The first thing I'd try is to disable multithreading (by putting
nbthread 1 in the global section of the configuration), so if that
helps.
Lukas
Hello,
On Wed, 26 May 2021 at 13:29, reshma r wrote:
>
> Hello all,
> Periodically I need to write some configuration data to a file.
> However I came across documentation that warned against writing to a file at
> runtime.
> Can someone give me advice on how I can achieve this safely?
You'll h
Hello,
On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E
wrote:
>
> Greetings!
>
> I can’t seem to find instructions on how to use this builtin ACL. Can someone
> point me in the right direction, please?
There is nothing specific about it, you use it just like every other ACL.
http-request deny if
Hello,
On Tue, 8 Jun 2021 at 17:36, Godfrin, Philippe E
wrote:
>
> Certainly,
>
> Postgres sends this message across the wire:
>
> Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00
> 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd|
> Jun 2 21:14:40 ip-172-31-
On Wed, 16 Jun 2021 at 17:03, Илья Шипицин wrote:
>
> ssl sessions are for tls1.0 (disabled in your config)
> tls1.2 uses tls tickets for resumption
That is not true, you can disable TLS tickets and still get resumption
on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID
caching.
Hello Shawn,
On Sun, 20 Jun 2021 at 08:39, Shawn Heisey wrote:
> This is what SSL Labs now says for the thing that started this thread:
>
> Session resumption (caching)No (IDs assigned but not accepted)
> Session resumption (tickets)Yes
>
> I'd like to get the caching item fixed, but I h
Hello Shawn,
On Sun, 20 Jun 2021 at 14:03, Shawn Heisey wrote:
>
> On 6/20/2021 1:52 AM, Lukas Tribus wrote:
> > Can you try disabling threading, by putting nbthread 1 in your config?
>
> That didn't help. From testssl.sh:
>
> SSL Session ID support
Hello,
On Wed, 23 Jun 2021 at 22:25, Willy Tarreau wrote:
>
> Hi Tim, Max,
>
> On Wed, Jun 23, 2021 at 09:38:12PM +0200, Tim Duesterhus wrote:
> > Hi Willy, Lukas, List!
> >
> > GitHub finally launched their next evolution of issue templates, called
> > issue
> > forms, as a public beta:
> > h
Hello Stefan,
On Tue, 13 Jul 2021 at 14:10, Stefan Fuhrmann
wrote:
>
> Hello all,
>
>
> First, we can not change to newer version so fast within the project.
>
> We are having an old installation of haproxy (1.7.9) and we have the
> need to configure tcp- mss- value on backend site.
>
>
>
> Is th
On Thu, 15 Jul 2021 at 11:27, Илья Шипицин wrote:
>
> I really wonder what they will suggest.
>
> I'm not a spam source, since we do not have "opt in" policy, anybody can send
> mail. so they do.
> please address the issue properly, either change list policy or be calm with
> my experiments.
It
Hello,
On Tue, 20 Jul 2021 at 08:13, Peter Jin wrote:
> 2. There is a stack buffer overflow found in one of the files. Not
> disclosing it here because this email will end up on the public mailing
> list. If there is a "security" email address I could disclose it to,
> what is it?
It's secur...
On Thursday, 19 August 2021, James Brown wrote:
> Are there CVE numbers coming for these vulnerabilities?
>
>
CVE-2021-39240: -> 2) Domain parts in ":scheme" and ":path"
CVE-2021-39241: -> 1) Spaces in the ":method" field
CVE-2021-39242: -> 3) Mismatch between ":authority" and "Host"
Lukas
On Fri, 20 Aug 2021 at 13:08, Илья Шипицин wrote:
>
> double slashes behaviour is changed in BUG/MEDIUM:
> h2: match absolute-path not path-absolute for :path · haproxy/haproxy@46b7dff
> (github.com)
Actually, I think the patch you are referring to would *fix* this
particular issue, as it was co
Hello Jonathan,
On Wed, 8 Sept 2021 at 21:28, Jonathan Greig wrote:
>
> Hello! My name is Jonathan Greig and I'm a reporter for ZDNet. I'm
> writing a story about CVE-2021-40346 and I was wondering if
> Ha Proxy had any comment about the vulnerability.
