Re: [PATCH] MINOR: sample: Add bc_rtt and bc_rttvar

2023-04-28 Thread Willy Tarreau
Hi Alex, On Fri, Apr 28, 2023 at 11:43:26AM +0200, Aleksandar Lazic wrote: > Attached the new patch. Thank you, it went OK on the CI so we don't even need to refine the list of targets for now. I've just merged it as-is. Many thanks for your fast update and for the reminder! Willy

Re: [PATCH] MINOR: sample: Add bc_rtt and bc_rttvar

2023-04-28 Thread Willy Tarreau
Hi Alex, On Fri, Apr 28, 2023 at 10:59:46AM +0200, Aleksandar Lazic wrote: > Hi Willy. > > On 30.03.23 06:23, Willy Tarreau wrote: > > On Thu, Mar 30, 2023 at 06:16:34AM +0200, Willy Tarreau wrote: > > > Hi Alex, > > > > > > On Wed, Mar 29, 2023 a

Re: [ANNOUNCE] haproxy-2.7.7

2023-04-27 Thread Willy Tarreau
On Thu, Apr 27, 2023 at 04:59:24PM +0200, Christopher Faulet wrote: > Hi, > > HAProxy 2.7.7 was released on 2023/04/27. It added 163 new commits > after version 2.7.6. > > This release is pretty huge. In one month, the QUIC team achieved an amazing > work to improve the stack and make it more sta

Re: [PATCH] temporarily switch to libressl mirror

2023-04-26 Thread Willy Tarreau
Hi Ilya, On Wed, Apr 26, 2023 at 12:19:28PM +0200, ??? wrote: > Hello, > > it is probably good idea to learn not to fail when libressl site is down > (I'll work on that). > > as a fast fix, let us switch to mirror. Ah great, I didn't know what was failing, now I understand. Both patche

Re: [ANNOUNCE] haproxy-2.5.13

2023-04-25 Thread Willy Tarreau
Hi Tim, On Tue, Apr 25, 2023 at 10:57:04AM +0200, Tim Düsterhus wrote: > Willy, > > On 3/17/23 18:56, Willy Tarreau wrote: > > HAProxy 2.5.13 was released on 2023/03/17. It added 60 new commits > > after version 2.5.12. > > > > Please note that 2.5 is getting

Re: [OPINIONS DESIRED] (was Re: [PATCH] BUG/MINOR: Fix typo in `TotalSplicedBytesOut` field name)

2023-04-23 Thread Willy Tarreau
On Sun, Apr 23, 2023 at 02:25:06PM +0200, Lukas Tribus wrote: > On Sun, 23 Apr 2023 at 13:08, Willy Tarreau wrote: > > > > On Sun, Apr 23, 2023 at 12:39:25PM +0200, Tim Düsterhus, WoltLab GmbH wrote: > > > Willy, > > > > > > On 3/27/23 20:25, Willy Tarre

Re: [OPINIONS DESIRED] (was Re: [PATCH] BUG/MINOR: Fix typo in `TotalSplicedBytesOut` field name)

2023-04-23 Thread Willy Tarreau
On Sun, Apr 23, 2023 at 12:39:25PM +0200, Tim Düsterhus, WoltLab GmbH wrote: > Willy, > > On 3/27/23 20:25, Willy Tarreau wrote: > > OK, let's see what other users and participants think about it. If I get > > at least one "please don't change it" I

[ANNOUNCE] haproxy-2.8-dev8

2023-04-23 Thread Willy Tarreau
ts Olivier Houchard (1): BUG/MEDIUM: fd: don't wait for tmask to stabilize if we're not in it. Tim Duesterhus (5): MINOR: Make `tasklet_free()` safe to be called with `NULL` CLEANUP: Stop checking the pointer before calling `tasklet_free()` CLEANUP: Stop chec

Re: [PATCH] CI: bump cirrus-ci freebsd to 13-2

2023-04-23 Thread Willy Tarreau
Hi Ilya, On Sat, Apr 22, 2023 at 08:29:38PM +0200, ??? wrote: > Hello > > minor freebsd cirrus-ci image update (...) all 4 patches applied, thank you! Willy

Re: [PATCH 1/5] MINOR: Make `tasklet_free()` safe to be called with `NULL`

2023-04-22 Thread Willy Tarreau
On Sat, Apr 22, 2023 at 05:47:31PM +0200, Tim Duesterhus wrote: > Make this freeing function safe, like other freeing functions are as discussed > in GitHub issue #2126. (...) Whole series applied, thank you Tim! Willy

Re: Puzzlement : empty field vs. ,field() -m

2023-04-17 Thread Willy Tarreau
Hi Jim, [side note: please guys, avoid top-posting, it makes it very difficult to quote context in responses] On Mon, Apr 17, 2023 at 09:17:03PM -0600, Jim Freeman wrote: > Aleksandar - thanks for the feedback ! (haproxy -vv : attached) > > I'd spent a good long while scouring the config docs (

Re: Problems using custom error files with HTTP/2

2023-04-17 Thread Willy Tarreau
On Mon, Apr 17, 2023 at 03:04:05PM +0200, Lukas Tribus wrote: > On Sat, 15 Apr 2023 at 23:08, Willy Tarreau wrote: > > > > On Sat, Apr 15, 2023 at 10:59:42PM +0200, Willy Tarreau wrote: > > > Hi Nick, > > > > > > On Sat, Apr 15, 2023 at 09:44:32PM +010

