Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-15 Thread Lukas Tribus
On Tue, 15 Sep 2020 at 09:05, Brad Smith wrote: > >> NetBSD 8.0 adds support for accept4() and closefrom(). Enable > >> getaddrinfo(). > > We just had to disable threading on OpenBSD 6.7 for the build to succeed: > > > > https://github.com/haproxy/haproxy/issues/725 > > > > Did you actually test

Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-14 Thread Lukas Tribus
Hello Brad, On Sun, 13 Sep 2020 at 09:08, Brad Smith wrote: > > The following diff updates the feature flags for Solaris / FreeBSD / NetBSD / > OpenBSD. > > Bump the baseline Solaris to 9 which introduced closefrom(). > > FreeBSD 10 is already EOL for support but it's the new baseline.

Re: [RFC PATCH] MAJOR: ssl: Support for validating backend certificates with URI SANs (subjectAltName)

2020-09-09 Thread Lukas Tribus
On Tue, 8 Sep 2020 at 12:39, Teo Klestrup Röijezon wrote: > > Hey Willy, sorry about the delay.. managed to get sick right after that stuff. > > > I don't understand what you mean here in that it does not make sense to > > you. Actually it's not even about overriding verifyhost, it's more that >

[PATCH] DOC: overhauling github issue templates

2020-08-17 Thread Lukas Tribus
as per the suggestions from Cyril and Willy on the mailing list: Message-ID: and with direct contributions from Tim, this changes large parts of the bug issue template. The Feature template is also updated as well as a new template for Code Reports is introduced. Co-authored-by: Tim

Re: github template

2020-08-16 Thread Lukas Tribus
Hi, I prepared: - changes to Bug.md as per this discussion - changes to Features.md (just different sequence here) - added a new label "type: code-report" and a new issue template for those as well The changes can be seen here: https://github.com/lukastribus/hap-issue-trial/issues/new/choose

Re: Is the "source" keyword supported on FreeBSD?

2020-08-12 Thread Lukas Tribus
On Wed, 12 Aug 2020 at 21:03, Jerome Magnin wrote: > > Hi Frank, > > On Wed, Aug 12, 2020 at 11:50:05AM +0200, Frank Wall wrote: > > Hi, > > > > this *feels* like a silly question and I may have missed something > > pretty obvious, but... I've tried to use the "source" keyword and > > it doesn't

Re: github template

2020-08-11 Thread Lukas Tribus
Hello, On Mon, 20 Jul 2020 at 06:35, Willy Tarreau wrote: > > (Another case is when I try to follow the issue reports during vacation) > > > > I think it could be easier and quicker by only changing the sections order > > like this : > > 1. Expected behavior > > 2. Actual behavior > > 3. Steps

Re: Can I help with the 2.1 release?

2020-07-30 Thread Lukas Tribus
Hello, On Thu, 30 Jul 2020 at 20:49, Valter Jansons wrote: > > On Thu, Jul 30, 2020 at 6:44 PM Harris Kaufmann > wrote: > > my company really needs the next 2.1 release but we want to avoid > > deploying a custom, self compiled version. > > > > Is there something I can do to help with the

Re: SLZ vs ZLIB

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 19:19, Илья Шипицин wrote: > however, ZLIB is enabled by default in many distros and docker images. > any idea why ZLIB is chosen by default ? Because zlib is known, packaged and used everywhere and by everyone while slz is a niche library. It would need a

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 11:16, Froehlich, Dominik wrote: > > Hi Lukas, > > Thanks for the reply. > My query goes along the lines of which Lua version is compatible with HAproxy > and contains fixes to those CVEs. > I could not find a specific instruction as to which Lua version can be

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote: > > Hello everyone, > > Not sure if this is already addressed. Today I got a CVE report of several > issues with Lua 5.3.5 up to 5.4. > > I believe Lua 5.4 is currently recommended to build with HAproxy 2.x? > > Before I open an

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote: > > However on a unix domain socket like this we never had this issue in > > the first place, as connection-reuse cannot be used on it by > > definition, correct? > > No, it doesn't change anything. We consider the connection, the protocol >

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
Hello, On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote: > > defaults > > http-reuse always > > > > backend abuse > > timeout server 60s > > balance roundrobin > > hash-balance-factor 0 > > server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4 > > > > listen l_abuse > >

Re: github template

2020-07-22 Thread Lukas Tribus
I will comment next week, but I generally agree that we should move the version output to the end, as I noticed the same issue. expected/actual behaviour sections are painful in the obvious cases (don't crash/crash), but oftentimes users just assume their intent is obvious when it's really not.