Just making sure you are aware that this is
Hello,
PCRE (1) is end of life and unmaintained now (see below). Not a huge
problem, because PCRE2 has been supported since haproxy 1.8.
However going forward (haproxy 2.5+) should we:
- warn when compiling with PCRE?
- remove PCRE support?
- both, but start with a warning in 2.5?
- maintain PCR
Hello,
On Wed, 27 Oct 2021 at 22:17, Shawn Heisey wrote:
>
> I am building haproxy from source.
>
> For some load balancers that I used to manage, I also built openssl from
> source, statically linked, and compiled haproxy against that, because
> the openssl included with the OS (CentOS 6 if I r
Hi,
On Thursday, 28 October 2021, Shawn Heisey wrote:
> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>
>> I'd be surprised if the OpenSSL API calls we are using doesn't support
>> AES-NI.
>>
>
> Honestly that would surprise me too. But I have no idea
On Thu, 28 Oct 2021 at 08:31, Lukas Tribus wrote:
>
> Hi,
>
> On Thursday, 28 October 2021, Shawn Heisey wrote:
>>
>> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>>>
>>> I'd be surprised if the OpenSSL API calls we are using doesn't support
On Thu, 28 Oct 2021 at 15:49, Shawn Heisey wrote:
>
> On 10/28/21 7:34 AM, Shawn Heisey wrote:
> > Does haproxy's use of openssl turn on the same option that the
> > commandline does with the -evp argument? If it does, then I think
> > everything is probably OK.
>
>
> Running "grep -r EVP ." in t
On Thu, 28 Oct 2021 at 21:20, Shawn Heisey wrote:
>
> On 10/28/21 10:02 AM, Lukas Tribus wrote:
> > You seem to be trying very hard to find a problem where there is none.
> >
> > Definitely do NOT overwrite CPU flags in production. This is to *test*
> > AES accel
Hello,
On Tue, 2 Nov 2021 at 21:24, Ben Hart wrote:
>
> In the config (pasted here
> https://0bin.net/paste/1aOh1F4y#qStfT0m0mER3rhI3DonDbCsr0NRmVuH9XiwvagEkAiE)
> My questions surround the syntax of the config file..
Most likely those clients don't send SNI. Capture the SSL handshake
and ver
Hello Ben,
On Wed, 3 Nov 2021 at 03:54, Ben Hart wrote:
>
> I wonder, can I ask if the server directives are correct insofar as
> making a secured connection to the backend server entries?
>
> I'm told that HAP might be connecting by IP in which case the
> SSL cert would be useless
The document
Hello Ben,
On Wed, 3 Nov 2021 at 12:55, Ben Hart wrote:
>
> Thanks again Lukas!
> So the server directive's use of a cert or CA file is only to
> verify the identity of the server in question.
No, "crt" (a certificate including private key) and "ca-file" (the
public certificate of a CA) are two
Use the instructions in INSTALL to build openssl statically. Building
and installing a custom shared build of openssl on an OS is something
that I'd suggest you avoid, because it will become complicated.
Lukas
We are using comma-delimited list for init-addr for example, let's
document that this is space-delimited to avoid the guessing game.
---
doc/configuration.txt | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1e04
Hello Cyril,
On Tue, 23 Nov 2021 at 17:18, Willy Tarreau wrote:
>
> Hi,
>
> HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after
> version 2.5-dev15, fixing minor last-minute details (bind warnings
> that turned to errors, and an incorrect free in the backend SSL cache).
could
Hello,
On Wed, 8 Dec 2021 at 17:50, Tim Düsterhus wrote:
>
> Lukas,
>
> On 12/8/21 11:33 AM, Lukas Tribus wrote:
> > We are using comma-delimited list for init-addr for example, let's
> > document that this is space-delimited to avoid the guessing game.
>
>
In commit 6f7497616 ("MEDIUM: connection: rename fc_conn_err and
bc_conn_err to fc_err and bc_err"), fc_conn_err became fc_err, so
update this example.
---
Should be backported to 2.5.
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.t
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote:
> 1. Why is an input from outside of the application passed unchecked to the
> logging library!
Because you can't predict the future.
When you know that your backend is SQL, you escape what's necessary to
avoid SQL injection (or use prepared
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote:
> Well I go the other way around.
