Hello list, I need to configure HAProxy to deny the request with 413 based on
the value of the content-length header. This is my actual configuration:
errorfile 400 /usr/local/etc/haproxy/errors/413.http
http-request deny deny_status 400 if { req.body_size gt 10485760 }
This is working
> On 17 May 2017, at 19:34, Bryan Talbot <bryan.tal...@playnext.com> wrote:
>
>
>> On May 15, 2017, at 6:35 PM, Joao Morais <l...@joaomorais.com.br> wrote:
>>
>> errorfile 413 /usr/local/etc/haproxy/errors
Hi, from nbproc doc[1]: "This requires the 'daemon' mode", but this is also the
way to start more than one worker in master-worker mode, right?
Still on the same doc: "USING MULTIPLE PROCESSES IS HARDER TO DEBUG AND IS
REALLY DISCOURAGED", is this still valid in master-worker? Both "harder to
> On 2 Dec 2017, at 08:47, Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> From: "Joao Morais" <l...@joaomorais.com.br>, sent: 02.12.2017 00:53:33
>
>> Hi, I have some apps that need to mimic an Apache httpd behavior on client
Hi, HAProxy 1.7.9 is being used to route traffic to a Kubernetes cluster on
AWS. Periodic spikes of RST from HAProxy on active connections were observed.
Full details in the following issue from GitHub:
https://github.com/jcmoraisjr/haproxy-ingress/issues/77 . In which
circumstances HAProxy
Hi, I have some apps that need to mimic an Apache httpd behavior on client
certificate verification: require certificate only on some paths.
Apache does this implementing SSL renegotiation as briefly explained here[1].
Of course I can `mode tcp` proxy to an Apache instance to do that for me but
Hi list, is there a way to choose between the pre- and post-RFC 2253[1] format of the DN
from a client cert? Here are nginx[2] and Apache[3] docs about the subject.
[1] https://tools.ietf.org/html/rfc2253
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_s_dn
[3]
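Added example (not from this thread, and not HAProxy, nginx or Apache code): the practical consequence of the two DN formats is that a DN string taken from a client certificate in one format will never compare equal to an ACL written in the other, so certificate-based authorization silently fails or, worse, an operator loosens the rule until it matches. The converter below parses OpenSSL's legacy "/C=BR/O=Example/CN=joao" form and the RFC 2253 "CN=joao,O=Example,C=BR" form (reversed RDN order, RFC 2253 section 2.4 escaping) and normalizes either to RFC 2253 for comparison. Multi-valued RDNs ("+") and hex-encoded ("#...") values are not handled; the sample DNs are constructed.

```python
"""Convert an X.509 Distinguished Name between the OpenSSL legacy form
("/C=BR/O=Example/CN=joao") and the RFC 2253 string form
("CN=joao,O=Example,C=BR").  Added example; not code from the thread or
from HAProxy, nginx or Apache.  Multi-valued RDNs ("+") and hex-encoded
("#...") values are not handled."""
import re

# RFC 2253 section 2.4: characters that must be backslash-escaped in a value.
_SPECIAL = set(',+"\\<>;')


def parse_legacy_dn(dn):
    """'/C=BR/O=Ex/CN=joao' -> [('C','BR'), ('O','Ex'), ('CN','joao')].
    The legacy form does not escape '/' inside values, so only split on a
    '/' that is followed by something that looks like 'TYPE='."""
    if not dn.startswith("/"):
        raise ValueError("legacy DN must start with '/'")
    rdns = []
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn[1:]):
        if part:
            typ, _, val = part.partition("=")
            rdns.append((typ, val))
    return rdns


def escape_rfc2253(value):
    """Escape a single attribute value as RFC 2253 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):      # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:              # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def to_rfc2253(rdns):
    """RFC 2253 lists RDNs most-specific first, i.e. reversed legacy order."""
    return ",".join("%s=%s" % (t, escape_rfc2253(v)) for t, v in reversed(rdns))


def parse_rfc2253(dn):
    """Split on unescaped ',' and unescape values; returns legacy (root-first) order."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip(), val))
    return list(reversed(pairs))


def to_legacy(rdns):
    return "/" + "/".join("%s=%s" % (t, v) for t, v in rdns)


def normalize_dn(dn):
    """Accept either form and return the RFC 2253 string, so a DN read from a
    client certificate can be compared with an ACL written in the other
    format without a silent mismatch."""
    rdns = parse_legacy_dn(dn) if dn.startswith("/") else parse_rfc2253(dn)
    return to_rfc2253(rdns)


if __name__ == "__main__":
    # constructed sample DN
    print(normalize_dn("/C=BR/O=Acme, Inc./CN=joao"))
```

Note that the value "Acme, Inc." is the interesting case: in the legacy form the comma is plain text, in RFC 2253 it must be escaped, so a naive string compare of the two representations fails even after reversing the RDN order.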
Hi list, I'm playing with SPOE and modsecurity contrib from HAProxy 1.8.9. I've
a couple of questions and issues that I'll describe just below my config and some
logs:
= haproxy.conf
listen my-front
log 127.0.0.1:514 format rfc5424 local0
timeout client 5s
timeout connect 5s
Hi list, I’m trying to filter spoe events using acl, no success atm.
This is the relevant part of my configuration:
=== /etc/haproxy/haproxy.cfg ===
frontend bar
...
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny if {
> On 27 May 2018, at 12:02, Daniel Corbett <dcorb...@haproxy.com> wrote:
>
> Hello Joao,
>
> On 05/26/2018 05:54 PM, Joao Morais wrote:
>>
>> There is no difference if I use acl like the example above, or use the `if
>> {...}` synta
Hi, taking this hypothetical cfg:
===
global
daemon
nbproc 3
stats socket unix@/tmp/haproxy1.sock expose-fd listeners process 1
stats socket unix@/tmp/haproxy2.sock expose-fd listeners process 2
stats socket unix@/tmp/haproxy3.sock expose-fd listeners process 3
listen f1
bind
> On 27 May 2018, at 14:51, Joao Morais wrote:
>
>> On 27 May 2018, at 12:02, Daniel Corbett wrote:
>>
>> Hello Joao,
>>
>> On 05/26/2018 05:54 PM, Joao Morais wrote:
>>>
>>> The
> On 30 Dec 2017, at 15:32, Willy Tarreau wrote:
>
> - implemented the graceful shutdown on HTTP/2 connections during a reload
>so that we can inform the client we're going to close, encouraging the
>client to switch to a new connection. This avoids connections
> On 16 Feb 2019, at 03:16, Willy Tarreau wrote:
>
> If you have some time to run some extra tests, it would be nice to rebuild
> haproxy with "ARCH_FLAGS=-pg", run it again, stop it using kill -USR1 (not
> ctrl-C), and run "gprof haproxy gmon.out". It will show the number of calls
> On 20 Feb 2019, at 03:30, Baptiste wrote:
>
> Hi Joao,
>
> I do have a question for you about your ingress controller design and the
> "chained" frontends, summarized below:
> * The first frontend is on tcp mode binding :443, inspecting sni and doing a
> triage;
>There is
> On 19 Feb 2019, at 17:51, Bruno Henc wrote:
>
> On 2/19/19 9:45 PM, Joao Morais wrote:
>>
>>> On 19 Feb 2019, at 05:57, Willy Tarreau wrote:
>>>
>>> In the past it was not possible
>>> to dynamically create servers
> On 20 Feb 2019, at 02:51, Igor Cicimov wrote:
>
>
> On Wed, 20 Feb 2019 3:39 am Joao Morais wrote:
> Hi Willy,
>
> > On 19 Feb 2019, at 01:55, Willy Tarreau wrote:
> >
> > use_backend foo if { var(req.host) ssl:www.example.com }
> On 15 Feb 2019, at 07:44, Aleksandar Lazic wrote:
>
> Hi Joao.
>
> On 15.02.2019 at 10:21, Joao Morais wrote:
>>
>> Hi list, I'm tuning some HAProxy instances in front of a large kubernetes
>> cluster. The config has about 500 hostnames
Hi list, I'm tuning some HAProxy instances in front of a large kubernetes
cluster. The config has about 500 hostnames (a la apache/nginx virtual hosts),
3 frontends, 1500 backends and 4000 servers. The first frontend is on tcp mode
binding :443, inspecting sni and doing a triage; the second
> On 12 Feb 2019, at 21:21, Norman Branitsky wrote:
>
> Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend
> for the Manager nodes?
You can bind on another port, you can also bind on another IP address (change
*:443 to some.ip.addr:443). But if you
> On 15 Feb 2019, at 08:43, Aleksandar Lazic wrote:
>
> Hi Joao.
>
> On 15.02.2019 at 11:15, Joao Morais wrote:
>>
>> Hi Aleks, sure. Regarding the config, it has currently about 4k lines only
>> in the largest frontend because of the
> On 15 Feb 2019, at 19:22, Aleksandar Lazic wrote:
>
> On 15.02.2019 at 22:11, Joao Morais wrote:
>>
>> Hey Aleks, this made my day. Thank you for reminding me that map exists and a
>> big thank you to The Author of map, map_beg and map_reg conv
Hi Willy,
> On 19 Feb 2019, at 01:55, Willy Tarreau wrote:
>
> use_backend foo if { var(req.host) ssl:www.example.com }
>
This is a nice trick that I’m planning to use with dynamic use_backend. I need
to concat host (sometimes ssl_fc_sni) and path. The question is: how do I
> On 19 Feb 2019, at 05:57, Willy Tarreau wrote:
>
> In the past it was not possible
> to dynamically create servers
I think I misunderstood something, but... how does one dynamically create a new
server?
Hey guys,
> On 16 May 2019, at 15:05, Tim Düsterhus wrote:
>
> On 16.05.19 at 17:49, Jarno Huuskonen wrote:
>> Do the myapp.io and anotherapp.com share same certificate (ie.
>> certificate has both myapp.io and anotherapp.com SAN) ?
>>
>> AFAIK browser can reuse the same tls
Hi Willy,
> On 17 May 2019, at 04:03, Willy Tarreau wrote:
>
> Hi Jarno,
>
> On Thu, May 16, 2019 at 06:49:56PM +0300, Jarno Huuskonen wrote:
>> Do the myapp.io and anotherapp.com share same certificate (ie.
>> certificate has both myapp.io and anotherapp.com SAN) ?
>>
>> AFAIK
Hi list! The symptom is as follows: when logging the Host: header I receive
`myapp.io` while in the same request the sni extension says `anotherapp.com`.
This happens in a very few requests (about 0.5%) but this is enough to make
some noise - regarding server certificate used in the handshake, and
Hi list, do you know if HAProxy wasn't mentioned here[1] because it isn't
vulnerable (1.8 and 1.9) or because it wasn't tested?
~jm
[1]
https://www.f5.com/labs/articles/threat-intelligence/denial-of-service-vulnerabilities-discovered-in-http-2
> On 23 Aug 2019, at 08:16, Willy Tarreau wrote:
>
> On Fri, Aug 23, 2019 at 11:47:46AM +0200, Willy Tarreau wrote:
>> In the mean time you can apply the patch above. It will reject the
>> first hunk but the second one applies and will address the issue.
>
> I've now backported
Hi list, I can reproduce a segmentation fault on HAProxy 1.8.21. No problem
with 1.8.20, 1.9.10 or 2.0.5. Is there anything else I can provide or test on
my environment?
--
haproxy.cfg:
...
frontend f
mode http
...
filter spoe engine modsecurity config
Hello list. I'm trying to send an HTTP 413 to the user based on the
hdr(Content-Length). What I've tried so far:
1. Create a http413 backend only with `errorfile 400` + `http-request
deny_status 400`. In the frontend, configure a `use_backend http413 if
`. This is my current approach but it
Hi Willy,
> On 30 Oct 2019, at 01:41, Willy Tarreau wrote:
>
> Hi Joao,
>
> On Tue, Oct 29, 2019 at 09:10:11PM -0300, Joao Morais wrote:
>>
>> What I need to implement is a way to share the sticky session cookie between
>> two distinct but
> On 13 Dec 2019, at 10:09, Christopher Faulet wrote:
>
> On 10/12/2019 at 05:24, Igor Cicimov wrote:
>>
>> Testing with Haproxy 2.0.10 but same result with 1.8.23. The versions of
>> ModSecurity is 2.9.2 and the OWASP rules v3.0.2
>> What am I doing wrong? Can anyone
Hi list, the attached patch fixes a warn message if the domain option, from
cookie keyword, configures a domain without starting with a dot.
~jm
0001-BUG-MINOR-config-Warn-cookie-domain-only-if-missing-.patch
Hi Willy,
> On 29 Oct 2019, at 04:27, Willy Tarreau wrote:
>
> No, please look at the RFC again, it's very precise on this :
> https://tools.ietf.org/html/rfc2109
Thanks for taking the time to review my patch.
In fact I read RFC 6265 which doesn’t take the leading dot as
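Added example (not from this thread and not HAProxy's cookie code): what RFC 6265 actually specifies for the Domain attribute, which is the point the two messages above disagree on. Section 5.2.3 drops a leading dot from the attribute value and lower-cases it, and section 5.1.3 defines domain matching; a user agent then rejects a cookie whose Domain does not domain-match the request host. The consequence for a proxy emitting a sticky-session cookie is that "domain=.example.com" and "domain=example.com" are equivalent, so warning only on the missing dot is noise. The public-suffix check of section 5.3 is omitted; the host names in the usage are constructed.

```python
"""RFC 6265 cookie Domain attribute handling: section 5.2.3 (parse the
attribute, ignoring a leading dot) and section 5.1.3 (domain matching).
Added example; not code from the thread and not HAProxy's cookie code."""
import ipaddress


def parse_domain_attribute(value):
    """5.2.3: an empty value means the attribute is ignored (host-only
    cookie); a leading '.' is dropped; the result is lower-cased."""
    if not value:
        return None
    if value.startswith("."):
        value = value[1:]
    return value.lower() or None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, domain):
    """5.1.3: request_host domain-matches domain when they are identical, or
    when request_host ends with domain, the preceding character is '.', and
    request_host is a host name rather than an IP address."""
    request_host = request_host.lower()
    if request_host == domain:
        return True
    return (request_host.endswith(domain)
            and request_host[-len(domain) - 1] == "."
            and not _is_ip_literal(request_host))


def cookie_domain_accepted(request_host, domain_attr):
    """5.3 step 6: a cookie whose Domain does not domain-match the request
    host is rejected; an absent or empty Domain yields a host-only cookie.
    (The public-suffix rejection of 5.3 step 5 is omitted here.)"""
    domain = parse_domain_attribute(domain_attr)
    if domain is None:
        return True
    return domain_matches(request_host, domain)


if __name__ == "__main__":
    # constructed sample: cookie set by app.example.com with two Domain spellings
    for attr in (".example.com", "example.com", "other.com"):
        print(attr, cookie_domain_accepted("app.example.com", attr))
```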
Hello list. I’m improving a metric collector for a haproxy cluster and want to
confirm if my findings and sentences below are correct. My main goal using
these metrics is to know how far from exhaustion my haproxy cluster is.
1. Source of the metric:
I’m parsing `show info` from admin socket
Hello list, the 401 is one of the http status code haproxy generates itself:
https://github.com/haproxy/haproxy/blob/v2.1.0/doc/configuration.txt#L363
This cannot, however, be overridden using the errorfile keyword, as stated in the
doc:
> On 14 Sep 2020, at 19:14, William Lallemand wrote:
>
> Hello,
>
> On Mon, Sep 14, 2020 at 12:09:21PM -0300, Joao Morais wrote:
>> Hello list, I'm working on an automation around haproxy process
>> lifecycle in master-worker mode. It's working
> On 15 Sep 2020, at 12:36, William Lallemand wrote:
>
> Oh right... the space in "[was: ]" is troublesome for cutting the string,
> we must remove it.
It's not a problem at all when using chunks of fixed size, even if columns
differ between them, and the layout ([was: ...])
Hello list, I'm working on an automation around haproxy process lifecycle in
master-worker mode. It's working nicely but I'm not confident that all premises
I used are correct. Please provide some guidance if I did any wrong assumption,
RTFM link is welcome as usual.
First of all I figured
The attached patch adds some clarification on how one can declare a proper
fallback certificate using crt-list. Feel free to ask me to tune verbosity to a
higher or lower level.
0001-DOC-clarify-how-to-create-a-fallback-crt.patch
> On 24 Nov 2020, at 05:47, William Lallemand wrote:
>
> Hello Joao,
>
> On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
>>
>> It’s indeed rather confusing, sorry about the mess.
>>
>> Here is a new proposal of the la
Hello list, I have a `crt-list` keyword configuring a list of crt/keys,
something like this:
/tmp/default.pem
/tmp/a.pem a.local
/tmp/b.pem b.local
We consider the first line the fallback certificate - that one that should be
used if everything else fails.
We've
> On 17 Nov 2020, at 05:28, William Lallemand wrote:
>
> You could also do
>
> /tmp/default.pem !*
>
> That will ignore the creation of the SNI entries.
Wow thank you so much William, as far as I can tell and based on ~5min tests,
this worked like a charm without any
> On 21 Nov 2020, at 12:00, William Lallemand wrote:
>
> On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:
>>
>> The attached patch adds some clarification on how one can declare a
>> proper fallback certificate using crt-list.
Hello list, I'm configuring a couple of maps used to route requests based on
hostname and path. The map layout is pretty much like this:
sub.tld/path1 name_backend1
...
I have some distinct ways to match a request: str, beg, dir, reg, using their
map converter derivatives.
Hello William, here[1] is some context. I implemented a parsing of the reload
command sent to the master cli, left it running for a while and got an index
out of bounds (in my code) this week.
I'm using this layout to parse the reload output:
// 1 3
Hello list, following a few questions about Lua and HAProxy vars:
Is there a way to read req scoped vars from a Lua script registered with
core.register_service()? My attempts so far didn’t succeed, I need to copy the
value to a txn scoped var before calling the service.
Another question, one
Hello again! Here are the snippets running with 2.4-dev18 - docker image
haproxy:2.4-dev18-alpine:
$ cat h.cfg
global
log stdout format raw local0
lua-load /tmp/h/svc1.lua
lua-load /tmp/h/svc2.lua
defaults
timeout server 1m
timeout client 1m
timeout connect 5s
log global
listen l
> On 12 May 2021, at 02:47, Willy Tarreau wrote:
>
> On Tue, May 11, 2021 at 05:41:28PM -0300, Joao Morais wrote:
>
>> Just to confirm how it works, I created the snippet below:
>>
>>http-request lua.auth ## assigning txn.core
>>
> On 10 May 2021, at 18:04, Willy Tarreau wrote:
>
> On Mon, May 10, 2021 at 10:41:36PM +0200, Willy Tarreau wrote:
>>> core.register_action("auth", { "http-req" }, function(txn)
>>> txn:set_var("txn.code", 401, true)
>
> So the problem
> On 5 Jul 2021, at 09:30, Froehlich, Dominik wrote:
>
> Here is my iteration of your solution:
>
> http-request set-var(txn.host) hdr(host),field(1,:)
> acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
> http-request deny deny_status 421 if
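Added example (not from this thread and not HAProxy code) of the decision the quoted config is making. The config denies with 421 whenever the SNI and the Host header differ. RFC 7540 section 9.1.1 allows a client to reuse one TLS connection for any name the presented certificate covers, which is the connection coalescing behind the Host/SNI mismatch reported earlier in this thread, and section 9.1.2 reserves 421 Misdirected Request for the case where the server cannot serve the Host it received. The function below mirrors the `hdr(host),field(1,:)` port stripping, then denies only when the certificate negotiated for the SNI does not cover the Host; when it does, the right move is to route on Host rather than on SNI. The SAN lists are constructed.

```python
"""Decide whether a request whose Host header names a different site from
the TLS SNI should get 421 Misdirected Request (RFC 7540 section 9.1.2) or
is legitimate HTTP/2 connection coalescing (section 9.1.1): the client may
reuse a connection for any name the presented certificate covers.  Added
example; not code from the thread and not HAProxy code."""


def host_without_port(host_header):
    """Equivalent of hdr(host),field(1,:) in the quoted config, lower-cased;
    a bracketed IPv6 literal keeps its brackets."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def san_covers(san, name):
    """Exact dNSName match, or a single left-most wildcard label
    (RFC 6125 section 6.4.3): '*.a.b' covers 'x.a.b' but not 'y.x.a.b'."""
    san = san.lower()
    if san == name:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # ".example.com"
        head = name[: -len(suffix)] if name.endswith(suffix) else ""
        return head != "" and "." not in head
    return False


def should_deny_421(sni, host_header, cert_sans):
    """True when the request must be refused with 421: Host differs from the
    SNI *and* the certificate negotiated for that SNI does not cover Host.
    When the certificate does cover it, route on Host rather than on SNI."""
    host = host_without_port(host_header)
    if sni is not None and host == sni.lower():
        return False                          # the common case: names agree
    return not any(san_covers(san, host) for san in cert_sans)


if __name__ == "__main__":
    # constructed SAN list of the certificate served for anotherapp.com
    sans = ["myapp.io", "*.myapp.io", "anotherapp.com"]
    for host in ("myapp.io:443", "api.myapp.io", "evil.example"):
        print(host, should_deny_421("anotherapp.com", host, sans))
```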
Hello list, I've about 5000 hostnames + path that should be mapped to 3000
backends or so. I'm using map converters and the layout is something like this:
/dir/file.map
d1.tld/path/sub back1
d1.tld/path back2
d2.tld/path/sub/other back3
d2.tld/path/sub back4
d2.tld/path
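Added example (not HAProxy code, and not from this post or the earlier one on host+path maps with str, beg, dir and reg) of what the three non-regex matchers return over the layout shown above. For the non-exact matchers HAProxy returns the first entry in file order whose pattern matches, which is why the longer paths are listed first; `beg` is a plain prefix test, so `d1.tld/path` also captures `d1.tld/pathology`, while `dir` only matches on whole slash-delimited components. The map text is constructed here; the last backend name, back5, is made up because the line above is cut off.

```python
"""First-match lookup over a host+path map, emulating what HAProxy's map_str,
map_beg and map_dir converters return for the layout quoted in the thread.
Added example; not HAProxy code.  The map text is constructed (the last
backend name, back5, is made up because the thread's line is cut off)."""

MAP_TEXT = """\
d1.tld/path/sub back1
d1.tld/path back2
d2.tld/path/sub/other back3
d2.tld/path/sub back4
d2.tld/path back5
"""


def parse_map(text):
    """One 'key value' pair per line; blank lines and '#' comments skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def match_str(key, pattern):
    return key == pattern


def match_beg(key, pattern):
    return key.startswith(pattern)


def match_dir(key, pattern):
    """'dir' match: the pattern must cover whole '/'-delimited components,
    so 'd1.tld/path' matches 'd1.tld/path/x' but not 'd1.tld/pathology'."""
    start = key.find(pattern)
    while start != -1:
        end = start + len(pattern)
        if (start == 0 or key[start - 1] == "/") and (end == len(key) or key[end] == "/"):
            return True
        start = key.find(pattern, start + 1)
    return False


MATCHERS = {"str": match_str, "beg": match_beg, "dir": match_dir}


def lookup(entries, key, method, default=None):
    """For the non-exact matchers the first entry, in file order, whose
    pattern matches wins; this is why longer paths come first in the map."""
    matcher = MATCHERS[method]
    for pattern, value in entries:
        if matcher(key, pattern):
            return value
    return default


if __name__ == "__main__":
    entries = parse_map(MAP_TEXT)
    for key in ("d1.tld/path/sub/x", "d1.tld/pathology", "d2.tld/path"):
        print(key, lookup(entries, key, "beg"), lookup(entries, key, "dir"))
```

The last assertion in the usage below the block's tests is the one worth remembering when generating these files: with the shorter prefix listed first, `map_beg` sends `d1.tld/path/sub` to the wrong backend.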
> On 5 Feb 2021, at 04:17, Willy Tarreau wrote:
>
> Hi Joao,
>
> On Tue, Feb 02, 2021 at 09:03:06PM -0300, Joao Morais wrote:
>>
>> Hello list, I've about 5000 hostnames + path that should be mapped to 3000
>> backends or so. I'm usi
> On 5 Feb 2021, at 04:33, Willy Tarreau wrote:
>
> On Wed, Feb 03, 2021 at 06:32:33PM -0300, Joao Morais wrote:
>>
>> Hello William, here[1] is some context. I implemented a parsing of the
>> reload command sent to the master cli, leave it
Hello list. I'm implementing peers in order to share rps and other metrics
between all instances of a haproxy cluster, so I have a global view of these
data. Here is a snippet of my poc which simply does a request count:
global
localpeer h1
...
listen l1
...
Hi, I started logging mTLS connection failures in order to understand how
frequently and why they fail for our users. From the collected data I observed
that about 1% of the client certificates has some kind of issue that neither
ssl_c_ca_err nor ssl_c_err reports, but it’s reported by
Hello list, we have a HAProxy cluster in front of some chat-like applications.
This HAProxy cluster is dynamically updated and now and then the instances need
to be reloaded.
Some of the applications behind this cluster have a few thousand active
users and, every time that the old
Hello list, I need to add a Vary header with the Origin value in order to properly
configure a CORS Allow-Origin with dynamic content. This works well provided
that my backend doesn't need to configure another value in the Vary header. I
observed that if I configure set-header, this will
> On 8 Nov 2021, at 08:26, Aleksandar Lazic wrote:
>
>
> Hi.
>
> I have 2 LB's which should limit the connection to one backend.
>
> I would try to use "conn_cur" in a stick table and share it via peers.
> Have anyone such a solution already in place?
Hi Alex, I’ve already
Hello list, the diff below is a proposal to add a bind keyword used to flag
LI_O_NOSTOP option in the bind’s listener.
Regarding the use case: I need the ability to reach a stopping, but still
running haproxy instance to, at least: 1) fairly distribute shutdown sessions
of long running
> On 20 Jul 2021, at 14:17, Willy Tarreau wrote:
>
> Hi Joao,
>
> On Tue, Jul 20, 2021 at 12:18:18PM -0300, Joao Morais wrote:
>>
>> Hello list, the diff below is a proposal to add a bind keyword used to flag
>> LI_O_NOSTOP option in the bind's l
> On 16 Jul 2021, at 22:16, Joao Morais wrote:
>
> ...
>
> # show sess
>
>$ awk '{print $4}' sess |sort |uniq -c
> 1
> 1 fe=GLOBAL
> 1902 fe=_front__tls
> 2 fe=_front_http
> 38 fe=_front_htt
Hi there, I read frontend stats, global info and current sessions from a
running haproxy, almost at the same time. Here are the outputs:
# show stat -1 1 -1 typed -- all frontends
$ sed -En '/(pxname|scur)/s/.*://p' fronts
_front__tls
1906
_front_http
40
_front_https
> On 27 Jul 2021, at 10:03, William Lallemand wrote:
>
> On Tue, Jul 20, 2021 at 12:18:18PM -0300, Joao Morais wrote:
>>
>> Regarding the use case: I need the ability to reach a stopping, but
>> still running haproxy instance to, at least:
>
Hi list, given the configuration below, I was expecting the "ok1" response instead
of "ok2". What am I doing wrong?
/tmp/p1
/ ok
h.cfg
defaults
timeout client 1m
timeout server 1m
timeout connect 5s
mode http
listen l1
bind :8000
http-request
Hello list, I have a consumer of the master socket’s `show proc` output and I
observed that 2.5 changed its layout, and this change led me to two questions:
- Are there release notes or something with all the backward compatibility
changes between minor versions? I observed that 2.5 now
Hello list, tl;dr is: How can I avoid configuring dozens of http-request with
the same acl?
My use case is a haproxy cluster receiving requests for hundreds of distinct
hostnames, several of them with a dozen or so distinct paths, and a few more
than 5k distinct backends that sends these