dynamic use_backend. I need to concat host (sometimes ssl_fc_sni) and path. The question is: how do I

Re: %[] in use-server directives

2019-02-19 Thread Joao Morais
> On 19 Feb 2019, at 05:57, Willy Tarreau wrote: > > In the past it was not possible > to dynamically create servers I think I misunderstood something, but... how does one dynamically create a new server?

Re: Host header and sni extension differ

2019-05-17 Thread Joao Morais
Hey guys, > On 16 May 2019, at 15:05, Tim Düsterhus wrote: > > On 16.05.19 at 17:49, Jarno Huuskonen wrote: >> Do the myapp.io and anotherapp.com share same certificate (ie. >> certificate has both myapp.io and anotherapp.com SAN) ? >> >> AFAIK browser can reuse the same tls

Re: Host header and sni extension differ

2019-05-17 Thread Joao Morais
Hi Willy, > On 17 May 2019, at 04:03, Willy Tarreau wrote: > > Hi Jarno, > > On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote: >> Do the myapp.io and anotherapp.com share same certificate (ie. >> certificate has both myapp.io and anotherapp.com SAN) ? >> >> AFAIK

Host header and sni extension differ

2019-05-16 Thread Joao Morais
Hi list! The symptom is as follows: when logging Host: header I receive `myapp.io` while in the same request the sni extension says `anotherapp.com`. This happens in a very few requests (about 0.5%) but this is enough to make some noise - regarding server certificate used in the handshake, and

DoS in h2 - from f5.com

2019-04-29 Thread Joao Morais
Hi list, do you know if HAProxy wasn't mentioned here[1] because it isn't vulnerable (1.8 and 1.9) or because it wasn't tested? ~jm [1] https://www.f5.com/labs/articles/threat-intelligence/denial-of-service-vulnerabilities-discovered-in-http-2

Re: segmentation fault on 1.8.21

2019-08-23 Thread Joao Morais
> On 23 Aug 2019, at 08:16, Willy Tarreau wrote: > > On Fri, Aug 23, 2019 at 11:47:46AM +0200, Willy Tarreau wrote: >> In the mean time you can apply the patch above. It will reject the >> first hunk but the second one applies and will address the issue. > > I've now backported

segmentation fault on 1.8.21

2019-08-22 Thread Joao Morais
Hi list, I can reproduce a segmentation fault on HAProxy 1.8.21. No problem with 1.8.20, 1.9.10 or 2.0.5. Is there anything else I can provide or test on my environment? -- haproxy.cfg: ... frontend f mode http ... filter spoe engine modsecurity config

Send http 413 response

2019-07-24 Thread Joao Morais
Hello list. I'm trying to send a HTTP 413 to the user based on the hdr(Content-Length). What I've tried so far: 1. Create a http413 backend only with `errorfile 400` + `http-request deny_status 400`. In the frontend, configure a `use_backend http413 if `. This is my current approach but it

Re: [PATCH] BUG/MINOR: config: Warn cookie domain only if missing embedded dot

2019-10-30 Thread Joao Morais
Hi Willy, > On 30 Oct 2019, at 01:41, Willy Tarreau wrote: > > Hi Joao, > > On Tue, Oct 29, 2019 at 09:10:11PM -0300, Joao Morais wrote: >> >> What I need to implement is a way to share the sticky session cookie between >> two distinct but

Re: ModSecurity testing

2019-12-14 Thread Joao Morais
> On 13 Dec 2019, at 10:09, Christopher Faulet > wrote: > > On 10/12/2019 at 05:24, Igor Cicimov wrote: >> >> Testing with Haproxy 2.0.10 but same result with 1.8.23. The versions of >> ModSecurity is 2.9.2 and the OWASP rules v3.0.2 >> What am I doing wrong? Can anyone

