Re: CVE-2021-40346, the Integer Overflow vulnerability

2021-09-08 Thread Lukas Tribus
Hello Jonathan, On Wed, 8 Sept 2021 at 21:28, Jonathan Greig wrote: > > Hello! My name is Jonathan Greig and I'm a reporter for ZDNet. I'm > writing a story about CVE-2021-40346 and I was wondering if > HAProxy had any comment about the vulnerability. Just making sure you are aware that this

Re: double // after domain causes ERR_HTTP2_PROTOCOL_ERROR after upgrade to 2.4.3

2021-08-20 Thread Lukas Tribus
On Fri, 20 Aug 2021 at 13:08, Илья Шипицин wrote: > > double slashes behaviour is changed in BUG/MEDIUM: > h2: match absolute-path not path-absolute for :path · haproxy/haproxy@46b7dff > (github.com) Actually, I think the patch you are referring to would *fix* this particular issue, as it was

Re: [ANNOUNCE] HTTP/2 vulnerabilities from 2.0 to 2.5-dev

2021-08-18 Thread Lukas Tribus
On Thursday, 19 August 2021, James Brown wrote: > Are there CVE numbers coming for these vulnerabilities? > > CVE-2021-39240: -> 2) Domain parts in ":scheme" and ":path" CVE-2021-39241: -> 1) Spaces in the ":method" field CVE-2021-39242: -> 3) Mismatch between ":authority" and "Host" Lukas

Re: HAProxy Network Namespace Support issues, and I also found a security flaw.

2021-07-20 Thread Lukas Tribus
Hello, On Tue, 20 Jul 2021 at 08:13, Peter Jin wrote: > 2. There is a stack buffer overflow found in one of the files. Not > disclosing it here because this email will end up on the public mailing > list. If there is a "security" email address I could disclose it to, > what is it? It's

Re: Replying to spam [was: Some Spam Mail]

2021-07-15 Thread Lukas Tribus
On Thu, 15 Jul 2021 at 11:27, Илья Шипицин wrote: > > I really wonder what they will suggest. > > I'm not a spam source, since we do not have "opt in" policy, anybody can send > mail. so they do. > please address the issue properly, either change list policy or be calm with > my experiments.

Re: set mss on backend site on version 1.7.9

2021-07-13 Thread Lukas Tribus
Hello Stefan, On Tue, 13 Jul 2021 at 14:10, Stefan Fuhrmann wrote: > > Hello all, > > > First, we can not change to newer version so fast within the project. > > We are having an old installation of haproxy (1.7.9) and we have the > need to configure tcp- mss- value on backend site. > > > > Is

Re: [PATCH 0/1] Replace issue templates by issue forms

2021-06-23 Thread Lukas Tribus
Hello, On Wed, 23 Jun 2021 at 22:25, Willy Tarreau wrote: > > Hi Tim, Max, > > On Wed, Jun 23, 2021 at 09:38:12PM +0200, Tim Duesterhus wrote: > > Hi Willy, Lukas, List! > > > > GitHub finally launched their next evolution of issue templates, called > > issue > > forms, as a public beta: > >

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Lukas Tribus
Hello Shawn, On Sun, 20 Jun 2021 at 14:03, Shawn Heisey wrote: > > On 6/20/2021 1:52 AM, Lukas Tribus wrote: > > Can you try disabling threading, by putting nbthread 1 in your config? > > That didn't help. From testssl.sh: > > SSL Session ID support ye

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Lukas Tribus
Hello Shawn, On Sun, 20 Jun 2021 at 08:39, Shawn Heisey wrote: > This is what SSL Labs now says for the thing that started this thread: > > Session resumption (caching): No (IDs assigned but not accepted) > Session resumption (tickets): Yes > > I'd like to get the caching item fixed, but I

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-16 Thread Lukas Tribus
On Wed, 16 Jun 2021 at 17:03, Илья Шипицин wrote: > > ssl sessions are for tls1.0 (disabled in your config) > tls1.2 uses tls tickets for resumption That is not true, you can disable TLS tickets and still get resumption on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID caching.

Re: [EXTERNAL] Re: built in ACL, REQ_CONTENT

2021-06-08 Thread Lukas Tribus
Hello, On Tue, 8 Jun 2021 at 17:36, Godfrin, Philippe E wrote: > > Certainly, > > Postrgres sends this message across the wire: > > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00 > 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd| > Jun 2 21:14:40

Re: built in ACL, REQ_CONTENT

2021-06-07 Thread Lukas Tribus
Hello, On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E wrote: > > Greetings! > > I can’t seem to find instructions on how to use this builtin ACL. Can someone > point me in the right direction, please? There is nothing specific about it, you use just like every other ACL. http-request deny

Re: how to write to a file safely in haproxy

2021-05-26 Thread Lukas Tribus
Hello, On Wed, 26 May 2021 at 13:29, reshma r wrote: > > Hello all, > Periodically I need to write some configuration data to a file. > However I came across documentation that warned against writing to a file at > runtime. > Can someone give me advice on how I can achieve this safely? You'll

Re: haproxy hung with CPU usage at 100% Heeeelp, please!!!

