Re: forwarded https request missing

2019-02-12 Thread Kevin Decherf
Hello,

On Tue, Feb 12, 2019, at 11:15, Pan wrote:
> Hi,
> 
> Setting up a haproxy to just forward http requests to other server 
> works fine, but https requests are forwarded as 
> http://www.example.com:443, not https://www.example.com.

[snip]

> backend bk
>  server src www.example.com

You must provide the target port on the backend server, see documentation:

  If unset, the same port the client
  connected to will be used

-- 
Kevin Decherf - @Kdecherf
GPG 0x108ABD75A81E6E2F
https://kdecherf.com
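
The port behaviour quoted from the documentation in the reply above, shown as a configuration. This is an added example, not the poster's configuration (which was snipped) and not from the HAProxy project; the frontend, the backend names other than `bk`'s server line, the bind ports and the certificate and CA paths are assumptions.

```haproxy
# Constructed example; names, ports and file paths are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # assumed certificate path
    use_backend bk_explicit_tls if { ssl_fc }
    default_backend bk_explicit_clear

# Shown for comparison only, not referenced by the frontend.
# No port on the server line: HAProxy reuses the port the client connected
# to, so a client that arrived on :443 is sent to www.example.com:443.
# Without the "ssl" keyword that connection is still clear-text HTTP, which
# matches the "http://www.example.com:443" symptom in the question.
backend bk_implicit
    server src www.example.com

# Explicit port, clear-text HTTP to the origin.
backend bk_explicit_clear
    server src www.example.com:80

# Explicit port plus TLS towards the origin. "verify required" makes HAProxy
# validate the origin's certificate chain against ca-file, and "sni" sends
# the host name in the TLS handshake.
backend bk_explicit_tls
    server src www.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(www.example.com)
```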



Re: haproxy startup at boot too quick

2018-05-07 Thread Kevin Decherf
Hello,

On 8 May 2018 02:32:01 CEST, Bill Waggoner wrote:
 
>Anyway, when the system boots haproxy fails to start. Unfortunately I
>forgot to save the systemctl status message but the impression I get is
>that it's starting too soon.

You can find all past logs of your service using `journalctl -u 
haproxy.service`. If journal persistence is off you'll not be able to look at 
logs sent before the last boot.


-- 
Sent from my mobile. Please excuse my brevity.



[PATCH] DOC: specify that stats socket doc (section 9.2) is in management

2015-10-13 Thread Kevin Decherf
Commit 44aed90ce102c4136a5eda66d541f6fa79e141e8 moved the stats socket
documentation from config to management but the remaining references to
section 9.2 were not updated; improve it to be less confusing.

Signed-off-by: Kevin Decherf 
---
 doc/configuration.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b509238..be7e78f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -859,7 +859,8 @@ stats socket [|] [param*]
   Binds a UNIX socket to  or a TCPv4/v6 address to .
   Connections to this socket will return various statistics outputs and even
   allow some commands to be issued to change some runtime settings. Please
-  consult section 9.2 "Unix Socket commands" for more details.
+  consult section 9.2 "Unix Socket commands" of Management Guide for more
+  details.
 
   All parameters supported by "bind" lines are supported, for instance to
   restrict access to some users or their access rights. Please consult
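Review bot: In the two added lines of this hunk, "of Management Guide" is missing its article; suggest `consult section 9.2 "Unix Socket commands" of the Management Guide for more`. The commit message says this reference went stale when the text moved, so consider pointing at the section by its title only and dropping the hard-coded "9.2", which will break again at the next renumbering.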
@@ -4233,7 +4234,7 @@ load-server-state-from-file { global | local | none }
 
   The format of the file is versionned and is very specific. To understand it,
   please read the documentation of the "show servers state" command (chapter
-  9.2).
+  9.2 of Management Guide).
 
   Arguments:
 global load the content of the file pointed by the global directive
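Review bot: The replacement line "9.2 of Management Guide)." keeps the word "chapter" from the line above, while the stats socket hunk calls the same target "section 9.2"; use one term in both places and add the article ("of the Management Guide"). Unlike the first hunk, this reference omits the section title "Unix Socket commands", so the reader has only the number to go on. The context line above also carries the typo "versionned", which could be fixed in the same pass.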
-- 
2.5.1




Re: [PATCH] Fix unhandled connections problem with systemd daemon mode and SO_REUSEPORT.

2014-06-10 Thread Kevin Decherf
Hi Simone,

On Mon, Jun 09, 2014 at 05:28:27PM +0200, Simone Gotti wrote:
> Hi everyone,
> 
> After this big explanation I tried to fix this closing all the
> listeners on the parent before entering the waitpid loop (see attached
> patch).

We experienced this issue here a few months ago but we were unable to
figure out why, so thanks!

Seems good to me after a little test. I have just one comment: you
should update your patch to use tabs instead of whitespaces like in the
source code.

Regards,
-- 
Kevin Decherf - @Kdecherf
GPG C610 FE73 E706 F968 612B E4B2 108A BD75 A81E 6E2F
http://kdecherf.com



Re: [ANNOUNCE] haproxy 1.4.21

2012-05-24 Thread Kevin Decherf
Hi,

Just for archive: CVE-2012-2391
http://www.openwall.com/lists/oss-security/2012/05/23/15


Kevin Decherf - M: +33 681194547 - T: @Kdecherf


On Tue, May 22, 2012 at 9:30 PM, Vivek Malik wrote:

> A recommended upgrade for all production users. While we are not
> (generally) affected by the bugs fixed in haproxy stable version, I
> recommend updating haproxy.
>
> I can update haproxy bin in puppet and can check it in (we distribute
> haproxy binary via puppetmaster).
>
> Aiman,
>
> Please update puppetmaster when you see fit and also in general, please
> ensure that puppet client is running on all machines.
>
> Thanks,
> Vivek
>
>
> On Mon, May 21, 2012 at 1:43 AM, Willy Tarreau wrote:
>
>> Hi all,
>>
>> a number of old bugs were reported recently. Some of them are quite
>> problematic because they can lead to crashes while parsing configuration
>> or when starting up, which is even worse considering that startup scripts
>> will generally not notice it.
>>
>> Among the bugs fixed in 1.4.21, we can enumerate :
>>  - risk of crash if using reqrep/rsprep and having tune.bufsize manually
>>    configured larger than what was compiled in. The cause is the trash
>>    buffer used for the replace was still static, and I believed this was
>>    fixed months ago but only my mailbox had the fix! Thanks to Dmitry
>>    Sivachenko for reporting this bug.
>>
>>  - risk of crash when using header captures on a TCP frontend. This is a
>>    configuration issue, and this situation is now correctly detected and
>>    reported. Thanks to Olufemi Omojola for reporting this bug.
>>
>>  - risk of crash when some servers are declared with checks in a farm which
>>    does not use an LB algorithm (eg: "option transparent" or "dispatch").
>>    This happens when a server state is updated and reported to the
>>    non-existing LB algorithm. Fortunately, this happens at start-up when
>>    reporting the servers either up or down, but still it's after the fork
>>    and too late for being easily recovered from by scripts. Thanks to David
>>    Touzeau for reporting this bug.
>>
>>  - "balance source" did not correctly hash IPv6 addresses, so IPv4
>>    connections to IPv6 listeners would always get the same result. Thanks
>>    to Alex Markham for reporting this bug.
>>
>>  - the connect timeout was not properly reset upon connection establishment,
>>    resulting in a retry if the timeout struck exactly at the same millisecond
>>    the connect succeeded. The effect is that if a request was sent as part of
>>    the connect handshake, it is not available for resend during the retry and
>>    a response timeout is reported for the server. Note that in practice, this
>>    only happens with erroneous configurations. Thanks to Yehuda Sadeh for
>>    reporting this bug.
>>
>>  - the error captures were wrong if the buffer wrapped, which happens when
>>    capturing incorrectly encoded chunked responses.
>>
>> I also backported Cyril's work on the stats page to allow POST params to be
>> posted in any order, because I know there are people who script actions on
>> this page.
>>
>> This release also includes doc cleanups from Cyril, Dmitry Sivachenko and
>> Adrian Bridgett.
>>
>> Distro packagers will be happy to know that I added explicit checks to shut
>> gcc warnings about unchecked write() return value in the debug code.
>>
>> While it's very likely that almost nobody is affected by the bugs above,
>> troubleshooting them is annoying enough to justify an upgrade.
>>
>> Sources, Linux/x86 and Solaris/sparc binaries are at the usual location :
>>
>>    site index : http://haproxy.1wt.eu/
>>    sources    : http://haproxy.1wt.eu/download/1.4/src/
>>    changelog  : http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
>>    binaries   : http://haproxy.1wt.eu/download/1.4/bin/
>>
>> Willy
>>
>>
>>
>