[PATCH] MINOR: doc: ssl: req_ssl_sni needs implicit TLS

2020-07-18 Thread Lukas Tribus
req_ssl_sni is not compatible with protocols negotiating TLS explicitly, like SMTP on port 25 or 587 and IMAP on port 143. Fix an example referring to 587 (SMTPS port with implicit TLS is 465) and amend the req_ssl_sni documentation. This doc fix should be backported to supported versions. ---

Re: Documentation

2020-07-11 Thread Lukas Tribus
Hello, On Sat, 11 Jul 2020 at 13:20, Jonathan Matthews wrote: > > On Sat, 11 Jul 2020 at 12:14, Tofflan wrote: >> >> Hello! >> >> I'm trying to set up HAProxy on my Pfsense router, the links under >> documentation don't work. example: >>

proposing a haproxy 2.0.16 release (was [BUG] haproxy retries dispatch to wrong server)

2020-07-10 Thread Lukas Tribus
Hello, On Fri, 10 Jul 2020 at 08:08, Christopher Faulet wrote: > Hi, > > I finally pushed this fix in the 2.0. Note the same bug affected the HTTP > proxy > mode (using http_proxy option). In this case, the connection retries are now > disabled (on the 2.0 only) because the destination address

Re: [BUG] haproxy retries dispatch to wrong server

2020-07-07 Thread Lukas Tribus
Hello Michael, On Tue, 7 Jul 2020 at 15:16, Michael Wimmesberger wrote: > > Hi, > > I might have found a potentially critical bug in haproxy. It occurs when > haproxy is retrying to dispatch a request to a server. If haproxy fails > to dispatch a request to a server that is either up or has no

Re: [PATCH v2 0/2] Warnings for truncated lines

2020-06-22 Thread Lukas Tribus
Hello, On Monday, 22 June 2020, Willy Tarreau wrote: > > > Configuration file is valid > > Looks good to me. > > > I guess a truncated last line cannot be differentiated from file that > > does not > > end with a new line, because fgets() consumes the full line (triggering > the > > eof),

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
On Mon, 22 Jun 2020 at 21:21, Willy Tarreau wrote: > > Hi guys, > > On Mon, Jun 22, 2020 at 07:49:34PM +0200, Lukas Tribus wrote: > > Hello Tim, > > > > On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote: > > > > > > Lukas, > > > > >

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
Hello Tim, On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote: > > Lukas, > > Am 22.06.20 um 18:41 schrieb Lukas Tribus: > > On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote: > >> > >> Fix parsing of configurations if the configuration file does not end w

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
Hello, On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote: > > Fix parsing of configurations if the configuration file does not end with > an LF. ... but it's also warning about it at the same time. So it's unclear to me: Do we support a configuration without trailing LF or not? If yes,

Re: [PATCH] BUG/MINOR: systemd: Wait for network to be online

2020-06-17 Thread Lukas Tribus
for network-online.target > could delay boot time. I agree with this change, I think the advantages outweigh the disadvantages. Acked-by: Lukas Tribus Lukas

Re: Ubuntu 20.04 + TLSv1

2020-06-12 Thread Lukas Tribus
Hello Bjoern, On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote: > > Hi, > > currently i'm testing Ubuntu 20.04 and HAProxy 2.0.14. > > I'm trying to get TLSv1 working (we need this for some legacy clients), so > far without success. > > I've read different things, on the one hand Ubuntu

Re: Fail to send unique-id by using proxy-v2-options

2020-05-29 Thread Lukas Tribus
Hello, On Fri, 29 May 2020 at 04:39, lufeng0...@outlook.com wrote: > > Hi, > > > > I have compiled haproxy of version 2.2-dev8 using Cygwin, in order to use it > as a load balancer in Windows 10. I want to send a unique ID generated using > the frontend's "unique-id-format" within the PROXYv2

Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Lukas Tribus
Hello, On Wed, 27 May 2020 at 13:33, Илья Шипицин wrote: > ср, 27 мая 2020 г. в 16:09, Tim Düsterhus : >> >> William, >> >> Am 27.05.20 um 12:40 schrieb William Lallemand: >> > Hello List, >> > >> > Since HAProxy 1.8, the minimum default TLS version for bind lines is >> > TLSv10. I was thinking

Re: [tcp|http]-check expect status explained

2020-05-06 Thread Lukas Tribus
On Wed, 6 May 2020 at 23:33, Aleksandar Lazic wrote: > > Hi. > > The doc for [tcp|http]-check expect has some *-status arguments like "L7OK", > "L7OKC","L6OK" and "L4OK" and so on. > > In the whole documentation these states are not explained. > I'm not sure in which chapter these states fit,