2021-05-14 Thread Lukas Tribus
The first thing I'd try is to disable multithreading (by putting nbthread 1 in the global section of the configuration), to see if that helps. Lukas

Re: Table sticky counters decrementation problem

2021-03-30 Thread Lukas Tribus
Hi Willy, On Tue, 30 Mar 2021 at 17:56, Willy Tarreau wrote: > > Guys, > > out of curiosity I wanted to check when the overflow happened: > > $ date --date=@$$(date +%s) * 1000) & -0x800) / 1000)) > Mon Mar 29 23:59:46 CEST 2021 > > So it only affects processes started since today. I'm

Re: Stick table counter not working after upgrade to 2.2.11

2021-03-30 Thread Lukas Tribus
Hi Willy, On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote: > > Guys, > > These two patches address it for me, and I could verify that they apply > on top of 2.2.11 and work there as well. This time I tested with two > counters at different periods 500 and 2000ms. Both Sander and Thomas now

Re: Table sticky counters decrementation problem

2021-03-30 Thread Lukas Tribus
Hello Thomas, this is a known issue in any release train other than 2.3 ... https://github.com/haproxy/haproxy/issues/1196 However neither 2.3.7 (does not contain the offending commits), nor 2.3.8 (contains all the fixes) should be affected by this. Are you absolutely positive that you are

Re: zlib vs slz (performance)

2021-03-29 Thread Lukas Tribus
Hello, On Mon, 29 Mar 2021 at 20:54, Илья Шипицин wrote: >> > Dear list, >> > >> > on browser load (html + js + css) I observe 80% of cpu spent on gzip. >> > also, I observe that zlib is probably one of the slowest implementations >> > my personal benchmark correlates with

Re: Is there a way to deactivate this "message repeated x times"

2021-03-29 Thread Lukas Tribus
Hello, On Mon, 29 Mar 2021 at 15:25, Aleksandar Lazic wrote: > > Hi. > > I need to create some log statistics with awffull stats and I assume this > messages > means that only one line is written for 3 requests, is this assumption right? > > Mar 28 14:04:07 lb1 haproxy[11296]: message repeated

Re: zlib vs slz (performance)

2021-03-29 Thread Lukas Tribus
Hi Ilya, On Mon, 29 Mar 2021 at 15:34, Илья Шипицин wrote: > > Dear list, > > on browser load (html + js + css) I observe 80% of cpu spent on gzip. > also, I observe that zlib is probably one of the slowest implementations > my personal benchmark correlates with https://github.com/inikep/lzbench

Re: HAProxy proxy protocol

2021-03-28 Thread Lukas Tribus
Double post on discourse, please refrain from this practice in the future! https://discourse.haproxy.org/t/haproxy-proxy-protocol/6413/2 Thanks, Lukas

Re: [HAP 2.3.8] Is there a way to see why "" and "SSL handshake failure" happens

2021-03-27 Thread Lukas Tribus
Hello, On Sat, 27 Mar 2021 at 11:52, Aleksandar Lazic wrote: > > Hi. > > I have a lot of such entries in my logs. > > ``` > Mar 27 11:48:20 lb1 haproxy[14556]: ::::23167 > [27/Mar/2021:11:48:20.523] https-in~ https-in/ -1/-1/-1/-1/0 0 0 - - > PR-- 1041/1011/0/0/0 0/0 "" > Mar 27 11:48:20

Fwd: OpenSSL Security Advisory

2021-03-25 Thread Lukas Tribus
FYI -- Forwarded message - From: OpenSSL Date: Thu, 25 Mar 2021 at 15:03 Subject: OpenSSL Security Advisory To: , OpenSSL User Support ML , OpenSSL Announce ML -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [25 March 2021]

Re: Stick table counter not working after upgrade to 2.2.11

2021-03-23 Thread Lukas Tribus
Hello, just a heads-up, this was also reported for 1.8: https://discourse.haproxy.org/t/counter-issues-on-1-8-29/6381/ Lukas On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote: > > Guys, > > These two patches address it for me, and I could verify that they apply > on top of 2.2.11 and work

Re: [ANNOUNCE] haproxy-1.6.16

2021-03-22 Thread Lukas Tribus
Hello Willy, On Sat, 20 Mar 2021 at 10:09, Willy Tarreau wrote: > > 1.6 was EOL last year, I don't understand why there is a last release. > > There were some demands late last year and early this year to issue a > last one with pending fixes to "flush the pipe" but it was terribly > difficult