Re: [PATCH] CLEANUP: use "offsetof" macro where appropriate

2023-04-16 Thread Willy Tarreau
Hi Ilya, On Sat, Apr 15, 2023 at 11:55:14PM +0200, ??? wrote: > From: Ilya Shipitsin > Date: Sat, 15 Apr 2023 23:39:43 +0200 > Subject: [PATCH] CLEANUP: use "offsetof" where appropriate > > let's use the C library macro "offsetof" Good point. In the past we didn't because it was not al

Re: Problems using custom error files with HTTP/2

2023-04-15 Thread Willy Tarreau
On Sat, Apr 15, 2023 at 10:59:42PM +0200, Willy Tarreau wrote: > Hi Nick, > > On Sat, Apr 15, 2023 at 09:44:32PM +0100, Nick Wood wrote: > > And here is my configuration - I've slimmed it down to the absolute minimum > > to reproduce the problem: > > > > I

Re: Problems using custom error files with HTTP/2

2023-04-15 Thread Willy Tarreau
Hi Nick, On Sat, Apr 15, 2023 at 09:44:32PM +0100, Nick Wood wrote: > And here is my configuration - I've slimmed it down to the absolute minimum > to reproduce the problem: > > If the back end is down, the custom 503.http page should be served. > > This works on HTTP/1.1 but not over HTTP/2: V

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi Aleks, On Sat, Apr 15, 2023 at 10:12:00PM +0200, Aleksandar Lazic wrote: > Hi. > > On 15.04.23 11:32, Willy Tarreau wrote: > > Hi everyone, > > > > I was discussing with Tristan a few hours ago about the widespread > > deployment of H2 and H3, with Cloudfl

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi Daniel, On Sat, Apr 15, 2023 at 02:37:06PM -0400, Daniel Corbett wrote: > Hi Willy, > > On Sat, Apr 15, 2023, at 8:02 AM, Willy Tarreau wrote: > > Hi Ionel, > > > > On Sat, Apr 15, 2023 at 01:52:27PM +0200, Ionel GARDAIS wrote: > > > Hi Willy, > &g

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
On Sat, Apr 15, 2023 at 05:50:53PM +0200, Pavlos Parissis wrote: > On Saturday, April 15, 2023 11:32:49 AM CEST Willy Tarreau wrote: > > Hi everyone, > > [...snip...] > > Even if I wouldn't share my feelings, some would consider that I'm > > trying to influe

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi John, On Sat, Apr 15, 2023 at 10:20:22AM -0400, John Lauro wrote: > I agree defaulting to alpn h2,http/1.1 sooner (don't wait for 2.9), > and even 2.6 would be fine IMO. Wouldn't be a new feature for 2.6, > only a non breaking (AFAIK) default change... We won't change 2.6 now since it's alrea

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi Lukas, On Sat, Apr 15, 2023 at 02:08:03PM +0200, Lukas Tribus wrote: > Hi, > > On Sat, 15 Apr 2023 at 11:32, Willy Tarreau wrote: > > Thus you're seeing me coming with my question: does anyone have any > > objection against turning "alpn h2,http/1.1" on by

Re: Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi Ionel, On Sat, Apr 15, 2023 at 01:52:27PM +0200, Ionel GARDAIS wrote: > Hi Willy, > > Agree with that. > However, maybe a "common H2 troubleshooting guide" should be provided so > options like h2-workaround-bogus-websocket-clients will be highlighted if any > trouble arise. Good point, I even

Opinions desired on HTTP/2 config simplification

2023-04-15 Thread Willy Tarreau
Hi everyone, I was discussing with Tristan a few hours ago about the widespread deployment of H2 and H3, with Cloudflare showing that H1 only accounts for less than 7% of their traffic and H3 getting close to 30% [1], and the fact that on the opposite yesterday I heard someone say "we still have n

[ANNOUNCE] haproxy-2.8-dev7

2023-04-08 Thread Willy Tarreau
old proxy and server attributes MEDIUM: hlua_fcn: dynamic server iteration and indexing William Lallemand (2): DOC: config: strict-sni allows to start without certificate BUG/MINOR: mworker: unset more internal variables from program section Willy Tarreau (10): MINOR

Re: [PATCH] Add the possibility to compress requests

2023-04-06 Thread Willy Tarreau
On Fri, Apr 07, 2023 at 12:56:54AM +0200, Olivier Houchard wrote: (...) > > OK otherwise it looks good to me. I suggest you adjust these cosmetic > > details and directly push it. > > Done, thanks! Thanks! > > I'm having one question by the way: how did you manage to test this ? > > Did you fin

Re: [PATCH] Add the possibility to compress requests

2023-04-06 Thread Willy Tarreau
On Thu, Apr 06, 2023 at 01:12:09AM +0200, Olivier Houchard wrote: > > Also I don't understand how you can have different algos for each direction > > since the config language allows you to define "compression algo" and > > "compression tocompress" so you cannot (apparently) have a situation where

