since I've used it, but there have been times I did
special, unsupported builds in COPR for others to use.
Hope this helps.
Ryan
Links:
--
[1] http://haproxy.debian.net
--
Regards,
Christian Ruppert
ach reload. Running 2.5 with
fab0fdce981149a4e3172f2b81113f505f415595 seems to fix the issue for me.
https://github.com/haproxy/haproxy/commit/fab0fdce981149a4e3172f2b81113f505f415595
--
Regards,
Christian Ruppert
On 2021-02-12 12:06, William Dauchy wrote:
Hi Christian,
On Fri, Feb 12, 2021 at 11:59 AM Christian Ruppert
wrote:
Is this a bug? Can you confirm this behavior? Is there any other way I
could figure out whether a backend is currently in use?
unfortunately reload does not recover stats
this behavior? Is there any other way I
could figure out whether a backend is currently in use?
--
Regards,
Christian Ruppert
On 2021-02-10 18:15, Christopher Faulet wrote:
Le 08/02/2021 à 14:31, Christian Ruppert a écrit :
Hi list, Christopher,
we're having issues with the mentioned commit / patch:
d13afbcce5e664f9cfe797eee8c527e5fa947f1b
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h
On 2021-02-08 14:46, Christopher Faulet wrote:
Le 08/02/2021 à 14:31, Christian Ruppert a écrit :
Hi list, Christopher,
we're having issues with the mentioned commit / patch:
d13afbcce5e664f9cfe797eee8c527e5fa947f1b
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h
Hi list, Christopher,
we're having issues with the mentioned commit / patch:
d13afbcce5e664f9cfe797eee8c527e5fa947f1b
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=d13afbcce5e664f9cfe797eee8c527e5fa947f1b
I can also reproduce it with 2.2.9 as well as 2.3.5. I don't have any
useful
No Problem at all. Feel free :)
On 2020-12-21 12:59, Willy Tarreau wrote:
On Mon, Dec 21, 2020 at 12:20:36PM +0100, Christian Ruppert wrote:
> 2) we include from this file so that it becomes
> consistent
> with everything else ;
>
> 3) we add the ifdef VAR
Hey Willy,
On 2020-12-21 11:36, Willy Tarreau wrote:
Hi,
On Sun, Dec 20, 2020 at 12:58:52PM +0500, ??? wrote:
ping :)
Oh I completely missed this one in the noise it seems! I'm sorry.
No problem! :)
> Author: Christian Ruppert
> Number of patches: 1
>
> This is
to know like where a bot triggered some action and stuff like
that.
--
Regards,
Christian Ruppert
, 2020 at 11:02:48AM +0200, Christian Ruppert wrote:
> Hi List,
>
> we've just noticed and confirmed some strange change in behavior, depending
> on whether the request is made with HTTP 1.x or 2.x.
> [...]
> That also affects ACLs like url*/path* and probably others.
> I don't t
e via test case
(regtest).
--
Regards,
Christian Ruppert
On 2020-03-27 16:58, Christian Ruppert wrote:
On 2020-03-27 16:49, Olivier Houchard wrote:
On Fri, Mar 27, 2020 at 04:32:21PM +0100, Christian Ruppert wrote:
On 2020-03-27 16:27, Olivier Houchard wrote:
> On Fri, Mar 27, 2020 at 04:21:20PM +0100, Christian Ruppert wrote:
>> During the
On 2020-03-27 16:49, Olivier Houchard wrote:
On Fri, Mar 27, 2020 at 04:32:21PM +0100, Christian Ruppert wrote:
On 2020-03-27 16:27, Olivier Houchard wrote:
> On Fri, Mar 27, 2020 at 04:21:20PM +0100, Christian Ruppert wrote:
>> During the reload I just found something in the daemon lo
On 2020-03-27 16:27, Olivier Houchard wrote:
On Fri, Mar 27, 2020 at 04:21:20PM +0100, Christian Ruppert wrote:
During the reload I just found something in the daemon log:
Mar 27 13:37:54 somelb haproxy[20799]: [ALERT] 086/133748 (20799) :
Starting proxy someotherlistener: cannot bind socket
someotherlistener: cannot bind socket [:::18540]
So during the reload, this happened and seems to have caused any further
issues/trouble.