Re: [PATCH 1/1] MINOR: build: force CC to set a return code when probing options

2021-03-06 Thread Lukas Tribus
Hello Bertrand, On Sun, 7 Mar 2021 at 00:53, Bertrand Jacquin wrote: > I am not proposing haproxy build-system to use -Werror here, I'm only > proposing to use -Werror when probing for options supported by the > compiler, as effectively clang returns a code of 0 even if an option is > not

Re: [PATCH 1/1] MINOR: build: force CC to set a return code when probing options

2021-03-06 Thread Lukas Tribus
Hello, On Sat, 6 Mar 2021 at 21:25, Bertrand Jacquin wrote: > > gcc returns a non-zero code if an option is not supported (tested > from 6.5 to 10.2). > > $ gcc -Wfoobar -E -xc - -o /dev/null < /dev/null > /dev/null 2>&1 ; echo $? > 1 > > clang always returns 0 if an option is not recognized

Re: minconn, maxconn and fullconn (again, sigh!)

2021-02-11 Thread Lukas Tribus
On Thu, 11 Feb 2021 at 05:31, Victor Sudakov wrote: > > Lukas Tribus wrote: > > > > On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote: > > > > > > I can even phrase my question in simpler terms. What happens if the sum > > > total of all servers' m

Re: minconn, maxconn and fullconn (again, sigh!)

2021-02-10 Thread Lukas Tribus
Hello Victor, On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote: > > I can even phrase my question in simpler terms. What happens if the sum > total of all servers' maxconns in a backend is less than the maxconn > value in the frontend pointing to the said backend? Queueing for "timeout queue"

Re: TCP mode and ultra short lived connection

2021-02-08 Thread Lukas Tribus
Hello, On Mon, 8 Feb 2021 at 18:14, Максим Куприянов wrote: > > Hi! > > I faced a problem dealing with l4 (tcp mode) haproxy-based proxy over > Graphite's component receiving metrics from clients and clients who are > connecting just to send one or two Graphite-metrics and disconnecting right

Re: HAproxy soft reload timeout?

2021-02-04 Thread Lukas Tribus
Hello Dominik, you are looking for hard-stop-after: http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#hard-stop-after Regards, Lukas On Thu, 4 Feb 2021 at 11:40, Froehlich, Dominik wrote: > > Hi, > > > > I am currently experimenting with the HAproxy soft reload functionality

Re: (possibly off topic) how to handle Chrome on SSL mass hosting ?

2021-02-03 Thread Lukas Tribus
On Wed, 3 Feb 2021 at 18:47, Илья Шипицин wrote: >> while I do not mind to have such optimization, but when 'a.example.com" >> responds with http2 GOAWAY, that affects also "b.example.com" and " >> c.example.com". Chrome is not clever enough to open new connections instead >> of abandoned one. >

Re: SSL session resumption

2021-02-03 Thread Lukas Tribus
Hello, On Wed, 3 Feb 2021 at 17:44, Илья Шипицин wrote: > > TLS1.2 uses tls tickets, when TLS1.0 uses ssl sessions. I believe this is incorrect, TLSv1.2 works just fine with Session ID's (RFC5246) and TLS 1.0 works fine with TLS tickets (RFC5077). I'm not aware of any restrictions between

Re: SSL session resumption

2021-02-03 Thread Lukas Tribus
Hello Johan, we are gonna need the outputs of "haproxy -vv" from both situations, as well as at the very least *all* the ssl configuration parameters in haproxy that you are using. However, I do not believe it is likely that we can find the root cause, without access to those handshakes, since

Re: How can I enable the HTTP/3 (QUIC) in HAProxy?

2021-01-21 Thread Lukas Tribus
Jimmy, On Thu, 21 Jan 2021 at 09:45, Tim Düsterhus wrote: > > Hi List, > > Am 21.01.21 um 08:59 schrieb jimmy: > > I found the fact that HAProxy 2.3 higher supports HTTP/3 (QUIC) through > > [this > > link](https://www.haproxy.com/blog/announcing-haproxy-2-3/#connection-improvements). > This

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Friday, 4 December 2020, Yossi Nachum wrote: > If I will change the map file via admin socket > Will it shutdown old/current sessions? Better, you don't need to shutdown anything, because HTTP authentication works on a HTTP transaction level, so each request is authenticated, even

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Thu, 3 Dec 2020 at 16:17, Yossi Nachum wrote: > > Hi, > I'm using haproxy 1.8 > This is my global and frontend configuration which include user auth: > [...] > acl network_allowed src,map_ip_int(/etc/haproxy/allowed_ips.lst,0) -m int > eq 1 > acl users_allowed

