Currently, I?ve coded it so that this only happens when the client does not
specify an SNI, but I?m looking for guidance on what you would consider to be
the best solution. This approach can certainly be taken to be compatible with
SNI.
Is this something that you would be interested in
Hey Willy,
Lukas explained it pretty well, but I can expound on it some more.
You can imagine a situation where HAProxy has 2 certificates of different
key types; one ECDSA and one RSA. In the current codebase, if no SNI is
used, the certificate that is used will be whichever certificate is
Hi Jeff,
504's are killing us and we have no clue why we get them
Here's a sample log entry:
Jun 10 17:27:33 localhost haproxy[23508]: 10.126.160.11:37139
[10/Jun/2015:17:26:03.027] http-in resub-bb-default/njorch0pe16
30935/0/1/-1/90937 504 194 - - sH-- 16/14/0/0/0 0/0
Hi!
Hi everyone,
It seems that since some times haproxy 1.6 segfault on freebsd
Eg: at commit 80b59eb0d20245b4040f8ee0baae0d36b6c446b5
I can't find that commit? Where are you pulling/cloning from?
Lukas
Hi Devendra,
Hi Lukas,
Thanks For your valuable reply.
Please find attach config file of current HAProxy server.
Please let me know , whether i should upgrade my server with latest
stable version of HA Proxy.
Need your suggestion.
Hi Lukas,
This is the last commit available on github for haproxy/haproxy
https://github.com/haproxy/haproxy/commit/80b59eb0d20245b4040f8ee0baae0d36b6c446b5
That is a unofficial mirror, updated manually and often
outdated (like right now).
Please clone from the official mirror at:
Hi Brian,
Thanks for your suggestion. Unfortunately it's not clear how I would
use this command and format it when doing a redirect. I read the
HAProxy 1.5 documentation, but it wasn't detailed enough.
You don't want a redirect, you explicitly asked for a rewrite:
retaining original domain
Subject: Does haproxy use lt or et mode of epoll ?
thanks
Level-triggered, if I understand the following commit correctly:
http://www.haproxy.org/git?p=haproxy.git;a=commit;h=6c11bd2f89eb043fd493d77b784198e90e0a01b2
Lukas
Hi!
Hello,
I’m trying to determine how to redirect from an incoming domain
(alias.com) to another domain (domain.com), yet retain the original
incoming domain (alias.com) in the user’s browser URL address bar. I
believe I need to use “http-request replace-header”, but not sure how
Hi,
Hi Lukas
We are getting following warning while running haproxy after migration
from
[WARNING] 163/012854 (8453) : Setting tune.ssl.default-dh-param to 1024
by default, if your workload permits it you should set it to at least
2048. Please set a value= 1024 to make this warning
Hi Brendan,
Hi I am having an issue with HAProxy in http-server-close mode, when more
then one request is sent in a stream and one timeouts after a success it
re-sends that request. On the second request HAProxy send the 504 and the
request is not resent again.
I'm sorry, I don't really get
Bump. Turns out a bunch of scripts/programs hit my sites that don't do
SNI. Any ideas?
Virtual HTTPS hosting needs SNI. If your clients/script doesn't support SNI,
you cannot host more than one certificate with one IP.
Doesn't have anything todo with SPDY or Haproxy, its just how things are.
Hi Atul,
Hi,
using a browser to query the stats from haproxy, I'm facing a non
consistent behavior where about One time every 2 attempts I get a 503
error.
Can you please let me know how to correct this.
Can you provide configuration and logs of the failed request?
Lukas
Hi Damiano,
Dear all, an update: logging using sockets doesn't change anything.
After some grepping the code and tinkering I found that changing REQURI_LEN
in include/common/defaults.h does the job
Thanks for your analysis.
the strange thing is that there's also #define MAX_SYSLOG_LEN
Hi Willy,
Thank you, that was pretty clear and easy. I checked that I was running
with about 2 kb of entropy before the tests and that I was alone on the
machine, so I'm confident that what I did wasn't skewed.