Re: about Warning: Setting tune.ssl.default-dh-param to 1024

2020-05-06 Thread Lukas Tribus
Hello, On Wed, 6 May 2020 at 20:25, William Lallemand wrote: > > As such I think it's about time we change the default value to 2048 and > > get rid of this annoying warning before 2.2 gets released (and at the > > same time 86% of the users will be able to remove one cryptic line in > > their

Re: [PATCH] CI: special purpose build, testing compatibility against "no-deprecated" openssl

2020-04-20 Thread Lukas Tribus
Hello Ilya , On Mon, 20 Apr 2020 at 16:12, Илья Шипицин wrote: >> I added weekly build for detection incompatibilities against "no-deprecated" >> openssl. >> >> (well, I first thought to add those option to travis, but it became >> over-engineered from my point of view) >> >> Lukas, if you

Re: HAproxy Error

2020-04-17 Thread Lukas Tribus
On Fri, 17 Apr 2020 at 13:57, wrote: > Even clean installation isn’t working because the default package available > in RHEL from you is without openssl. You are wrong. 1) we don't provide any packages. RHEL does. 2) a fresh RHEL 8.1 AMI on AWS works just fine and uses the provided 1.8.15

Re: HAproxy Error

2020-04-16 Thread Lukas Tribus
Hello, On Thu, 16 Apr 2020 at 13:51, wrote: > # which haproxy > /usr/ local/sbin/haproxy > > > > Attached output for command “haproxy –vv” > > > > Also I’m using an AWS RHEL 8.1 version AMI. > > Let us know what else is required. Also let me know how to enable Openssl. > Provide me the rpm link

Re: HAproxy Error

2020-04-16 Thread Lukas Tribus
Hello, On Thu, 16 Apr 2020 at 06:04, wrote: > > Hi Team > > Let us know your availability to work on this. As Aleks already said: This haproxy executable has been built without OpenSSL support, which is required for your configuration. Provide the output of "which haproxy" and "haproxy -vv",

Re: Disclaimer in emails (was: Re: HAproxy Error)

2020-04-15 Thread Lukas Tribus
Hello Tim, Aleks, I fully agree with everything Tim just said. Let's keep the list about haproxy. Lukas

Re: List of ports opened for Listening by HAProxy

2020-04-08 Thread Lukas Tribus
Hello, On Wed, 8 Apr 2020 at 13:59, kkazmierc...@wp.pl wrote: > > Hello, > We need to know which ports on the server need to be reopened in order to > appropriate work of HAProxy. Haproxy does not listen to any ports by default. It listens only to those ports that you configured haproxy to

Re: Any chance of PPA packages updates for that security fix?

2020-04-06 Thread Lukas Tribus
Hello Sean, On Mon, 6 Apr 2020 at 18:12, Sean Reifschneider wrote: > > Been kind of watching for the haproxy versions to update in the PPAs for > Ubuntu. Considering the security nature of them, I'm kind of chomping at the > bit... :-) Any chance of those getting updated soonish? I can

Re: [PATCH] MINOR: config: make strict limits enabled by default

2020-03-28 Thread Lukas Tribus
Hello, On Sat, 28 Mar 2020 at 19:19, William Dauchy wrote: > > as agreed a few months ago, enable strict-limits for v2.3 master is still for 2.2 which is in development. If you want to target v2.3, you have to wait until 2.2 is released. Lukas

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-11 Thread Lukas Tribus
Hello, On Wed, 11 Mar 2020 at 08:32, Илья Шипицин wrote: >> On 09.03.20 20:37, Lukas Tribus wrote: >> >> I think the wording from the patch is still quite relaxed :). One of the >> >> best >> >> summaries describing the session ticket fla

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-10 Thread Lukas Tribus
Hello, On Tue, 10 Mar 2020 at 07:36, Илья Шипицин wrote: >> > if you specify, your security team will tell you that "it is not secure". >> > if you do not specify, keys are generated on startup and it lead to huge >> > CPU spike on app reload (if you apply new config, app is reloaded and keys

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
Hello, On Mon, 9 Mar 2020 at 20:39, Илья Шипицин wrote: >> I would disable session tickets by default in haproxy. Given that most >> clients support TLS 1.3 already this change would not even slow down many >> clients. > > > TLS tickets really require more love :) > > actually, there are two

[PATCH] DOC: ssl: clarify security implications of TLS tickets

2020-03-09 Thread Lukas Tribus
Clarifies security implications of TLS ticket usage when not rotating TLS ticket keys, after commit 7b5e136458 ("DOC: improve description of no-tls-tickets"). --- doc/configuration.txt | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
On Mon, 9 Mar 2020 at 19:18, Björn Jacke wrote: > > On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off: > > Perhaps we can relax the wording a bit here and describe the actual > > technical issue along with some recommendations. Apache for example > > documents [1]: >

TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
Hello, On Mon, 9 Mar 2020 at 11:23, PR Bot wrote: > > Dear list! > > Author: Björn Jacke > Number of patches: 2 > > This is an automated relay of the Github pull request: >Docs tls tickets > > Patch title(s): >BUG/MINOR: fix typo of tls-tickets >DOC: improve description of

Re: option forwardfor with IPv6

2020-03-03 Thread Lukas Tribus
Hello, On Tue, 3 Mar 2020 at 19:06, Ionel GARDAIS wrote: > > Hi, > > What is the expected behavior of "option forwardfor" with an IPv6 connection ? > Frontend listens on IPv4 and IPv6. The expected behavior is to insert the IPv6 address into the X-F-F header, and this is exactly what happens in

Re: Let's Encrypt ca-file for check-ssl on server line

2020-03-02 Thread Lukas Tribus
Hello Aleks, On Mon, 2 Mar 2020 at 22:21, Aleksandar Lazic wrote: > check-ssl check-sni str("storage.sbg.cloud.ovh.net") For the health check it's: check-sni storage.sbg.cloud.ovh.net (not an expression as per the doc: check-sni ) and for the traffic: sni str(storage.sbg.cloud.ovh.net) (as

[PATCH] BUG/MINOR: dns: ignore trailing dot

2020-02-27 Thread Lukas Tribus
As per issue #435 a hostname with a trailing dot confuses our DNS code, as for a zero length DNS label we emit a null-byte. This change makes us ignore the zero length label instead. Must be backported to 1.8. --- As discussed in issue #435 --- src/dns.c | 6 ++ 1 file changed, 6

Re: [PATCH v2] BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2

2020-01-26 Thread Lukas Tribus
Hello, On Sun, 26 Jan 2020 at 20:11, William Dauchy wrote: > > > The explanation of the user-visible impact and the need for > > backporting to stable branches or not are MANDATORY. > > Yes; I was simply challenging that, as it is also open to mistakes to > write in commit message to which

Re: Haproxy loadbalancing out going mail to Antispam servers

2020-01-23 Thread Lukas Tribus
Hello, On Wed, 22 Jan 2020 at 16:18, Brent Clark wrote: > > Good day Guys > > We have a project where we are trying to load balance to our outbound > Spamexperts Antispam relays / servers. > > We hit a snag where our clients servers are getting 'Too many concurrent > SMTP connections from this

Re: SameSite attribute for persistent session cookie

2020-01-21 Thread Lukas Tribus
Hello, On Tue, 21 Jan 2020 at 13:09, Tim Düsterhus wrote: > I don't need it myself, but I want to mention that it should be > backported, because the current situation can be "considered a bug" (a > feature no longer works due to changes in the ecosystem). I guess the > patch is fairly low

Re: [PATCH] CLEANUP: server: remove unused err section in server_finalize_init

2020-01-09 Thread Lukas Tribus
Hello, On Thu, 9 Jan 2020 at 06:08, Илья Шипицин wrote: > > btw, if you add "Fixes: #438", the issue will be closed automatically > > https://help.github.com/en/github/managing-your-work-on-github/closing-issues-using-keywords which we are asking people *NOT* to do, because we are also tracking

Re: Help, URL does not work with CHINESE character?

2019-12-24 Thread Lukas Tribus
On Tue, 24 Dec 2019 at 11:46, JWD wrote: > > I have tried version 1.7,1.8,2.0,2.1, all the same. > > Config: > frontend www > acl acl-app hdr(host) -i sharepoint.domain.com > use_backend app if acl-app > backend > cookie HA-Server insert indirect nocache > server app

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Lukas Tribus
Hello, > Guys, I must confess I'm completely lost in your discussions. I intend > to produce another round of 2.1 and 2.0 tomorrow as time permits, so if > you want me to get anything merged into it, please let me know. Lukas, > I'll count on you to summarize and suggest what's expected from me

[RFC PATCH] BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility

2019-12-20 Thread Lukas Tribus
SSL_CTX_set_ecdh_auto() is not defined when OpenSSL 1.1.1 is compiled with the no-deprecated option. Remove existing, incomplete guards and add a compatibility macro in openssl-compat.h, just as OpenSSL does:

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Lukas Tribus
Hello Ilya, sorry about the delay ... On Wed, 27 Nov 2019 at 07:11, Илья Шипицин wrote: > > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || > defined(OPENSSL_NO_DEPRECATED) > [...] > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Lukas Tribus
On Fri, 20 Dec 2019 at 16:00, Willy Tarreau wrote: > taking it now. Note that 1.9 needs to access OPENSSL_VERSION_NUMBER instead of HA_OPENSSL_VERSION_NUMBER. lukas