On 2020-03-27 15:10, Christian Ruppert wrote:
So now I looked for more of those "SC"'s in the log, from our
monitoring and it appeared first around 13:38:01.
Ar
3-27 15:00, Christian Ruppert wrote:
Hi Olivier,
On 2020-03-27 14:50, Olivier Houchard wrote:
Hi Christian,
On Fri, Mar 27, 2020 at 02:37:41PM +0100, Christian Ruppert wrote:
Hi list,
we have some weird issues now, the second time, that *some* SSL
sockets
seem to be broken as well as stats sockets.
Hi Olivier,
On 2020-03-27 14:50, Olivier Houchard wrote:
Hi Christian,
On Fri, Mar 27, 2020 at 02:37:41PM +0100, Christian Ruppert wrote:
Hi list,
we have some weird issues now, the second time, that *some* SSL
sockets
seem to be broken as well as stats sockets.
HTTP seems to work fine
ilters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[TRACE] trace
[COMP] compression
--
Regards,
Christian Ruppert
On 2019-11-20 11:05, William Lallemand wrote:
On Wed, Nov 20, 2019 at 10:19:20AM +0100, Christian Ruppert wrote:
Hi William,
thanks for the patch. I'll test it later today. What I actually
wanted to
achieve is:
https://cbonte.github.io/haproxy-dconv/2.0/management.html#4 Then
HAProxy tries
Hi Aleks,
On 2019-11-21 11:01, Aleksandar Lazic wrote:
Hi.
Am 21.11.2019 um 10:49 schrieb Christian Ruppert:
Hi list,
for an old exchange cluster I have some check listener like:
listen chk_s015023
bind 0.0.0.0:1001
mode http
monitor-uri /check
tcp
?
I'd like to avoid using an external check script to do all those checks.
--
Regards,
Christian Ruppert
n waitpid mode, then the master exiting with the usage message in your
logs.
--
Regards,
Christian Ruppert
ld process and proceed with the old child until the problem has been
fixed.
Can anybody confirm that? Is that intended?
https://cbonte.github.io/haproxy-dconv/2.0/management.html#4
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-master-worker
--
Regards,
Christian Ruppert
Hi Jarno,
On 2019-06-04 12:44, Jarno Huuskonen wrote:
Hi Christian,
On Thu, Apr 25, Christian Ruppert wrote:
listen genlisten_10320-cust1.tls-tcp
acl REQ_TLS_HAS_ECC req.ssl_ec_ext eq 1
tcp-request content accept if { req_ssl_hello_type 1 } # Match
Client SSL Hello
mode http
option httplog
log global
# ...
So it would be cool if both were possible, H2 as well as H1 via that
socket, using "alpn h2,http/1.1"
--
Regards,
Christian Ruppert
2019-04-24 15:06, Willy Tarreau wrote:
Hi Christian,
On Wed, Apr 24, 2019 at 02:29:40PM +0200, Christian Ruppert wrote:
Hi,
so I did some more tests and it seems to be an issue between
h2test_tcp.tls
and the frontend, using the UNIX sockets. Adding a TCP bind to that
listener
also doesn't wo
help.
On 2019-04-23 15:57, Christian Ruppert wrote:
Hey,
we have an older setup using nbproc >1 and having a listener for the
initial tcp connection and one for the actual SSL/TLS, also using tcp
mode which then goes to the actual frontend using http mode. Each
being bound to different proces
perly.
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
Can anybody else confirm that? Tested with HAProxy 1.9.6.
Any ideas what might be the reason? Right now, I'd guess that's a
Problem with H/2 and those sockets on the HAProxy side.
--
Regards,
Christian Ruppert
s located in the
propagation
of the frontend's mask to the listener, I'll look at this.
Thanks!
Willy
-Patrick
--
Regards,
Christian Ruppert
not allocate
more than
4096 filters ‐ or applications should not create more than 4096 outgoing
connections.
The limit does not apply to inbound connections to a listening socket.
On 2017-12-20 13:11, Christian Ruppert wrote:
Hi Elias,
I'm currently preparing a test setup including a SFN8522 + onload
] http://10.3.20.30:445
--
Regards,
Christian Ruppert
Hi Willy,
please see the attached patch that fixes linking / LDFLAGS order of some
contrib modules which is related to e.g. linking with -Wl,--as-needed.
--
Regards,
Christian RuppertFrom c702537864f7e062d18f4ccce3e29d14d4ccf05f Mon Sep 17 00:00:00 2001
From: Christian Ruppert <id...@qasl
the limit of 64 or just the ones >64 which is
currently not possible. Is there any reason to limit the cpu/-set value
instead of just the number of processes?
--
Regards,
Christian Ruppert
On 2016-11-25 15:26, Willy Tarreau wrote:
On Fri, Nov 25, 2016 at 02:44:35PM +0100, Christian Ruppert wrote:
I have a default bind for process 1 which is basically the http
frontend and
the actual backend, RSA is bound to another, single process and ECC is
bound
to all the rest. So
On 2016-11-25 14:44, Christian Ruppert wrote:
Hi Willy,
On 2016-11-25 14:30, Willy Tarreau wrote:
Hi Christian,
On Fri, Nov 25, 2016 at 12:12:06PM +0100, Christian Ruppert wrote:
I'll compare HT/no-HT afterwards. In my first tests it didn't same to
make
much of a difference o far.
I also
Hi Willy,
On 2016-11-25 14:30, Willy Tarreau wrote:
Hi Christian,
On Fri, Nov 25, 2016 at 12:12:06PM +0100, Christian Ruppert wrote:
I'll compare HT/no-HT afterwards. In my first tests it didn't same to
make
much of a difference o far.
I also tried (in this case) to disable HT entirely
ht improve performance)
Hope that helps,
Conrad
On 10/21/2016 04:47 PM, Christian Ruppert wrote:
Hi,
again a performance topic.
I did some further testing/benchmarks with ECC and nbproc >1. I was
testing
on a "E5-2697 v4" and the first thing I noticed was that HAProxy has a
fixed
test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
I actually thought I was using 1.6.9 on that host already so I just
upgraded and tried again some benchmarks but it looks like it's almost
equal at the first glance.
--
Regards,
Christian Ruppert
but it also happens with binds bound
to just one process.
--
Regards,
Christian Ruppert
Hi Dennis,
On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
On 15.04.2016 16:01, Christian Ruppert wrote:
Hi,
would it be possible to inherit the SSL information from a SSL
listener/frontend via PROXY protocol?
So for example:
listen ssl-relay
mode tcp
...
server rsa unix@/var
ier/better IMHO.
--
Regards,
Christian Ruppert
On 2016-04-14 11:06, Christian Ruppert wrote:
Hi Willy,
On 2016-04-14 10:17, Willy Tarreau wrote:
On Thu, Apr 14, 2016 at 08:55:47AM +0200, Lukas Tribus wrote:
Le me put it this way:
frontend haproxy_test
bind-process 1-8
bind :12345 process 1
bind :12345 process 2
bind :12345 process 3
proxy_ssl_ecc.sock send-proxy-v2
use-server rsa if !HAS_ECC
server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
frontend http_https_combined
mode http
bind-process 1-40
bind :80 process 1
bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt
/etc/haproxy/ssltest.pem-ECC user haproxy process 4-40
bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt
/etc/haproxy/ssltest.pem-RSA user haproxy process 3
...
default_backend somebackend
The plan was to have the same http performance as before, move SSL
termination onto other/independent processes and furthermore split RSA
and ECC. The "bind-process 1-40" is necessary because it's otherwise not
possible to bind the SSL binds to the other processes.
Please also note that you'll get a build warning that first needs
another
fix on listen_accept() which doesn't have the same prototype between
the
.c and the .h (!). I'll handle it as well.
Cheers,
Willy
--
Regards,
Christian Ruppert
re, even tough the bind uses the first / only one process anyway?
--
Regards,
Christian Ruppert
On 2016-03-29 15:13, Christian Ruppert wrote:
On 2016-03-29 10:58, Christian Ruppert wrote:
Hi Willy,
On 2016-03-25 18:17, Willy Tarreau wrote:
On Fri, Mar 25, 2016 at 01:53:50PM +0100, Willy Tarreau wrote:
I think it's even different (but could be wrong) since Christian
spoke
about counters
On 2016-03-29 10:58, Christian Ruppert wrote:
Hi Willy,
On 2016-03-25 18:17, Willy Tarreau wrote:
On Fri, Mar 25, 2016 at 01:53:50PM +0100, Willy Tarreau wrote:
I think it's even different (but could be wrong) since Christian
spoke
about counters suddenly doubling. The issue you faced
(!msg_cur) {
/* malformed message */
appctx->st0 = PEER_SESS_ST_ERRPROTO;
Thanks a lot for the fast investigation! The proposed patch seems to do
the trick :)
--
Regards,
Christian Ruppert
?
frontend SSL-Offload
bind :443 ssl crt ssl.pem ecdhe prime256v1
tcp-request connection accept if { src_get_gpc0(whitelist) eq 1 }
tcp-request connection reject
backend whitelist
stick-table type ip size 1m expire 1h nopurge store gpc0
Thanks
Seri
--
Regards,
Christian
s of requests on our prod. systems but according to the logs it
can't be correct.
Does anybody else have similar weirdness or can you guys confirm false
values?
The *_cnt values seem to be ok but the *_rate ones seem to be false in
some cases.
--
Regards,
Christian Ruppert
to not evaluate if there's just
something like
"use_backend somebackend if { ... }"
2. Why is the function called twice? That's only when using the ACL
variant.
Using the workaround with req_ssl_ver above just calls it once.
--
Regards,
Christian Ruppert
quot;.
The "option httpclose" was on purpose. Also the client could (during a
attack) simply do the same and achieve the same result. I don't think
that will help in such cases.
--
Regards,
Christian Ruppert
Hi Willy,
On 2016-03-17 06:05, Willy Tarreau wrote:
Hi Christian,
On Wed, Mar 16, 2016 at 05:25:53PM +0100, Christian Ruppert wrote:
Hi Lukas,
On 2016-03-16 16:53, Lukas Tribus wrote:
>>The "option httpclose" was on purpose. Also the client could (during a
>>atta
Hi Aleks,
On 2016-03-16 15:57, Aleksandar Lazic wrote:
Hi.
Am 16-03-2016 15:17, schrieb Christian Ruppert:
Hi,
this is rather HAProxy unrelated so more a general problem but
anyway..
I did some tests with SSL vs. non-SSL performance and I wanted to
share my
results with you guys but also
On 2016-03-18 11:31, Christian Ruppert wrote:
Hi Willy,
On 2016-03-17 06:05, Willy Tarreau wrote:
Hi Christian,
On Wed, Mar 16, 2016 at 05:25:53PM +0100, Christian Ruppert wrote:
Hi Lukas,
On 2016-03-16 16:53, Lukas Tribus wrote:
>>The "option httpclose" was on purpose.
On 2016-03-17 00:14, Nenad Merdanovic wrote:
Hello,
On 3/16/2016 6:25 PM, Christian Ruppert wrote:
Some customers may require 4096 bit keys as it seems to be much more
decent than 2048 nowadays. So you may be limited here. A test with a
2048 bit Cert gives me around ~770 requests per second
threading.
Hm, I haven't tried Apache yet but would that be a huge benefit
compared
to a setup using nbproc> 1?
I haven't tried it either, but yes, I would assume so. It also doesn't
block
other connections will handshaking new ones.
Regards,
Lukas
--
Regards,
Christian Ruppert
lost when being under attack. How did you guys solve
this problem?
External SSL offloading, using hardware crypto foo, special
cipher/settings tuning,
simply *much* more hardware or not yet at all?
--
Regards,
Christian Ruppert
Apache yet but would that be a huge benefit compared
to a setup using nbproc > 1?
Hope this helps,
Lukas
[1] https://twitter.com/ngx_vbart/status/611956593324916736
--
Regards,
Christian Ruppert
own dhparams file to avoid using those pre-generated ones
and/ore appending some to all certificates. Wouldn't it make sense to
allow it to be read from a file, globally?
--
Regards,
Christian Ruppert
was just an example. There is 1024 and IIRC 768 as well. One might
be forced to use 1024.
Also, according to the documentation HAProxy wouldn't allow/use anything
greater than tune.ssl.default-dh-param which is 1024 by default - unless
I misunderstood something.
--
Regards,
Christian Ruppert
,
; Yuan
--
Regards,
Christian Ruppert
Hi Willy,
On 2015-02-02 17:31, Willy Tarreau wrote:
Hi Christian,
On Mon, Feb 02, 2015 at 04:55:56PM +0100, Christian Ruppert wrote:
Hey,
are there some kind of global ACLs perhaps? I think that could be
really
useful. In my case I have ~70 frontends and ~100 backends. I often use
the same
) 192.168.1.2 # This *might* be
a special case... Not yet further verified.
frontend example
use_backend ... if foo
use_backend ... if foobar
--
Regards,
Christian Ruppert
Hey guys,
just a thought... wouldn't it make sense to add an option to tcp-request
connection reject to disable the actual TCP RST? So, an attacker tries to
(keep) open a lot of ports:
a) HAProxy (configured with rate limiting etc.) does a tcp-request connection
reject which ends up as a TCP
side but don't notify
the remote side it will probably exhaust the attacker and we could handle more
connections and/or free and re-use such connections that has been classified too
much.
On 01/14/2015 05:28 PM, Baptiste wrote:
On Wed, Jan 14, 2015 at 5:00 PM, Christian Ruppert c.rupp...@babiel.com
/haproxy-docs/wiki/UnixSocketCommands
So e.g. disable server backend1/server1
Or even via the stats interface with stats admin if
--
Regards,
Christian Ruppert
pgpOHYOzE_D16.pgp
Description: PGP signature
Hi Baptiste,
it is IMHO not really clear that brackets are for anonymous ACLs only.
Wouldn't it make sense to support it for use_backend as well?
It just makes things easier in my opinion.
Mit freundlichen Grüßen,
Christian Ruppert
Christian Ruppert
Grüßen,
Christian Ruppert
Christian Ruppert
Systemadministrator
Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf
Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail: c.rupp...@babiel.com
Internet: http://www.babiel.com http
the action.
I would really like to see that fixed. Or is that on purpose?
Mit freundlichen Grüßen,
Christian Ruppert
Christian Ruppert
Systemadministrator
Babiel GmbH
Erkrather Str. 224 a
D-40233 Düsseldorf
Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail
Hi guys,
I saw that 1.5.x will have IPv6 ACL support. Would it be possible to backport it
to 1.4.x? :)
I haven't looked at the patch yet though so I don't know how much work it may
be.
--
Regards,
Christian Ruppert
pgpScmPJYmYHN.pgp
Description: PGP signature
71 matches
Mail list logo