>
> The application must know what data are allowed, verify the input and if the
> input is not valid discard it.
You clearly did not understand my point so let me try to phrase it differently:
The log4j vu
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote:
>
> Is this thread really "on-topic" for HAProxy?
>
> Attempts to mitigate Log4Shell at HAProxy level to me feel similar
> to.. looking at a leaking roof of a house and thinking "I should put
> an umbrella above it, so the leak isn't hit by rain
On Mon, 17 Jan 2022 at 19:37, wrote:
>
> Hi
>
> Configuration uses 'no option http-use-htx' in defaults because of case
> insensitivity.
> Statistics path haproxy?stats is behind simple username/password and
> both credentials are specified in config.
> When accessing haproxy?stats, 2.0.25 works f
I'd suggest you give WSL/WSL2 a try.
Lukas
On Thu, 10 Feb 2022 at 11:25, Gowri Shankar wrote:
>
> I'm trying to install haproxy for loadbalancing for my servers, but I'm not able
> install from my windows system. Is there ha proxy available for windows,
> please give and help us with documentation
As per issue #1552 the mailer code currently breaks on ESMTP multiline
responses. Let's negotiate SMTP instead.
Should be backported to 2.0.
---
src/mailers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mailers.c b/src/mailers.c
index 3d01d7532..34eaa5bb6 100644
--- a/
Hello,
I suggest you put your backup server in a dedicated backend and select
it in the frontend. I guess the same could be done with use-server in
a single backend, but I feel like this is cleaner:
frontend haproxy
option forwardfor
bind server.lab.local:9191
use_backend backup_servers i
On Sat, 19 Feb 2022 at 16:15, Carlos Renato wrote:
>
> Hi Lukas,
>
> Thanks for the reply and willingness to help.
>
> I did a test and it didn't work. I dropped the server2 interface and only
> server1 was UP.
> Traffic continues to exit through the main backend. My wish is that the
> traffic is
Hello,
On Sat, 19 Feb 2022 at 17:46, Moutasem Al Khnaifes
wrote:
> but for some reason HAProxy thinks that Plex is down
John already explained this perfectly.
> the status page is inaccessible
Your configuration is:
> listen stats
> bind localhost:1936
[...]
> stats uri /
On Sat, 19 Feb 2022 at 18:38, Carlos Renato wrote:
>
> Yes,
>
> In stats server2 is DOWN. accept the VM's network card.
Provide detailed logs please.
Lukas
Hello,
On Mon, 21 Feb 2022 at 14:25, Tom Browder wrote:
>
> I'm getting ready to try 2.5 HAProxy on my system
> and see http compression is recommended.
I'm not sure we are actively encouraging to enable HTTP compression.
Where did you see this recommendation?
> From those sources I thought ht
Hello,
take a look at how we are using tests with vtc/vtest in
doc/regression-testing.txt.
Maybe this tool can be useful for your use-case.
Lukas
Reverts 75df9d7a7 ("DOC: explain HTTP2 timeout behavior") since H2
connections now respect "timeout http-keep-alive".
If commit 15a4733d5d ("BUG/MEDIUM: mux-h2: make use of http-request
and keep-alive timeouts") is backported, this DOC change needs to
be backported along with it.
---
doc/configur
Hello Willy,
On Sat, 26 Mar 2022 at 10:22, Willy Tarreau wrote:
> A change discussed around previous announce was made in the H2 mux: the
> "timeout http-keep-alive" and "timeout http-request" are now respected
> and work as documented, so that it will finally be possible to force such
> connecti
Hello,
> > Let's say we have the following setup.
> >
> > ```
> > maxconn 2
> > nbthread 4
> > ```
> >
> > My understanding is that HAProxy will accept 2 concurrent connection,
> > right? Even when I increase the nbthread will HAProxy *NOT* accept more than
> > 2 concurrent connection
On Thu, 9 Jun 2022 at 08:42, wrote:
>
> Hi,
>
> I need to enable TLS V1.0 because of some legacy clients which have just been
> "discovered" and won't be updated.