Re: [PATCHv3] openssl-compat: Fix getm_ defines

2019-12-20 Thread Lukas Tribus
On Thu, 19 Dec 2019 at 21:54, Rosen Penev wrote: > > LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition > always true. Check for the define before checking it. > > Signed-off-by: Rosen Penev > --- > v3: Added BoringSSL support > v2: Switched to HA_OPENSSL_VERSION_NUMBER

Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-17 Thread Lukas Tribus
On Tue, 17 Dec 2019 at 21:18, Rosen Penev wrote: > > That's why I'm suggesting: > > > > #ifndef X509_getm_notBefore > > #define X509_getm_notBefore X509_get_notBefore > > #define X509_getm_notAfter X509_get_notAfter > > #endif > > > > > > Am I missing something? > Yes you are. A macro is

Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-17 Thread Lukas Tribus
Hello, On Mon, 16 Dec 2019 at 20:53, Rosen Penev wrote: > > Any reason why would not just #ifndef X509_getm_notBefore, testing for > > what we actually want instead of those backbreaking version > > assumptions? > X509_getm_notBefore is a function, not a define. A function which needs to be

Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Lukas Tribus
On Mon, 16 Dec 2019 at 19:00, Илья Шипицин wrote: > > > > пн, 16 дек. 2019 г. в 22:42, Rosen Penev : >> >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition >> always true. Check for the define before checking it. >> >> Signed-off-by: Rosen Penev >> --- >>

Re: [RFC PATCH] MINOR: debug: allow debug converter in default build

2019-12-16 Thread Lukas Tribus
Hello, On Mon, 16 Dec 2019 at 09:20, Willy Tarreau wrote: > > Hi Lukas, > > On Sun, Dec 15, 2019 at 05:23:38PM +0100, Lukas Tribus wrote: > > Currently this debug converter is only enabled when DEBUG_EXPR is > > defined at build time (which is different than other

Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Lukas Tribus
> please have a look at https://github.com/haproxy/haproxy/issues/367 (it still > misses getm part, I tried things like you send, but reg-tests fail. do you > have travis-ci passed ?) > also, there's a patch already sent, Lukas Tribus promised to review it Yeah, this one fell through the cr

[RFC PATCH] MINOR: debug: allow debug converter in default build

2019-12-15 Thread Lukas Tribus
Currently this debug converter is only enabled when DEBUG_EXPR is defined at build time (which is different than other debug build options and unclear from the documentation). This moves the patch to the default build, so everyone can use it. Can be backported to stable releases (but not

Re: DNS resolution every second - v2.0.10

2019-11-28 Thread Lukas Tribus
Hello, On Thu, Nov 28, 2019 at 10:35 AM Baptiste wrote: > > @Willy, since 1.8 (I think), the DNS task is autonomous and not triggered by > the check anymore. > > Second, HAProxy never ever follows up TTLs. > > Third, I "fixed" a bug in 2.0.10 which triggers this change of behavior. > Basically,

Re: DNS resolution every second - v2.0.10

2019-11-27 Thread Lukas Tribus
Hello, On Wed, Nov 27, 2019 at 10:25 PM Willy Tarreau wrote: > > Hi Marco, > > On Wed, Nov 27, 2019 at 08:38:03AM +0100, Marco Corte wrote: > > Hello! > > > > I see a strange behaviour of the DNS resolution on version 2.0.9 and 2.0.10, > > but I do not know since when this happens. > > > > On

Re: Regression in 2.1 with Host header sent by backends

2019-11-26 Thread Lukas Tribus
Hello Julien, On Wed, Nov 27, 2019 at 12:47 AM Julien Pivotto wrote: > Yes indeed. I tested too and it works. I indeed tried > accept-invalid-http-request like in the commit message > instead of accept-invalid-http-response. > > My concern with the workaround is that there might be huge > side

Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-11-26 Thread Lukas Tribus
Hello, On Tue, Nov 26, 2019 at 10:50 PM Илья Шипицин wrote: > > Hello, > > I resolved `CRYPTO_set_id_callback', `ERR_remove_state', > `SSL_CTX_set_ecdh_auto' issues. > > > the following two will be addressed later: `X509_get_notBefore', > `X509_get_notAfter' I'm not sure if matching

Re: Regression in 2.1 with Host header sent by backends

2019-11-26 Thread Lukas Tribus
On Wed, Nov 27, 2019 at 12:36 AM Julien Pivotto wrote: > > On 27 Nov 00:31, Lukas Tribus wrote: > > Hello Julien, > > > > > > > > On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto > > wrote: > > > Haproxy 2.1 blocks a response with PH-- if th