I pushed this into 1.6. I'd rather issue -dev2 with it, wait a little bit
then
On Tuesday, May 26, 2015 5:12 PM Remi Gacogne wrote:
On 05/23/2015 08:47 AM, Willy Tarreau wrote:
Do you have any idea about the ratio of clients (on the net) which don't
support ECDHE right now but support DHE ?
Basically, by totally removing DHE, we would be losing forward secrecy for:
-
If your refer to long EOL'ed system, then they probably don't support DHE at
all.
Alas EOL'ed systems doesn't hinder its use - even if it unwise..
Thats not what I'm saying. What I'm saying is that since they are so old they
don't
even support DHE, therefor the dh group doesn't matter.
Hi Shawn,
I've done a Qualys Labs SSL test against my setup fronted with haproxy,
using this URL:
https://www.ssllabs.com/ssltest/index.html
I thought I had OCSP stapling correctly configured, but Qualys says it's
not there. I ave a cronjob that uses openssl to retrieve the .ocsp file
Hi,
Hi there,
I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options
no-sslv3 no-tlsv10' (without the quotes of course) under the global
section as I want all my front-ends not to support SSLv3 or TLS1.0.
However I do have a client that still requires SSLv3 support (for
Hi, just to let you know changelog is missing 1.5.14 infos ;)
Its there, its probably just cached in your browser (try ctrl+shift+R).
Lukas
Thanks Lukas,
So its either SSLv3 is enable for all, or its disable for all?
No, you can disable it per bind line, only that you need to
do it the other way around, specifying no-sslv3 on all other
bind lines, not the one where you need sslv3 (and not in the
defaults).
Lukas
oops, I still had the link to the pastebinit, which doesn't work on
binary files.
https://dropsha.re/files/orange-hound-85/64443-traffic.default.cap
https://dropsha.re/files/angry-dragon-19/64443-traffic.baz.cap
Looks alright. Can you configure logging and check the result:
global
But when I use curl bundled with Yosemite (or from Brew) on my macbook,
it's not switching.
curl --insecure https://bar.example.com:64443
Default on 1443
These are the versions I'm testing with:
curl --version
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1
That should have read:
The capture shows that there is *no* SNI emitted by the client. I think your
node.js SNI tests was bogus, and that curl doesn't properly support SNI
*if* the crypto library is SecureTransport instead of openssl, gnutls or
cyassl.
Yep, it's OS X curl.
curl 7.37.1 (x86_64-apple-darwin14.0) libcurl/7.37.1
SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap
ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
sudo tcpdump -ps0 -i eth0 -w eth0.64443.cap tcp port 64443
And then this on my Yosemite Mac
curl
--insecure https://baz.example.com:64443https://baz.example.com:64443/
And here's the result
The capture shows that there is now SNI emitted by the client. I think your
To limit verbosity I just captured one full request where it succeeded
and then another when it didn't
# this is the one that worked as expected
pastebinit dump.1.tls.bin
http://paste.ubuntu.com/11811750/
# this is the one that went to default anyway
sudo haproxy -db -f /etc/haproxy/haproxy.cfg
Backend IPs are 0.0.0.0. Thats probably not what you want.
Should be 127.0.0.1 if I understand correctly.
I've edited /etc/hosts so that baz.example.comhttp://baz.example.com
points to 127.0.0.1
I've created a few bogus servers
Honestly, I'm opting for removing the DH fallback in haproxy altogether and
simple always warn when the certificate (or a dedicated DH file parameter
like
nginx does, which was requested earlier this week and makes sense) does not
have the DH parameters.
I'm having a mixed opinion here.
OK so now we need to find what to do in the end. From what I understood,
just removing the lines was a test and is not viable because we'll always
emit the warning, right ?