Re: end all sessions for specific user

2020-12-03 Thread Lukas Tribus
Hello, On Thu, 3 Dec 2020 at 15:32, Yossi Nachum wrote: > > Hi, > > > > I have a haproxy configuration that is based on a file with username and password. > > When I disable a user his new sessions are blocked with 407 but his > old/current sessions are still processed Please share your

Fwd: Forthcoming OpenSSL Release

2020-12-01 Thread Lukas Tribus
FYI -- Forwarded message - From: Paul Nelson Date: Tue, 1 Dec 2020 at 11:15 Subject: Forthcoming OpenSSL Release To: The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1i. This release will be made available on Tuesday 8th December

Re: Logging mTLS handshake errors

2020-11-18 Thread Lukas Tribus
Hello Dominik, On Wed, 18 Nov 2020 at 15:06, Froehlich, Dominik wrote: > > Hi everyone, > > > > Some of our customers are using mTLS to authenticate clients. There have been > complaints that some certificates don’t work > > but we don’t know why. To shed some light on the matter, I’ve tried

Re: Disable client keep-alive using ACL

2020-11-17 Thread Lukas Tribus
Hi Tim, On Tue, 17 Nov 2020 at 13:35, Tim Düsterhus, WoltLab GmbH wrote: > > Hi > > Am 09.11.20 um 12:36 schrieb Tim Düsterhus, WoltLab GmbH: > > is it possible to reliably disable client keep-alive on demand based on > > the result of an ACL? > > > > I was successful for HTTP/1 requests by

Re: do we want to keep CentOS 6 builds?

2020-11-16 Thread Lukas Tribus
Hello Ilya, On Mon, 16 Nov 2020 at 22:48, Илья Шипицин wrote: > we run CI only for master branch. Exactly! > do all those people want to run latest unstable haproxy on oldish RHEL 6 ? No, but since we *only test* master, this is the only way we get *some* coverage for the changes we are

Re: do we want to keep CentOS 6 builds?

2020-11-15 Thread Lukas Tribus
Hello, On Sun, 15 Nov 2020 at 17:14, Илья Шипицин wrote: > > Hello, > > we still run cirrus-ci builds. > CentOS 6 is EOL. > > should we drop it? I think CentOS 6 gives us good feedback about older operating systems that we may not necessarily want to break. The question for me is not so much

Re: frontend/bind ordering

2020-11-13 Thread Lukas Tribus
Hello, On Fri, 13 Nov 2020 at 21:21, Willy Tarreau wrote: > > > I'd suggest you run haproxy with noreuseport [1] temporarily, and > > > check if your kernel refuses to bind() to those IP's - it likely will. > > > This indicates an unsupported configuration (by your kernel, not by > > >

Re: frontend/bind ordering

2020-11-13 Thread Lukas Tribus
Hello Bartosz, On Fri, 13 Nov 2020 at 10:08, Bartosz wrote: > > Are we really the only ones with this issue? Has no one else seen this > change in behaviour? Or otherwise have any idea where it's coming from? > > Or at least confirm whether they do or don't see the same behaviour. I don't think

Re: DNS Load balancing needs feedback and advice.

2020-11-10 Thread Lukas Tribus
Hello Willy, On Fri, 6 Nov 2020 at 10:59, Willy Tarreau wrote: > > > hate the noise that some people regularly make about "UDP support" > > > > I am *way* more concerned about what to tell people when they report > > redundant production systems meltdowns because of the traps that we > > knew

Re: DNS Load balancing needs feedback and advice.

2020-11-05 Thread Lukas Tribus
Hello Willy, On Wed, 4 Nov 2020 at 15:36, Willy Tarreau wrote: > I think it's a reasonable tradeoff because those who insist on this are > also those who want to use so-called "modern" tools (placing "modern" > and DNS in the same sentence always leaves me a strange feeling that > something 37

Re: DNS Load balancing needs feedback and advice.

2020-11-02 Thread Lukas Tribus
Hello Emeric, On Mon, 2 Nov 2020 at 15:41, Emeric Brun wrote: > > Hi All, > > We are currently studying to develop a DNS messages load balancer (into > haproxy core) I find this a little surprising given that there already is a great DNS load-balancer out there (dnsdist) from the folks at

Re: IP binding and standby health-checks

2020-10-20 Thread Lukas Tribus
Hello, On Tue, 20 Oct 2020 at 05:36, Dave Hall wrote: > HAProxy Active/Standby pair using keepalived and a virtual IP. > Load balance SSH connections to a group of user access systems (long-running > Layer 4 connections). > Using Fail2Ban to protect against password attacks, so using

Re: Removal / obsolescence of keywords in 2.3 and future

2020-10-14 Thread Lukas Tribus
Hello, On Wed, 14 Oct 2020 at 15:29, Willy Tarreau wrote: > For "nbproc", given that I had no response in the previous question and > I anticipate some surprises if I play games with it, I'll probably apply > William's suggestion, consisting in starting to emit a warning about it, > and asking

Re: source algorithm - question.