Re: Regression in 2.1 with Host header sent by backends

2019-11-26 Thread Lukas Tribus
Hello Julien, On Wed, Nov 27, 2019 at 12:21 AM Julien Pivotto wrote: > Haproxy 2.1 blocks a response with PH-- if the response has a Host header. A Host header belongs to the request, not the response. Haproxy 2.1 is more strict in that regard. You can configure "option

Re: [PATCH] BUG/MINOR: ssl: fix curve setup with LibreSSL

2019-11-24 Thread Lukas Tribus
Hello, On Sun, Nov 24, 2019 at 6:20 PM Lukas Tribus wrote: > > Since commit 9a1ab08 ("CLEANUP: ssl-sock: use HA_OPENSSL_VERSION_NUMBER > instead of OPENSSL_VERSION_NUMBER") we restrict LibreSSL to the OpenSSL > 1.0.1 API, to avoid breaking LibreSS

[PATCH] BUG/MINOR: ssl: fix curve setup with LibreSSL

2019-11-24 Thread Lukas Tribus
Since commit 9a1ab08 ("CLEANUP: ssl-sock: use HA_OPENSSL_VERSION_NUMBER instead of OPENSSL_VERSION_NUMBER") we restrict LibreSSL to the OpenSSL 1.0.1 API, to avoid breaking LibreSSL every minute. We set HA_OPENSSL_VERSION_NUMBER to 0x1000107fL if LibreSSL is detected and only allow curves to be

Re: Haproxy 1.7.11 log problems

2019-11-21 Thread Lukas Tribus
Hello, On Wed, Nov 20, 2019 at 9:51 AM Alexander Kasantsev wrote: > > Good day everyone! > > I migrated from haproxy 1.5 to 1.7.11 and I have some troubles with logging > > I have the following in the config file for logging > > capture request header Host len 200 > capture request header

Re: travis-ci: should we drop openssl-1.1.0 and replace it with 3.0 ?

2019-11-19 Thread Lukas Tribus
Hello, On Tuesday, 19 November 2019, Илья Шипицин wrote: > yep, 3.0 stands for openssl master branch. > the point is to catch incompatibilities before it is released. > I am objecting to this. This can be done WHEN openssl declares that the API is stable. Testing and implementing build fixes

Re: Delegated Credentials for TLS

2019-11-06 Thread Lukas Tribus
Hello, On Wed, Nov 6, 2019 at 3:50 PM Dana Dukes wrote: > > Greetings, > > I was wondering if there are any plans for Delegated Credentials to be supported in > HAProxy. > > https://thehackernews.com/2019/11/delegated-credentials-for-tls.html I'd say it's a little early for that. Without an actual

[PATCH] MINOR: doc: http-reuse connection pool fix

2019-11-06 Thread Lukas Tribus
Since 1.9 we actually do use a connection pool, configurable with pool-max-conn. Update the documentation in this regard. Must be backported to 1.9. --- doc/configuration.txt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt

Re: Truncated response on 2.0.8

2019-10-31 Thread Lukas Tribus
On Thu, Oct 31, 2019 at 10:02 AM Christopher Faulet wrote: > Could you provide the result of the following command, executed on HAProxy > server ? > >tcpdump -i any -w h2toh2.cap port 82 or port 8080 Better add -s0, otherwise you may only get 68 bytes (at least on older tcpdump releases).

Re: ELB scaling => sudden backend tragedy

2019-10-24 Thread Lukas Tribus
Hello, On Thu, Oct 24, 2019 at 5:53 PM Jim Freeman wrote: > > Yesterday we had an ELB scale to 26 IP addresses, at which time ALL of the > servers in that backend were suddenly marked down, e.g. : > >Server www26 is going DOWN for maintenance (unspecified DNS error) > > Ergo, ALL requests

Re: haproxy doesn't bring failed server up

2019-10-07 Thread Lukas Tribus
Hello, On Mon, Oct 7, 2019 at 10:00 AM rihad wrote: > > BTW, all these resolver hold settings are a bit confusing, is there a way to > tell > haproxy to rely on the TTL it gets from DNS servers/resolvers? It seems to be > relying on some hard-coded default values instead. I don't think TTL is

Re: haproxy doesn't bring failed server up

2019-10-07 Thread Lukas Tribus
Hello, On Mon, Oct 7, 2019 at 6:30 AM rihad wrote: > Thanks! But according to the manual, shouldn't haproxy re-resolve AWS server > name regardless of its resolver settings? > > > A few other events can trigger a name resolution at run time: > - when a server's health check ends up in a

Re: How to wait some time before retry?