Honestly, I'm opting for removing the DH fallback in haproxy altogether and
simple always warn when the certificate (or a
Mmh, I'm not sure. Try:
source usesrc clientip Where is the real IP from HAproxy.
Just realized that the config is still messed up.
This should have been:
source haproxyip usesrc clientip
where haproxyip is the real IP from HAproxy.
Hi the list
In my backend I've many servers, and I'd like to add some that receive
a copy of all the requests arriving to the backend. Of course haproxy
won't reply to them after sending the request.
I don't find any option for 'server' in section 5 of the docs, that
will allow me to
ilan@ilan-laptop$echo show errors | sudo socat
/run/haproxy/admin.sock stdio
Total events captured on [19/Aug/2015:15:36:43.378] : 3
[19/Aug/2015:15:36:18.452] backend nodes (#4): invalid response
frontend localnodes (#2), server web01 (#1), event #2
src
Hi,
I spent more time debugging the problem.
Here¹s the source snippet from 1.5.2 version of haproxy
(I believe the latest 1.5.14 has the same issue).
This is fixed by commit 8068b03467 (BUG/MINOR: ssl: correctly
initialize ssl ctx for invalid certificates) [1], which is in
Haproxy 1.5.7 and
Hi Baptiste,
Thank you very much for the response.That was quick.
I tired enabling but got following error,
Looks like you're on haproxy 1.4. In your current configuration you are
now using tunnel-mode.
If this is a new deployment, I would recommend upgrading to haproxy
1.5.
Regards,
Hi Roman,
I am publishing horde webmail application. The horde itself is served
internally via http protocol on apache.
I suspect the error is that you are enabling SSL on the backend servers
towards port 80? Remove ssl verify none from the backend
server configurations.
Lukas
yes. Sorry about that. I was changing my configuration and forgot to
rollback some of the changes. But even after removing, ssl verify
none, the problem is still there.
You will have to look at those specific request that don't work. (like
a CSS file), try what happens when you request them
Hey guys,
I haven’t gotten any feedback for this feature. Unless there’s severe
objections, I’ll go ahead and push this to up to master.
Emeric responded here:
http://marc.info/?l=haproxym=143643724320705w=2
Not sure what you mean by pushing this to master...?
Lukas
Hi Marc,
Hi all,
I have some problem making ocsp stapling working. here is what i did :
I have 8150.pem with chain, cert and key in it.
I have 8150.pem.ocsp that seems ok :
# openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain
OCSP Response Data:
OCSP Response Status:
Hi Lukas,
the output of haproxy -c is not helpful.
Configuration file is valid“
I though thats what you want.
I need a more verbose output with a complete overview of the configuration.
I want to check if options configured in the default or global sections
works for all the
Hi Erik,
Hi,
is it possible to show and test the configuration of haproxy
like apache2ctl -S?
I want to check with which configuration options haproxy starts.
Thanks for help.
Yes, see haproxy -h (haproxy -c).
Lukas
Hi Lukas,
I made a mistake in my previous email : it works locally AND remotely !
What fixed the problem? This may be useful for others as well.
Lukas
Hi Lukas,
frontend cluster:443
bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt
/home/provisionning/cluster.d
default_backend cluster
capture request header Host len 255
Can you confirm there is no SSL intercepting device in front of the webserver,
like
hardware
Hi Marc,
Hi Lukas,
great intuition :)
---
CONNECTED(0003)
TLS server extension server name (id=0), len=0
TLS server extension renegotiation info (id=65281), len=1
0001 - SPACES/NULS
TLS server extension EC point formats (id=11), len=4
- 03 00 01 02
TLS server extension
> Hi,
>
> I checked kernel log and I can't find anything. How do I procede?
Ask kernel folks. Or don't disable tcp_timestamps, a lot of important
TCP features rely on it and those "security reasons" are ridiculous
anyway.
Uptime is not supposed to be a secret, if someone can attack you based
on
>> Baptiste, whats the current behavior when an empty response with
>> NOERROR is received?