2020-09-24 Thread Lukas Tribus
Hello, On Thu, 24 Sep 2020 at 11:40, Łukasz Tasz wrote: > > Hi all, > haproxy is gr8 - simply. > > Till today I was using roundrobin algorithm, but after studying documentation > it popped up that source might be better. > I'm using haproxy in tcp mode, version 1.8, load from one client

Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-15 Thread Lukas Tribus
On Tue, 15 Sep 2020 at 09:05, Brad Smith wrote: > >> NetBSD 8.0 adds support for accept4() and closefrom(). Enable > >> getaddrinfo(). > > We just had to disable threading on OpenBSD 6.7 for the build to succeed: > > > > https://github.com/haproxy/haproxy/issues/725 > > > > Did you actually test

Re: [PATCH] BUILD: makefile: Update feature flags for Solaris / FreeBSD / NetBSD / OpenBSD

2020-09-14 Thread Lukas Tribus
Hello Brad, On Sun, 13 Sep 2020 at 09:08, Brad Smith wrote: > > The following diff updates the feature flags for Solaris / FreeBSD / NetBSD / > OpenBSD. > > Bump the baseline Solaris to 9 which introduced closefrom(). > > FreeBSD 10 is already EOL for support but it's the new baseline.

Re: [RFC PATCH] MAJOR: ssl: Support for validating backend certificates with URI SANs (subjectAltName)

2020-09-09 Thread Lukas Tribus
On Tue, 8 Sep 2020 at 12:39, Teo Klestrup Röijezon wrote: > > Hey Willy, sorry about the delay.. managed to get sick right after that stuff. > > > I don't understand what you mean here in that it does not make sense to > > you. Actually it's not even about overriding verifyhost, it's more that >

[PATCH] DOC: overhauling github issue templates

2020-08-17 Thread Lukas Tribus
as per the suggestions from Cyril and Willy on the mailing list: Message-ID: and with direct contributions from Tim, this changes large parts of the bug issue template. The Feature template is also updated as well as a new template for Code Reports is introduced. Co-authored-by: Tim

Re: github template

2020-08-16 Thread Lukas Tribus
Hi, I prepared: - changes to Bug.md as per this discussion - changes to Features.md (just different sequence here) - added a new label "type: code-report" and a new issue template for those as well The changes can be seen here: https://github.com/lukastribus/hap-issue-trial/issues/new/choose

Re: Is the "source" keyword supported on FreeBSD?

2020-08-12 Thread Lukas Tribus
On Wed, 12 Aug 2020 at 21:03, Jerome Magnin wrote: > > Hi Frank, > > On Wed, Aug 12, 2020 at 11:50:05AM +0200, Frank Wall wrote: > > Hi, > > > > this *feels* like a silly question and I may have missed something > > pretty obvious, but... I've tried to use the "source" keyword and > > it doesn't

Re: github template

2020-08-11 Thread Lukas Tribus
Hello, On Mon, 20 Jul 2020 at 06:35, Willy Tarreau wrote: > > (Another case is when I try to follow the issue reports during vacation) > > > > I think it could be easier and quicker by only changing the sections order > > like this : > > 1. Expected behavior > > 2. Actual behavior > > 3. Steps

Re: Can I help with the 2.1 release?

2020-07-30 Thread Lukas Tribus
Hello, On Thu, 30 Jul 2020 at 20:49, Valter Jansons wrote: > > On Thu, Jul 30, 2020 at 6:44 PM Harris Kaufmann > wrote: > > my company really needs the next 2.1 release but we want to avoid > > deploying a custom, self compiled version. > > > > Is there something I can do to help with the

Re: SLZ vs ZLIB

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 19:19, Илья Шипицин wrote: > however, ZLIB is enabled by default in many distros and docker images. > any idea why ZLIB is chosen by default ? Because zlib is known, packaged and used everywhere and by everyone while slz is a niche library. It would need a

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 11:16, Froehlich, Dominik wrote: > > Hi Lukas, > > Thanks for the reply. > My query goes along the lines of which Lua version is compatible with HAproxy > and contains fixes to those CVEs. > I could not find a specific instruction as to which Lua version can be

Re: Several CVEs in Lua 5.4

2020-07-29 Thread Lukas Tribus
Hello, On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote: > > Hello everyone, > > Not sure if this is already addressed. Today I got a CVE report of several > issues with Lua 5.3.5 up to 5.4. > > I believe Lua 5.4 is currently recommended to build with HAproxy 2.x? > > Before I open an