Configure "ssl-default-bind-ciphers" as per:
https://ssl-config.mozilla.org/#server=haproxy&version=2.3&config=old&openssl=1.1.1k&gui
Hello,
wolfSSL has also chosen to use the same API for QUIC:
https://www.wolfssl.com/wolfssl-quic-support/
> The wolfSSL QUIC API is aligned with the corresponding APIs in other *SSL
> libraries, making integration with QUIC protocol stacks easier and protecting
> investments. This is a depar
FYI a CRITICAL openssl vulnerability will be fixed in 3.0.7 and 1.1.1s
to be released Tue, Nov 1st between 1300-1700 UTC:
https://www.openwall.com/lists/oss-security/2022/10/25/4
https://www.openwall.com/lists/oss-security/2022/10/25/6
https://www.openssl.org/policies/general/security-policy.html
On Fri, 4 Nov 2022 at 16:32, Aleksandar Lazic wrote:
>
> Hi.
>
> On 04.11.22 12:24, Szabo, Istvan (Agoda) wrote:
> > Hi,
> >
> > Is there anybody successfully configured haproxy and dsr?
>
> Well maybe this Blog Post is a good start point.
>
> https://www.haproxy.com/blog/layer-4-load-balancing-di
On Fri, 4 Nov 2022 at 16:50, Szabo, Istvan (Agoda)
wrote:
>
> Yeah, that’s why I’m curious anybody ever made it work somehow?
Perhaps I should have been clearer.
It's not supported because it's not possible.
Haproxy the OSS uses the socket API, haproxy cannot forward IP packets
arbitrarily, whi
Hello,
On Thu, 12 Jan 2023 at 09:35, Aurelien DARRAGON wrote:
>
> Hi,
>
> > I am having trouble with Haproxy using a configuration was previously
> > worked and am getting a very odd to me error
> >
> >
> >
> > Jan 11 13:58:00 ca04vlhaproxy01 haproxy[16077]: [ALERT] 010/135800
> > (16077) : Prox
On Wed, 1 Mar 2023 at 10:09, bjun...@gmail.com wrote:
>
> Hi,
>
> i've upgraded from HAProxy 2.4.15 (OS: Ubuntu 18.04) to 2.4.22 (OS: Ubuntu
> 22.04). Now the stick-table synchronization between peers isn't working
> anymore.
>
> The peers listener is completely not existing (lsof output).
>
> H
On Sat, 18 Mar 2023 at 20:01, Aleksandar Lazic wrote:
>
> Hi Dinko.
>
> On 17.03.23 20:59, Dinko Korunic wrote:
> > Dear community,
> >
> > Upon many requests, we have started building HAProxy CE for 2.6, 2.7 and
> > 2.8 branches with QUIC (based on OpenSSL 1.1.1t-quic Release 1) as
> > Docker Alp
Hi,
On Sat, 15 Apr 2023 at 11:32, Willy Tarreau wrote:
> Thus you're seeing me coming with my question: does anyone have any
> objection against turning "alpn h2,http/1.1" on by default for HTTP
> frontends, and "alpn h3" by default for QUIC frontends, and have a new
> "no-alpn" option to explici
On Sat, 15 Apr 2023 at 23:08, Willy Tarreau wrote:
>
> On Sat, Apr 15, 2023 at 10:59:42PM +0200, Willy Tarreau wrote:
> > Hi Nick,
> >
> > On Sat, Apr 15, 2023 at 09:44:32PM +0100, Nick Wood wrote:
> > > And here is my configuration - I've slimmed it down to the absolute
> > > minimum
> > > to re
On Sun, 23 Apr 2023 at 13:08, Willy Tarreau wrote:
>
> On Sun, Apr 23, 2023 at 12:39:25PM +0200, Tim Düsterhus, WoltLab GmbH wrote:
> > Willy,
> >
> > On 3/27/23 20:25, Willy Tarreau wrote:
> > > OK, let's see what other users and participants think about it. If I get
> > > at least one "please do
Did you try putting the "del-header" configuration in the backend section?
On Thu, 25 May 2023 at 15:25, pham lan wrote:
>
> Hello,
>
> We use haproxy for basic authentication. And afterward, remove the
> Authorization header from the backend section before forwarding the request
> to backend.