>>
>> Regards,
>>
>> Lukas
>
>
> Hi,
>
> This is already handled when I detect response without NX code and no
> response records (DNS_RESP_ANCOUNT_ZERO) or no response record
> corresponding to the query
> On Wed, Oct 21, 2015 at 7:14 PM, SL wrote:
>> I'll be doing an upgrade from 1.4 to 1.6 tomorrow. Just wondering if there
>> are any changed defaults, breaking changes, anything like that? Or should
>> my config work as before?
>
> Haproxy 1.5 changed the default connection
> We use HAProxy as our loadbalancer in our private cloud at Symantec. We
> spin these HAProxy processes in a separate network namespaces. We had a
> bug in our HAProxy config population script which was adding wrong mode
> in frontend and backbend sections for SSL termination. The right
>> Can somebody help us get more understanding as to what are the
>> implications of adding wrong mode in config file and why this could
>> cause a kernel panic if at all.
>
> There is no reason whatsoever that this should have caused a kernel
> panic. zero. nada. None at all.
Meaning: if haproxy
> If Haproxy doesn't terminate the encryption there is nothing you can do in
> any case.
> If it does, you can listen for the unencrypted traffic going between haproxy
> and the
> backend using tcpdump with appropriate filtering as well.
Also, if you for whatever reason need to decrypt the
> Hi Baptiste,
>
> I'll try your suggestiion, but I'd like to understand why if I enable
> tcp_timestamp I have no problems and if I disable it, after few
> minutes on the live system I get the problem.
Clearly this is a kernel issue. Check your kernel logs/dmesg.
Lukas
Hi Lukas,
> When reloading haproxy too fast on EL7 (RedHat, CentOS) the system is
> being filled with orphaned processes.
>
> I encountered this problem on CentOS 7 with
> haproxy-1.5.4-4.el7_1.x86_64 but expect it to exist on all systems
> using haproxy-systemd-wrapper not just those based on
Hi Roja,
> Hi,
>
> We need to install Haproxy on Solaris 11 sparc.
>
> I have downloaded from haproxy.org and taken example of sample
> configuration file haproxy.cfg.
>
> I am getting the error while compiling the code.
You are not compiling the code. You are starting haproxy here.
> Hi Lukas,
>
> Sorry for that. I am not a operating system engineer.
Than I suggest a commercial product with commercial
support, like those from haproxy.com.
I'm afraid its not possible to provide support for basic
operating system tasks on this list (like understanding
the presence or absence
Hi Lukas,
> When reloading haproxy too fast on EL7 (RedHat, CentOS) the system is
> being filled with orphaned processes.
>
> I encountered this problem on CentOS 7 with
> haproxy-1.5.4-4.el7_1.x86_64 but expect it to exist on all systems
> using haproxy-systemd-wrapper not just those based on
> Howover, Can you send me some sample haproxy.cfg configuration file for
> Solaris 11.
Sample configurations are already bundled with haproxy, check the folder
examples/
Of course, the those configurations will not work out of the box for
your specific requirements. You will have to understand
> I believe I may have discovered a bug in HAProxy 1.5.4 on CentOS 7.1,
> installed via standard repositories.
>
> I don't want to go into debugging levels of detail here, but instead
> will provide a synopsis in the hopes someone knows of a bug already or
> can confirm it warrants further
> I sent patches to Willy, and they have been integrated a few minutes ago.
> You can git pull ; make clean ; make [...]
Unless you use haproxy-1.6, in that case you have to wait for the backport
and the git push, which has not happened yet.
Lukas
The initial record layer version in a SSL handshake may be set to TLSv1.0
or similar for compatibility reasons, this is allowed as per RFC5246
Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].
