Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-13 Thread Jerome Magnin
c68c Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 12 Jan 2021 20:19:38 +0100 Subject: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker The strict-limits global option was introduced with commit 0fec3ab7b ("MINOR: init: always fail when setrlimit fai

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-13 Thread Jerome Magnin
Hi William, On Wed, Jan 13, 2021 at 08:57:47AM +0100, William Dauchy wrote: > On Tue, Jan 12, 2021 at 08:36:57PM +0100, Jerome Magnin wrote: > > From ca260ac46cd441ed4108cdef7b304b6c0baec68c Mon Sep 17 00:00:00 2001 > > From: Jerome Magnin > > Date: Tue, 12 Jan 2021 20:19

[PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-12 Thread Jerome Magnin
Hi William, list, This is a patch for issue 1042. I removed all tests for master-worker mode for everything related to strict-limits. regards, -- Jérôme >From ca260ac46cd441ed4108cdef7b304b6c0baec68c Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 12 Jan 2021 20:19:38 +0100 Subj

[PATCH] DOC: ssl-load-extra-files only applies to certificates on bind lines.

2020-09-07 Thread Jerome Magnin
rom: Jerome Magnin Date: Mon, 7 Sep 2020 11:55:57 +0200 Subject: [PATCH] DOC: ssl-load-extra-files only applies to certificates on bind lines. Be explicit about ssl-load-extra-files not applying to certificates referenced with the crt keyword on server lines. --- doc/configuration.txt | 3 ++- 1 f

Re: Is the "source" keyword supported on FreeBSD?

2020-08-12 Thread Jerome Magnin
Hi Frank, On Wed, Aug 12, 2020 at 11:50:05AM +0200, Frank Wall wrote: > Hi, > > this *feels* like a silly question and I may have missed something > pretty obvious, but... I've tried to use the "source" keyword and > it doesn't work. HAProxy does not use the specified IP address when >

Re: SRV records resolution failure if Authority section is present

2020-07-28 Thread Jerome Magnin
is email. >From db0198a29ab493796414033b8fb11661e91d0bee Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Discovery by means of SRV records was enhanced with commit

[PATCH] BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status

2020-07-28 Thread Jerome Magnin
Hi, this is a patch for issue #775. -- Jérôme >From 68e8b71c50d0805faf5facba587f1c8c3f1760b7 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 28 Jul 2020 13:38:22 +0200 Subject: [PATCH] BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status Since commit 13a923

Re: SRV records resolution failure if Authority section is present

2020-07-26 Thread Jerome Magnin
or your review. -- Jérôme >From 363ed1dd2f3ded7837bbb424eabb309803fc6292 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Discovery by means of SRV records was enhanced with commit 13a

SRV records resolution failure if Authority section is present

2020-07-26 Thread Jerome Magnin
On Sun, Jul 26, 2020 at 01:21:45PM +0200, Jerome Magnin wrote: > as I was trying to reproduce the issue with DNS Service Discovery with > SRV records reported in issue #775 I encountered a different issue. > > I am using bind as a dns server, and its answers contain an Authority &g

haproxy@formilux.org

2020-07-26 Thread Jerome Magnin
ions to 2.2 can have their service break because of this. -- Jérôme >From 9637655e5ee0d4d51056cbdb948f4c2b1da272e4 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Di

Re: [ANNOUNCE] haproxy-2.0.16

2020-07-18 Thread Jerome Magnin
Hi Dmitry On Sat, Jul 18, 2020 at 12:29:10PM +0300, Dmitry Sivachenko wrote: > > 1) new warnings: > > src/log.c:1692:10: warning: logical not is only applied to the left hand side > of this comparison [-Wlogical-not-parentheses] > while (HA_SPIN_TRYLOCK(LOGSRV_LOCK, >lock) !=

Re: Log levels when logging to stdout

2020-07-16 Thread Jerome Magnin
Hi Martin, On Thu, Jul 16, 2020 at 10:05:40AM +0300, Martin Grigorov wrote: > > I am using such logging configuration (HAProxy built from master branch): > > global > log stdout format raw local0 err > ... > defaults > log global > option dontlog-normal > option httplog > option

Re: HTTP/2 in 2.1.x behaves different than in 2.0.x

2020-07-03 Thread Jerome Magnin
Hi Christian, On Fri, Jul 03, 2020 at 11:02:48AM +0200, Christian Ruppert wrote: > Hi List, > > we've just noticed and confirmed some strange change in behavior, depending > on whether the request is made with HTTP 1.x or 2.x. > [...] > That also affects ACLs like url*/path* and probably

Re: Ubuntu 20.04 + TLSv1

2020-06-12 Thread Jerome Magnin
On Fri, Jun 12, 2020 at 03:09:18PM +0200, bjun...@gmail.com wrote: > Hi, > > currently i'm testing Ubuntu 20.04 and HAProxy 2.0.14. > > I'm trying to get TLSv1 working (we need this for some legacy clients), so > far without success. > > I've read different things, on the one hand Ubuntu has

Re: missing backports in haproxy-1.8

2020-06-12 Thread Jerome Magnin
On Fri, Jun 12, 2020 at 11:10:08AM +0200, William Lallemand wrote: > I pushed them in the 1.8 git. I couldn't reproduce the issue though, > which compiler do you use? > I ran into the issue with gcc 10.1.0. Thanks for the backports! Jérôme

Re: missing backports in haproxy-1.8

2020-06-11 Thread Jerome Magnin
On Thu, Jun 11, 2020 at 07:27:26PM +0200, William Lallemand wrote: > On Thu, Jun 11, 2020 at 12:41:51PM +0200, Jerome Magnin wrote: > > 72d9f3351 BUILD: chunk: properly declare pool_head_trash as extern > > 2231b6388 BUILD: cache: avoid a build warning with some compilers/linkers

missing backports in haproxy-1.8

2020-06-11 Thread Jerome Magnin
Hi list, haproxy-1.8 is missing two backports, and can't be built with recent gcc as a result. 72d9f3351 BUILD: chunk: properly declare pool_head_trash as extern 2231b6388 BUILD: cache: avoid a build warning with some compilers/linkers regards, Jérôme

[PATCH] DOC: retry-on can only be used with mode http

2020-05-13 Thread Jerome Magnin
rom e030ea97758cc8b6af5f655637137230e9a1791f Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 13 May 2020 20:09:57 +0200 Subject: [PATCH] DOC: retry-on can only be used with mode http The documentation for retry-on hints at it being meant to be used in conjunction with mode http, but since we've had a bug report involving m

Re: [PATCH 1/3] BUG/MINOR: pollers: remove uneeded free in global init

2020-05-13 Thread Jerome Magnin
Hi Willy, On Wed, May 13, 2020 at 03:52:54PM +0200, Willy Tarreau wrote: > Hi Jérôme, > [...] > Ah crap! I didn't notice this part which didn't appear in the context > of the patch. I didn't notice we still had a few such labels in very > old files. Do you mind if instead I edit your patch to

Re: [PATCH 1/3] BUG/MINOR: pollers: remove uneeded free in global init

2020-05-13 Thread Jerome Magnin
e breaks clang builds because it removes the fail_revt label but it is still declared as a local label, and clang errors on it. Please find a patch attached. Jérôme >From 7549f1648f4e32ded652eabc07cd1dd7f0e7f38f Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 13 May 2020 15:11:

Re: [PATCH] DOC: give a more accuration description of what check does

2020-04-28 Thread Jerome Magnin
he context of checks. I don't think there are ways around this. - the "alpn" setting of a server line is also not used for checks, one must define it with check-alpn. This will probably change soon now that haproxy can do h2 checks natively. Jérôme >From 6a8e8ecfa

[PATCH] DOC: give a more accuration description of what check does

2020-04-26 Thread Jerome Magnin
Hi, here's a documentation patch for the check keyword. regards, Jérôme >From 10e90939d9fd1bd4f1e651d679d0b99e8da91afb Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Apr 2020 14:23:04 +0200 Subject: [PATCH] DOC: give a more accurate description of what check does The documentat

[PATCH] option logasap does not depend on mode

2020-04-23 Thread Jerome Magnin
Hi, this patch is to disambiguate option logasap. regards, Jérôme >From b7feb6d24341c15320ec961ebf1f8fc39342c0da Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Thu, 23 Apr 2020 19:01:17 +0200 Subject: [PATCH] DOC: option logasap does not depend on mode The documentation for option loga

Re: How to suppress weak ciphers

2020-04-23 Thread Jerome Magnin
On Thu, Apr 23, 2020 at 03:59:59AM +, Branitsky, Norman wrote: > Jerome, > > Thanks for the clarification. > > This string: > > CHACHA20:AESGCM:AESCCM:!RSA > resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon > ciphers: > > [cid:image001.jpg@01D61902.1FDF86A0] > >

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote: > As you can see from my pasted configuration, I was specifying exactly 4 > ciphers. > The 2 weak CBC ciphers were magically appearing in the SSL Labs report. > I tried to explicitly delete them - but the delete request is

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
Hi Norman, On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote: > HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 > SSL Labs reports the CBC ciphers are "weak": > > [cid:image002.jpg@01D6117D.1C8AC910] > > I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to > no

Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 12:06:15PM +0200, Jerome Magnin wrote: > Hi, > [...] > The other patch adds a new keyword in global section to set default bind > curves. > I updated the second patch to remove the ability to set the default curves at build time because I did it wrong a

[PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
to set default bind curves. Jérôme >From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 22 Apr 2020 11:40:18 +0200 Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are not used Documentation states that default setti

Re: FreeBSD CI builds fail

2019-07-29 Thread Jerome Magnin
On Tue, Jul 23, 2019 at 08:37:37PM +0200, Jerome Magnin wrote: > On Tue, Jul 23, 2019 at 07:09:57PM +0200, Tim Düsterhus wrote: > > Jérôme, > > Ilya, > > > > I noticed that FreeBSD CI fails since > > https://github.com/haproxy/haproxy/commit/885f64f

Re: FreeBSD CI builds fail

2019-07-23 Thread Jerome Magnin
On Tue, Jul 23, 2019 at 07:09:57PM +0200, Tim Düsterhus wrote: > Jérôme, > Ilya, > > I noticed that FreeBSD CI fails since > https://github.com/haproxy/haproxy/commit/885f64fb6da0a349dd3182d21d337b528225c517. > > > One example is here: https://github.com/haproxy/haproxy/runs/169980019 > > It

Re: fullconn not working

2019-07-16 Thread Jerome Magnin
Hi Patrick, On Tue, Jul 16, 2019 at 09:40:31AM -0400, Patrick Hemmer wrote: > > > > *From:* Pavlos Parissis [mailto:pavlos.paris...@gmail.com] > *Sent:* Tuesday, July 16, 2019, 09:32 EDT > *To:* haproxy@formilux.org >

Re: Server IP address not being preserved from server state file

2019-07-11 Thread Jerome Magnin
Hi On Thu, Jul 11, 2019 at 12:15:19PM -0400, Shaun Tarves wrote: > Hi - > > I am trying to determine why my servers' IP address is not being preserved > through a reload when written to the server state file. I'm using version > 1.9.8 on alpine linux. > > CONFIGURATION: > global >

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Jerome Magnin
On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote: > Hi list > > When I enable health-checks on the backend, then the backend comes not up, > because of "Layer7 invalid response". The backend is a simple nginx with > http2 enabled. As I mentioned: When I directly talk to the backend with >

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Jerome Magnin
On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote: > Hi list > > I'm using haproxy-1.9.4 and trying to enable http2 in frontend and on one > backend server (nginx with http2 enabled). I'm always receiving a http/502 > from haproxy. I'm successfully able to directly talk to the backend with >

Re: DNS resolution issue with Docker swarm and HAProxy 1.8.15/1.9.0

2018-12-20 Thread Jerome Magnin
Hi Vincent, On Thu, Dec 20, 2018 at 10:22:25PM +0100, Vincent Bernat wrote: > ❦ 20 décembre 2018 17:14 +01, Willy Tarreau : > > >> this is indeed a regression in haproxy. thanks for reporting it. > >> attached patch should fix it. > >> CC'ing Remi as the original author, and Baptiste, as DNS

Re: DNS resolution issue with Docker swarm and HAProxy 1.8.15/1.9.0

2018-12-20 Thread Jerome Magnin
Hi, On Thu, Dec 20, 2018 at 03:42:40PM +0100, Leonhard Wimmer wrote: > Hello, > > We are running HAProxy in our Docker (18.09.0) swarm and we are relying on > the Docker embedded DNS server for service discovery. > > The backend servers are configured to resolve the IP addresses via a >

Re: sample fetch: add bc_http_major

2018-12-07 Thread Jerome Magnin
Hi Aleks, On Fri, Dec 07, 2018 at 01:46:53PM +0100, Aleksandar Lazic wrote: > Hi Jerome. > [...] > I suggest to use a dedicated function for that, jm2c. > > { "bc_http_major", smp_fetch_bc_http_major, 0, NULL, SMP_T_SINT, > SMP_USE_L4SRV }, > If you look at src/ssl_sock.c there are several

sample fetch: add bc_http_major

2018-12-07 Thread Jerome Magnin
Hi, the attached patch adds bc_http_major. It returns the HTTP major encoding of the backend connection, based on the on-wire encoding. Jérôme >From e0a28394ea2da5757c1e72773ab4c9fb97565a35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Magnin?= Date: Fri, 7 Dec 2018 09:03:11

Re: Difference between rspdel and http-response del-header use case?

2018-11-15 Thread Jerome Magnin
Hi, On Thu, Nov 15, 2018 at 02:01:18PM +, Ricardo Fraile wrote: > Hello, > > > What is the difference between using one of the following rules instead > of the other? > > I think that rspdel is the historic way to do, but maybe it has other > implications. > > > rspdel ^Server.* > > or

Re: Combine different ACLs under same name

2018-10-05 Thread Jerome Magnin
Hello, On Fri, Oct 05, 2018 at 10:46:20AM +0200, Ricardo Fraile wrote: > Hello, > > > I have tested that some types of acls can't be combined, as example: > > Server 192.138.1.1, acl with combined rules: > > acl rule1 hdr_dom(host) -i test.com > acl rule1 src 192.168.1.2/24 >

Re: srv_is_up : unable to find server.

2018-06-05 Thread Jerome Magnin
Hi Brent, On Tue, Jun 05, 2018 at 01:18:36PM +0200, Brent Clark wrote: > Good day Guys > > I am at a total loss, and I'm hoping someone on this list would be so kind > to review my setup. > > I am trying to get haproxy to monitor redis / sentinel. But I keep getting. > > [WARNING] 155/110602

Re: Use SNI with healthchecks

2018-04-23 Thread Jerome Magnin
Hi Vincent, On Mon, Apr 23, 2018 at 02:38:32PM +, GALLISSOT VINCENT wrote: > Hi all, > > > I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront > distributions as backend servers. > > I saw in this mailing-list archives that SNI is not used by default even when >

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Jerome Magnin
Hi Igor, On Thu, Jan 25, 2018 at 11:26:14PM +1100, Igor Cicimov wrote: > Hi, > > I was testing haproxy 1.8 from the ppa repository and noticed it is not > built with alpn support so just wonder why? what's the output of haproxy -vv ? Jérôme