The converter can be useful to look up a server queue from a dynamic value.
Signed-off-by: Nenad Merdanovic
---
doc/configuration.txt | 7 +++
src/backend.c | 35 ++-
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/doc
The allocated trash chunk is not freed properly and causes a memory leak
exhibited as the growth in the trash pool allocations. Bug was introduced
in commit 271022 (BUG/MINOR: map: fix map_regm with backref).
This should be backported to all branches where the above commit was
backported.
---
Hey Willy,
On 3/23/2019 11:24 AM, Willy Tarreau wrote:
I'm not sure why this is needed, because my first impression was that if
this part can be an argument in the decode it ought to be one as well for
the encoder, but that's where my ignorance of crypto shines, as I understand
from your
The converter can be used to decrypt the raw byte input using the
AES-GCM algorithm, using provided nonce, key and AEAD tag. This can
be useful to decrypt encrypted cookies for example and make decisions
based on the content.
---
doc/configuration.txt | 12
src/ssl_sock.c| 148
Hey Willy,
On 3/22/2019 5:38 PM, Willy Tarreau wrote:
Hi Nenad,
On Fri, Mar 22, 2019 at 12:02:24PM +0100, Nenad Merdanovic wrote:
The converter can be used to decrypt the raw byte input using the
AES-GCM algorithm, using provided nonce, key and AEAD tag. This can
be useful to decrypt
Hello Willy,
On 3/22/2019 5:40 PM, Willy Tarreau wrote:
Hmmm sorry, but I'm getting this here :
CC src/ssl_sock.o
src/ssl_sock.c: In function 'sample_conv_aes_gcm_dec':
src/ssl_sock.c:9166:27: error: 'EVP_CTRL_AEAD_SET_IVLEN' undeclared (first use
in this function)
I've just renamed the converter based on Emeric's suggestion. And fixed
a typo in the doc of course.
Regards,
Nenad
The converter can be used to decrypt the raw byte input using the
AES-GCM algorithm, using provided nonce, key and AEAD tag. This can
be useful to decrypt encrypted cookies for example and make decisions
based on the content.
---
doc/configuration.txt | 11
src/ssl_sock.c| 140
The converter can be used to decrypt the raw byte input using the
AES-GCM algorithm, using provided nonce, key and AEAD tag. This can
be useful to decrypt encrypted cookies for example and make decisions
based on the content.
---
doc/configuration.txt | 11
src/ssl_sock.c| 140
Hello,
On 7/16/2018 10:46 AM, Willy Tarreau wrote:
On Mon, Jul 16, 2018 at 08:32:31AM +0200, Janusz Dziemidowicz wrote:
Mon, 16 Jul 2018 at 08:02 Willy Tarreau wrote:
This one looks a bit strange. I looked at it a little bit and it corresponds
to the line
Hello Willy,
On 9/6/2017 2:03 PM, Willy Tarreau wrote:
On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote:
Hi,
server configuration now break with:
cfg sample:
listen tls
[...]
server bla 127.0.0.1:8080
[ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] :
Aleksandar,
On 7/24/2017 5:07 PM, Aleksandar Lazic wrote:
Hi Nenad Merdanovic,
Nenad Merdanovic wrote on 24.07.2017:
The get_addr() method of the Lua Server class incorrectly used
INET_ADDRSTRLEN for IPv6 addresses resulting in failing to convert
longer IPv6 addresses to strings.
This fix
The get_addr() method of the Lua Server class was using the
'sockaddr_storage addr' member to get the port value. HAProxy does not
store ports in this member as it uses a separate member, called
'svc_port'.
This fix should be backported to 1.7.
---
src/hlua_fcn.c | 6 ++
1 file changed, 2
The get_addr() method of the Lua Server class incorrectly used
INET_ADDRSTRLEN for IPv6 addresses resulting in failing to convert
longer IPv6 addresses to strings.
This fix should be backported to 1.7.
---
src/hlua_fcn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
nd then add the socket-related functionality later (as with Olivier's
patches it is less critical)?
Regards,
Nenad
>
> Regards,
>
> Gil
>
> On Thu, Jan 5, 2017 at 5:22 AM, Nenad Merdanovic <nmer...@haproxy.com> wrote:
>
>
Hello,
On 04/04/2017 10:25 AM, Willy Tarreau wrote:
>> I will also add 1.8-dev soon ;-)
>> >
>> > Maybe I can contribute to the official repo & image.
>> > https://hub.docker.com/_/haproxy/
>> >
>> > Do you know who maintains this image?
> No, but I was recently asked and am now wondering whether
Hey Willy,
On 3/13/2017 6:32 PM, Willy Tarreau wrote:
> Hi Nenad,
>
> [ccing Thierry]
>
> On Sun, Mar 12, 2017 at 10:00:51PM +0100, Nenad Merdanovic wrote:
>> Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
>> ---
>> include/proto/pattern.h
The memory is released by cli_release_mlook, which also properly sets the
pointer to NULL. This was introduced with a big code reorganization
involving moving to the new keyword registration form in commit ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <n
The said form of the CLI command didn't return anything since commit
ad8be61c7.
This fix needs to be backported to 1.7.
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
src/map.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/map.c b/src/map.c
index 9
Code was deleted in ad63582eb, but the comment remained.