A related issue has been fixed some time ago in commit 57d229747
("BUG/MINOR: acl:
>> @@ -402,7 +402,7 @@ smp_fetch_req_ssl_ver(const struct arg *args, struct
>> sample *smp, const char *kw
>> if (bleft < 5)
>> goto too_short;
>>
>> - version = (data[1] << 16) + data[2]; /* version: major, minor */
>> + version = (data[9] << 16) + data[10]; /* client hello version: major,
>>
The initial record layer version in a SSL handshake may be set to TLSv1.0
or similar for compatibility reasons, this is allowed as per RFC5246
Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].
A related issue has been fixed some time ago in commit 57d229747
("BUG/MINOR: acl:
>> This should be backported to stable series, the req_ssl_ver keyword was
>> first introduced in 1.3.16.
>
> Thanks Lukas, applied to 1.7, 1.6, 1.5 and 1.4. For 1.3 there might be
> other patches pending so this one will get there at the same time.
Great.
I didn't really expect a 1.3 backport,
> Hi
>
> I am testing out the new 1.6 Haproxy and everything works great except
> when I try to use it for balancing LDAP traffic in mode tcp. It seems
> to segfault after doing an initial connection. Below is the
> information, please let me know if I can get you any other information.
>
> So you may be right on the two certs on the same line bug. Just removed
> one of the certs and so far, so good. Can you verify?
Are both or one of them (first or second one) wildcard certificates?
Thanks,
Lukas
Hi Julien,
> Still, I would like to take a look at the patch and get it fixed properly.
Your patch works for me if I only apply the one-line change at
"version = (data[9] << 16) + data[10];"
Can you confirm that this works for you as well and resubmit it
for inclusion?
Thanks,
Lukas
Hi folks,
> Hey guys,
>
> by default, HAProxy tries to resolve server IPs using an ANY query
> type, then fails over to resolve-prefer type, then to "remaining"
> type.
> So ANY -> A -> or ANY -> -> A.
We can't really rely on ANY queries, no. Also see [1], [2].
> Today, 0yvind
> Jan, a fellow HAProxy user, already reported me that ANY query types
> are less and less fashion (for many reasons I'm not going to develop
> here).
>
> Amongs the many way to fix this issue, the one below has my preference:
> A new resolvers section directive (flag in that case) which prevent
>
Hi Øyvind,
> Hi,
>
> When testing the 1.6.0 release we encountered a segfault bug on the
> server when trying to run the https://www.ssllabs.com/ssltest/ test on
> our two sites running with two different SSL certs. The test runs fine
> when its run against one of the sites / certificates, but
> Attached is a patch that should work but doesn't. (bare with me, I'm in
> unknown codebase territory here).
>
> I also tried to match directly using req.payload, and I can't get the
> ACL to match:
> acl tls12 req.payload(9,2) -m bin 0303
"req.payload(9,2) -m bin 0303" is imho correct, this
Hi,
>> If the session is transferring HTTP body between client and backend server,
>> we
>> can't insert HTTP headers either. If you are waiting for the next request
>> in that particular session, why wouldn't we just close it after the HTTP body
>> has been transfered?
>
> That would be fine,
Hi David,
> I just want to say first of all that haproxy is incredibly useful and
> I've enjoyed working with it tremendously. Thank you!
>
> My question is if a server is disabled because of a failed http health
> check and there are requests in flight, will the requests from the
> disabled app
> when using ipsec on the backend side, this error pops up in the haproxy
> log from time to time:
>
> Layer4 connection problem, info: "General socket error (No buffer space
> available)
>
>
> we have tried both strongswan and libreswan, error is still the same.
> there is nothing strange
> From my reading of the code SIGUSR1 does not send a "Connection: close" to the
> client or server. This means it is not possible to safely close a keep-alive
> session, before terminating HAProxy.
>
> Would there be interest in a patch to send "Connection: close" on both the
> request and the
> Dear Willy,
>
> Thank you for your insights. As you advised, below is the output of
> haproxy -f …cfg -db -V.
Can you run this through strace (strace haproxy -f …cfg -db -V) and
provide the output.