Re: [PATCH] Add the possibility to compress requests

2023-04-04 Thread Willy Tarreau
Hi Olivier, On Tue, Apr 04, 2023 at 12:29:15AM +0200, Olivier Houchard wrote: > Hi, > > The attached patchset is a first attempt at adding the possibility to > compress requests, as well as responses. This is pretty cool, I definitely see how this can be super useful :-) > It adds a new keyword

Re: [PATCH] spelling fixes, CI filter

2023-04-01 Thread Willy Tarreau
On Sat, Apr 01, 2023 at 12:30:25PM +0200, ??? wrote: > Hello, > > please find some spelling fixes. > also folders ./doc/design-thoughts,./doc/internals are excluded from > further checks. And merged as well. You're right, internal docs do not need to be spell-checked, they're quick notes

Re: [PATCH] CI: add memory related code flow smoke test

2023-04-01 Thread Willy Tarreau
Hi Ilya, On Sat, Apr 01, 2023 at 01:32:09PM +0200, ??? wrote: > Hello, > > after https://github.com/haproxy/haproxy/issues/2082 is resolved, > let's add ci test That's a good idea. It could detect some stuff that gets added later and that we forget to properly deinit. Now merged, thank

Re: [PATCH] MINOR: sample: Add bc_rtt and bc_rttvar

2023-03-29 Thread Willy Tarreau
On Thu, Mar 30, 2023 at 06:16:34AM +0200, Willy Tarreau wrote: > Hi Alex, > > On Wed, Mar 29, 2023 at 04:06:10PM +0200, Aleksandar Lazic wrote: > > Ping? > > thanks for the ping, I missed it a few times when being busy with some > painful bugs in the past. I've p

Re: [PATCH] MINOR: sample: Add bc_rtt and bc_rttvar

2023-03-29 Thread Willy Tarreau
Hi Alex, On Wed, Mar 29, 2023 at 04:06:10PM +0200, Aleksandar Lazic wrote: > Ping? thanks for the ping, I missed it a few times when being busy with some painful bugs in the past. I've pushed it to a topic branch to verify what it does on the CI for non-linux OS; we might have to add a "feature c

Re: [PATCH] DOC/MINOR: fixes section 2.2 haproxy-dconv output

2023-03-28 Thread Willy Tarreau
On Tue, Mar 28, 2023 at 04:02:04PM +0200, Tim Düsterhus wrote: > Willy, > > On 3/18/23 15:55, Willy Tarreau wrote: > > Ah indeed, sorry for the misunderstanding, I'll do it. > > I believe this did not yet happen. Indeed, thanks for the reminder. It's now merged. Thanks! Willy

Re: RFQ HAPROXY SERVER for CTBC Bank

2023-03-28 Thread Willy Tarreau
Hello, On Wed, Mar 29, 2023 at 03:02:09AM +, Procurement - TTSolution wrote: > Hi Sir/Madam, > > > > Please help to provide quotation below for: > > > > 1. HAPROXY SERVER - QTY: 1 > > > > Thanks & Best Regards, > Najihah This is a public development mailing-list. We don't provide

[ANNOUNCE] haproxy-2.8-dev6

2023-03-28 Thread Willy Tarreau
double free in ocsp update deinit MINOR: ssl: Accept certpath as param in "show ssl ocsp-response" CLI command MINOR: ssl: Add certificate path to 'show ssl ocsp-response' output Tim Duesterhus (1): BUG/MINOR: ssl: Stop leaking `err` in ssl_sock_load_ocs

Re: [PATCH] BUILD/MINOR da

2023-03-27 Thread Willy Tarreau
On Tue, Mar 28, 2023 at 07:32:12AM +0100, David Carlier wrote: > Here another revised version of the patch. Now merged, thank you David! Willy

[OPINIONS DESIRED] (was Re: [PATCH] BUG/MINOR: Fix typo in `TotalSplicedBytesOut` field name)

2023-03-27 Thread Willy Tarreau
On Mon, Mar 27, 2023 at 07:08:24PM +0200, Tim Düsterhus, WoltLab GmbH wrote: > Willy, > > On 3/27/23 18:17, Willy Tarreau wrote: > > Hmmm that's embarrassing indeed. On the one hand we should consider > > that it's part of the visible API and should stay like this e

Re: [PATCH] BUG/MINOR: Fix typo in `TotalSplicedBytesOut` field name

2023-03-27 Thread Willy Tarreau
Hi Tim, On Mon, Mar 27, 2023 at 03:26:51PM +0200, Tim Düsterhus, WoltLab GmbH wrote: > From d1c3bd09b95e6f68d8dc849b0637088b79856fbc Mon Sep 17 00:00:00 2001 > From: Tim Duesterhus > Date: Mon, 27 Mar 2023 15:23:44 +0200 > Subject: [PATCH] BUG/MINOR: Fix typo in `TotalSplicedBytesOut` field name

Re: 100% CPU after config reload on 2.6.10/2.6.11

2023-03-26 Thread Willy Tarreau
On Sun, Mar 26, 2023 at 03:16:00AM -0500, Marc West wrote: > On 2023-03-26 07:19:18, Willy Tarreau wrote: > > I could finally reproduce it, figure the cause and the fix. The 2.6 > > backport is missing this patch for evports and kqueue: > > > > 698342635 BUG/MAJOR:

Re: 100% CPU after config reload on 2.6.10/2.6.11

2023-03-26 Thread Willy Tarreau
Hi again Marc, On Sat, Mar 25, 2023 at 10:26:46AM +0100, Willy Tarreau wrote: > Hi Marc, > > On Fri, Mar 24, 2023 at 01:52:05PM -0500, Marc West wrote: > > Hi, > > > > I saw in the 2.6.10 release notes to report any issues that seem like > > they could be r

Re: 100% CPU after config reload on 2.6.10/2.6.11

2023-03-25 Thread Willy Tarreau
Hi Marc, On Fri, Mar 24, 2023 at 01:52:05PM -0500, Marc West wrote: > Hi, > > I saw in the 2.6.10 release notes to report any issues that seem like > they could be related to the concurrency changes. When reloading config > on 2.6.10 or 2.6.11 on FreeBSD 13.1-RELEASE the old process does not > ex

Re: GitHub Mirror Broken

2023-03-24 Thread Willy Tarreau
Hi Tim! On Fri, Mar 24, 2023 at 03:01:21PM +0100, Tim Düsterhus wrote: > Hi! > > It appears that the GitHub Mirror is broken, likely due to the SSH host key > change on GitHub's end: > > https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ Ah, good to know, I wasn't aware. Thanks for

Re: CVE-2023-25690 and CVE-2023-27522

2023-03-22 Thread Willy Tarreau
Hi John, On Wed, Mar 22, 2023 at 05:25:19PM -0400, John Lauro wrote: > Assuming no direct access to apache servers, does anyone know if > haproxy would by default protect against these vulnerabilities? For others, the descriptions are here: https://httpd.apache.org/security/vulnerabilities_24.h

Re: [PATCH] BUG/MINOR: illegal use of the malloc_trim() function if jemalloc is used

2023-03-22 Thread Willy Tarreau
On Wed, Mar 22, 2023 at 02:39:15PM +0100, Miroslav Zagorac wrote: > On 22. 03. 2023. 14:33, Willy Tarreau wrote: > >> Also, in that case, when calling 'haproxy -vv', it is no longer printed > >> that > >> malloc_trim is enabled. > > > > I'

Re: [PATCH] BUG/MINOR: illegal use of the malloc_trim() function if jemalloc is used

2023-03-22 Thread Willy Tarreau
Hi Miroslav, On Wed, Mar 22, 2023 at 01:11:53PM +0100, Miroslav Zagorac wrote: > Hello all, > > here is a patch that does not allow the use of malloc_trim() function if > HAProxy is linked with the malloc library. It was checked in some places in > the source, but not everywhere. Oh thanks for

Re: 2.4.22 and maxconn setting problem

2023-03-21 Thread Willy Tarreau
On Tue, Mar 21, 2023 at 02:26:03PM +0100, Maciej Zdeb wrote: > wt., 21 mar 2023 o 11:39 Willy Tarreau napisal(a): > > > Just to be clear on these last few points, when you say you cannot > > connect, you mean in fact that the connection establishes to haproxy > > but y

Re: 2.4.22 and maxconn setting problem

2023-03-21 Thread Willy Tarreau
Hi Maciej, On Tue, Mar 21, 2023 at 11:14:48AM +0100, Maciej Zdeb wrote: > Hi, > > I'm observing a strange issue with haproxy 2.4.22 (but it was also on > previous versions). > > I have set maxconn to 20 in global and defaults configuration section > and with following configuration > > fron

Re: Installation query

2023-03-21 Thread Willy Tarreau
Hello, On Tue, Mar 21, 2023 at 03:26:30PM +0530, Himanshu Mishra wrote: > Dear team, > > You have done tremendous work, I can easily install HAproxy on Linux > systems, however > I'm facing an issue while installing on a window system, > Can you please answer some of my questions, > 1) Can HAprox

Re: [PATCH] DOC/MINOR: fixes section 2.2 haproxy-dconv output

2023-03-18 Thread Willy Tarreau
On Sat, Mar 18, 2023 at 03:51:37PM +0100, Tim Düsterhus wrote: > Willy, > > On 3/18/23 05:53, Willy Tarreau wrote: > > Now applied, thank you Marcos! > > It appears there was a misunderstanding: '2.2' is not referring to the > branch, but the section number on

Re: HAProxy CE Docker Alpine image with QUIC

2023-03-17 Thread Willy Tarreau
On Fri, Mar 17, 2023 at 08:59:01PM +0100, Dinko Korunic wrote: > Dear community, > > Upon many requests, we have started building HAProxy CE for 2.6, 2.7 and 2.8 > branches with QUIC (based on OpenSSL 1.1.1t-quic Release 1) as Docker Alpine > 3.17 images. > All these are being built for several

Re: [PATCH] DOC/MINOR: fixes section 2.2 haproxy-dconv output

2023-03-17 Thread Willy Tarreau
On Fri, Mar 17, 2023 at 02:55:58PM -0300, Marcos Oliveira wrote: > Hello, > > I noticed that HAProxy section 2.2 ( > https://docs.haproxy.org/2.2/configuration.html#2.2) was cut off at the > start of a table, so I went ahead and dug haproxy-dconv and found out that > the section's table was format