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
On Mon, 27 Jul 2020 at 13:14, Willy Tarreau wrote: > > However on a unix domain socket like this we never had this issue in > > the first place, as connection-reuse cannot be used on it by > > definition, correct? > > No, it doesn't change anything. We consider the connection, the protocol >

Re: http-reuse and Proxy protocol

2020-07-27 Thread Lukas Tribus
Hello, On Thu, 23 Jul 2020 at 14:34, Willy Tarreau wrote: > > defaults > > http-reuse always > > > > backend abuse > > timeout server 60s > > balance roundrobin > > hash-balance-factor 0 > > server s_abuse u...@abuse.sock send-proxy-v2 maxconn 4 > > > > listen l_abuse > >

Re: github template

2020-07-22 Thread Lukas Tribus
I will comment next week, but I generally agree that we should move the version output to the end, as I noticed the same issue. expected/actual behaviour sections are painful in the obvious cases (don't crash/crash), but oftentimes users just assume their intent is obvious when it's really not.

[PATCH] MINOR: doc: ssl: req_ssl_sni needs implicit TLS

2020-07-18 Thread Lukas Tribus
req_ssl_sni is not compatible with protocols negotiating TLS explicitly, like SMTP on port 25 or 587 and IMAP on port 143. Fix an example referring to 587 (SMTPS port with implicit TLS is 465) and amend the req_ssl_sni documentation. This doc fix should be backported to supported versions. ---

Re: Documentation

2020-07-11 Thread Lukas Tribus
Hello, On Sat, 11 Jul 2020 at 13:20, Jonathan Matthews wrote: > > On Sat, 11 Jul 2020 at 12:14, Tofflan wrote: >> >> Hello! >> >> I'm trying to set up HAProxy on my Pfsense router, the links under >> documentation don't work. example: >>

proposing a haproxy 2.0.16 release (was [BUG] haproxy retries dispatch to wrong server)

2020-07-10 Thread Lukas Tribus
Hello, On Fri, 10 Jul 2020 at 08:08, Christopher Faulet wrote: > Hi, > > I finally pushed this fix in the 2.0. Note the same bug affected the HTTP > proxy > mode (using http_proxy option). In this case, the connection retries are now > disabled (on the 2.0 only) because the destination address

Re: [BUG] haproxy retries dispatch to wrong server

2020-07-07 Thread Lukas Tribus
Hello Michael, On Tue, 7 Jul 2020 at 15:16, Michael Wimmesberger wrote: > > Hi, > > I might have found a potentially critical bug in haproxy. It occurs when > haproxy is retrying to dispatch a request to a server. If haproxy fails > to dispatch a request to a server that is either up or has no

Re: [PATCH v2 0/2] Warnings for truncated lines

2020-06-22 Thread Lukas Tribus
Hello, On Monday, 22 June 2020, Willy Tarreau wrote: > > > Configuration file is valid > > Looks good to me. > > > I guess a truncated last line cannot be differentiated from file that > > does not > > end with a new line, because fgets() consumes the full line (triggering > the > > eof),

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
On Mon, 22 Jun 2020 at 21:21, Willy Tarreau wrote: > > Hi guys, > > On Mon, Jun 22, 2020 at 07:49:34PM +0200, Lukas Tribus wrote: > > Hello Tim, > > > > On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote: > > > > > > Lukas, > > > > >

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
Hello Tim, On Mon, 22 Jun 2020 at 18:56, Tim Düsterhus wrote: > > Lukas, > > Am 22.06.20 um 18:41 schrieb Lukas Tribus: > > On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote: > >> > >> Fix parsing of configurations if the configuration file does not end w

Re: [PATCH] BUG/MINOR: cfgparse: Support configurations without newline at EOF

2020-06-22 Thread Lukas Tribus
Hello, On Mon, 22 Jun 2020 at 18:16, Tim Duesterhus wrote: > > Fix parsing of configurations if the configuration file does not end with > an LF. ... but it's also warning about it at the same time. So it's unclear to me: Do we support a configuration without trailing LF or not? If yes,

Re: [PATCH] BUG/MINOR: systemd: Wait for network to be online

2020-06-17 Thread Lukas Tribus
for network-online.target > could delay boot time. I agree with this change, I think the advantages outweigh the disadvantages. Acked-by: Lukas Tribus Lukas

Re: Ubuntu 20.04 + TLSv1

2020-06-12 Thread Lukas Tribus
Hello Bjoern, On Fri, 12 Jun 2020 at 15:09, bjun...@gmail.com wrote: > > Hi, > > currently I'm testing Ubuntu 20.04 and HAProxy 2.0.14. > > I'm trying to get TLSv1 working (we need this for some legacy clients), so > far without success. > > I've read different things, on the one hand Ubuntu