Also, if you have the strace output of a successful startup of 1.5.14 for
comparison, that would
> Hi Andrew,
>
> On Mon, Oct 19, 2015 at 05:39:58PM -0500, Andrew Hayworth wrote:
>> The ANY query type is weird, and some resolvers don't 'do the legwork'
>> of resolving useful things like CNAMEs. Given that upstream resolver
>> behavior is not always under the control of the HAProxy
> I don't know. I'm always only focused on the combination of user-visible
> changes and risks of bugs (which are user-visible changes btw). So if we
> can do it without breaking too much code, then it can be backported. What
> we have now is something which is apparently insufficient to some
Hi,
>> A simple option in the resolvers section to instruct HAPoxy to not
>> forgive on NX and failover to next family:
>> option on-nx-try-next-family
>
> I personally find this confusing from the user's point of view.
Agreed, we should have good and safe defaults, and address corner
cases
Hi Robin,
> Hey guys,
>
> Actually when you get an NXDOMAIN reply you can just stop resolving that
> domain. Basically there are 2 types of "negative" replies in DNS:
>
> NODATA: basically this is when you don't get an error (NOERROR in dig),
> but not the actual data you are looking for. You
> I second this opinion. Removing ANY altogether would be the best case.
>
> In reality, I think it should use the OS's resolver libraries which
> in turn will honor whatever the admin has configured for preference
> order at the base OS level.
>
>
> As a sysadmin, one should reasonably expect
> On Thu, Oct 15, 2015 at 12:26 PM, Lukas Tribus <luky...@hotmail.com> wrote:
>> What request/response, aren't we talking about an idle session here?
>
> No, I am concerned with a non idle persistent session.
When specifically would you intervene? Could you elaborate
> frontend https-in
> bind 0.0.0.0:443
> mode tcp
> tcp-request inspect-delay 5s
> tcp-request content accept if { req_ssl_hello_type 1 }
>
> acl sni_jve req.ssl_sni -i jve.linuxwall.info
> acl tls12 req.payload(9,2) -m bin 0303
> acl sslv3 req_ssl_ver 3.0
>
> use_backend jve_https if sni_jve
> Hi!
>
> I'd like to report a bug I do experience,
> maybe I'm not the first one to report it:
> it's about IP network ranges and acl in haproxy (1.5.8).
> It's working… sometimes.
> I have no issue with ranges like /24 (like 10.10.200.0/24)
> But it is not working with a range like /22 ; /28 ;
Hi Julien,
>> Maybe you can also try with "curl --tlsv1.2" which should use a 3.3
>> version.
>
> That's a very interesting details. Indeed curl sets the HELLO version to
> 0x0303
> whereas OpenSSL uses 0x0301. Interestingly, both Firefox and Chrome also
> use 0x0301
> in the version of the
Hi Diana,
> Hello,
>
> I have two hosts, one has haproxy 1.4.22 installed and the other has
> haproxy 1.5.14 installed.
> The following rewrite config works as expected in 1.5.14, but not in v1.4.22:
You probably want to check whether both 1.4.22 and 1.5.14 executables
have been build
>> jve.linuxwall.info as SNI value? I suggest to remove the
>> SNI if statement while testing the TLS ACL.
>
> Argh... I can't count the number of times forgetting -servername in
> openssl s_client got me looking for a bug. This one included.
>
> "acl tls12 req.payload(9,2) -m bin 0303" works as
> acl allowed_clients hdr_sub(X-Real-IP) 10.10.200.0/24 [...]
This is a *string* comparison. You will have to use "req.hdr_ip" [1]:
acl allowed_clients req.hdr_ip(X-Real-IP,-1) 10.10.200.0/24 [...]
Regards,
Lukas
[1]
Hi Tomas,
Hello,
we have a server with some config running an old version (1.4.25-1) of
haproxy under Debian wheezy. The reason we've not updated it is that any
new versions we had access to would crash.