[ANNOUNCE] haproxy-2.5.13

2023-03-17 Thread Willy Tarreau
inconsistent reload when upgrading from old versions BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start BUG/MINOR: mworker: prevent incorrect values in uptime BUG/MIN

[ANNOUNCE] haproxy-2.6.11

2023-03-17 Thread Willy Tarreau
M: spoe: Don't set the default traget for the SPOE agent frontend Frédéric Lécaille (2): BUG/MINOR: quic: Missing STREAM frame length updates BUG/MINOR: quic: Missing STREAM frame data pointer updates Willy Tarreau (11): BUG/MINOR: mux-h2: make sure the h2c task exists befor

[ANNOUNCE] haproxy-2.7.5

2023-03-17 Thread Willy Tarreau
the default traget for the SPOE agent frontend Frédéric Lécaille (2): BUG/MINOR: quic: Missing STREAM frame length updates BUG/MINOR: quic: Missing STREAM frame data pointer updates Willy Tarreau (9): BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it

Re: [ANNOUNCE] haproxy-2.6.10

2023-03-13 Thread Willy Tarreau
Hello, On Mon, Mar 13, 2023 at 02:32:50PM +0100, Artur wrote: > > However, as > > indicated in the 2.8-dev5 announce, a concurrency bug introduced in 2.5 > > was fixed in this version, that may cause freezes and crashes when some > > HTTP/1 backend connections are closed by the server exactly at t

Re: Followup on openssl 3.0 note seen in another thread

2023-03-11 Thread Willy Tarreau
Hi Shawn, On Sat, Mar 11, 2023 at 07:10:30PM -0700, Shawn Heisey wrote: > On 12/14/22 07:15, Willy Tarreau wrote: > > On Wed, Dec 14, 2022 at 07:01:59AM -0700, Shawn Heisey wrote: > > > On 12/14/22 06:07, Willy Tarreau wrote: > > > > By the way, are you running wi

[ANNOUNCE] haproxy-2.6.10

2023-03-10 Thread Willy Tarreau
G/MEDIUM: mworker: prevent inconsistent reload when upgrading from old versions BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start BUG/MINOR: mworker: prevent incorrect

[ANNOUNCE] haproxy-2.7.4

2023-03-10 Thread Willy Tarreau
MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start BUG/MINOR: mworker: prevent incorrect values in uptime MINOR: ssl: rename confusing ssl_bind_kws BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords BUG/MINOR: mworker: use MASTER

[ANNOUNCE] haproxy-2.8-dev5

2023-03-10 Thread Willy Tarreau
ds BUG/MINOR: mworker: prevent incorrect values in uptime BUG/MINOR: mworker: stop doing strtok directly from the env BUG/MEDIUM: mworker: prevent inconsistent reload when upgrading from old versions BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when m

Re: [PATCH 1/1] DOC/CLEANUP: fix typos

2023-03-10 Thread Willy Tarreau
Hi Michael, On Fri, Dec 09, 2022 at 12:28:46PM +0100, Michael Prokop wrote: > s/algorithmm/algorithm/ > s/an other/another/ > s/certicates/certificates/ > s/exemples/examples/ > s/informations/information/ > s/optionnal/optional/ (...) sorry, this seems to have slipped through the cracks. Now app

Re: tcp mode: client port selection

2023-03-04 Thread Willy Tarreau
On Fri, Mar 03, 2023 at 04:04:37PM +0100, Amaury Denoyelle wrote: > > Can anyone say sth. about client port allocation in haproxy? Is it done > > manually in some cases? Or is that a task that is completely done by the OS? > > To my knowledge, haproxy does not explicitly select the port when > co

Re: [PR] BUG/MINOR: http-fetch: recognize IPv6 addresses in square brackets in req.hdr_ip()

2023-03-01 Thread Willy Tarreau
Hi Oto! On Wed, Mar 01, 2023 at 01:23:02PM +0100, PR Bot wrote: > Dear list! > > Author: Oto Valek > Number of patches: 2 > > This is an automated relay of the Github pull request: >BUG/MINOR: http-fetch: recognize IPv6 addresses in square brackets in >req.hdr_ip() > > Patch title(s):

Re: Can you block this?

2023-02-24 Thread Willy Tarreau
On Fri, Feb 24, 2023 at 10:18:14AM -0700, Bryan Arenal wrote: > And would this work to reject any request that has the > 'X-Forwarded-For' header? > > acl is-forwarded hdr_sub(x-forwarded-for) > http-request reject if is-forwarded No, not like this, as you're searching for sub-strings in this

Re: Host header not copied to :authority when using a proto h2 backend

2023-02-24 Thread Willy Tarreau
Hello, On Fri, Feb 24, 2023 at 02:19:30PM +0100, Óscar Frías Barranco wrote: > Hello > > I am using haproxy 2.4.18 with a frontend configured with alpn h2,http/1.1 > > The problem that I am facing is that if I add "proto h2" to the backends, > when a remote client connects to the frontend using

Re: How to test HTTP/3 on version 2.8?

2023-02-24 Thread Willy Tarreau
On Fri, Feb 24, 2023 at 04:52:23PM +0800, AiDai wrote: > I tried to test outside of Docker, but I encountered the same problem. > ``` > curl --http3-only https://0.0.0.0:443 -k -v > * Trying 0.0.0.0:443... > * ipv4 connect timeout after 30ms, move on! > * Failed to connect to 0.0.0.0 port 443

Re: Can you block this?