Re: Fail to send unique-id by using proxy-v2-options

2020-05-29 Thread Lukas Tribus
Hello, On Fri, 29 May 2020 at 04:39, lufeng0...@outlook.com wrote: > > Hi, > > > > I have compiled haproxy version 2.2-dev8 using Cygwin, in order to use it > as a load balancer in Windows 10. I want to send a unique ID generated using > the frontend's "unique-id-format" within the PROXYv2

Re: RFC: set minimum default TLS version to 1.2 for HAProxy 2.2

2020-05-27 Thread Lukas Tribus
Hello, On Wed, 27 May 2020 at 13:33, Илья Шипицин wrote: > ср, 27 мая 2020 г. в 16:09, Tim Düsterhus : >> >> William, >> >> Am 27.05.20 um 12:40 schrieb William Lallemand: >> > Hello List, >> > >> > Since HAProxy 1.8, the minimum default TLS version for bind lines is >> > TLSv10. I was thinking

Re: [tcp|http]-check expect status explained

2020-05-06 Thread Lukas Tribus
On Wed, 6 May 2020 at 23:33, Aleksandar Lazic wrote: > > Hi. > > The doc for [tcp|http]-check expect has some *-status arguments like "L7OK", > "L7OKC","L6OK" and "L4OK" and so on. > > In the whole documentation these states are not explained. > I'm not sure in which chapter these states fit,

Re: about Warning: Setting tune.ssl.default-dh-param to 1024

2020-05-06 Thread Lukas Tribus
Hello, On Wed, 6 May 2020 at 20:25, William Lallemand wrote: > > As such I think it's about time we change the default value to 2048 and > > get rid of this annoying warning before 2.2 gets released (and at the > > same time 86% of the users will be able to remove one cryptic line in > > their

Re: [PATCH] CI: special purpose build, testing compatibility against "no-deprecated" openssl

2020-04-20 Thread Lukas Tribus
Hello Ilya, On Mon, 20 Apr 2020 at 16:12, Илья Шипицин wrote: >> I added a weekly build for detecting incompatibilities against "no-deprecated" >> openssl. >> >> (well, I first thought to add those option to travis, but it became >> over-engineered from my point of view) >> >> Lukas, if you

Re: HAproxy Error

2020-04-17 Thread Lukas Tribus
On Fri, 17 Apr 2020 at 13:57, wrote: > Even clean installation isn’t working because the default package available > in RHEL from you is without openssl. You are wrong. 1) we don't provide any packages. RHEL does. 2) a fresh RHEL 8.1 AMI on AWS works just fine and uses the provided 1.8.15

Re: HAproxy Error

2020-04-16 Thread Lukas Tribus
Hello, On Thu, 16 Apr 2020 at 13:51, wrote: > # which haproxy > /usr/local/sbin/haproxy > > > > Attached output for command "haproxy -vv" > > > > Also I'm using an AWS RHEL 8.1 version AMI. > > Let us know what else is required. Also let me know how to enable OpenSSL. > Provide me the rpm link

Re: HAproxy Error

2020-04-16 Thread Lukas Tribus
Hello, On Thu, 16 Apr 2020 at 06:04, wrote: > > Hi Team > > Let us know your availability to work on this. As Aleks already said: This haproxy executable has been built without OpenSSL support, which is required for your configuration. Provide the output of "which haproxy" and "haproxy -vv",

Re: Disclaimer in emails (was: Re: HAproxy Error)

2020-04-15 Thread Lukas Tribus
Hello Tim, Aleks, I fully agree with everything Tim just said. Let's keep the list about haproxy. Lukas

Re: List of ports opened for Listening by HAProxy

2020-04-08 Thread Lukas Tribus
Hello, On Wed, 8 Apr 2020 at 13:59, kkazmierc...@wp.pl wrote: > > Hello, > We need to know which ports on the server need to be reopened in order for > HAProxy to work properly. Haproxy does not listen on any ports by default. It listens only on those ports that you configured haproxy to

Re: Any chance of PPA packages updates for that security fix?

2020-04-06 Thread Lukas Tribus
Hello Sean, On Mon, 6 Apr 2020 at 18:12, Sean Reifschneider wrote: > > Been kind of watching for the haproxy versions to update in the PPAs for > Ubuntu. Considering the security nature of them, I'm kind of chomping at the > bit... :-) Any chance of those getting updated soonish? I can

Re: [PATCH] MINOR: config: make strict limits enabled by default

2020-03-28 Thread Lukas Tribus
Hello, On Sat, 28 Mar 2020 at 19:19, William Dauchy wrote: > > as agreed a few months ago, enable strict-limits for v2.3 master is still for 2.2 which is in development. If you want to target v2.3, you have to wait until 2.2 is released. Lukas