[PATCH] BUG/MINOR: config: Warn cookie domain only if missing embedded dot

2019-10-27 Thread Joao Morais
Hi list, the attached patch fixes a warn message if the domain option, from cookie keyword, configures a domain without starting with a dot. ~jm 0001-BUG-MINOR-config-Warn-cookie-domain-only-if-missing-.patch Description: Binary data

Re: [PATCH] BUG/MINOR: config: Warn cookie domain only if missing embedded dot

2019-10-29 Thread Joao Morais
Hi Willy, > On 29 Oct 2019, at 04:27, Willy Tarreau wrote: > > No, please look at the RFC again, it's very precise on this : > https://tools.ietf.org/html/rfc2109 Thanks for taking the time to review my patch. In fact I read RFC 6265 which doesn’t take the leading dot as

Improve a metric collector

2020-02-01 Thread Joao Morais
Hello list. I’m improving a metric collector for a haproxy cluster and want to confirm if my findings and sentences below are correct. My main goal using these metrics is to know how far from exhaustion my haproxy cluster is. 1. Source of the metric: I’m parsing `show info` from admin socket

Redefine 401 error page

2020-05-21 Thread Joao Morais
Hello list, the 401 is one of the http status code haproxy generates itself: https://github.com/haproxy/haproxy/blob/v2.1.0/doc/configuration.txt#L363 This cannot however be overwritten using the errorfile keyword as stated in the doc:

Re: check successful reload using master cli

2020-09-15 Thread Joao Morais
> On 14 Sep 2020, at 19:14, William Lallemand > wrote: > > Hello, > > On Mon, Sep 14, 2020 at 12:09:21PM -0300, Joao Morais wrote: >> Hello list, I'm working on an automation around haproxy process >> lifecycle in master-worker mode. It's working

Re: check successful reload using master cli

2020-09-15 Thread Joao Morais
> On 15 Sep 2020, at 12:36, William Lallemand > wrote: > > Oh right... the space in "[was: ]" is troublesome for cutting the string, > we must remove it. It's not a problem at all when using chunks of fixed size, even if columns differ between them, and the layout ([was: ...])

check successful reload using master cli

2020-09-14 Thread Joao Morais
Hello list, I'm working on an automation around haproxy process lifecycle in master-worker mode. It's working nice but I'm not confident that all premises I used are correct. Please provide some guidance if I did any wrong assumption, RTFM link is welcome as usual. First of all I figured

[PATCH] DOC: clarify how to create a fallback crt

2020-11-21 Thread Joao Morais
The attached patch adds some clarification on how one can declare a proper fallback certificate using crt-list. Feel free to ask me to tune verbosity to a higher or lower level. 0001-DOC-clarify-how-to-create-a-fallback-crt.patch Description: Binary data

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-24 Thread Joao Morais
> On 24 Nov 2020, at 05:47, William Lallemand > wrote: > > Hello Joao, > > On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote: >> >> It’s indeed rather confusing, sorry about the mess. >> >> Here is a new proposal of the la

Use default/first crt only if all snifilter fails

2020-11-16 Thread Joao Morais
Hello list, I have a `crt-list` keyword configuring a list of crt/keys, something like this: /tmp/default.pem /tmp/a.pem a.local /tmp/b.pem b.local We consider the first line the fallback certificate - that one that should be used if everything else fails. We've

Re: Use default/first crt only if all snifilter fails

2020-11-17 Thread Joao Morais
> On 17 Nov 2020, at 05:28, William Lallemand > wrote: > > You could also do > > /tmp/default.pem !* > > That will ignore the creation of the SNI entries. Wow thank you so much William, as far as I can tell and based on ~5min tests, this worked like a charm without any

Re: [PATCH] DOC: clarify how to create a fallback crt

2020-11-21 Thread Joao Morais
> On 21 Nov 2020, at 12:00, William Lallemand > wrote: > > On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote: >> >> The attached patch adds some clarification on how one can declare a >> proper fallback certificate using crt-list.