2023-02-23 Thread Willy Tarreau
On Fri, Feb 24, 2023 at 05:39:13AM +, Robin H. Johnson wrote: > On Thu, Feb 23, 2023 at 06:48:14PM -0700, Bryan Arenal wrote: > > Hi there, > > > > I'm seeing some traffic from what appears to be bad actors and am > > wanting to block them. I see this in the existing config but being > > new

Re: How to test HTTP/3 on version 2.8?

2023-02-23 Thread Willy Tarreau
Hi, On Fri, Feb 24, 2023 at 03:07:24PM +0800, AiDai wrote: > Hi there, > > I am interested in testing HTTP/3 on haproxy 2.8, but I am not sure how to > enable it. Currently, I run an Ubuntu 20.04 docker container using the > command: > ` docker run -ti --user root --privileged=true -p 8000:8000 -

Re: [*EXT*] RE: [ANNOUNCE] haproxy-2.4.22

2023-02-14 Thread Willy Tarreau
On Tue, Feb 14, 2023 at 07:58:34PM +0100, Vincent Bernat wrote: > On 2023-02-14 18:08, Ionel GARDAIS wrote: > > Hi Marc, > > > > I guess Vincent choose to use a -2 tag so that users who hold their package > > on minor version will still get the update. > > That's because the uploads were prepare

Re: [ANNOUNCE] haproxy-2.4.22

2023-02-14 Thread Willy Tarreau
Hello, On Tue, Feb 14, 2023 at 04:44:49PM +, Marc Gebauer wrote: > Hello together, > > we use > > /etc/apt/sources.list.d/haproxy.list > deb http://haproxy.debian.net bullseye-backports-2.4 main > > and apt list --upgradable shows: > > Listing... Done > haproxy/bullseye-backports-2.4 2.4.

[ANNOUNCE] HAProxy Security Update (CVE-2023-25725)

2023-02-14 Thread Willy Tarreau
Hello, A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxy's headers processing, and that, when properly exploited, this bug allows to build an HTTP content smuggling attack. HTTP content smuggling attacks consist in passing extra requests afte

[ANNOUNCE] haproxy-2.0.31

2023-02-14 Thread Willy Tarreau
ith peers BUG/MEDIUM: ssl: wrong eviction from the session cache tree CI: github: don't warn on deprecated openssl functions on windows Willy Tarreau (7): SCRIPTS: announce-release: add a link to the data plane API BUILD: makefile: build the features list dynamically

[ANNOUNCE] haproxy-2.2.29

2023-02-14 Thread Willy Tarreau
BUG/MEDIUM: ssl: wrong eviction from the session cache tree BUG/MINOR: ssl/crt-list: warn when a line is malformated CI: github: don't warn on deprecated openssl functions on windows Willy Tarreau (3): BUG/MEDIUM: cache: use the correct time reference when comparing dates

[ANNOUNCE] haproxy-2.4.22

2023-02-14 Thread Willy Tarreau
: Schedule a shutw on shutr if data must be sent first William Lallemand (3): BUG/MEDIUM: ssl: wrong eviction from the session cache tree BUG/MINOR: ssl/crt-list: warn when a line is malformated CI: github: don't warn on deprecated openssl functions on windows Willy Tarreau (3

[ANNOUNCE] haproxy-2.5.12

2023-02-14 Thread Willy Tarreau
: Schedule a shutw on shutr if data must be sent first William Lallemand (3): BUG/MEDIUM: ssl: wrong eviction from the session cache tree BUG/MINOR: ssl/crt-list: warn when a line is malformated CI: github: don't warn on deprecated openssl functions on windows Willy Tarreau (

[ANNOUNCE] haproxy-2.6.9

2023-02-14 Thread Willy Tarreau
session MEDIUM: quic: Remove qc_conn_finalize() from the ClientHello TLS callbacks BUG/MINOR: quic: Unchecked source connection ID William Lallemand (2): BUG/MEDIUM: ssl: wrong eviction from the session cache tree BUG/MINOR: ssl/crt-list: warn when a line is malformated Willy T

[ANNOUNCE] haproxy-2.7.3

2023-02-14 Thread Willy Tarreau
d() Olivier Houchard (1): MINOR: connection: add a BUG_ON() to detect destroying connection in idle list Remi Tricot-Le Breton (1): BUG/MINOR: jwt: Wrong return value checked William Lallemand (2): BUG/MEDIUM: ssl: wrong eviction from the session cache tree BUG/MINOR:

[ANNOUNCE] haproxy-2.8-dev4

2023-02-14 Thread Willy Tarreau
d list BUG/MINOR: quic: Wrong datagram dispatch because of qc_check_dcid() William Lallemand (3): BUG/MINOR: ssl/crt-list: warn when a line is malformated BUILD: ssl/ocsp: ssl_ocsp-t.h depends on ssl_sock-t.h MINOR: ssl/ocsp: add a function to check the OCSP update config