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote:
> Initially during the design phase we thought about having 3 states:
> "off", "on", "auto", with the last one only enabling updates for certs
> that already had a .ocsp file. But along discussions with some users
> we were told that it was not goi
On Sat, 3 Jun 2023 at 14:30, William Lallemand wrote:
> That's what we've done in the first place, but I decided to remove it
> because I was not happy with the architecture. And once you have
> something like this, you have to keep the configuration compatibility
> for the next versions and then
Hello,
yes, H2 behaves very differently; due to protocol differences but also
due to other changes. In the beginning H2 was only implemented in the
frontend and every transaction was downgraded to HTTP/1.1 internally.
This was later changed to an internal generic "HTX" representation
that allowed
On Fri, 7 Jul 2023 at 00:26, Tristan wrote:
>
> Hi Willy,
>
> Thanks for sharing that. First, I'm amazed that such a hacky method
> works well-enough to get QUIC (nearly-fully) working.
>
> Now for your concerns... Honestly, I agree with you and really don't
> want to see a brand new protocol comp
On Thu, 7 Sept 2023 at 14:03, Tom Braarup wrote:
>
> Hello,
>
> After upgrading Haproxy from 2.7 to 2.8, with Nginx (1.25.0) as
> backends and Proxy Protocol v2, the connections are not closed,
> CLOSE_WAIT is increasing over time. No configuration changes apart from
> the Haproxy version.
2.8.3
On Thu, 21 Sept 2023 at 01:20, Björn Jacke wrote:
>
> Hello,
>
> I just experienced that maxconn can easily not work as expected and lead
> to unavailable services. Take this example backend configuration of a
> 2.8.3 haproxy setup:
>
> backend bk_example
>balance first
>server server1 1
Hello,
looks like the bug pages are broken; they contain the table of bugs
but there is really no formatting happening and it appears the entire
HTML header and footer is missing:
Example:
http://www.haproxy.org/bugs/bugs-2.4.html
http://www.haproxy.org/bugs/bugs-2.6.2.html
BR,
Lukas
FYI
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
On Tue, 10 Oct 2023 at 20:22, Willy Tarreau wrote:
>
> So at this point I'm still failing to find any case where this attack
> hurts haproxy more than any of the benchmarks we're routinely inflicting
> it, given that it acts exactly like a client configured with a short
> timeout (e.g. if you conf
Hello,
an interesting move from the OpenWRT project:
> Switch from wolfssl to mbedtls as default
> =
>
> OpenWrt has transitioned its default cryptographic library from wolfssl
> to mbedtls. This shift brings several changes and implications:
>
> * Size
On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote:
>
>
>
> On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > Does 1.8 support http/2?
>
> No.
Actually haproxy 1.8 supports H2 (without implementing HTX), as per
the documentation and announcements:
https://www.mail-archive.com/haproxy@formilux
As per issue #435 a hostname with a trailing dot confuses our DNS code,
as for a zero length DNS label we emit a null-byte. This change makes us
ignore the zero length label instead.
Must be backported to 1.8.
---
As discussed in issue #435
---
src/dns.c | 6 ++
1 file changed, 6 insertions
Hello Aleks,
On Mon, 2 Mar 2020 at 22:21, Aleksandar Lazic wrote:
> check-ssl check-sni str("storage.sbg.cloud.ovh.net")
For the health check it's:
check-sni storage.sbg.cloud.ovh.net
(not an expression as per the doc: check-sni )
and for the traffic:
sni str(storage.sbg.cloud.ovh.net)
(as p
Hello,
On Tue, 3 Mar 2020 at 19:06, Ionel GARDAIS
wrote:
>
> Hi,
>
> What is the expected behavior of "option forwardfor" with an IPv6 connection ?
> Frontend listen on IPv4 and IPv6.
The expected behavior is to insert the IPv6 address into the X-F-F
header, and this is exactly what happens in m
Hello,
On Mon, 9 Mar 2020 at 11:23, PR Bot wrote:
>
> Dear list!
>
> Author: Björn Jacke
> Number of patches: 2
>
> This is an automated relay of the Github pull request:
>Docs tls tickets
>
> Patch title(s):
>BUG/MINOR: fix typo of tls-tickets
>DOC: improve description of no-tls-ti
On Mon, 9 Mar 2020 at 19:18, Björn Jacke wrote:
>
> On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> > Perhaps we can relax the wording a bit here and describe the actual
> > technical issue along with some recommendations. Apache for example
> > documents [1]:
>
Clarifies security implications of TLS ticket usage when not
rotating TLS ticket keys, after commit 7b5e136458 ("DOC:
improve description of no-tls-tickets").