Change precedence using maps and distinct match types

2021-01-19 Thread Joao Morais
Hello list, I'm configuring a couple of maps used to route requests based on hostname and path. The map layout is pretty much like this: sub.tld/path1 name_backend1 ... I have some distinct ways to match a request: str, beg, dir, reg, using their map converter derivatives.

parsing reload cmd output from master cli

2021-02-03 Thread Joao Morais
Hello William, here[1] is some context. I implemented a parsing of the reload command sent to the master cli, leave it running for a while and got an index out of bounds (in my code) this week. I'm using this layout to parse the reload output: // 1 3

Read req scoped var from a Lua service

2021-05-09 Thread Joao Morais
Hello list, following a few questions about Lua and HAProxy vars: Is there a way to read req scoped vars from a Lua script registered with core.register_service()? My attempts so far didn’t succeed, I need to copy the value to a txn scoped var before call the service. Another question, one

Inconsistent reading of txn vars from Lua script

2021-05-10 Thread Joao Morais
Hello again! Here are the snippets running with 2.4-dev18 - docker image haproxy:2.4-dev18-alpine: $ cat h.cfg global log stdout format raw local0 lua-load /tmp/h/svc1.lua lua-load /tmp/h/svc2.lua defaults timeout server 1m timeout client 1m timeout connect 5s log global listen l

Re: Inconsistent reading of txn vars from Lua script

2021-05-12 Thread Joao Morais
> On 12 May 2021, at 02:47, Willy Tarreau wrote: > > On Tue, May 11, 2021 at 05:41:28PM -0300, Joao Morais wrote: > >> Just to confirm how it works, I created the snippet below: >> >>http-request lua.auth ## assigning txn.core >>

Re: Inconsistent reading of txn vars from Lua script

2021-05-11 Thread Joao Morais
> On 10 May 2021, at 18:04, Willy Tarreau wrote: > > On Mon, May 10, 2021 at 10:41:36PM +0200, Willy Tarreau wrote: >>> core.register_action("auth", { "http-req" }, function(txn) >>> txn:set_var("txn.code", 401, true) > > So the problem

Re: SNI spoofing in HAproxy?

2021-07-05 Thread Joao Morais
> On 5 Jul 2021, at 09:30, Froehlich, Dominik > wrote: > > Here is my iteration of your solution: > > http-request set-var(txn.host) hdr(host),field(1,:) > acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0 > http-request deny deny_status 421 if

A faster way to lookup 5k hosts+paths

2021-02-02 Thread Joao Morais
Hello list, I've about 5000 hostnames + path that should be mapped to 3000 backends or so. I'm using map converters and the layout is something like this: /dir/file.map d1.tld/path/sub back1 d1.tld/path back2 d2.tld/path/sub/other back3 d2.tld/path/sub back4 d2.tld/path

Re: A faster way to lookup 5k hosts+paths

2021-02-05 Thread Joao Morais
> On 5 Feb 2021, at 04:17, Willy Tarreau wrote: > > Hi Joao, > > On Tue, Feb 02, 2021 at 09:03:06PM -0300, Joao Morais wrote: >> >> Hello list, I've about 5000 hostnames + path that should be mapped to 3000 >> backends or so. I'm usi

Re: parsing reload cmd output from master cli

2021-02-05 Thread Joao Morais
> On 5 Feb 2021, at 04:33, Willy Tarreau wrote: > > On Wed, Feb 03, 2021 at 06:32:33PM -0300, Joao Morais wrote: >> >> Hello William, here[1] is some context. I implemented a parsing of the >> reload command sent to the master cli, leave it

Configure peers on clusters with 20+ instances

2021-02-07 Thread Joao Morais
Hello list. I'm implementing peers in order to share rps and other metrics between all instances of a haproxy cluster, so I have a global view of these data. Here is a snippet of my poc which simply does a request count: global localpeer h1 ... listen l1 ...