2019-09-27 Thread Lukas Tribus
Ciao Marco, On Fri, Sep 27, 2019 at 1:21 PM Marco Colli wrote: > > Still have this issue and I cannot find a solution. It would be great to have > an option "wait time before retry" in the next versions of HAProxy (instead > of the fixed value of 1 sec). Why not raise "timeout connect" to

Re: [PATCH] improving github experience, kindly ask people to reproduce bugs on latest haproxy

2019-09-24 Thread Lukas Tribus
Hello Tim, Willy, On Tue, Sep 24, 2019 at 2:48 PM Tim Düsterhus wrote: > > Unless you feel that it's starting to cause too much work on your side, > > from my developer's perspective at least it's still manageable as it is > > right now, with a positive balance, so I'd also be all for keeping it

Re: [PATCH] improving github experience, kindly ask people to reproduce bugs on latest haproxy

2019-09-23 Thread Lukas Tribus
Hello Willy, On Mon, Sep 23, 2019 at 7:02 PM Willy Tarreau wrote: > > However it needs to be clear that the issue tracker in Github is not a > > support forum, and that filing a report will needs some ground work. > > It is also *always* a good idea to discuss an issue on the ML first, > >

Re: [PATCH] improving github experience, kindly ask people to reproduce bugs on latest haproxy

2019-09-20 Thread Lukas Tribus
g list. > In corporate environments, it can be difficult to perform such upgrades. > Sometimes these issues are only reproducible in production environments. I know that. But that's not a bug report, it's a support request and it belongs to the mailing list. Acked-by: Lukas Tribus Lukas

Re: [PR] MINOR: remove limit of 1k socket connections with systemd

2019-09-18 Thread Lukas Tribus
Hello Björn, On Wednesday, 18 September 2019, Björn Jacke wrote: > Hi, > On 2019-09-18 at 01:23 +0200 Lukas Tribus sent off: > > On Wed, Sep 18, 2019 at 1:14 AM PR Bot > wrote: > > > Description: > > >systemd by default limits the max open

Re: [PR] MINOR: remove limit of 1k socket connections with systemd

2019-09-17 Thread Lukas Tribus
Hello, On Wed, Sep 18, 2019 at 1:14 AM PR Bot wrote: > Description: >systemd by default limits the max open files to 1k, which also limits >the socket connections to 1k, the service script must be told to >remove the limit. Since haproxy is started as root we have the privilege to

Re: Issue with checks after 2.0.6

2019-09-16 Thread Lukas Tribus
Hello! On Mon, Sep 16, 2019 at 8:50 AM GARDAIS Ionel wrote: > > Hi Lukas, > > Same with nbthread 1. > > I gave my first try to git bisect and it looks like the offending commit is : > > ab160a47acde9dc9c341b328c8716a721a389ab4 is the first bad commit > commit

Re: Issue with checks after 2.0.6

2019-09-15 Thread Lukas Tribus
Hello, On Sat, Sep 14, 2019 at 4:58 PM GARDAIS Ionel wrote: > > What was the previous release that worked for you? 2.0.5 or something older? > > 2.0.5 worked well from the checks point of view. Ok, so this is a regression in 2.0.6. Please try whether limiting the threads to 1 (global section:

Re: Issue with checks after 2.0.6

2019-09-14 Thread Lukas Tribus
Hello, On Sat, Sep 14, 2019 at 1:08 PM GARDAIS Ionel wrote: > > Hi, > > I've just upgraded to 2.0.6 and all server checks went erratic. > I had to disable checks for the servers to be reachable. What was the previous release that worked for you? 2.0.5 or something older? Thanks, Lukas

Re: Upgrading from 1.7 to 2.0 causes connection spam

2019-09-11 Thread Lukas Tribus
Hello Elias, On Wed, Sep 11, 2019 at 11:52 AM Elias Abacioglu wrote: > So we do zero config changes, upgrade haproxy to 2.0.x + restart haproxy and > like a minute or so then it runs out of resources. > Each haproxy (v2.0.5, no-TLS) has a request rate of 55-90K/s. > Each haproxy (v1.7.11,

Re: Get rid of TCP "Connect from..." logs

2019-09-11 Thread Lukas Tribus
Hello Artur, On Wed, Sep 11, 2019 at 1:22 PM Artur wrote: > > Hello, > > My current 2.0.5 haproxy logs a lot of "useless" messages such as : > > Sep 11 13:10:08 server haproxy[28163]: Connect from 127.0.0.1:39951 to > 127.0.0.1:6379 (r1_front/TCP) > > My configuration is something like (I

