Re: Haproxy with SNI and http2 separation

2016-07-20 Thread Matthias Fechner
Hi Cyril, On 19.07.2016 at 00:27 Cyril Bonté wrote: > You probably have an issue here: hdr(host) won't work with mode tcp. > If you want to check the domain provided by SNI, you should use > req.ssl_sni instead. > > Have a look at the example provided in the documentation: >

Haproxy with SNI and http2 separation

2016-07-18 Thread Matthias Fechner
Dear all, I use haproxy 1.6.7 on a FreeBSD host. I am trying to do the following: check if the hostname is domain1 or domain2 or bladomain3 or ..., and if so mark it to send the request to nginx; all other requests should go to the apache backend. Check if the client supports http2; if yes and the nginx acl matches, send

Re: Inform backend about https for http2 connections

2016-08-07 Thread Matthias Fechner
On 06.08.2016 at 05:31 Igor Cicimov wrote: > Afaik, since http2 is by default tls encrypted, just specifying h2 > as protocol to the backend should be enough I guess. This is not completely true. There is h2c, which uses http2 without TLS. Regards, Matthias -- "Programming today is a race

Re: Inform backend about https for http2 connections

2016-08-07 Thread Matthias Fechner
On 06.08.2016 at 15:12 Neil - HAProxy List wrote: > > if you can have the app not specify the scheme for the css etc. just use > > //site.com/path > or > /path if it is on the same site > As I do not develop the apps, I cannot do it. The configuration how the return

Inform backend about https for http2 connections

2016-08-05 Thread Matthias Fechner
Dear all, I use haproxy in tcp mode to have http2 working. Now I have the problem that the backend has to know whether the connection was encrypted or not (some websites use this information to add the scheme to css and javascript URIs). Normally I think a reqadd X-Forwarded-Proto:\ https should

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-17 Thread Matthias Fechner
Dear Willy and Dmitry, On 14.03.17 at 22:17 Willy Tarreau wrote: Or you may prefer to wait for 1.7.4. It's not planned yet given that there are other fixes in the wild waiting for some feedback though. Thanks guys for the detailed feedback, it's now time to turn the page and switch to less

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-20 Thread Matthias Fechner
Hi Willy, Hi Dmitry, On 19.03.2017 at 12:40 Willy Tarreau wrote: > And here come two patches as a replacement for this temporary one. They > are safer and have been done after thorough code review. I spotted a > small tens of dirty corner cases having accumulated over the years due > to the

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-12 Thread Matthias Fechner
Hi Willy, Hi Dmitry, On 12.03.2017 at 09:48 Willy Tarreau wrote: > Yep, that totally makes sense. Thanks for checking. Please find in > attachment one which does properly apply here with -Rp1 (at least it > will allow you to fix your production for the time it takes to find > the root cause of

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-12 Thread Matthias Fechner
Hi Willy, On 11.03.2017 at 14:13 Willy Tarreau wrote: > > OK so this is the one that I initially suspected and that after you > reverted, didn't fix the issue for you. > > Are you sure you didn't have a problem when you reverted it? (eg: > failed to restart the process or something like this).

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-12 Thread Matthias Fechner
Hi Willy, On 12.03.2017 at 14:51 Willy Tarreau wrote: > You're welcome. It's possible that I'll ask you to test a patch or two > if I find anything suspicious, given that for now you're the first one > to observe this issue. Sure, but next week I will not be able to test anything, so take your

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-11 Thread Matthias Fechner
Hi Willy, On 07.03.2017 at 17:26 Willy Tarreau wrote: > > So they're pretty much identical except the version. Are you interested in > trying to do a bisection between 1.7.2 and 1.7.3 to find the culprit commit? > There are only 20 patches so it should take about 5 attempts so depending > on

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-11 Thread Matthias Fechner
On 11.03.2017 at 13:45 Willy Tarreau wrote: > I don't understand, the bisection didn't end? > > Otherwise I'm inclined to think that the regression comes from > "BUG/MEDIUM: tcp: don't poll for write when connect() succeeds", which > is the one I proposed you to revert and which didn't change

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear Willy and Dmitry, On 06.03.2017 at 11:16 Willy Tarreau wrote: > with the attachment now (thanks Dmitry) Hm, I'm not able to apply the patch: git apply --ignore-space-change --ignore-whitespace 0001-BUG-MEDIUM-tcp-don-t-poll-for-write-when-connect-suc.patch But I get:

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-07 Thread Matthias Fechner
On 2017-03-07 00:32, Willy Tarreau wrote: patch -Rp1 < 0001-BUG-MEDIUM-tcp-don-t-poll-for-write-when-connect-suc.patch I've just tested here on 1.7.3 and it does apply correctly. With git apply you'll have to pass -R as well. Sorry for not being clear the first time. So, shortly after I