How to read the state of a mTLS connection

2021-02-20 Thread Joao Morais
Hi, I started logging mTLS connection failures in order to understand how frequently and why they fail for our users. From the collected data I observed that about 1% of the client certificates has some kind of issue that neither ssl_c_ca_err nor ssl_c_err reports, but it’s reported by

fairly distribute shutdown session a few minutes before hard-stop-after expires

2021-07-13 Thread Joao Morais
Hello list, we have a HAProxy cluster in front of some chat-like applications. This HAProxy cluster is dynamically updated and now and then the instances need to be reloaded. Some of the applications behind this cluster have a few thousand of active users and, every time that the old

Add vary header with a new value

2021-10-18 Thread Joao Morais
Hello list, I need to add a Vary header with Origin value in order to properly configure a Cors Allow Origin with dynamic content. This works well provided that my backend doesn’t need to configure another value to the Vary header. I observed that if I configure set-header, this will

Re: Limit requests with peers on 2 independent HAProxies to one backend

2021-11-10 Thread Joao Morais
> On 8 Nov 2021, at 08:26, Aleksandar Lazic > wrote: > > > Hi. > > I have 2 LB's which should limit the connection to one backend. > > I would try to use "conn_cur" in a stick table and share it via peers. > Have anyone such a solution already in place? Hi Alex, I’ve already

no-stop keyword proposal

2021-07-20 Thread Joao Morais
Hello list, the diff below is a proposal to add a bind keyword used to flag LI_O_NOSTOP option in the bind’s listener. Regarding the use case: I need the ability to reach a stopping, but still running haproxy instance to, at least: 1) fairly distribute shutdown sessions of long running

Re: no-stop keyword proposal

2021-07-20 Thread Joao Morais
> On 20 Jul 2021, at 14:17, Willy Tarreau wrote: > > Hi Joao, > > On Tue, Jul 20, 2021 at 12:18:18PM -0300, Joao Morais wrote: >> >> Hello list, the diff below is a proposal to add a bind keyword used to flag >> LI_O_NOSTOP option in the bind's l

Re: missing sessions from show sess

2021-07-18 Thread Joao Morais
> On 16 Jul 2021, at 22:16, Joao Morais > wrote: > > ... > > # show sess > >$ awk '{print $4}' sess |sort |uniq -c > 1 > 1 fe=GLOBAL > 1902 fe=_front__tls > 2 fe=_front_http > 38 fe=_front_htt

missing sessions from show sess

2021-07-16 Thread Joao Morais
Hi there, I read frontend stats, global info and current sessions from a running haproxy, almost at the same time. Here are the outputs: # show stat -1 1 -1 typed -- all frontends $ sed -En '/(pxname|scur)/s/.*://p' fronts _front__tls 1906 _front_http 40 _front_https

Re: no-stop keyword proposal

2021-07-27 Thread Joao Morais
> On 27 Jul 2021, at 10:03, William Lallemand > wrote: > > On Tue, Jul 20, 2021 at 12:18:18PM -0300, Joao Morais wrote: >> >> Regarding the use case: I need the ability to reach a stopping, but >> still running haproxy instance to, at least: >

map_dir() fail when using path as input

2022-03-20 Thread Joao Morais
Hi list, given the configuration below, I was expecting "ok1" response instead of "ok2". What am I doing wrong? /tmp/p1 / ok h.cfg defaults timeout client 1m timeout server 1m timeout connect 5s mode http listen l1 bind :8000 http-request

changes in 2.5

2022-01-17 Thread Joao Morais
Hello list, I have a consumer of the master socket’s `show proc` output and I observed that 2.5 changed its layout, and this change led me to two doubts: - Is there a release notes or something with all the backward compatibility changes between minor versions? I observed that 2.5 now

Improve config with lots of distinct matching types

2022-08-06 Thread Joao Morais
Hello list, tl;dr is: How can I avoid configuring dozens of http-request with the same acl? My use case is a haproxy cluster receiving requests for hundreds of distinct hostnames, several of them with a dozen or so distinct paths, and a few more than 5k distinct backends that sends these