Re: [*EXT*] Important HAProxy releases to come next week

2023-02-13 Thread Willy Tarreau
On Mon, Feb 13, 2023 at 02:08:46PM +0100, Thomas Pedoussaut wrote: > On 13/02/2023 13:53, Willy Tarreau wrote: > > On Mon, Feb 13, 2023 at 12:45:36PM +0100, Ionel GARDAIS wrote: > > > That's a pretty sneaky way to ruin one's Valentine dinner. :-D > > Sure, but we

Re: [*EXT*] Important HAProxy releases to come next week

2023-02-13 Thread Willy Tarreau
On Mon, Feb 13, 2023 at 12:45:36PM +0100, Ionel GARDAIS wrote: > That's a pretty sneaky way to ruin one's Valentine dinner. :-D Sure, but we have to compose between disclosing too early, ruining the west coast's morning and too late, ruining eastern dinners :-) Maybe this one will be remembered as

Important HAProxy releases to come next week

2023-02-10 Thread Willy Tarreau
Hello, we've been notified of a vulnerability in haproxy that will deserve a new series of releases for all branches. As such I'm not going to issue 2.7.3 today and will postpone it a bit to avoid confusion. The releases for 2.7, 2.6, 2.5, 2.4, 2.2, and 2.0 are planned for Tuesday 14th around 5pm

Re: Issues with dynamic inserted servers

2023-02-08 Thread Willy Tarreau
On Wed, Feb 08, 2023 at 11:37:11AM +0100, Thomas Pedoussaut wrote: > > On 08/02/2023 10:09, Aurelien DARRAGON wrote: > > > In fact at some point I had a backend with 5 srv from config + 3 > > > dynamically inserted. Those new ones got about 50 requests pushed to > > > them, until they reaches the

Re: Issues with dynamic inserted servers

2023-02-08 Thread Willy Tarreau
On Wed, Feb 08, 2023 at 10:18:07AM +0100, Willy Tarreau wrote: > On Wed, Feb 08, 2023 at 09:58:47AM +0100, Thomas Pedoussaut wrote: > > On 08/02/2023 09:52, Willy Tarreau wrote: > > > Just out of curiosity (and in order to help narrow the root cause > > > further), >

Re: Issues with dynamic inserted servers

2023-02-08 Thread Willy Tarreau
On Wed, Feb 08, 2023 at 09:58:47AM +0100, Thomas Pedoussaut wrote: > On 08/02/2023 09:52, Willy Tarreau wrote: > > Just out of curiosity (and in order to help narrow the root cause > > further), > > it would be interesting to know if the same problem happens with stati

Re: Issues with dynamic inserted servers

2023-02-08 Thread Willy Tarreau
On Wed, Feb 08, 2023 at 09:46:52AM +0100, Thomas Pedoussaut wrote: > Thanks Aurelien, I feel less lonely on this. :-) > I might add that sometime as well the server check results switches to 4 = > CHK_RES_CONDPASS which seems to indicate a bug in the handling of the > maxconn parameter. > > I wi

Re: Issues with dynamic inserted servers

2023-02-08 Thread Willy Tarreau
On Wed, Feb 08, 2023 at 09:38:41AM +0100, Aurelien DARRAGON wrote: > Hi, > > I don't know if it could help, but based on Thomas instructions/example, > I'm able to reproduce: > > As weird as it may seem, the 'maxconn' parameter used with dynamic > server seems to trigger the issue. > > Below is

Re: Issues with dynamic inserted servers

2023-02-07 Thread Willy Tarreau
Hi Thomas, On Tue, Feb 07, 2023 at 06:18:26PM +0100, Thomas Pedoussaut wrote: (...) > As you can see in the logs, servers are seen, registered and marked as UP. > But a request made a few seconds later, the backend can't find a suitable > server to fulfill the request. > > > Feb  7 16:34:27 ip-1

[ANNOUNCE] haproxy-2.8-dev3

2023-02-04 Thread Willy Tarreau
Remi Tricot-Le Breton (2): BUG/MINOR: ssl: Fix leaks in 'update ssl ocsp-response' CLI command MINOR: ssl: Remove debug fprintf in 'update ssl ocsp-response' cli command William Lallemand (1): BUG/MEDIUM: ssl: wrong eviction from the session cache tree

Re: Support arbitrary PROXY protocol v2 TLVs as samples

2023-01-24 Thread Willy Tarreau
Hi Johannes, On Wed, Jan 18, 2023 at 10:49:18AM +, Bitsch, Johannes (external - Project) wrote: > Hi again, > > I checked my patch file from a few weeks ago using the recommended > checkpatch.pl [1] and realized that the indentation was off as well as some > other small things. > To make thi

Re: Theoretical limits for a HAProxy instance

2023-01-24 Thread Willy Tarreau
Hi Iago, On Tue, Jan 24, 2023 at 04:45:54PM +0100, Iago Alonso wrote: > We are happy to report that after downgrading to OpenSSL 1.1.1s (from > 3.0.7), our performance problems are solved, and now looks like > HAProxy scales linearly with the available resources. Excellent, thanks for this nice f

Re: HAProxy performance on OpenBSD

2023-01-24 Thread Willy Tarreau
On Wed, Jan 25, 2023 at 12:04:14AM +0100, Olivier Houchard wrote: > > 0x0af892c770b0 : mov%r12,%rdi > > 0x0af892c770b3 : callq 0xaf892c24e40 > > > > 0x0af892c770b8 : mov%rax,%r12 > > 0x0af892c770bb : test %rax,%rax > > 0x0af892c770be : je 0xa