---
doc/configuration.txt | 17 +
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/doc/configuration.txt b/doc
Hello,
On Mon, 9 Mar 2020 at 20:39, Илья Шипицин wrote:
>> I would disable session tickets by default in haproxy. Given that most
>> clients support TLS 1.3 already this change would not even slow down many
>> clients.
>
>
> TLS tickets really require more love :)
>
> actually, there are two bad
Hello,
On Tue, 10 Mar 2020 at 07:36, Илья Шипицин wrote:
>> > if you specify, your security team will tell you that "it is not secure".
>> > if you do not specify, keys are generated on startup and it lead to huge
>> > CPU spike on app reload (if you apply new config, app is reloaded and keys
Hello,
On Wed, 11 Mar 2020 at 08:32, Илья Шипицин wrote:
>> On 09.03.20 20:37, Lukas Tribus wrote:
>> >> I think the wording from the patch is still quite relaxed :). One of the
>> >> best
>> >> summaries describing the session ticket fla
Hello,
On Sat, 28 Mar 2020 at 19:19, William Dauchy wrote:
>
> as agreed a few months ago, enable strict-limits for v2.3
master is still for 2.2 which is in development. If you want to target
v2.3, you have to wait until 2.2 is released.
Lukas
Hello Sean,
On Mon, 6 Apr 2020 at 18:12, Sean Reifschneider wrote:
>
> Been kind of watching for the haproxy versions to update in the PPAs for
> Ubuntu. Considering the security nature of them, I'm kind of chomping at the
> bit... :-) Any chance of those getting updated soonish? I can buil
Hello,
On Wed, 8 Apr 2020 at 13:59, kkazmierc...@wp.pl wrote:
>
> Hello,
> We need to know which ports on the server need to be reopened in order to
> appropriate work of HAProxy.
Haproxy does not listen to any ports by default. It listens only to
those ports that you configured haproxy to list
Hello Tim, Aleks,
I fully agree with everything Tim just said.
Let's keep the list about haproxy.
Lukas
Hello,
On Thu, 16 Apr 2020 at 06:04, wrote:
>
> Hi Team
>
> Let us know your availability to work on this.
As Aleks already said:
This haproxy executable has been built without OpenSSL support, which
is required for your configuration.
Provide the output of "which haproxy" and "haproxy -vv", I
Hello,
On Thu, 16 Apr 2020 at 13:51, wrote:
> # which haproxy
> /usr/ local/sbin/haproxy
>
>
>
> Attached output for command “haproxy –vv”
>
>
>
> Also I’m using a AWS RHEL 8.1 version AMI.
>
> Let us know what else is required. Also let me know how to enable Openssl.
> Provide me the rpm link
On Fri, 17 Apr 2020 at 13:57, wrote:
> Even clean installation isn’t working because the default package available
> in RHEL from you is without openssl.
You are wrong.
1) we don't provide any packages. RHEL does.
2) a fresh RHEL 8.1 AMI on AWS works just fine and uses the provided
1.8.15 imag
Hello Ilya ,
On Mon, 20 Apr 2020 at 16:12, Илья Шипицин wrote:
>> I added weekly build for detection incompatibilities against "no-deprecated"
>> openssl.
>>
>> (well, I first thought to add those option to travis, but it became
>> over-engineered from my point of view)
>>
>> Lukas, if you hav
Hello,
On Wed, 6 May 2020 at 20:25, William Lallemand wrote:
> > As such I think it's about time we change the default value to 2048 and
> > get rid of this annoying warning before 2.2 gets released (and at the
> > same time 86% of the users will be able to remove one cryptic line in
> > their co
On Wed, 6 May 2020 at 23:33, Aleksandar Lazic wrote:
>
> Hi.
>
> The doc for [tcp|http]-check expect have some *-status arguments like "L7OK",
> "L7OKC","L6OK" and "L4OK" and so on.
>
> In the whole documentation are this states not explained.