Re: RFC uuid for log-format

2019-09-05 Thread Lukas Tribus
Hello Luca, On Thu, Sep 5, 2019 at 5:38 PM Schimweg, Luca wrote: > > Hey, > > I would suggest adding support for the widely used RFC4122 Version 4 UUID, > which is generated completely randomly. In Lua a script for generating these is > about 5 lines long, but because of several reasons I don't

Re: RFC uuid for log-format

2019-09-05 Thread Lukas Tribus
Hello, On Thu, Sep 5, 2019 at 4:58 PM Schimweg, Luca wrote: > > Hey again, > > I tried to use rand, but when using it, my generation code for a UUID looks > like this: > > unique-id-format >

Re: RFC uuid for log-format

2019-09-03 Thread Lukas Tribus
Hello Luca, On Tue, 3 Sep 2019 at 09:18, Schimweg, Luca wrote: > > Hey, > > > > for one use case I have, I would need a variable like %uuid in log-formats, > which just generates a random UUID. The use-case would be, to be able > to set the unique-id-format to this uuid, so that we can have a

[PATCH] MINOR: build: add linux-glibc-legacy build TARGET

2019-09-01 Thread Lukas Tribus
As discussed in issue #128, introduce a new build TARGET linux-glibc-legacy to allow the build on old, legacy OS. Should be backported to 2.0. --- INSTALL | 25 + Makefile | 20 ++-- 2 files changed, 27 insertions(+), 18 deletions(-) diff --git a/INSTALL

[PATCH] BUG/MINOR: lua: fix setting netfilter mark

2019-08-11 Thread Lukas Tribus
In the REORG of commit 1a18b5414 ("REORG: connection: centralize the conn_set_{tos,mark,quickack} functions") a bug was introduced by calling conn_set_tos instead of conn_set_mark. This was reported in issue #212. This should be backported to 1.9 and 2.0. --- src/hlua.c | 2 +- 1 file changed, 1

Re: [PATCH 1/1] DOC: Add 'Question.md' issue template, discouraging asking questions

2019-08-02 Thread Lukas Tribus
Hello Tim, On Fri, 2 Aug 2019 at 14:52, Willy Tarreau wrote: > > On Fri, Aug 02, 2019 at 02:45:06PM +0200, Tim Düsterhus wrote: > (...) > > So that paragraph you suggested might discourage users that actually > > read and understand if something is *slapped in their face* from HAProxy > > and

Re: Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-23 Thread Lukas Tribus
Hello Elias, could you try 2.0.3 please? It was just released today and fixes a CPU hogging issue. cheers, lukas

Re: Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-18 Thread Lukas Tribus
Hello Elias, On Wed, 17 Jul 2019 at 17:52, Elias Abacioglu wrote: > > Ok, I just tried HAProxy 2.0.2. > I see weird CPU behaviour there too. > On threaded mode: > When I restart or reload haproxy it goes between 11-38% idle on core 2 and 3. > But then after a couple of minutes it goes to using

Re: Random 502's and instant 504's after upgrading

2019-07-18 Thread Lukas Tribus
Hello, On Thu, 18 Jul 2019 at 16:51, Sander Klein wrote: > > On 2019-07-18 09:15, Sander Klein wrote: > > Hi, > > > > Last night I tried upgrading from haproxy 1.9.8 to 2.0.2. After > > upgrading I get random 502's and random instant 504's when visiting > > pages. > > > Just tested with 'no

Re: building haproxy against openssl no-deprecated

2019-07-15 Thread Lukas Tribus
Hello, On Mon, 15 Jul 2019 at 09:13, Илья Шипицин wrote: > > Hello, > > I tried to build openssl-1.1.1 with "no-deprecated" > > src/ssl_sock.o: In function `ssl_sock_do_create_cert': > /home/travis/build/chipitsine/haproxy/src/ssl_sock.c:1867: undefined > reference to `X509_get_notBefore' >

Re: Unify equal acl between backends

2019-07-11 Thread Lukas Tribus
Hello Ricardo, On Thu, 11 Jul 2019 at 10:01, Ricardo Fraile wrote: > I tried to set the list under single and double quotes, the error > disappears but it didn't work. Using () and {} still had the error. > Setting only one extension works, two, only with the first on the list. > > What is the

Re: Upgrade from 1.7 to 2.0 = increased CPU usage

2019-07-11 Thread Lukas Tribus
Hello Elias, On Thu, 11 Jul 2019 at 17:05, Elias Abacioglu wrote: > > I just reverted back to haproxy 1.7 now. > To be more accurate, CPU idle is around ~48% for core 2-3. I suggest waiting for 2.0.2 or pulling the current 2.0 git tree. 2.0.1 just contains too many bugs at this point. Lukas