Re: HAProxy performance on OpenBSD

2023-01-24 Thread Willy Tarreau
On Tue, Jan 24, 2023 at 11:59:16PM -0600, Marc West wrote: > On 2023-01-24 23:04:14, Olivier Houchard wrote: > > On Tue, Jan 24, 2023 at 11:05:37PM +0100, Willy Tarreau wrote: > > > On Tue, Jan 24, 2023 at 02:15:08PM -0600, Marc West wrote: > > > > > Stupid questio

Re: HAProxy performance on OpenBSD

2023-01-24 Thread Willy Tarreau
On Tue, Jan 24, 2023 at 02:15:08PM -0600, Marc West wrote: > > Stupid question but I prefer to ask in order to be certain, are all of > > these 32 threads located on the same physical CPU ? I just want to be > > sure that locks (kernel or user) are not traveling between multiple CPU > > sockets, as

Re: HAProxy performance on OpenBSD

2023-01-23 Thread Willy Tarreau
Hi Marc, On Mon, Jan 23, 2023 at 11:36:48PM -0600, Marc West wrote: (...) > I tested flooding bogus UDP traffic from two other machines with random > source ports (nsd listening on 53). Within 1 second PF had ~130k states > and load was minimal: (...) OK at least at this point we can rule out any

Re: HAProxy performance on OpenBSD

2023-01-23 Thread Willy Tarreau
On Mon, Jan 23, 2023 at 02:22:45PM +0600, ??? wrote: > also, I wonder what is LibreSSL <--> OpenSSL perf. > I'll try "openssl speed" (I recall LibreSSL has the same feature), but I'm > not sure I can get OpenBSD machine. It wouldn't have caused that much system if it was the cause, the sy

Re: HAProxy performance on OpenBSD

2023-01-23 Thread Willy Tarreau
Hi Ilya, On Mon, Jan 23, 2023 at 02:11:56PM +0600, ??? wrote: > I would start with big picture view > > 1) are CPUs utilized at 100% ? > 2) what is CPU usage in details - fraction of system, user, idle ... ? > > it will allow us to narrow things and find what is the bottleneck, either >

Re: HAProxy performance on OpenBSD

2023-01-23 Thread Willy Tarreau
Hi Marc, On Mon, Jan 23, 2023 at 12:13:13AM -0600, Marc West wrote: (...) > I understand that raw performance on OpenBSD is sometimes not as high as > other OSes in some scenarios, but the difference of 500 vs 10,000+ > req/sec and 1100 vs 40,000 connections here is very large so I wanted to > see

[ANNOUNCE] haproxy-2.8-dev2

2023-01-22 Thread Willy Tarreau
1.0.2 (missing ECDSA_SIG_set0) BUG/MINOR: jwt: Wrong return value checked William Lallemand (3): DOC: management: add details on "Used" status DOC: management: add details about @system-ca in "show ssl ca-file" Revert "BUILD: ssl: add ECDSA_SIG_set0

Re: [ANNOUNCE] haproxy-2.7.2

2023-01-20 Thread Willy Tarreau
On Fri, Jan 20, 2023 at 11:42:18AM +0100, Tim Düsterhus wrote: > Hi > > On 1/20/23 11:32, Willy Tarreau wrote: > >- config: the patch adding environment variables HAPROXY_TCP_LOG_FMT, > > HAPROXY_HTTP_LOG_FMT and HAPROXY_HTTPS_LOG_FMT which contain the > >

[ANNOUNCE] haproxy-2.7.2

2023-01-20 Thread Willy Tarreau
check environment variable against `None` in matrix.py CI: Reformat `matrix.py` using `black` William Lallemand (5): REGTESTS: ssl: enable the ssl_reuse.vtc test for WolfSSL MINOR: httpclient: don't add body when istlen is empty CI: github: use the GITHUB_TOKEN instead of a manua

Re: Information Required For PostgreSQL HA

2023-01-18 Thread Willy Tarreau
On Thu, Jan 19, 2023 at 06:40:30AM +, Zahid Haseeb wrote: > ENVIRONMENT DETAIL > We have setup high availability environment for KONG API Gateway product. We > used two kong applications and two postgresql databases and placed a haproxy > load balancer between kong application and postgresql da

Re: [PATCH] DOC: config: fix "Address formats" chapter syntax

2023-01-17 Thread Willy Tarreau
On Wed, Jan 18, 2023 at 01:00:57AM -0500, Daniel Corbett wrote: > Hi, > > The section on "Address formats" doesn't provide the dot (.) after the > chapter numbers, which breaks parsing within the HTML converter. > This commit adds the dot (.) after each chapter within Section 11. > > This should

Re: [PATCH] BUG/MINOR: mux-fcgi: Correctly set pathinfo

2023-01-17 Thread Willy Tarreau
On Tue, Jan 17, 2023 at 09:44:11AM +1100, Paul Barnetta wrote: > Existing logic for checking whether a regex subexpression for pathinfo > is matched results in valid matches being ignored and non-matches having > a new zero length string stored in params->pathinfo. This patch reverses > the logic s