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-11 Thread Lukas Tribus
Hello, On Wed, 11 Mar 2020 at 08:32, Илья Шипицин wrote: >> On 09.03.20 20:37, Lukas Tribus wrote: >> >> I think the wording from the patch is still quite relaxed :). One of the >> >> best >> >> summaries describing the session ticket fla

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-10 Thread Lukas Tribus
Hello, On Tue, 10 Mar 2020 at 07:36, Илья Шипицин wrote: >> > if you specify, your security team will tell you that "it is not secure". >> > if you do not specify, keys are generated on startup and it lead to huge >> > CPU spike on app reload (if you apply new config, app is reloaded and keys

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
Hello, On Mon, 9 Mar 2020 at 20:39, Илья Шипицин wrote: >> I would disable session tickets by default in haproxy. Given that most >> clients support TLS 1.3 already this change would not even slow down many >> clients. > > > TLS tickets really require more love :) > > actually, there are two

[PATCH] DOC: ssl: clarify security implications of TLS tickets

2020-03-09 Thread Lukas Tribus
Clarifies security implications of TLS ticket usage when not rotating TLS ticket keys, after commit 7b5e136458 ("DOC: improve description of no-tls-tickets"). --- doc/configuration.txt | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt

Re: TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
On Mon, 9 Mar 2020 at 19:18, Björn Jacke wrote: > > On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off: > > Perhaps we can relax the wording a bit here and describe the actual > > technical issue along with some recommendations. Apache for example > > documents [1]: >

TLS tickets prone to MITM attacks (was: [PR] Docs tls tickets)

2020-03-09 Thread Lukas Tribus
Hello, On Mon, 9 Mar 2020 at 11:23, PR Bot wrote: > > Dear list! > > Author: Björn Jacke > Number of patches: 2 > > This is an automated relay of the Github pull request: >Docs tls tickets > > Patch title(s): >BUG/MINOR: fix typo of tls-tickets >DOC: improve description of

Re: option forwardfor with IPv6

2020-03-03 Thread Lukas Tribus
Hello, On Tue, 3 Mar 2020 at 19:06, Ionel GARDAIS wrote: > > Hi, > > What is the expected behavior of "option forwardfor" with an IPv6 connection ? > Frontend listen on IPv4 and IPv6. The expected behavior is to insert the IPv6 address into the X-F-F header, and this is exactly what happens in

Re: Let's Encrypt ca-file for check-ssl on server line

2020-03-02 Thread Lukas Tribus
Hello Aleks, On Mon, 2 Mar 2020 at 22:21, Aleksandar Lazic wrote: > check-ssl check-sni str("storage.sbg.cloud.ovh.net") For the health check it's: check-sni storage.sbg.cloud.ovh.net (not an expression as per the doc: check-sni ) and for the traffic: sni str(storage.sbg.cloud.ovh.net) (as

[PATCH] BUG/MINOR: dns: ignore trailing dot

2020-02-27 Thread Lukas Tribus
As per issue #435 a hostname with a trailing dot confuses our DNS code, as for a zero length DNS label we emit a null-byte. This change makes us ignore the zero length label instead. Must be backported to 1.8. --- As discussed in issue #435 --- src/dns.c | 6 ++ 1 file changed, 6

Re: [PATCH v2] BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2

2020-01-26 Thread Lukas Tribus
Hello, On Sun, 26 Jan 2020 at 20:11, William Dauchy wrote: > > > The explanation of the user-visible impact and the need for > > backporting to stable branches or not are MANDATORY. > > Yes; I was simply challenging that, as it is also open to mistakes to > write in commit message to which

Re: Haproxy loadbalancing out going mail to Antispam servers

2020-01-23 Thread Lukas Tribus
Hello, On Wed, 22 Jan 2020 at 16:18, Brent Clark wrote: > > Good day Guys > > We have a project where we are trying to load balance to our outbound > Spamexperts Antispam relays / servers. > > We hit a snag where our clients servers are getting 'Too many concurrent > SMTP connections from this

Re: SameSite attribute for persistent session cookie

2020-01-21 Thread Lukas Tribus
Hello, On Tue, 21 Jan 2020 at 13:09, Tim Düsterhus wrote: > I don't need it myself, but I want to mention that it should be > backported, because the current situation can be "considered a bug" (a > feature no longer works due to changes in the ecosystem). I guess the > patch is fairly low

Re: [PATCH] CLEANUP: server: remove unused err section in server_finalize_init

2020-01-09 Thread Lukas Tribus
Hello, On Thu, 9 Jan 2020 at 06:08, Илья Шипицин wrote: > > btw, if you add "Fixes: #438", the issue will be closed automatically > > https://help.github.com/en/github/managing-your-work-on-github/closing-issues-using-keywords which we are asking people *NOT* to do, because we are also tracking
