Re: Quick question re errorloc urls

2017-11-03 Thread Lukas Tribus
Hello Andy, 2017-11-03 13:44 GMT+01:00 Franks Andy (IT Technical Architecture Manager) : > First of all, the errorloc “redirection” from a 503 works fine but since > this intranet page is configured using an internal CA certificate and for > some reason the client doesn’t see the letsencrypt certif

Re: Logging errors during reload of haproxy

2017-11-03 Thread Lukas Tribus
Hello, > This is a test system with not much load other than my little 'ab -c 10 ...' > is creating. We have unix logging everywhere locally, works even under heavy > load. Be that as it may, this is a syscall returning an error: http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/log.c;h=88e0d

Re: Logging errors during reload of haproxy

2017-11-03 Thread Lukas Tribus
Hello Veiko, 2017-11-03 12:21 GMT+01:00 Veiko Kukk : > Hi, > > I noticed, while trying to reproduce conditions for another bug about > processes never closing after restart, that sometimes reload causes logging > errors displayed. > > Following config section might be relevant: > > global > log

Re: 1.8-RC1 100% cpu usage

2017-11-02 Thread Lukas Tribus
Hello Mihail, 2017-11-02 15:20 GMT+01:00 Mihail Samoylov : > I recompiled with threads explicitly disabled: > > root@ubuntu-xenial:~/4/haproxy-1.8-rc1# ./haproxy -vv > HA-Proxy version 1.8-rc1-901f75c 2017/10/31 > Copyright 2000-2017 Willy Tarreau > > Build options : > TARGET = linux2628 > C

Re: 1.8-RC1 100% cpu usage

2017-11-02 Thread Lukas Tribus
2017-11-02 15:20 GMT+01:00 Mihail Samoylov : > I recompiled with threads explicitly disabled: The variable would have to be empty, not 0, to make any difference (USE_THREAD=). Still, threads are not supposed to be used without explicit configuration (nbthreads), so this is probably a different prob

Re: 1.8-RC1 100% cpu usage

2017-11-02 Thread Lukas Tribus
Hi, 2017-11-02 14:33 GMT+01:00 Pavlos Parissis : > On 02/11/2017 02:24 μμ, Mihail Samoylov wrote: >> Hi. >> >> I've tried 1.8-RC1 and in my case it ate 100% CPU and didn't work. I found >> out that this is caused >> by option httpchk. When I commented this line everything became fine. Some >> d

Re: [ANNOUNCE] haproxy-1.8-rc1 : the last mile

2017-11-01 Thread Lukas Tribus
Hello Willy, > - client-facing HTTP/2 : that's HTTP/2 support on the frontend. It's > much better after the completely new rewrite than the first attempt a > few months ago, and in the end I'm really happy with the outcome > despite the pain it was. It's now almost complete, it supp

Re: [ANNOUNCE] haproxy-1.8-rc1 : the last mile

2017-11-01 Thread Lukas Tribus
Hello, outstanding work everyone! I hope to play with those features soon. Just upgrading the binary from -dev3 to -rc1 however broke my setup: Turns out that the new object caching code breaks when another filter (compression) is already enabled (at config parsing stage) - even when object ca

Re: confusion regarding usage of haproxy for large number of connections

2017-10-31 Thread Lukas Tribus
Hello, 2017-10-31 6:55 GMT+01:00 Baptiste : > hi > > You miss a "maxconn 8000" in your frontend as well. > maxconn in the global section is process-wide, but it does not apply to the > frontend (which is limited to 2000 connections by default). However "maxconn 8000" is in the default sectio

Re: load balancing using haproxing with 3 mqttbroker with different ports

2017-10-24 Thread Lukas Tribus
Hello Kushal, 2017-10-24 10:06 GMT+02:00 kushal bhattacharya < bhattacharya.kush...@gmail.com>: > Hi, > My main goal is to distribute 8000 connections among 3 mqtt brokers having > capacity of 3000,3000,2000 respectively .I want to distribute it in the > following way;first 3000 connections

[PATCH 1/2] BUG/MINOR: cli: restore "set ssl tls-key" command

2017-10-24 Thread Lukas Tribus
in 32af203b75 ("REORG: cli: move ssl CLI functions to ssl_sock.c") "set ssl tls-key" was accidentally replaced with "set ssl tls-keys" (keys instead of key). This is undocumented and breaks upgrades from 1.6 to 1.7. This patch restores "set ssl tls-key" and also registers a helptext. This should

[PATCH 2/2] CLEANUP: cli: remove undocumented "set ssl tls-keys" command

2017-10-24 Thread Lukas Tribus
The documented "set ssl tls-key" command must be used instead. This is for 1.8 only. --- src/ssl_sock.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 79fddc8..697961f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -7906,7 +7906,6 @@ static struct cl
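Review bot: the commit message should warn that this removes the only spelling 1.7 has shipped with (patch 1/2 says "set ssl tls-key" was lost in 32af203b75 and only "tls-keys" survived), so any operator who adapted scripts to "set ssl tls-keys" on 1.7 will break when moving to 1.8; either say so explicitly in the message, or keep "tls-keys" as a hidden alias for one release and drop it later.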

Re: Is there any best practice for setting tune.bufsize?

2017-10-23 Thread Lukas Tribus
Hello, 2017-10-23 8:49 GMT+02:00 : > Hi, > > Is there any best practice for setting tune.bufsize? > > such as, leave it as is (16k), or never make it bigger than 1MB, something > like this? From the documentation: > *It is strongly recommended not to change this from the default value* Best p

Re: [PATCH] checks: Add a keyword to specify the SNI in health checks

2017-10-22 Thread Lukas Tribus
Hello, 2017-10-17 18:12 GMT+02:00 Willy Tarreau : > On Tue, Oct 17, 2017 at 05:36:19PM +0200, Olivier Houchard wrote: >> Hi, >> >> The attached patch adds a new keyword to servers, "check-sni", that lets you >> specify which SNI to use when doing health checks over SSL. > > And applied as well (I

Re: [PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread Lukas Tribus
Hello! 2017-10-18 18:36 GMT+02:00 Willy Tarreau : > On Wed, Oct 18, 2017 at 04:29:19PM +0200, Olivier Houchard wrote: > > A few counters (namely, MaxSslRate, SslFrontendMaxKeyRate, and > > SslBackendMaxKeyRate) are not cleared as I think they should, when clear > > counters is used. > > The atta

Re: Haproxy returns 502 before backend replies with 200

2017-10-13 Thread Lukas Tribus
Hello Alexey, > Details of error 502 from Haproxy: > > client_ip= client_port=32668 backend=http_data times=0/0/0/-1/91 > http_status=502 bytes_uploaded=478 bytes_read=1807 termination_state=PH-- > connections=1/0/0/0/0 queues=0/0 "PATCH /incoming_data HTTP/1.1" > > Termination state PH means e
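The termination-state decoding Lukas refers to, as an added example that is not part of the original thread: a small Python parser for the key=value log layout quoted in the message (HAProxy's default log format differs; the field names are taken from the quoted line, the sample lines are constructed, and the client addresses are made-up documentation addresses). It decodes the first two characters of termination_state according to HAProxy's documented session-state codes, treats -1 in the times field as "this phase never completed", and pulls out the PH entries, i.e. responses the proxy itself aborted while still waiting for valid headers from the server, which is what a 502 with times=0/0/0/-1/91 means.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# First character of termination_state: what caused the session to end.
CAUSE = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session (limit hit, deny rule, or an invalid/dangerous server response was blocked)",
    "R": "proxy resource exhausted (memory, sockets, source ports)",
    "I": "internal error detected by the proxy",
    "D": "session killed because the server was detected down",
    "U": "session killed on a backup server because an active server came back up",
    "K": "session killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal completion",
}

# Second character: which phase the session was in when it ended.
STATE = {
    "R": "waiting for a complete, valid request from the client",
    "Q": "waiting in the queue for a connection slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete, valid response headers from the server",
    "D": "in the data phase",
    "L": "transmitting last data to the client",
    "T": "request tarpitted",
    "-": "normal completion after end of data transfer",
}

TIME_NAMES = ("Tq", "Tw", "Tc", "Tr", "Tt")  # same order as HAProxy's Tq/Tw/Tc/Tr/Tt

# Constructed sample lines in the key=value layout quoted in the thread. The first
# line mirrors the quoted 502 (with a documentation address filled in for the
# redacted client_ip); the other two are made up for contrast.
SAMPLE_LOG = """\
client_ip=203.0.113.10 client_port=32668 backend=http_data times=0/0/0/-1/91 http_status=502 bytes_uploaded=478 bytes_read=1807 termination_state=PH-- connections=1/0/0/0/0 queues=0/0 "PATCH /incoming_data HTTP/1.1"
client_ip=203.0.113.11 client_port=40112 backend=http_data times=1/0/0/12/14 http_status=200 bytes_uploaded=310 bytes_read=980 termination_state=---- connections=1/0/0/0/0 queues=0/0 "GET /health HTTP/1.1"
client_ip=203.0.113.12 client_port=40113 backend=http_data times=2/0/-1/-1/3005 http_status=503 bytes_uploaded=300 bytes_read=212 termination_state=sC-- connections=1/0/0/0/0 queues=0/0 "GET /slow HTTP/1.1"
"""


@dataclass
class Entry:
    fields: Dict[str, str]
    times: Dict[str, Optional[int]]   # None where HAProxy logged -1 (phase never completed)
    request: Optional[str]
    cause: str
    state: str


def parse_line(line: str) -> Entry:
    """Parse one key=value log line; unknown codes map to 'unknown' rather than raising."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))     # \S* keeps redacted empty values
    m = re.search(r'"([^"]*)"\s*$', line)                # trailing quoted request line
    request = m.group(1) if m else None
    times: Dict[str, Optional[int]] = {}
    if fields.get("times"):
        for name, raw in zip(TIME_NAMES, fields["times"].split("/")):
            value = int(raw)
            times[name] = None if value < 0 else value
    ts = fields.get("termination_state", "")
    cause = CAUSE.get(ts[0], "unknown") if len(ts) > 0 else "unknown"
    state = STATE.get(ts[1], "unknown") if len(ts) > 1 else "unknown"
    return Entry(fields, times, request, cause, state)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def proxy_blocked_responses(text: str) -> List[Entry]:
    """Entries where HAProxy itself aborted while reading the server's response headers (PH)."""
    return [e for e in parse_log(text) if e.fields.get("termination_state", "").startswith("PH")]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f'{e.fields["http_status"]} {e.fields["termination_state"]} {e.request!r}: '
              f'{e.cause}; {e.state}; times={e.times}')
```

A PH entry with Tr=-1 tells you the server's response never made it past header parsing in HAProxy, so the 502 was generated by the proxy, not forwarded from the backend; that is where to look (a "show errors" on the stats socket keeps the offending response) before blaming the application.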

Re: Unable to modify haproxy stats url header

2017-10-11 Thread Lukas Tribus
Hello Suraj, hello Willy, > frontend stats_proxy >     bind :ssl crt no-sslv3 no-tlsv10 > ciphers >     mode http >     default_backend stats_server >     rspadd Cache-Control:\ no-store,no-cache,private >     rspadd Pragma:\ no-cache >     rspadd Strict-Transport-Security: > > backend stats_s

Re: Unable to modify haproxy stats url header

2017-10-09 Thread Lukas Tribus
Hello, On 09.10.2017 at 15:28, Suraj Bora -X (surbora - HCL AMERICA INC at Cisco) wrote: > >   > > *We have recently migrated to haproxy 1.5.4 from the haproxy-1.5-dev23.3 release, > not seen this issue on same.* > I'm sorry, but 1.5.4 is 3 years old already and contains 183 already fixed bugs: h

Re: Denying client certificates

2017-10-06 Thread Lukas Tribus
Hello, On 06.10.2017 at 15:33, Marco Corte wrote: > > Is there a way to deny the access to some certificates without using a > certificate revocation list? > I am trying with ACLs like > >   acl revoked_cert ssl_c_serial,hex 0x25 > or >   acl revoked_cert ssl_c_sha1,hex 0xFC481501DB98290C5E9B22

Re: [PATCH] Add info about stats report when a reload is done in management.txt

2017-10-05 Thread Lukas Tribus
Hello Ricardo, On 05.10.2017 at 09:47, Ricardo Fraile wrote: > +Note that when a "restart" is doing, the new process have the listening ports > +but the old process continue with the existing connections until they close. > +All the active connections that the old process did are still working b
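Review bot: the three added lines describe a reload (a new process takes over the listening ports while the old one keeps serving its existing connections until they close), but call it a "restart"; a restart stops the old process before the new one starts, so the text should say "reload". The grammar needs fixing in the same lines: "when a "restart" is doing" should read "when a reload is done", "the new process have" should be "has", and "the old process continue" should be "continues".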

Re: Inquiry: Information, HAProxy

2017-10-05 Thread Lukas Tribus
Hello Logan, On 05.10.2017 at 02:29, Logan Hicks wrote: > > Aaron West, > > Thank you! It's great to know I'm not just tossing information into oblivion. > Thank you for such a fast reply. > > All, > > > I am looking for a good tutorial to help me truly understand how and why > HAProxy works. >

Re: Haproxy refuses new connections when doing a reload followed by a restart

2017-10-04 Thread Lukas Tribus
Hello Moemen, On 04.10.2017 at 19:21, Moemen MHEDHBI wrote: > > I am wondering if this is actually an expected behaviour and if maybe > that restart/stop should just shutdown the process and its open connections. > I have made the following tests: > 1/ keep an open connection then do a restart w

Re: Haproxy refuses new connections when doing a reload followed by a restart

2017-10-04 Thread Lukas Tribus
Hello Niels, a restart means stopping haproxy - and after haproxy exited completely, starting haproxy again. When that happens, haproxy immediately stops listening to the sockets and then waits for existing connections to be closed (you can accelerate that with hard-stop-after [1], but that's not

Re: Use EV certificate for root domain and wildcard certificate for subdomains

2017-09-26 Thread Lukas Tribus
Hello Marco, On 26.09.2017 at 20:42, Pushpad Support wrote: > Could you help with this question?  > https://serverfault.com/questions/875572/use-ev-ssl-certificate-in-haproxy-for-root-domain > > I think it is a pretty general use case. You should be able to achieve this using crt-list: https://

Re: Question related to gpc0_rate values in stick-table

2017-09-25 Thread Lukas Tribus
Hello, On 25.09.2017 at 10:34, Saurabh Patwardhan wrote: > > Hi HAProxy Team, > >   > > We are using haproxy 1.5.2 as a load balancer for our solution. > Before going any further here, notice that 1.5.2 is 3 years old and has a huge number of bugs: http://www.haproxy.org/bugs/bugs-1.5.2.html

Re: Dynamic server name with HAProxy, based on original hostname

2017-09-18 Thread Lukas Tribus
Hello, On 17.09.2017 at 23:11, Ludovic Gasc wrote: > >   > > Regarding your specific example, what exactly is not working? Haproxy > will perform dns resolution on startup and my guess would be it throws an > error since %[hdr(host)] at that point is empty. > > > Exactly. > No idea to avoi

Re: Kernel TLS for http/2

2017-09-14 Thread Lukas Tribus
Hello, On 05.09.2017 at 10:00, Willy Tarreau wrote: > Hi Aleks, > > On Mon, Sep 04, 2017 at 09:34:07AM +0200, Aleksandar Lazic wrote: >> Hi, >> >> Has anyone seen KTLS also? >> >> https://lwn.net/Articles/666509/ >> >> https://netdevconf.org/1.2/papers/ktls.pdf >> >> looks pretty interesting. >

Re: Is there a way to extract list of bound IPs via stats socket ?

2017-09-01 Thread Lukas Tribus
Hello, On 01.09.2017 at 15:46, Mariusz Gronczewski wrote: > Hi, > > I've been working on a piece of code to announce IPs (via ExaBGP) only if: > > * HAProxy is running > * HAProxy actually uses a given IP > * a frontend with given IP is up for a few seconds. > > I could do that via lsof but that's

Re: HAProxy 1.7.9 very slow with HTTP compression

2017-08-31 Thread Lukas Tribus
Hi Nick, On 31.08.2017 at 14:16, Nick Stolwijk wrote: > Today we noticed something strange after updating our HAProxy to 1.7.9. A > request which took a mere second before now takes a whopping 45 seconds. > > After some playing around, we found that if we turned off the compression on > HAProx

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Lukas Tribus
Hello, > Hehe yikes! This was it. It’s normal that someone gets lost in all > this cipher crap and it should be written in the HaProxy manual as > an important step on how to harden security. It's not a good idea to suggest specific cipher settings in the manual, as the situation may change fast

Re: Two way authentication issue

2017-08-25 Thread Lukas Tribus
Hello, On 25.08.2017 at 17:27, Markus Rietzler wrote: > you can do or use client authentication with ssl certificates on haproxy. My point is: you cannot enable SSL client certificate authentication on a specific URI. You need server-based renegotiation for that, which haproxy does not suppo

Re: Two way authentication issue

2017-08-24 Thread Lukas Tribus
Hello, On 25.08.2017 at 01:47, Keresztes Péter-Zoltán wrote: > Hello > > Basically what I need is when I browse /service/ws to use client certificate > authentication otherwise for everything else to use normal ssl termination this is not possible with Haproxy. Also, never ever bind to the sa

Re: Bug

2017-08-21 Thread Lukas Tribus
Hello, On 21.08.2017 at 09:48, Andrzej Sobociński wrote: > > Hey, > > I found a bug in haproxy 1.7, also not working in ver 1.6 > > The condition does not work properly in option http-response > > Can you fix that? Thx > >   > > CFG: > >   > > frontend https-secure.pl > >   acl is_domain hdr(host) -i secur

AW: Re: CPU 100% when waiting for the client timeout

2017-08-17 Thread Lukas Tribus
Hello, > Has this bug been fixed now in 1.6.13 or 1.7.8? > > We have confirmed this bug still exists in 1.6.3. Yes, the fix is in 1.7.4 and 1.6.12. Regards, Lukas

Re: maxconn not respecting idle connections?

2017-08-17 Thread Lukas Tribus
Hello, On 09.08.2017 at 11:12, Willy Tarreau wrote: > > There might be something which can work, which is > to chain to a TCP listener. It will enforce the maxconn count at the TCP > level. Or a simpler workaround: disable http keepalive on the backend with "option http-server-close". cheers,

Re: maxconn without queue?

2017-08-02 Thread Lukas Tribus
Hello, On 02.08.2017 at 14:41, Claudio Kuenzler wrote: > Quick update: I set a really short timeout on the queue (timeout queue 100) > so HAProxy returns a 503 to the 7th connection almost immediately as well. > That's what I was about to propose, yes. You should even be able to set "timeout qu

Re: Problem with BOM in healthcheck-file?

2017-07-20 Thread Lukas Tribus
Hello, On 20.07.2017 at 17:28, rai...@ultra-secure.de wrote: > > >> od -c bomfile. > > > 000 377 376 s \0 e \0 r \0 v \0 e \0 r \0 _ \0 > 020 u \0 p \0 \r \0 \n \0 > 030 > Obviously haproxy can't match this. Not only because of the BOM, but also becaus

Re: Does anyone heard about DPDK

2017-07-17 Thread Lukas Tribus
Hello, On 15.07.2017 at 14:18, Andrew Smalley wrote: > On 15 July 2017 at 10:32, Aleksandar Lazic wrote: >> Hi, >> >> Network acceleration with DPDK >> https://lwn.net/Articles/725254/ >> >> -- >> Best Regards >> Aleks I believe eBPF + XDP is more interesting at this point, but I guess it all

Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-07-13 Thread Lukas Tribus
Hello! On 29.06.2017 at 16:14, Philipp Kolmann wrote: > Hi Lukas, > > On 06/19/17 21:23, Lukas Tribus wrote: >> On 19.06.2017 at 11:27, Philipp Kolmann wrote: >>> This config works in 1.5.8 but fails to tcp-check in 1.7.5. >>> >>> The errors in the lo

Re: 2x filter + keep-alive regressions (1.7 affected)

2017-07-06 Thread Lukas Tribus
Hi Christopher, On 06.07.2017 at 23:01, Christopher Faulet wrote: > > Hi guys, > > Attached patches should fix this bug. The real fix is in the last one. > But all 3 must be backported to 1.7. I made tests with Lukas' > config and http-keep-alive timeout is now respected. But because filt

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-07-06 Thread Lukas Tribus
Hi Christopher, On 30.06.2017 at 11:14, Christopher Faulet wrote: > >> We are seeing this as well on 1.7.5. The problem seems to be >> intermittent--it doesn't happen very often when I hit a system with almost >> no load, but is happening very frequently on a high load system. I don't >> beli

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-05 Thread Lukas Tribus
Hi Emeric, On 05.07.2017 at 13:58, Emeric Brun wrote: > >> Another bisect (this time with -dM or -DDEBUG_MEMORY), another commit... >> Now it points to 23e9e931 (MINOR: log: Add logurilen tunable). >> >> > Hi Lukas, > > Indeed this commit introduced a regression. > > The commit in attachment sho

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
On 04.07.2017 at 23:18, Willy Tarreau wrote: > On Tue, Jul 04, 2017 at 10:57:08PM +0200, Lukas Tribus wrote: >> The call trace doesn't really look different when I used -dM or >> -DDEBUG_MEMORY. >> >> I was able to get a different trace by actually con

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi, On 04.07.2017 at 22:35, Willy Tarreau wrote: > > This one should theoretically not be caused by an issue in the task scheduler, > unless we're reusing something already freed. We could retry it with -dM > and/or -DDEBUG_MEMORY to force earlier corruption to pop up. The call trace doesn't real

Re: ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi Willy, On 04.07.2017 at 22:24, Willy Tarreau wrote: > Hi Lukas, > > On Tue, Jul 04, 2017 at 09:56:09PM +0200, Lukas Tribus wrote: >> Hi Emeric, >> >> >> since 8d85aa4 ("BUG/MAJOR: map: fix segfault during 'show >> map/acl' on cli"

ssl: crashing since 8d85aa (BUG/MAJOR: map: fix segfault ...)

2017-07-04 Thread Lukas Tribus
Hi Emeric, since 8d85aa4 ("BUG/MAJOR: map: fix segfault during 'show map/acl' on cli") my setup crashes when a request comes in going through SSL termination. memory corruption, invalid pointers, double free is what haproxy randomly crashes with. Here 2 crashes with full backtrace: *** Error

2x filter + keep-alive regressions (1.7 affected)

2017-06-30 Thread Lukas Tribus
Hello Christopher, William, Willy, et al.! Matt McDonagh reported a regression on discourse [1] in 1.7.6 that causes haproxy to ignore "timeout http-keep-alive" when going through filters (aka compression is enabled) and also causes logging to be delayed. Because timeouts are ignored and wrong

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Lukas Tribus
vented people - in this case Jarno - from trying to explain the same thing all over again). Its about helping people out, but that doesn't work in the long term when we have people deliberately spread questions about the same topic across different channels (mailing list, discourse). Lukas

Re: Reg: HAProxy 1.6.12 on RHEL7.2 (MAXCONN in FRONT-END/LISTEN BLOCK)

2017-06-27 Thread Lukas Tribus
Hello, Am 27.06.2017 um 12:04 schrieb Velmurugan Dhakshnamoorthy: > Dear, > The HAProxy 1.6.12 has been implemented on Red Hat Linux 7.2(3.10) and we > have set the maxconn to 100 in listen block(front-end). Our objective is to > queue connections more than 100 into linux kernel syn log until t

Re: Reverse Gateway Throught Security Zones

2017-06-22 Thread Lukas Tribus
Hello Himer, this is probably not the response you wanna hear ... On 22.06.2017 at 22:47, Himer Martinez wrote: > Hello Guys, > > Sorry to bother you with my specific questions :-) > > Let's imagine a paranoid security team who forbids http and tcp flows between > the dmz zone and the green

Re: HAProxy makes backend unresponsive when handling multiple thousand connections per second

2017-06-21 Thread Lukas Tribus
Hello, > Daniel, if using ssl to the backends shouldn't you use http mode? > Per your config you are using tcp which is default one. Afaik tcp > is for ssl passthrough. For the record, this is not true. Just because you need TCP mode for TLS passthrough, doesn't mean you have to use HTTP mode wh

Re: Trouble getting rid of Connection Keep-Alive header

2017-06-21 Thread Lukas Tribus
Hi Mats, On 21.06.2017 at 14:30, Mats Eklund wrote: > > Hi, > > > Thanks, here's the full config: > So for the record, what you are trying to achieve is to disable HTTP keep-alive between haproxy and the browser? In the default section, replace: option http-server-close with: option httpclose

Re: Trouble getting rid of Connection Keep-Alive header

2017-06-20 Thread Lukas Tribus
Hello Mats, On 21.06.2017 at 07:59, Mats Eklund wrote: > > > Hi, > > > I am running a load balanced Tomcat application on Openshift Online v2, with > HAProxy ver. 1.4.22 as load balancer. > > > I would like to have HTTP connections closed after each response is returned. > But am unable to mak

BUG: frontend IP/port logging broken since 9b061e332

2017-06-20 Thread Lukas Tribus
Hello, as per Mathias Weiersmueller's report on discourse [1], there is a bug in TCP logging when using a custom log-format, accessing the frontend IP or port (%fi/%fp or the deprecated form %Fi/%Fp) in conjunction with other log variables like %Tw or %B. Repro config: global log syslog debug

Re: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC

2017-06-20 Thread Lukas Tribus
Hello, On 20.06.2017 at 17:00, Teichmann, Janek wrote: >> I'm not sure if this was backported in RedHat/CentOS. Is the package >> up to date (should be openssl-1.0.1e-60.el7.x86_64 afaik)? > By now openssl is recent (your version is right), but there have been no > openssl bugfixes for a long time. I couldn'

Re: HAProxy 1.5.18 - rare handshake failure - Bad Record MAC

2017-06-19 Thread Lukas Tribus
Hello Janek, On 19.06.2017 at 14:13, Teichmann, Janek wrote: > Hi, > > I have a problem with HAProxy 1.5.18 on a Centos 7.2.1511. I installed the > HAProxy from the epel repository. So just the normal packages. > The problem is a rarely appearing ssl handshake error. HAProxy is terminating >

Re: Debian upgrade to haproxy 1.7.5: tcp-check fails with Socket error, info: "No port available for the TCP connection"

2017-06-19 Thread Lukas Tribus
Hello, On 19.06.2017 at 11:27, Philipp Kolmann wrote: > This config works in 1.5.8 but fails to tcp-check in 1.7.5. > > The errors in the logfile look like this: > > Jun 19 10:52:57 testha2 haproxy[5042]: Server mail-exchtest-smtp/mbx13a is > DOWN, reason: Socket error, info: "No port available

Re: Logging SSL pre-master-key

2017-06-13 Thread Lukas Tribus
Hi Patrick, On 13.06.2017 at 01:31, Patrick Hemmer wrote: > > > On 2017/6/12 15:14, Lukas Tribus wrote: >> Hello, >> >> >> On 12.06.2017 at 19:35, Patrick Hemmer wrote: >>> Would we be able to get a new sample which provides the SSL session >>&

Re: Issue while using Proxy protocol in TCP mode

2017-06-13 Thread Lukas Tribus
Hello Vijay, On 13.06.2017 at 10:07, Vijay Bais wrote: > Hello, > > I am using HAProxy version 1.5-dev25-a339395. This is an unstable development version of haproxy that is more than 3 years old. There is no way we can support this release here. Upgrade to a stable release, first of all. > > Facin

Re: Logging SSL pre-master-key

2017-06-12 Thread Lukas Tribus
Hello, On 12.06.2017 at 19:35, Patrick Hemmer wrote: > Would we be able to get a new sample which provides the SSL session > master-key? > This is so that when performing packet captures with ephemeral ciphers > (DHE), we can decrypt the traffic in the capture. There is no master key. What you

Re: Scaling HAProxy over multiple cores with session stickyness

2017-06-09 Thread Lukas Tribus
Hello Peter, On 09.06.2017 at 10:27, Peter Kenens wrote: > > I understand that more than 1 HAProxy process can be configured > (nbproc) and via cpu-map and bind-process you can specify to which > cores these processes might bind. > > I also understand that the table with cookies is kept in memor

Re: Updates to the stable release process

2017-06-08 Thread Lukas Tribus
Hello! On 08.06.2017 at 17:30, Willy Tarreau wrote: > Hi all, > > William has joined Cyril and me in the stable maintenance team. We're now > three to have direct commit access, so don't be surprised if you see > new names in "git log --format=fuller" or in the gitweb interface. > That's a very

Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Lukas Tribus
Hello Norman, On 31.05.2017 at 00:13, Norman Branitsky wrote: > > You are correct. > > I was setting the jvmRoute parameter to be the server id (AWS EC2 > InstanceID) in my regular apps served by HAProxy 1.5.18. > > The HAProxy 1.7.5 testing is using a different app that obviously > doesn't have

Re: HAProxy 1.7.5 cookie JSESSIONID prefix not working

2017-05-30 Thread Lukas Tribus
Hello Norman, On 30.05.2017 at 18:06, Norman Branitsky wrote: > > The server’s identifier is not added to the cookie. > Did you specify the cookie value on the server line [1], as per [2]: > The value of the cookie will be the value > indicated after the > "cookie

Re: [PATCH] MEDIUM: ssl: disable SSLv3 per default for bind

2017-05-25 Thread Lukas Tribus
Hello, On 23.05.2017 at 17:17, Emmanuel Hocdet wrote: > Hi, > > I think it’s time to disable SSLv3 on bind line per default. > All configurations should have no-sslv3 (or used a ssllib without sslv3). > SSLv3 can be enabled with "ssl-min-ver SSLv3". > > What do you think? +1 agreed, no need to en

Re: Haproxy first core 100%

2017-05-25 Thread Lukas Tribus
Hello Haim, On 25.05.2017 at 09:23, Haim Ari wrote: > > Hello, > > > I'll try to describe the issue as clearly as possible: > > > We set up an haproxy Cluster on Ubuntu16.04 + pacemaker + corosync > > We faced an issue where after working for a few hours with single core > (the haproxy process was

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-11 Thread Lukas Tribus
Hi, On 11.05.2017 at 21:13, Jim Pingle wrote: > On 05/11/2017 01:58 PM, Frederic Lecaille wrote: >> I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM. >> >> Replacing your call to close() by fd_delete() which removes the fd from >> the fd set used by kevent *and close it

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-10 Thread Lukas Tribus
Hi Baptiste, commit 26c6eb838 breaks kqueue; in the child process we see: 3069: kevent(0,{ 4,EVFILT_READ,EV_ADD,0x0,0x0,0x0 1,EVFILT_READ,EV_ADD,0x0,0x0,0x0 5,EVFILT_READ,EV_ADD,0x0,0x0,0x0 },3,0x0,0,0x0) ERR#9 'Bad file descriptor' full truss output below. I had to remove Jim from CC, as my o

Re: haproxy not creating stick-table entries fast enough

2017-05-09 Thread Lukas Tribus
Hello, On 09.05.2017 at 02:52, redundantl y wrote: > The way ab is being executed is in line with our real world use. A > separately hosted application will generate HTML with several (20-30) > elements that will be loaded simultaneously by the end user's > browser. There isn't a delay, the ele

Re: haproxy not creating stick-table entries fast enough

2017-05-08 Thread Lukas Tribus
Hello, On 09.05.2017 at 00:38, redundantl y wrote: > I am running haproxy 1.5.18-3 on CentOS 7 and need to use the > stick-table feature to make sure traffic for a specific user persists > to a given server. > > Things work fine when connections come in slowly, however when there's > numerous si

Re: Automatic Certificate Switching Idea

2017-05-08 Thread Lukas Tribus
Hello, On 30.04.2017 at 22:16, Daniel Schneller wrote: > Hi! > > Yes, you got it right. I have no idea if there are technical limitations in > the SSL library or other parts of the code that would make several > certificate/key pairs for the same domain infeasible. > > If there were hard rest

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

2017-05-08 Thread Lukas Tribus
Hello, On 08.05.2017 at 10:56, Daniel Schneller wrote: > Just my 2c, I very much support Kevin’s argument. > Even though we are not (yet) verifying backends — because currently we > _are_ in a private LAN — we are planning to deploy parts of our > application to public cloud infrastructure soon,

[PATCH v3] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as insecur

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
> I'm just waiting for Emeric's approval to merge it. Don't commit yet, there's a little bug in it, I will send a v3 shortly. Sorry about that, lukas

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
>> SSL_OP_CIPHER_SERVER_PREFERENCE is not evil. But yeah - we do want to have >> maximal flexibility in every case. > > Does this mean that this should also be backported to 1.7 in your opinion ? > Maybe even older versions ? Yes, at this point (since the v2 patch doesn't change the default behavi

AW: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-04 Thread Lukas Tribus
> Can client "override" servers ssl-default-server-ciphers/bind ciphers( > or is the cipher suite selected from ssl-default-server-ciphers/ciphers)? Both the server and the client have a list of supported cipher suites, ordered by preference. With SSL_OP_CIPHER_SERVER_PREFERENCE enabled, the serve
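The selection rule Lukas describes, as an added Python model that is not HAProxy or OpenSSL code: two ordered lists, and a flag deciding whose order wins. The suite names and the client profiles are constructed. The model goes one step beyond the thread in letting a server list contain an equal-preference group (a tuple, modelled on the BoringSSL "[A|B]" idea): within such a group the server defers to the client's order, which lets a server keep AES-GCM first for AES-NI hardware while a phone without it gets CHACHA20. That grouping is an assumption about desirable behaviour, not something the haproxy patch implements.

```python
from typing import Optional, Sequence, Tuple, Union

# A server preference entry is either one suite name or a tuple of names the server
# considers equally good (equal-preference group, modelled on BoringSSL's "[A|B]"
# syntax; a plain OpenSSL cipher string has no groups).
Entry = Union[str, Tuple[str, ...]]


def _members(entry: Entry) -> Tuple[str, ...]:
    return entry if isinstance(entry, tuple) else (entry,)


def select_cipher(client_prefs: Sequence[str], server_prefs: Sequence[Entry],
                  server_preference: bool = True) -> Optional[str]:
    """Return the negotiated suite, or None when the lists do not overlap.

    server_preference=True  : SSL_OP_CIPHER_SERVER_PREFERENCE set; the server walks its
                              own list and takes the first suite the client offered.
                              Inside an equal-preference group the client's order decides.
    server_preference=False : the client's order decides; the server list is only a filter.
    Either way a suite the server does not list can never be negotiated.
    """
    if not server_preference:
        allowed = {s for e in server_prefs for s in _members(e)}
        return next((c for c in client_prefs if c in allowed), None)
    for entry in server_prefs:
        group = _members(entry)
        for c in client_prefs:          # client order breaks ties within a group
            if c in group:
                return c
    return None


# Constructed suite names and client profiles (not taken from the thread).
AES256 = "ECDHE-RSA-AES256-GCM-SHA384"
AES128 = "ECDHE-RSA-AES128-GCM-SHA256"
CHACHA = "ECDHE-RSA-CHACHA20-POLY1305"
CBC = "ECDHE-RSA-AES128-SHA"

SERVER_LIST = [AES256, CHACHA, AES128, CBC]          # what a "ciphers" line would express
SERVER_GROUPED = [(AES256, CHACHA), AES128, CBC]      # AES-GCM and CHACHA20 tied at the top

CLIENTS = {
    "desktop_with_aesni": [AES256, AES128, CHACHA, CBC],
    "phone_without_aesni": [CHACHA, AES128, AES256, CBC],
    "legacy_client": [CBC, "RC4-SHA"],
    "downgrade_attempt": ["RC4-SHA", "DES-CBC3-SHA"],  # only suites the server does not list
}


def negotiate_all(server_prefs: Sequence[Entry], server_preference: bool):
    """Negotiated suite per constructed client profile for one server policy."""
    return {name: select_cipher(prefs, server_prefs, server_preference)
            for name, prefs in CLIENTS.items()}


if __name__ == "__main__":
    for label, prefs, sp in (("server preference", SERVER_LIST, True),
                             ("client preference", SERVER_LIST, False),
                             ("server preference + group", SERVER_GROUPED, True)):
        print(label, negotiate_all(prefs, sp))
```

The downgrade_attempt profile is the check worth keeping in mind when turning on prefer-client-ciphers: the client only reorders among what the server's "ciphers" list already permits, so the whitelist, not the preference flag, is what keeps weak suites out.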

Re: [PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-03 Thread Lukas Tribus
Hello, On 03.05.2017 at 20:05, Aleksandar Lazic wrote: On Wed, 3 May 2017 16:23:52 + Lukas Tribus wrote: Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. I fully agree with you. One of my customers uses nginx and I have

[PATCH v2] MINOR: ssl: add prefer-client-ciphers

2017-05-03 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as insecur

AW: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Lukas Tribus
Hi Manu, >> I care primarily about vanilla OpenSSL, and I don't get a sense that there >> is an >> interest to implement this for TLSv1.2. > > It makes sense with AEAD ciphers like AES-GCM and CHACHA20-POLY1305, and it’s > compatible with TLSv1.2. What I was trying to say above is: my impressio

AW: [RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-05-02 Thread Lukas Tribus
Hello, > Hi Lukas, > > The response is in our link: > [2] https://github.com/openssl/openssl/issues/541 > > No need to disable this option per default and option is needed for security. The point is: when the admin is aware of TLS security, he can easily add a new config option on a major soft

[RFC-PATCH] MINOR: ssl: add prefer-server-ciphers again

2017-04-28 Thread Lukas Tribus
Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as insecur

Re: HAProxy 1.7.5 forwards requests blockwise

2017-04-28 Thread Lukas Tribus
Hi Daniel, On 28.04.2017 at 13:52, Daniel Heitepriem wrote: Hello everyone, we are currently evaluating HAProxy 1.7.5 as a load balancer for one of our applications. To try out how it does performance-wise on Solaris 11 we set up a small test environment of three zones containing: 1x HAProx

[PATCH] doc: update RFC references

2017-04-28 Thread Lukas Tribus
--- A few doc and code comment updates bumping RFC references to the new ones. --- doc/configuration.txt | 12 ++-- include/common/defaults.h | 2 +- include/proto/proto_http.h | 2 +- include/types/proto_http.h | 4 ++-- src/haproxy.c | 4 ++-- src/proto_http.c

Re: Fwd: Haproxy-1.5.12 High memory usage problem

2017-04-21 Thread Lukas Tribus
Hello lizj3624, we are gonna need the configuration, at least redacted. Especially important are timeouts and maxconn values. Also provide the output of haproxy -vv. On 21.04.2017 at 08:56, lizj3624 lizj3624 wrote: Why run a period of time, while dealing with a large number of HTTP re

Re: Certificate order

2017-04-20 Thread Lukas Tribus
Hello, On 20.04.2017 at 15:05, Sander Hoentjen wrote: A new patch, that puts the order like this: config: crt A crt B [...] If A contains a wildcard and B contains an exact match, then the wildcard is used. This last one is different behavior from what is implemented now. People rely on the specif

Re: Problems with SNI config

2017-04-13 Thread Lukas Tribus
Hello Jeremy, you are not using SNI, you are using the Host header to pick the backend. You are also using a non-standard port, so the browser will append the port to the Host header [1]. If 8443 is the port the browser connects to, your ACLs must look like this: acl site01 hdr(host) -i sit

Re: HaProxy Hang

2017-04-04 Thread Lukas Tribus
Hello, On 05.04.2017 at 00:27, David King wrote: Hi Dave, thanks for the info. So, interestingly, we had the crash at exactly the same time, so we are 3 for 3 on that. The setups sound very similar, but given we all saw the issue at the same time, it really points to something more global. We

Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus
On 04.04.2017 at 19:12, Lukas Tribus wrote: Hello, On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote: It's well documented that Windows XP with Internet Explorer doesn't support SNI, so I try to redirect the call through "default_backend", but I got ERROR-404; it works

Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus
Hello, On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote: It's well documented that Windows XP with Internet Explorer doesn't support SNI, so I try to redirect the call through "default_backend", but I got ERROR-404; it works fine with all other combinations of OS/browser. I know that, and aga

Re: ssl & default_backend

2017-03-31 Thread Lukas Tribus
Hello Antonio, On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote: On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote: I'm trying to use haproxy for balancing Citrix. I tried with: acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es acl citrixsf req_ssl_sni
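An added example, not from the thread or from HAProxy, of what a req_ssl_sni ACL decides on and why a client that sends no SNI (the XP/IE case above) can only ever land in default_backend in TCP mode: a minimal ClientHello builder, an SNI extractor that walks the raw record, and a routing table. The hostnames, the backend names and the ClientHello bytes are constructed:

```python
"""Added example, not HAProxy code: extract the SNI host_name from a raw TLS
ClientHello (what req_ssl_sni looks at) and route on it, sending any
connection without SNI to default_backend. Hostnames, backend names and the
ClientHello bytes built below are constructed test input."""
import struct


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record; random is all zeros, test only."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version, random
    body += b"\x00"                             # empty session id
    body += b"\x00\x02\xc0\x2f"                 # one cipher suite
    body += b"\x01\x00"                         # one compression method (null)
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    exts += struct.pack("!HH", 0x0017, 0)      # extended_master_secret, so the
                                                # no-SNI hello still has extensions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the lowercased host_name from a ClientHello record, or None when
    the bytes are not a ClientHello or carry no SNI extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        off = 2 + 32                                         # version + random
        off += 1 + p[off]                                    # session id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]    # cipher suites
        off += 1 + p[off]                                    # compression methods
        if off >= len(p):
            return None                                      # no extensions at all
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            edata = p[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype != 0x0000:                              # not server_name
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                               # host_name
                    return edata[q:q + nlen].decode("ascii").lower()
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record, table, default_backend):
    """TCP-mode routing: known SNI -> its backend, anything else -> default."""
    sni = extract_sni(record)
    if sni is None:
        return default_backend
    return table.get(sni, default_backend)


BACKENDS = {                                    # constructed routing table
    "aplicaciones.example.test": "bk_aplicaciones",
    "citrixsf.example.test": "bk_citrixsf",
}

if __name__ == "__main__":
    for hello in (build_client_hello("Aplicaciones.Example.Test"),
                  build_client_hello(None), b"GET / HTTP/1.1\r\n"):
        print(extract_sni(hello), "->", route(hello, BACKENDS, "bk_default"))
```

In a real TCP-mode frontend the ACLs only see the ClientHello if the frontend waits for it, which is what tcp-request inspect-delay together with tcp-request content accept if { req_ssl_hello_type 1 } is for; the extractor above lowercases the name so the table lookup behaves like an ACL written with -i.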

Re: client connections being held open, despite option forceclose

2017-03-31 Thread Lukas Tribus
Hello, On 31.03.2017 at 19:59, Patrick Kaeding wrote: Okay, thanks Holger! We were hitting the maxconn limit, which is what sparked this investigation. When we were at that limit, the discrepancy between frontend and backend was higher than when I could observe it above (we restarted HAProx

Re: Overwrite "sec-websocket-key"

2017-03-24 Thread Lukas Tribus
Hi, On 24.03.2017 at 17:54, Thomas Sheppard wrote: Hi everyone, Could someone help us with some info on how to rewrite a request header before it's passed to the backend servers? Trying http-request add-header sec-websocket-key abc123 or reqadd sec-websocket-key:\ abc123 Does not work t

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-22 Thread Lukas Tribus
On 22.03.2017 at 22:28, Cyril Bonté wrote: I'm OK with "hard-stop-after", I'll try to send the new patch tonight ;-) Great, thanks! Lukas

Re: [PATCH][RFC] MEDIUM: global: add a 'grace' option to cap the soft-stop time

2017-03-22 Thread Lukas Tribus
Hey, On 16.03.2017 at 01:27, Willy Tarreau wrote: > >> Thanks for raising that point. The choice was intended and may be subject to >> discussion. >> >> timeout keywords are (most of them, except maybe "timeout mail") defined in >> defaults/frontend/backend/listen sections, whereas this one i

Re: Issue with multiple users on same LAN at client

2017-03-18 Thread Lukas Tribus
Hello Tony, On 18.03.2017 at 14:29, Tony Zakula wrote: Hi, We are having an issue when multiple users are on the same LAN connecting to our network. We are running a network hosting maybe 20 servers/domains behind one HA proxy. Users on different networks connect fine. We are terminatin

Re: issues with ALPN and h2 on frontend

2017-03-16 Thread Lukas Tribus
Hi Matt, On 16.03.2017 at 21:29, Matt Jamison wrote: So from what I can find, mode http and alpn h2 are not supported together? That's not it. HTTP/2 is not supported in any haproxy release, period. The fact that you can tunnel arbitrary TCP payload through haproxy, while TLS terminating

Re: Considering HAProxy to Bump TLS 1.1 Traffic to TLS 1.2

2017-03-16 Thread Lukas Tribus
Hello Ryan, On 16.03.2017 at 17:02, Ryan Collier wrote: We have a legacy application that can only use TLS 1.1 due to the version of Java it supports (1.6). We connect to a third party for credit card authorizations, and they are going to be upgrading their web services endpoint to only acce

Re: Client Cert Improvements

2017-03-04 Thread Lukas Tribus
Hi, On 04.03.2017 at 15:27, mlist wrote: I said I'm using a dedicated ip:443 bind as a clean solution because "the current haproxy client certificate management implementation is not optimal nor flexible nor scalable in other configurations" so, in this test we can waste one public IP and an

Re: Client Cert Improvements

2017-03-04 Thread Lukas Tribus
Hi Roberto, On 04.03.2017 at 11:51, mlist wrote: Hi, after discussing haproxy client certificate management with other forum users/devel, I ask if it is possible to improve haproxy client certificates management with these case specs: Allow haproxy to manage client certificates usi

Re: add header into http-request redirect

2017-02-26 Thread Lukas Tribus
Hi Igor, On 26.02.2017 at 23:19, Igor Cicimov wrote: > I don't see how the hsts header is being inserted in the redirect? You're right, it doesn't. My bad, I didn't read the article properly. However the example in the email from Thierry should do the trick; I thought the article does th