Today I was able to pinpoint where the problem lies:
Thanks for the detailed repro.
The deprecated req_ssl_* keywords were for compatibility with historic
versions
and should not be introduced right now, so I'd rather not add it now to
remove
it in next version. If you're OK with me removing it by hand I can fix it
myself, but if you prefer to resubmit that's fine as
Hi Alexander,
Hello!
My name is Alexander and I am writing on behalf of OWOX company, that
supports the most visited Ecommerce website in Ukraine
(rozetka.com.uahttp://rozetka.com.ua).
We are using haproxy as a well-performance server to balance load
between our database servers.
Hello,
The flag TCP_NODELAY is unconditionally set on each TCP (ipv4/ipv6)
connections between haproxy and the server, and beetwen the client and
haproxy.
That may be true, however HAProxy uses MSG_MORE to disable and
enable Nagle based on the individual situation.
Use option http-no-delay
Use option http-no-delay [1] to disable Nagle unconditionally.
This option requires HTTP mode, but I must use TCP mode because our
protocol is not HTTP (some custom protocol over TCP)
Ok, you may be hitting a bug. Can you provide haproxy -vv output?
Thanks,
Lukas
Ok, you may be hitting a bug. Can you provide haproxy -vv output?
What do you mean? I get the following warning when trying to use this
option in tcp backend/frontend:
Yes I know (I didn't realize you are using tcp mode). I don't mean the
warning is the bug, I mean the tcp mode is supposed
Hi Mildis,
>> And regarding "2001:db8::1234", you can't forbit it simply because you
>> don't know if 1234 is a port or not in this context, as you have
>> reported.
>
> Sure. In this very specific case 1234 can’t be a port as 2001:db8:: is
> then a subnet.
For the record: you can't know that,
Hi Galit,
> I want to emphasize that the following test succeeded:
>
> [root@proxy-au51 ~]# openssl s_client -connect 10.106.75.53:50443 -tls1
>
> CONNECTED(0003)
Ok.
> Built with OpenSSL version : OpenSSL 0.9.8b 04 May 2006
> Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5
> I'm using service_loadbalancer from kubernetes
> (https://github.com/kubernetes/contrib/tree/master/service-loadbalancer )
> . This program would re-spawn haproxy when it found a change of
> upstream endpoints.
> When service_loadbalancer starts, it runs haproxy -sf $(cat pidfile)
> several
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>> You need to disable SSLv3 in haproxy
>>
>> We are talking about the SSLv2 hello format. Its not about SSLv2
>> or SSLv3, its about the hello format.
> Which can also be used by sslv3 clients hence my comment.
True, but
> On 02/12/2015 12:41 AM, "Cohen Galit"
> > wrote:
> >
> > Hello,
> >
> >
> >
> > When HAProxy 1.5.9 is trying to sample our servers with this
> configuration: tcp-check connect port 50443 ssl
> >
> >
> >
> > Our servers returns an
Hi Unkown User!
> Is there any way to get haproxy to listen only on the public IP, other
> than by specifying the IP?
> I dont want this to listen on the loopback.
Use the interface keyword:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-interface
Regards,
Lukas
> 2015-12-04 16:27 GMT+01:00 Jonathan Leroy - Inikup :
>> Hi Luke,
>>
>> Here's the Nginx config :
>> https://gist.githubusercontent.com/jleroy/ab45c328263731c46ec1/raw/69af9edc154329c113aad588ff5f9501edfd61b1/gistfile1.txt
>
> Now that I use ULA instead of link-local
Hi,
> I'll try to pack again the OpenSSL files (must work with rpm) from
> original repository and will let you know. Thanks.
Ok, but first try the other proposal (takes less time):
>> Should I just add to haproxy.cfg the following?
>> force-tlsv10
>
> Yes, you can try:
>
> global
>
701 - 800 of 1573 matches
Mail list logo