> I'm not sure in which chapter this states fit's, qu
Hello,
On Wed, 27 May 2020 at 13:33, Илья Шипицин wrote:
> ср, 27 мая 2020 г. в 16:09, Tim Düsterhus :
>>
>> William,
>>
>> Am 27.05.20 um 12:40 schrieb William Lallemand:
>> > Hello List,
>> >
>> > Since HAProxy 1.8, the minimum default TLS version for bind lines is
>> > TLSv10. I was thinking
Hello,
On Fri, 29 May 2020 at 04:39, lufeng0...@outlook.com
wrote:
>
> Hi,
>
>
>
> I have compiled haproxy of version2.2-dev8 using Cygwin, in order to use it
> as a load balancer in Windows 10. I want to send a unique ID generated using
> the frontend's "unique-id-format" within the PROXYv2 h
Hello Bjoern,
On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote:
>
> Hi,
>
> currently i'm testing Ubuntu 20.04 and HAProxy 2.0.14.
>
> I'm trying to get TLSv1 working (we need this for some legacy clients), so
> far without success.
>
> I've read different things, on the one hand Ubuntu ha
at waiting for network-online.target
> could delay boot time.
I agree with this change, I think the advantages outweigh the disadvantages.
Acked-by: Lukas Tribus
Lukas
Hello,
On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote:
>
> Fix parsing of configurations if the configuration file does not end with
> an LF.
... but it's also warning about it at the same time.
So it's unclear to me:
Do we support a configuration without trailing LF or not?
If yes, there
Hello Tim,
On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote:
>
> Lukas,
>
> Am 22.06.20 um 18:41 schrieb Lukas Tribus:
> > On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote:
> >>
> >> Fix parsing of configurations if the configuration file does not end w
On Mon, 22 Jun 2020 at 21:21, Willy Tarreau wrote:
>
> Hi guys,
>
> On Mon, Jun 22, 2020 at 07:49:34PM +0200, Lukas Tribus wrote:
> > Hello Tim,
> >
> > On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote:
> > >
> > > Lukas,
> > >
> >
Hello,
On Monday, 22 June 2020, Willy Tarreau wrote:
>
> > Configuration file is valid
>
> Looks good to me.
>
> > I guess a truncated last line cannot be differentiated from file that
> > does not
> > end with a new line, because fgets() consumes the full line (triggering
> the
> > eof), ev
Hello Michael,
On Tue, 7 Jul 2020 at 15:16, Michael Wimmesberger
wrote:
>
> Hi,
>
> I might have found a potentially critical bug in haproxy. It occurs when
> haproxy is retrying to dispatch a request to a server. If haproxy fails
> to dispatch a request to a server that is either up or has no h
Hello,
On Fri, 10 Jul 2020 at 08:08, Christopher Faulet wrote:
> Hi,
>
> I finally pushed this fix in the 2.0. Note the same bug affected the HTTP
> proxy
> mode (using http_proxy option). In this case, the connection retries is now
> disabled (on the 2.0 only) because the destination address i
Hello,
On Sat, 11 Jul 2020 at 13:20, Jonathan Matthews wrote:
>
> On Sat, 11 Jul 2020 at 12:14, Tofflan wrote:
>>
>> Hello!
>>
>> I'm trying to set up HAProxy on my Pfsense router, the links under
>> documentation don't work. example:
>> https://cbonte.github.io/haproxy-dconv/2.3/intro.ht
req_ssl_sni is not compatible with protocols negotiating TLS
explicitly, like SMTP on port 25 or 587 and IMAP on port 143.
Fix an example referring to 587 (SMTPS port with implicit TLS
is 465) and amend the req_ssl_sni documentation.
This doc fix should be backported to supported versions.
---
d
I will comment next week, but I generally agree that we should move the
version output to the end, as I noticed the same issue.
expected/actual behaviour sections are painful in the obvious cases (don't
crash/crash), but oftentimes users just assume their intent is obvious when
it's really not.
l
Hello,
On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote:
> > defaults
> > http-reuse always
> >
> > backend abuse
> > timeout server 60s
> > balance roundrobin
> > hash-balance-factor 0
> > server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4
> >
> > listen l_abuse
> >
On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote:
> > However on a unix domain socket like this we never had this issue in
> > the first place, as connection-reuse cannot be used on it by
> > definition, correct?
>
> No, it doesn't change anything. We consider the connection, the protocol
> famil