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Thanks Willy, On 07.03.2017 at 00:32 Willy Tarreau wrote: > Sorry, when I said "revert" I meant typically like this: > > patch -Rp1 < 0001-BUG-MEDIUM-tcp-don-t-poll-for-write-when-connect-suc.patch > > I've just tested here on 1.7.3 and it does apply correctly. > > With git apply you'll have

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-07 Thread Matthias Fechner
On 2017-03-07 10:19, Willy Tarreau wrote: If I do a netstat -an I see a lot of: tcp4 0 0 127.0.0.1.443 127.0.0.1.47010 TIME_WAIT tcp4 0 0 127.0.0.1.443 127.0.0.1.46961 CLOSE_WAIT tcp4 0 0 127.0.0.1.46961 127.0.0.1.443

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-07 Thread Matthias Fechner
On 2017-03-07 10:15, Willy Tarreau wrote: Thanks. In the meantime, I'm interested in trying to figure out the code paths we follow. Could you please tell me: - if you're using send-proxy on your server lines? Yes, both backends have it (but see the first post for the full config: backend

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Hi Georg, On 06.03.2017 at 09:43 Georg Faerber wrote: > I'm not running FreeBSD myself, but have a look at [1]: In the > follow-ups to this thread there are two more people reporting problems. > > [1] https://www.mail-archive.com/haproxy@formilux.org/msg25093.html No, this cannot be the

Re: Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear Rainer, On 06.03.2017 at 09:52 rai...@ultra-secure.de wrote: > it would be cool if somebody could open a PR at > > https://bugs.freebsd.org/ > > I personally don't use FreeBSD 11 for any of my HAProxy installations > (yet), so I'm not really affected (yet) - but thanks for the heads-up.

Problems with haproxy 1.7.3 on FreeBSD 11.0-p8

2017-03-06 Thread Matthias Fechner
Dear all, are problems with haproxy 1.7.3 on FreeBSD 11.0-p8 known? I have the problem that I get a lot of timeouts for all websites that are behind haproxy. Haproxy terminates the SSL connection and forwards to nginx. In front of haproxy I have sslh running. Downgrading to version 1.7.2

Haproxy 1.7.9 or earlier stopped using h2

2017-09-03 Thread Matthias Fechner
Dear all, some time ago I configured haproxy to support http2 using tcp mode on FreeBSD. The configuration looked like: frontend www-https mode tcp option tcplog bind : ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1 use_backend nginx-http2-backend if { ssl_fc_alpn -i h2

Using haproxy to have SSH in a HTTPS connection with HTX

2019-03-31 Thread Matthias Fechner
Dear all, as HTTP2 is getting stable in haproxy 1.9.6, I decided to give it a try. Currently I have the following setup: frontend www-https mode tcp option tcplog bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

Re: [ANNOUNCE] haproxy-2.4.5

2021-10-02 Thread Matthias Fechner
On 01.10.2021 at 18:09 Christopher Faulet wrote: HAProxy 2.4.5 was released on 2021/10/01. It added 69 new commits after version 2.4.4. Could it be that this upgrade broke something? The connection seems to hang. I use the following configuration, which does not work anymore; downgrading

Re: [ANNOUNCE] haproxy-2.4.5

2021-10-03 Thread Matthias Fechner
On 03.10.2021 at 08:53 Christopher Faulet wrote: Damned! You're right... It is a typo in the commit feca2a453 ("BUG/MINOR: filters: Always set FLT_END analyzer when CF_FLT_ANALYZE flag is set"). It also affects the 2.5-DEV. Thanks a lot, Christopher, for the quick fix. Just prepared a

Re: OCSP renewal with 2.8

2023-06-02 Thread Matthias Fechner
On 02.06.2023 at 04:13 Shawn Heisey wrote: @Matthias I have no idea whether crt-list can load all certs in a directory like crt can. If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file. If you want that script to be

Re: OCSP renewal with 2.8

2023-06-05 Thread Matthias Fechner
On 05.06.2023 at 10:08 William Lallemand wrote: As I explained in my previous mail, the option was not set on the bind lines because of architectural problems, but you could expect to have a way to do it globally in future versions. Thanks a lot for this information. I will wait then to have

OCSP renewal with 2.8

2023-05-31 Thread Matthias Fechner
Dear all, I just saw in the release notes for 2.8 that an automatic OCSP renewal is now included, and I would like to get rid of my manual scripts that are currently injecting the OCSP information. I checked the documentation a little bit here: