Re: most probably next LibreSSL release will come with ... QUIC

2022-08-31 Thread Lukas Tribus
Hello, wolfSSL has also chosen to use the same API for QUIC: https://www.wolfssl.com/wolfssl-quic-support/ > The wolfSSL QUIC API is aligned with the corresponding APIs in other *SSL > libraries, making integration with QUIC protocol stacks easier and protecting > investments. This is a

Re: V2.3 allow use of TLSv1.0

2022-06-09 Thread Lukas Tribus
On Thu, 9 Jun 2022 at 08:42, wrote: > > Hi, > > I need to enable TLS V1.0 because of some legacy clients which have just been > "discovered" and won't be updated. Configure "ssl-default-bind-ciphers" as per: https://ssl-config.mozilla.org/#server=haproxy=2.3=old=1.1.1k=5.6 If you don't allow

Added example (not from this thread or the HAProxy project) of how a practitioner would apply the advice above without lowering the whole instance to the "old" profile: the global defaults stay at TLS 1.2+, and TLS 1.0 is re-enabled only on a dedicated bind that the legacy clients are pointed at and that only their source addresses may reach. Certificate paths, addresses, the client list file and the cipher strings are assumptions; the real cipher lists should come from the Mozilla generator linked above.

```haproxy
global
    # Hardened defaults inherited by every "bind ... ssl" that does not override them.
    # Cipher strings below are illustrative; take the real ones from the Mozilla generator.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    # Modern clients: inherits TLS 1.2+ and the default cipher list.
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1

    # Legacy clients only (address/port assumed): this bind alone allows TLS 1.0
    # and the "old"-profile ciphers. Nothing else in the instance is weakened.
    bind 192.0.2.10:8443 ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.0 ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA

    # Only the known legacy clients (one address/CIDR per line, file assumed)
    # may reach the weak listener at all; everyone else is dropped at L4.
    tcp-request connection reject if { dst_port 8443 } !{ src -f /etc/haproxy/legacy_clients.lst }

    # Make the legacy handshakes visible so the exception can be retired later.
    http-request set-header X-TLS-Protocol %[ssl_fc_protocol]

    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```

Validate with `haproxy -c -f <file>`, then confirm the split with `openssl s_client -tls1 -connect 192.0.2.10:8443` (succeeds from a listed client) and `openssl s_client -tls1 -connect host:443` (must fail with a protocol version alert).

Re: Stupid question about nbthread and maxconn

2022-04-26 Thread Lukas Tribus
Hello, > > Let's say we have the following setup. > > > > ``` > > maxconn 2 > > nbthread 4 > > ``` > > > > My understanding is that HAProxy will accept 2 concurrent connections, > > right? Even when I increase the nbthread will HAProxy *NOT* accept more than > > 2 concurrent

Re: [ANNOUNCE] haproxy-2.6-dev4

2022-03-26 Thread Lukas Tribus
Hello Willy, On Sat, 26 Mar 2022 at 10:22, Willy Tarreau wrote: > A change discussed around previous announce was made in the H2 mux: the > "timeout http-keep-alive" and "timeout http-request" are now respected > and work as documented, so that it will finally be possible to force such >

[PATCH] DOC: reflect H2 timeout changes

2022-03-26 Thread Lukas Tribus
Reverts 75df9d7a7 ("DOC: explain HTTP2 timeout behavior") since H2 connections now respect "timeout http-keep-alive". If commit 15a4733d5d ("BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts") is backported, this DOC change needs to be backported along with it. ---

Re: Is there some kind of program that mimics a problematic HTTP server?

2022-03-03 Thread Lukas Tribus
Hello, take a look at how we are using tests with vtc/vtest in doc/regression-testing.txt. Maybe this tool can be useful for your use-case. Lukas

Re: Question about http compression

2022-02-21 Thread Lukas Tribus
Hello, On Mon, 21 Feb 2022 at 14:25, Tom Browder wrote: > > I'm getting ready to try 2.5 HAProxy on my system > and see http comression is recommended. I'm not sure we are actively encouraging to enable HTTP compression. Where did you see this recommendation? > From those sources I thought

Re: ACL HAPROXY (check servers UP and DOWN) and redirect traffic

2022-02-19 Thread Lukas Tribus
On Sat, 19 Feb 2022 at 18:38, Carlos Renato wrote: > > Yes, > > In stats server2 is DOWN. accept the VM's network card. Provide detailed logs please. Lukas

Re: HAProxy thinks Plex is down when it's not

2022-02-19 Thread Lukas Tribus
Hello, On Sat, 19 Feb 2022 at 17:46, Moutasem Al Khnaifes wrote: > but for some reason HAProxy thinks that Plex is down John already explained this perfectly. > the status page is inaccessible Your configuration is: > listen stats > bind localhost:1936 [...] > stats uri

Re: ACL HAPROXY (check servers UP and DOWN) and redirect traffic

2022-02-19 Thread Lukas Tribus
On Sat, 19 Feb 2022 at 16:15, Carlos Renato wrote: > > Hi Lukas, > > Thanks for the reply and willingness to help. > > I did a test and it didn't work. I dropped the server2 interface and only > server1 was UP. > Traffic continues to exit through the main bakend. My wish is that the > traffic

Re: ACL HAPROXY (check servers UP and DOWN) and redirect traffic

2022-02-19 Thread Lukas Tribus
Hello, I suggest you put your backup server in a dedicated backend and select it in the frontend. I guess the same could be done with use-server in a single backend, but I feel like this is cleaner: frontend haproxy option forwardfor bind server.lab.local:9191 use_backend backup_servers
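Added example (not Lukas's configuration, which is cut off above, nor the project's own) of the layout he suggests: the backup server lives in its own backend and the frontend switches to it only while no server in the main backend is UP, using the `nbsrv` fetch. Backend names, health-check path and server addresses are assumptions.

```haproxy
defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend haproxy
    bind server.lab.local:9191
    option forwardfor
    # nbsrv() counts the servers of a backend currently considered UP
    # (after health checks). 0 means the whole main pool is down.
    use_backend backup_servers if { nbsrv(main_servers) eq 0 }
    default_backend main_servers

backend main_servers
    balance roundrobin
    # Health checks decide UP/DOWN; /healthz is an assumed endpoint.
    option httpchk GET /healthz
    server server1 10.0.0.11:8080 check inter 2s fall 3 rise 2
    server server2 10.0.0.12:8080 check inter 2s fall 3 rise 2

backend backup_servers
    option httpchk GET /healthz
    server backup1 10.0.0.21:8080 check inter 2s fall 3 rise 2
```

The alternative kept in a single backend would be `server backup1 10.0.0.21:8080 check backup`, which HAProxy only uses when all non-backup servers are DOWN; the two-backend form above keeps the fallback decision visible in the frontend and lets the backup pool carry its own checks, timeouts and logging.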

[PATCH] BUG/MINOR: mailers: negotiate SMTP, not ESMTP

2022-02-17 Thread Lukas Tribus
As per issue #1552 the mailer code currently breaks on ESMTP multiline responses. Let's negotiate SMTP instead. Should be backported to 2.0. --- src/mailers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mailers.c b/src/mailers.c index 3d01d7532..34eaa5bb6 100644 ---

Re: haproxy in windows

2022-02-10 Thread Lukas Tribus
I'd suggest you give WSL/WSL2 a try. Lukas On Thu, 10 Feb 2022 at 11:25, Gowri Shankar wrote: > > I'm trying to install haproxy for loadbalancing for my servers, but I'm not able > to install from my windows system. Is there ha proxy available for windows, > please give and help us with

Re: 2.0.26 breaks authentication

2022-01-18 Thread Lukas Tribus
On Mon, 17 Jan 2022 at 19:37, wrote: > > Hi > > Configuration uses 'no option http-use-htx' in defaults because of case > insensitivity. > Statistics path haproxy?stats is behind simple username/password and > both credentials are specified in config. > When accessing haproxy?stats, 2.0.25 works

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote: > > Is this thread really "on-topic" for HAProxy? > > Attempts to mitigate Log4Shell at HAProxy level to me feel similar > to.. looking at a leaking roof of a house and thinking "I should put > an umbrella above it, so the leak isn't hit by

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote: > Well I go the other way around. > > The application must know what data are allowed, verify the input and if the > input is not valid discard it.´ You clearly did not understand my point so let me try to phrase it differently: The log4j

Re: Blocking log4j CVE with HAProxy

2021-12-13 Thread Lukas Tribus
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote: > 1. Why is a input from out site of the application passed unchecked to the > logging library! Because you can't predict the future. When you know that your backend is SQL, you escape what's necessary to avoid SQL injection (or use

[PATCH] DOC: config: fix error-log-format example

2021-12-08 Thread Lukas Tribus
In commit 6f7497616 ("MEDIUM: connection: rename fc_conn_err and bc_conn_err to fc_err and bc_err"), fc_conn_err became fc_err, so update this example. --- Should be backported to 2.5. --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

Re: [PATCH] DOC: config: retry-on list is space-delimited

2021-12-08 Thread Lukas Tribus
Hello, On Wed, 8 Dec 2021 at 17:50, Tim Düsterhus wrote: > > Lukas, > > On 12/8/21 11:33 AM, Lukas Tribus wrote: > > We are using comma-delimited list for init-addr for example, let's > > document that this is space-delimited to avoid the guessing game. > >

Re: [ANNOUNCE] haproxy-2.5.0

2021-12-08 Thread Lukas Tribus
Hello Cyril, On Tue, 23 Nov 2021 at 17:18, Willy Tarreau wrote: > > Hi, > > HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after > version 2.5-dev15, fixing minor last-minute details (bind warnings > that turned to errors, and an incorrect free in the backend SSL cache). could

[PATCH] DOC: config: retry-on list is space-delimited

2021-12-08 Thread Lukas Tribus
We are using comma-delimited list for init-addr for example, let's document that this is space-delimited to avoid the guessing game. --- doc/configuration.txt | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index

Re: How to compile with packaged openssl when custom openssl installed?

2021-11-03 Thread Lukas Tribus
Use the instructions in INSTALL to build openssl statically. Building and installing a custom shared build of openssl on an OS is something that I'd suggest you avoid, because it will become complicated. Lukas

Re: Haproxy + LDAPS+ SNI

2021-11-03 Thread Lukas Tribus
Hello Ben, On Wed, 3 Nov 2021 at 12:55, Ben Hart wrote: > > Thanks again Lukas! > So the server directive's use of a cert or CA file is only to > verify the identity of the server in question. No, "crt" (a certificate including private key) and "ca-file" (the public certificate of a CA) are two

Re: Haproxy + LDAPS+ SNI

2021-11-03 Thread Lukas Tribus
Hello Ben, On Wed, 3 Nov 2021 at 03:54, Ben Hart wrote: > > I wonder, can I ask if the server directives are correct insofar as > making a secured connection to the backend server entries? > > I'm told that HAP might be connecting by IP in which case the > SSL cert would be useless The

Re: Haproxy + LDAPS+ SNI

2021-11-02 Thread Lukas Tribus
Hello, On Tue, 2 Nov 2021 at 21:24, Ben Hart wrote: > > In the config (pasted here > https://0bin.net/paste/1aOh1F4y#qStfT0m0mER3rhI3DonDbCsr0NRmVuH9XiwvagEkAiE) > My questions surround the syntax of the config file.. Most likely those clients don't send SNI. Capture the SSL handshake and

Re: Does haproxy utlize openssl with AES-NI if present?

2021-10-28 Thread Lukas Tribus
On Thu, 28 Oct 2021 at 21:20, Shawn Heisey wrote: > > On 10/28/21 10:02 AM, Lukas Tribus wrote: > > You seem to be trying very hard to find a problem where there is none. > > > > Definitely do NOT overwrite CPU flags in production. This is to *test* > > AE

Re: Does haproxy utlize openssl with AES-NI if present?

2021-10-28 Thread Lukas Tribus
On Thu, 28 Oct 2021 at 15:49, Shawn Heisey wrote: > > On 10/28/21 7:34 AM, Shawn Heisey wrote: > > Does haproxy's use of openssl turn on the same option that the > > commandline does with the -evp argument? If it does, then I think > > everything is probably OK. > > > Running "grep -r EVP ." in

Re: Does haproxy utlize openssl with AES-NI if present?

2021-10-28 Thread Lukas Tribus
On Thu, 28 Oct 2021 at 08:31, Lukas Tribus wrote: > > Hi, > > On Thursday, 28 October 2021, Shawn Heisey wrote: >> >> On 10/27/2021 2:54 PM, Lukas Tribus wrote: >>> >>> I'd be surprised if the OpenSSL API calls we are using doesn't support >>>

Re: Does haproxy utlize openssl with AES-NI if present?

2021-10-28 Thread Lukas Tribus
Hi, On Thursday, 28 October 2021, Shawn Heisey wrote: > On 10/27/2021 2:54 PM, Lukas Tribus wrote: > >> I'd be surprised if the OpenSSL API calls we are using doesn't support >> AES-NI. >> > > Honestly that would surprise me too. But I have no idea how to

Re: Does haproxy utlize openssl with AES-NI if present?

2021-10-27 Thread Lukas Tribus
Hello, On Wed, 27 Oct 2021 at 22:17, Shawn Heisey wrote: > > I am building haproxy from source. > > For some load balancers that I used to manage, I also built openssl from > source, statically linked, and compiled haproxy against that, because > the openssl included with the OS (CentOS 6 if I

PCRE (1) end of life and unmaintained

2021-10-18 Thread Lukas Tribus
Hello, PCRE (1) is end of life and unmaintained now (see below). Not a huge problem, because PCRE2 has been supported since haproxy 1.8. However going forward (haproxy 2.5+) should we: - warn when compiling with PCRE? - remove PCRE support? - both, but start with a warning in 2.5? - maintain

Re: CVE-2021-40346, the Integer Overflow vulnerability

2021-09-08 Thread Lukas Tribus
Hello Jonathan, On Wed, 8 Sept 2021 at 21:28, Jonathan Greig wrote: > > Hello! My name is Jonathan Greig and I'm a reporter for ZDNet. I'm > writing a story about CVE-2021-40346 and I was wondering if > Ha Proxy had any comment about the vulnerability. Just making sure you are aware that this

Re: double // after domain causes ERR_HTTP2_PROTOCOL_ERROR after upgrade to 2.4.3

2021-08-20 Thread Lukas Tribus
On Fri, 20 Aug 2021 at 13:08, Илья Шипицин wrote: > > double slashes behaviour is changed in BUG/MEDIUM: > h2: match absolute-path not path-absolute for :path · haproxy/haproxy@46b7dff > (github.com) Actually, I think the patch you are referring to would *fix* this particular issue, as it was

Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev

2021-08-18 Thread Lukas Tribus
On Thursday, 19 August 2021, James Brown wrote: > Are there CVE numbers coming for these vulnerabilities? > > CVE-2021-39240: -> 2) Domain parts in ":scheme" and ":path" CVE-2021-39241: -> 1) Spaces in the ":method" field CVE-2021-39242: -> 3) Mismatch between ":authority" and "Host" Lukas

Re: HAProxy Network Namespace Support issues, and I also found a security flaw.

2021-07-20 Thread Lukas Tribus
Hello, On Tue, 20 Jul 2021 at 08:13, Peter Jin wrote: > 2. There is a stack buffer overflow found in one of the files. Not > disclosing it here because this email will end up on the public mailing > list. If there is a "security" email address I could disclose it to, > what is it? It's

Re: Replying to spam [was: Some Spam Mail]

2021-07-15 Thread Lukas Tribus
On Thu, 15 Jul 2021 at 11:27, Илья Шипицин wrote: > > I really wonder what they will suggest. > > I'm not a spam source, since we do not have "opt in" policy, anybody can send > mail. so they do. > please address the issue properly, either change list policy or be calm with > my experiments.

Re: set mss on backend site on version 1.7.9

2021-07-13 Thread Lukas Tribus
Hello Stefan, On Tue, 13 Jul 2021 at 14:10, Stefan Fuhrmann wrote: > > Hello all, > > > First, we can not change to newer version so fast within the project. > > We are having on old installation of haproxy (1.7.9) and we have the > need to configure tcp- mss- value on backend site. > > > > Is

Re: [PATCH 0/1] Replace issue templates by issue forms

2021-06-23 Thread Lukas Tribus
Hello, On Wed, 23 Jun 2021 at 22:25, Willy Tarreau wrote: > > Hi Tim, Max, > > On Wed, Jun 23, 2021 at 09:38:12PM +0200, Tim Duesterhus wrote: > > Hi Willy, Lukas, List! > > > > GitHub finally launched their next evolution of issue templates, called > > issue > > forms, as a public beta: > >

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Lukas Tribus
Hello Shawn, On Sun, 20 Jun 2021 at 14:03, Shawn Heisey wrote: > > On 6/20/2021 1:52 AM, Lukas Tribus wrote: > > Can you try disabling threading, by putting nbthread 1 in your config? > > That didn't help. From testssl.sh: > > SSL Session ID support ye

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Lukas Tribus
Hello Shawn, On Sun, 20 Jun 2021 at 08:39, Shawn Heisey wrote: > This is what SSL Labs now says for the thing that started this thread: > > Session resumption (caching)No (IDs assigned but not accepted) > Session resumption (tickets)Yes > > I'd like to get the caching item fixed, but I

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-16 Thread Lukas Tribus
On Wed, 16 Jun 2021 at 17:03, Илья Шипицин wrote: > > ssl sessions are for tls1.0 (disabled in your config) > tls1.2 uses tls tickets for resumption That is not true, you can disable TLS tickets and still get resumption on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID caching.

Re: [EXTERNAL] Re: built in ACL, REQ_CONTENT

2021-06-08 Thread Lukas Tribus
Hello, On Tue, 8 Jun 2021 at 17:36, Godfrin, Philippe E wrote: > > Certainly, > > Postgres sends this message across the wire: > > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00 > 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd| > Jun 2 21:14:40

Re: built in ACL, REQ_CONTENT

2021-06-07 Thread Lukas Tribus
Hello, On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E wrote: > > Greetings! > > I can’t seem to find instructions on how to use this builtin ACL. Can someone > point me in the right direction, please? There is nothing specific about it, you use just like every other ACL. http-request deny

Re: how to write to a file safely in haproxy

2021-05-26 Thread Lukas Tribus
Hello, On Wed, 26 May 2021 at 13:29, reshma r wrote: > > Hello all, > Periodically I need to write some configuration data to a file. > However I came across documentation that warned against writing to a file at > runtime. > Can someone give me advice on how I can achieve this safely? You'll

Re: haproxy hung with CPU usage at 100% Heeeelp, please!!!

2021-05-14 Thread Lukas Tribus
The first thing I'd try is to disable multithreading (by putting nbthread 1 in the global section of the configuration), and see if that helps. Lukas

Re: Table sticky counters decrementation problem

2021-03-30 Thread Lukas Tribus
Hi Willy, On Tue, 30 Mar 2021 at 17:56, Willy Tarreau wrote: > > Guys, > > out of curiosity I wanted to check when the overflow happened: > > $ date --date=@$$(date +%s) * 1000) & -0x800) / 1000)) > Mon Mar 29 23:59:46 CEST 2021 > > So it only affects processes started since today. I'm

Re: Stick table counter not working after upgrade to 2.2.11

2021-03-30 Thread Lukas Tribus
Hi Willy, On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote: > > Guys, > > These two patches address it for me, and I could verify that they apply > on top of 2.2.11 and work there as well. This time I tested with two > counters at different periods 500 and 2000ms. Both Sander and Thomas now

Re: Table sticky counters decrementation problem

2021-03-30 Thread Lukas Tribus
Hello Thomas, this is a known issue in any release train other than 2.3 ... https://github.com/haproxy/haproxy/issues/1196 However neither 2.3.7 (does not contain the offending commits), nor 2.3.8 (contains all the fixes) should be affected by this. Are you absolutely positive that you are

Re: zlib vs slz (performance)

2021-03-29 Thread Lukas Tribus
Hello, On Mon, 29 Mar 2021 at 20:54, Илья Шипицин wrote: >> > Dear list, >> > >> > on browser load (html + js + css) I observe 80% of cpu spent on gzip. >> > also, I observe that zlib is probably one of the slowest implementation >> > my personal benchmark correlate with

Re: Is there a way to deactivate this "message repeated x times"

2021-03-29 Thread Lukas Tribus
Hello, On Mon, 29 Mar 2021 at 15:25, Aleksandar Lazic wrote: > > Hi. > > I need to create some log statistics with awffull stats and I assume this > messages > means that only one line is written for 3 requests, is this assumption right? > > Mar 28 14:04:07 lb1 haproxy[11296]: message repeated

Re: zlib vs slz (performance)

2021-03-29 Thread Lukas Tribus
Hi Ilya, On Mon, 29 Mar 2021 at 15:34, Илья Шипицин wrote: > > Dear list, > > on browser load (html + js + css) I observe 80% of cpu spent on gzip. > also, I observe that zlib is probably one of the slowest implementation > my personal benchmark correlate with https://github.com/inikep/lzbench

Re: HAProxy proxy protocol

2021-03-28 Thread Lukas Tribus
Double post on discourse, please refrain from this practice in the future! https://discourse.haproxy.org/t/haproxy-proxy-protocol/6413/2 Thanks, Lukas

Re: [HAP 2.3.8] Is there a way to see why "" and "SSL handshake failure" happens

2021-03-27 Thread Lukas Tribus
Hello, On Sat, 27 Mar 2021 at 11:52, Aleksandar Lazic wrote: > > Hi. > > I have a lot of such entries in my logs. > > ``` > Mar 27 11:48:20 lb1 haproxy[14556]: ::::23167 > [27/Mar/2021:11:48:20.523] https-in~ https-in/ -1/-1/-1/-1/0 0 0 - - > PR-- 1041/1011/0/0/0 0/0 "" > Mar 27 11:48:20

Fwd: OpenSSL Security Advisory

2021-03-25 Thread Lukas Tribus
FYI -- Forwarded message - From: OpenSSL Date: Thu, 25 Mar 2021 at 15:03 Subject: OpenSSL Security Advisory To: , OpenSSL User Support ML , OpenSSL Announce ML -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [25 March 2021]

Re: Stick table counter not working after upgrade to 2.2.11

2021-03-23 Thread Lukas Tribus
Hello, just a heads-up, this was also reported for 1.8: https://discourse.haproxy.org/t/counter-issues-on-1-8-29/6381/ Lukas On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote: > > Guys, > > These two patches address it for me, and I could verify that they apply > on top of 2.2.11 and work

Re: [ANNOUNCE] haproxy-1.6.16

2021-03-22 Thread Lukas Tribus
Hello Willy, On Sat, 20 Mar 2021 at 10:09, Willy Tarreau wrote: > > 1.6 was EOL last year, I don't understand why there is a last release. > > There were some demands late last year and early this year to issue a > last one with pending fixes to "flush the pipe" but it was terribly > difficult

Re: [PATCH 1/1] MINOR: build: force CC to set a return code when probing options

2021-03-06 Thread Lukas Tribus
Hello Bertrand, On Sun, 7 Mar 2021 at 00:53, Bertrand Jacquin wrote: > I am not proposing haproxy build-system to use -Werror here, I'm only > proposing to use -Werror when probing for options supported by the > compiler, as effectively clang returns a code of 0 even if an option is > not

Re: [PATCH 1/1] MINOR: build: force CC to set a return code when probing options

2021-03-06 Thread Lukas Tribus
Hello, On Sat, 6 Mar 2021 at 21:25, Bertrand Jacquin wrote: > > gcc returns non zero code if an option is not supported (tested > from 6.5 to 10.2). > > $ gcc -Wfoobar -E -xc - -o /dev/null < /dev/null > /dev/null 2>&1 ; echo $? > 1 > > clang always return 0 if an option is not recognized

Re: minconn, maxconn and fullconn (again, sigh!)

2021-02-11 Thread Lukas Tribus
On Thu, 11 Feb 2021 at 05:31, Victor Sudakov wrote: > > Lukas Tribus wrote: > > > > On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote: > > > > > > I can even phrase my question in simpler terms. What happens if the sum > > > total of all servers' m

Re: minconn, maxconn and fullconn (again, sigh!)

2021-02-10 Thread Lukas Tribus
Hello Victor, On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote: > > I can even phrase my question in simpler terms. What happens if the sum > total of all servers' maxconns in a backend is less than the maxconn > value in the frontend pointing to the said backend? Queueing for "timeout queue"

Re: TCP mode and ultra short lived connection

2021-02-08 Thread Lukas Tribus
Hello, On Mon, 8 Feb 2021 at 18:14, Максим Куприянов wrote: > > Hi! > > I faced a problem dealing with l4 (tcp mode) haproxy-based proxy over > Graphite's component receiving metrics from clients and clients who are > connecting just to send one or two Graphite-metrics and disconnecting right

Re: HAproxy soft reload timeout?

2021-02-04 Thread Lukas Tribus
Hello Dominik, you are looking for hard-stop-after: http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#hard-stop-after Regards, Lukas On Thu, 4 Feb 2021 at 11:40, Froehlich, Dominik wrote: > > Hi, > > > > I am currently experimenting with the HAproxy soft reload functionality

Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?

2021-02-03 Thread Lukas Tribus
On Wed, 3 Feb 2021 at 18:47, Илья Шипицин wrote: >> while I do not mind to have such optimization, but when 'a.example.com" >> responds with http2 GOAWAY, that affects also "b.example.com" and " >> c.example.com". Chrome is not clever enough to open new connections instead >> of abandoned one. >

Re: SSL session resumption

2021-02-03 Thread Lukas Tribus
Hello, On Wed, 3 Feb 2021 at 17:44, Илья Шипицин wrote: > > TLS1.2 uses tls tickets, when TLS1.0 uses ssl sessions. I believe this is incorrect, TLSv1.2 works just fine with Session IDs (RFC5246) and TLS 1.0 works fine with TLS tickets (RFC5077). I'm not aware of any restrictions between
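Added example (not from this thread, the "SSL Labs says my server isn't doing ssl session resumption" thread further up, or the HAProxy project) showing the point made in both threads: with TLS tickets disabled and the protocol pinned to TLS 1.2, resumption must come from HAProxy's Session-ID cache, and whether it happens can be verified per request from the log instead of relying on an external scanner. Cache size, lifetime, certificate path and backend are assumptions.

```haproxy
global
    log stdout format raw local0
    # Session-ID cache shared by all threads of this process. Values are
    # illustrative; 20000 entries / 300 s are also the built-in defaults.
    tune.ssl.cachesize 20000
    tune.ssl.lifetime 300
    # Tickets off: an abbreviated handshake can now only come from the
    # Session-ID cache, which is exactly what "IDs assigned but not accepted"
    # reports are about.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # ssl_fc_is_resumed is 1 when the handshake was abbreviated (cache or
    # ticket), 0 for a full handshake. Logged next to protocol and cipher.
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %tsc tls=%[ssl_fc_protocol] cipher=%[ssl_fc_cipher] resumed=%[ssl_fc_is_resumed] %{+Q}r"
    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```

Check from a client with `openssl s_client -connect host:443 -tls1_2 -no_ticket -reconnect < /dev/null`: the first connection logs `resumed=0`, the five automatic reconnections must log `resumed=1`. If they only do so after setting `nbthread 1`, the problem is in the shared cache rather than in the TLS configuration, which is why Lukas asked for that test in the earlier thread.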

Re: SSL session resumption

2021-02-03 Thread Lukas Tribus
Hello Johan, we are gonna need the outputs of "haproxy -vv" from both situations, as well as at the very least *all* the ssl configuration parameters in haproxy that you are using. However, I do not believe it is likely that we can find the root cause, without access to those handshakes, since

Re: How can I enable the HTTP/3 (QUIC) in HAProxy?

2021-01-21 Thread Lukas Tribus
Jimmy, On Thu, 21 Jan 2021 at 09:45, Tim Düsterhus wrote: > > Hi List, > > Am 21.01.21 um 08:59 schrieb jimmy: > > I found the fact that HAProxy 2.3 higher supports HTTP/3 (QUIC) through > > [this > > link](https://www.haproxy.com/blog/announcing-haproxy-2-3/#connection-improvements). > This

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Friday, 4 December 2020, Yossi Nachum wrote: > If I will change the map file via admin socket > Will it shutdown old/current sessions? Better, you don't need to shutdown anything, because HTTP authentication works on an HTTP transaction level, so each request is authenticated, even
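Added example (not Yossi's configuration, which is only partially visible, nor the project's own) of the pattern Lukas describes: credentials are verified on every request, and a second per-request check consults a map that can be changed over the admin socket, so disabling a user takes effect on that user's very next request even on an open keep-alive connection. Userlist names, the map path and its format (one `<username> 1` per line), the socket path and the password hashes are assumptions.

```haproxy
global
    log stdout format raw local0
    # Admin-level socket needed for "set map" at runtime (path assumed).
    stats socket /var/run/haproxy.sock mode 600 level admin

userlist proxy_users
    # Hashes are placeholders; generate real ones with "mkpasswd -m sha-256".
    user alice password $5$placeholder$REPLACE_WITH_REAL_HASH
    user bob   password $5$placeholder$REPLACE_WITH_REAL_HASH

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_proxy
    bind :3128

    # 1. Password check runs on every request (not once per connection).
    http-request auth realm corp-proxy if !{ http_auth(proxy_users) }

    # 2. The authenticated username (decoded from the Basic credentials) must
    #    map to 1 in the runtime map; unknown users get the default 0.
    acl user_enabled req.hdr(Authorization),word(2,\ ),b64dec,word(1,:),map_str(/etc/haproxy/users_enabled.map,0) -m int eq 1
    http-request deny deny_status 403 if !user_enabled

    default_backend be_web

backend be_web
    server web1 10.0.0.11:8080 check
```

Disable a user without touching any connection: `echo "set map /etc/haproxy/users_enabled.map alice 0" | socat stdio /var/run/haproxy.sock`. The change only lives in memory; edit the file as well so a reload does not silently re-enable the account. Because the map check is evaluated after `http-request auth`, an attacker who guesses a disabled user's password still only gets a 403, never a pass-through.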

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Thu, 3 Dec 2020 at 16:17, Yossi Nachum wrote: > > Hi, > I'm using haproxy 1.8 > This is my global and frontend configuration which include user auth: > [...] > acl network_allowed src,map_ip_int(/etc/haproxy/allowed_ips.lst,0) -m int > eq 1 > acl users_allowed

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Thu, 3 Dec 2020 at 15:32, Yossi Nachum wrote: > > Hi, > > > > I have haproxy configuration that based on a file with username and password. > > When I disable a user his new sessions are blocked with 407 but his > old/current sessions are still processed Please share your

Fwd: Forthcoming OpenSSL Release

2020-12-01 Thread Lukas Tribus
FYI -- Forwarded message - From: Paul Nelson Date: Tue, 1 Dec 2020 at 11:15 Subject: Forthcoming OpenSSL Release To: The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1i. This release will be made available on Tuesday 8th December

Re: Logging mTLS handshake errors

2020-11-18 Thread Lukas Tribus
Hello Dominik, On Wed, 18 Nov 2020 at 15:06, Froehlich, Dominik wrote: > > Hi everyone, > > > > Some of our customers are using mTLS to authenticate clients. There have been > complaints that some certificates don’t work > > but we don’t know why. To shed some light on the matter, I’ve tried
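Added example (not part of this thread or the HAProxy project) of the usual way to get a per-connection reason for rejected client certificates: with `verify required`, a bad certificate aborts the handshake and the only trace is a generic "SSL handshake failure". Switching the bind to `verify optional` plus `ca-ignore-err all` / `crt-ignore-err all` lets the handshake complete, so the verification result is available to the log-format and to an `http-request deny` rule that enforces the same policy at the HTTP layer. Certificate paths and the backend are assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_mtls
    # verify optional + *-ignore-err all: the TLS layer records the verification
    # result instead of aborting, so the request below can be logged and denied.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional ca-ignore-err all crt-ignore-err all

    # ssl_c_used  : 1 if the client presented a certificate at all
    # ssl_c_verify: 0 = verified, otherwise the OpenSSL X509_V_ERR_* code
    # ssl_c_ca_err / ssl_c_err: first error in the chain / in the leaf cert
    log-format "%ci:%cp [%tr] %ft %ST c_used=%[ssl_c_used] c_verify=%[ssl_c_verify] ca_err=%[ssl_c_ca_err] c_err=%[ssl_c_err] subject=%{+Q}[ssl_c_s_dn] issuer=%{+Q}[ssl_c_i_dn] notafter=%[ssl_c_notafter] %{+Q}r"

    # Enforcement moves here: no certificate, or one that failed verification,
    # is rejected with a 403 after the line above has been written.
    http-request deny deny_status 403 if !{ ssl_c_used } || !{ ssl_c_verify 0 }

    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```

The numeric `c_verify`/`c_err` values translate with `openssl verify -help` style tables (for example 10 is "certificate has expired", 19 "self signed certificate in certificate chain", 21 "unable to verify the first certificate"). Keep the `http-request deny` rule in place, since this bind now accepts the TLS connection from anyone. For connections that never produce a request at all, HAProxy 2.5 adds `error-log-format` together with the `fc_err` fetch referenced in the "DOC: config: fix error-log-format example" patch further down this page.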

Re: Disable client keep-alive using ACL

2020-11-17 Thread Lukas Tribus
Hi Tim, On Tue, 17 Nov 2020 at 13:35, Tim Düsterhus, WoltLab GmbH wrote: > > Hi > > Am 09.11.20 um 12:36 schrieb Tim Düsterhus, WoltLab GmbH: > > is it possible to reliably disable client keep-alive on demand based on > > the result of an ACL? > > > > I was successful for HTTP/1 requests by

Re: do we want to keep CentOS 6 builds?

2020-11-16 Thread Lukas Tribus
Hello Ilya, On Mon, 16 Nov 2020 at 22:48, Илья Шипицин wrote: > we run CI only for master branch. Exactly! > do all those people want to run latest unstable haproxy on oldish RHEL 6 ? No, but since we *only test* master, this is the only way we get *some* coverage for the changes we are

Re: do we want to keep CentOS 6 builds?

2020-11-15 Thread Lukas Tribus
Hello, On Sun, 15 Nov 2020 at 17:14, Илья Шипицин wrote: > > Hello, > > we still run cirrus-ci builds. > CentOS 6 is EOL. > > should we drop it? I think CentOs6 gives us good feedback about older operating systems that we may not necessarily want to break. The question for me is not so much

Re: frontend/bind ordering

2020-11-13 Thread Lukas Tribus
Hello, On Fri, 13 Nov 2020 at 21:21, Willy Tarreau wrote: > > > I'd suggest you run haproxy with noreuseport [1] temporarily, and > > > check if your kernel refuses to bind() to those IP's - it likely will. > > > This indicates an unsupported configuration (by your kernel, not by > > >

Re: frontend/bind ordering

2020-11-13 Thread Lukas Tribus
Hello Bartosz, On Fri, 13 Nov 2020 at 10:08, Bartosz wrote: > > Are we really the only ones with this issue? Has no one else seen this > change in behaviour? Or otherwise have any idea where it's coming from? > > Or at least confirm whether they do or don't see the same behaviour. I don't think

Re: DNS Load balancing needs feedback and advice.

2020-11-10 Thread Lukas Tribus
Hello Willy, On Fri, 6 Nov 2020 at 10:59, Willy Tarreau wrote: > > > hate the noise that some people regularly make about "UDP support" > > > > I am *way* more concerned about what to tell people when they report > > redundant production systems meltdowns because of the traps that we > > knew

Re: DNS Load balancing needs feedback and advice.

2020-11-05 Thread Lukas Tribus
Hello Willy, On Wed, 4 Nov 2020 at 15:36, Willy Tarreau wrote: > I think it's a reasonable tradeoff because those who insist on this are > also those who want to use so-called "modern" tools (placing "modern" > and DNS in the same sentence always leaves me a strange feeling that > something 37

Re: DNS Load balancing needs feedback and advice.

2020-11-02 Thread Lukas Tribus
Hello Emeric, On Mon, 2 Nov 2020 at 15:41, Emeric Brun wrote: > > Hi All, > > We are currently studying to develop a DNS messages load balancer (into > haproxy core) I find this a little surprising given that there already is a great DNS load-balancer out there (dnsdist) from the folks at

Re: IP binding and standby health-checks

2020-10-20 Thread Lukas Tribus
Hello, On Tue, 20 Oct 2020 at 05:36, Dave Hall wrote: > HAProxy Active/Standby pair using keepalived and a virtual IP. > Load balance SSH connections to a group of user access systems (long-running > Layer 4 connections). > Using Fail2Ban to protect against password attacks, so using

Re: Removal / obsolescence of keywords in 2.3 and future

2020-10-14 Thread Lukas Tribus
Hello, On Wed, 14 Oct 2020 at 15:29, Willy Tarreau wrote: > For "nbproc", given that I had no response in the previous question and > I anticipate some surprises if I play games with it, I'll probably apply > William's suggestion, consisting in starting to emit a warning about it, > and asking

Re: source algorithm - question.

2020-09-24 Thread Lukas Tribus
Hello, On Thu, 24 Sep 2020 at 11:40, Łukasz Tasz wrote: > > Hi all, > haproxy is gr8 - simply. > > Till today I was using roundrobin algorithm, but after studying documentation > it popped up that source might be better. > I'm using haproxy in tcp mode, version 1.8, load from one client

Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-15 Thread Lukas Tribus
On Tue, 15 Sep 2020 at 09:05, Brad Smith wrote: > >> NetBSD 8.0 adds support for accept4() and closefrom(). Enable > >> getaddrinfo(). > > We just had to disable threading on OpenBSD 6.7 for the build to succeed: > > > > https://github.com/haproxy/haproxy/issues/725 > > > > Did you actually test

Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-14 Thread Lukas Tribus
Hello Brad, On Sun, 13 Sep 2020 at 09:08, Brad Smith wrote: > > The following diff updates the feature flags for Solaris / FreeBSD / NetBSD / > OpenBSD. > > Bump the baseline Solaris to 9 which introduced closefrom(). > > FreeBSD 10 is already EOL for support but it's the new baseline.

Re: [RFC PATCH] MAJOR: ssl: Support for validating backend certificates with URI SANs (subjectAltName)

2020-09-09 Thread Lukas Tribus
On Tue, 8 Sep 2020 at 12:39, Teo Klestrup Röijezon wrote: > > Hey Willy, sorry about the delay.. managed to get sick right after that stuff. > > > I don't understand what you mean here in that it does not make sense to > > you. Actually it's not even about overriding verifyhost, it's more that >

[PATCH] DOC: overhauling github issue templates

2020-08-17 Thread Lukas Tribus
as per the suggestions from Cyril and Willy on the mailing list: Message-ID: and with direct contributions from Tim, this changes large parts of the bug issue template. The Feature template is also updated as well as a new template for Code Reports is introduced. Co-authored-by: Tim

Re: github template

2020-08-16 Thread Lukas Tribus
Hi, I prepared: - changes to Bug.md as per this discussion - changes to Features.md (just different sequence here) - added a new label "type: code-report" and a new issue template for those as well The changes can be seen here: https://github.com/lukastribus/hap-issue-trial/issues/new/choose

Re: Is the "source" keyword supported on FreeBSD?

2020-08-12 Thread Lukas Tribus
On Wed, 12 Aug 2020 at 21:03, Jerome Magnin wrote: > > Hi Frank, > > On Wed, Aug 12, 2020 at 11:50:05AM +0200, Frank Wall wrote: > > Hi, > > > > this *feels* like a silly question and I may have missed something > > pretty obvious, but... I've tried to use the "source" keyword and > > it doesn't

Re: github template

2020-08-11 Thread Lukas Tribus
Hello, On Mon, 20 Jul 2020 at 06:35, Willy Tarreau wrote: > > (Another case is when I try to follow the issue reports during vacation) > > > > I think it could be easier and quicker by only changing the sections order > > like this : > > 1. Expected behavior > > 2. Actual behavior > > 3. Steps

Re: Can I help with the 2.1 release?

2020-07-30 Thread Lukas Tribus
Hello, On Thu, 30 Jul 2020 at 20:49, Valter Jansons wrote: > > On Thu, Jul 30, 2020 at 6:44 PM Harris Kaufmann > wrote: > > my company really needs the next 2.1 release but we want to avoid > > deploying a custom, self compiled version. > > > > Is there something I can do to help with the

Re: SLZ vs ZLIB

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 19:19, Илья Шипицин wrote: > however, ZLIB is enabled by default in many distros and docker images. > any idea why ZLIB is chosen by default ? Because zlib is known, packaged and used everywhere and by everyone while slz is a niche library. It would need a

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 11:16, Froehlich, Dominik wrote: > > Hi Lukas, > > Thanks for the reply. > My query goes along the lines of which Lua version is compatible with HAproxy > and contains fixes to those CVEs. > I could not find a specific instruction as to which Lua version can be

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote: > > Hello everyone, > > Not sure if this is already addressed. Today I got a CVE report of several > issues with Lua 5.3.5 up to 5.4. > > I believe Lua 5.4 is currently recommended to build with HAproxy 2.x? > > Before I open an

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote: > > However on a unix domain socket like this we never had this issue in > > the first place, as connection-reuse cannot be used on it by > > definition, correct? > > No, it doesn't change anything. We consider the connection, the protocol >

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
Hello, On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote: > > defaults > > http-reuse always > > > > backend abuse > > timeout server 60s > > balance roundrobin > > hash-balance-factor 0 > > server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4 > > > > listen l_abuse > >

Re: github template

2020-07-22 Thread Lukas Tribus
I will comment next week, but I generally agree that we should move the version output to the end, as I noticed the same issue. expected/actual behaviour sections are painful in the obvious cases (don't crash/crash), but oftentimes users just assume their intent is obvious when it's really not.

[PATCH] MINOR: doc: ssl: req_ssl_sni needs implicit TLS

2020-07-18 Thread Lukas Tribus
req_ssl_sni is not compatible with protocols negotiating TLS explicitly, like SMTP on port 25 or 587 and IMAP on port 143. Fix an example referring to 587 (SMTPS port with implicit TLS is 465) and amend the req_ssl_sni documentation. This doc fix should be backported to supported versions. ---

Re: Documentation

2020-07-11 Thread Lukas Tribus
Hello, On Sat, 11 Jul 2020 at 13:20, Jonathan Matthews wrote: > > On Sat, 11 Jul 2020 at 12:14, Tofflan wrote: >> >> Hello! >> >> I'm trying to set up HAProxy on my Pfsense router, the links under >> documentation don't work. example: >>

proposing a haproxy 2.0.16 release (was [BUG] haproxy retries dispatch to wrong server)

2020-07-10 Thread Lukas Tribus
Hello, On Fri, 10 Jul 2020 at 08:08, Christopher Faulet wrote: > Hi, > > I finally pushed this fix in the 2.0. Note the same bug affected the HTTP > proxy > mode (using http_proxy option). In this case, the connection retries is now > disabled (on the 2.0 only) because the destination address

Re: [BUG] haproxy retries dispatch to wrong server

2020-07-07 Thread Lukas Tribus
Hello Michael, On Tue, 7 Jul 2020 at 15:16, Michael Wimmesberger wrote: > > Hi, > > I might have found a potentially critical bug in haproxy. It occurs when > haproxy is retrying to dispatch a request to a server. If haproxy fails > to dispatch a request to a server that is either up or has no