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
src/sample.c | 4
1 file changed, 4 deletions(-)
diff --git a/src/sample.c b/src/sample.c
index 014913d..71d4e32 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -649,10
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
doc/configuration.txt | 3 +++
src/sample.c | 12
2 files changed, 15 insertions(+)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index a79c4f3..ae84b25 100644
--- a/doc/configuration.txt
+++
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
src/backend.c | 16 ++--
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/src/backend.c b/src/backend.c
index 5e2b8fc..b0e0332 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1614,14 +1614,7 @@ smp_fetch
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
doc/configuration.txt | 6 ++
include/proto/backend.h | 13 +
src/backend.c | 25 +
3 files changed, 44 insertions(+)
diff --git a/doc/configuration.txt b/doc/configuration.txt
Hello Willy,
On 03/02/2017 06:39 PM, Willy Tarreau wrote:
> Hi Nenad,
>
> I'm getting the following warnings after I apply it. I'm running
> with openssl 1.0.1o here :
>
> src/ssl_sock.c: In function 'ssl_sock_prepare_ctx':
> src/ssl_sock.c:3203:3: warning: passing argument 2 of
>
From: Nenad Merdanovic <nmer...@anine.io>
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com>
---
doc/configuration.txt| 10
include/types/listener.h | 1 +
include/types/server.h | 2 +
include/types/ssl_sock.h | 5 ++
src/ssl_sock.c
Hello,
On 1/5/2017 4:47 PM, Emeric Brun wrote:
> On 01/05/2017 04:22 AM, Nenad Merdanovic wrote:
>> I have a working patch for this, but it's very ugly currently (minimal
>> error checking, no warnings/messages, no docs, very basic tests done
>> only, etc.)
>>
Hello,
On 1/6/2017 1:55 AM, Vitaly Pecharsky wrote:
> haproxy -vv
> HA-Proxy version 1.7.1 2016/12/13
> Copyright 2000-2016 Willy Tarreau
As you are running 1.7 and OpenSSL 1.1.0, you don't need to do this any
more. HAProxy can now natively support ECC/RSA/DSA based on client
I have a working patch for this, but it's very ugly currently (minimal
error checking, no warnings/messages, no docs, very basic tests done
only, etc.)
I expect to have a version for review by EOW (depending on the workload,
maybe a bit sooner).
Regards,
Nenad
On 1/2/2017 10:11 AM, Gil Bahat
This sample fetch returns a concatenation of the client's IP address
and the HTTP status code returned, separated by a single comma character.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
doc/configuration.txt | 6 ++
src/proto_http.c
We want the function names in the code to match the fetch names
in the configuration.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
src/proto_http.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 13c75ac..c11a1af
The fe_req_rate is similar to fe_sess_rate, but fetches the number
of HTTP requests per second instead of connections/sessions per second.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
doc/configuration.txt | 5 +
src/frontend.c| 14 ++
2 files chang
Hello Willy,
On 7/20/2016 9:28 PM, Willy Tarreau wrote:
> I vaguely remind such a conversation in the past with reports of
> getaddrinfo() not returning what was expected. Maybe that's something
> to consider for a next major version (eg: 1.7). However we could
> possibly have something
Hello,
On 07/20/2016 05:55 PM, Thomas Heil wrote:
> Hi,
>
> I would like to put the actual value from a stick tables into a request
> header. this way i could inform the backend e.g how many connections
> this ip already made.
>
> The same I would like to do e.g for src_conn_rate and
Hello Paul,
On 7/20/2016 2:59 AM, Paul McIntire wrote:
> Hi
>
> Is it possible to do consistent hashing on information other than the IP
> address i.e. X-Forwarded-For header? I'm using Haproxy 1.5.17.
>
> Thank you
> Paul
>
I think you are looking for:
balance hdr(X-Forwarded-For)
Adding Vincent here, as he maintains the Debian package.
On 7/19/2016 2:21 PM, Albert Casademont wrote:
> Makes sense, I assumed that the Debian package was compiled with that
> option by default...it's a PITA that it is not, do you think this is
> something to be reported to the maintainers of
Dropped ML by mistake
On 07/18/2016 11:47 PM, Nenad Merdanovic wrote:
> Hello,
>
> On 07/18/2016 02:41 PM, Albert Casademont wrote:
>> Hi!
>>
>> I was trying to configure an IPv6 only backend using the hostname in
>> /etc/hosts and the HAProxy kept failin
Alexander Lebedev reported that the response bit is set on SPARC when
DNS queries are sent. This has been tracked to the endianness issue, so
this patch makes the code portable.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
include/types/dns.h | 23 +++
src
Hello Willy,
On 7/13/2016 11:26 AM, Willy Tarreau wrote:
> Alexander,
>
> the attached patch fixed the issue for me. There were two places where
> a possibly unaligned address was force casted as uint32_t. Could you confirm
> it's OK for you as well ?
>
> Nenad, I'm willing to take your patch as
Hello Willy,
On 7/13/2016 11:15 AM, Willy Tarreau wrote:
> I have an ARMv5 board here which is configurable to be very sensitive
> to alignment issues. I'm just realizing something : without your patch
> the server will not respond as it receives a bogus request. With your
> patch it does respond
Hey Willy,
On 7/13/2016 10:35 AM, Willy Tarreau wrote:
> On Wed, Jul 13, 2016 at 09:55:18AM +0600, Alexander Lebedev wrote:
>> Hello Nenad. With this patch I get "Bus Error" and core dumped.
>
> So it means there was an unaligned access. It cannot come from the internals
> of the structure
Hello Alexander,
On 7/12/2016 2:57 PM, Nenad Merdanovic wrote:
> Hello,
>
> On 7/12/2016 1:13 PM, Alexander Lebedev wrote:
>> Hi! On Solaris10/SPARC I see this issue with 1.6.6 and 1.6.3 (before
>> Vincent commit).
>> Haproxy sends queries with "response"
Hello,
On 7/12/2016 1:13 PM, Alexander Lebedev wrote:
> Hi! On Solaris10/SPARC I see this issue with 1.6.6 and 1.6.3 (before
> Vincent commit).
> Haproxy sends queries with "response" bit.
> Maybe it is again alignment issue?
I don't have time to currently look deep into the code, but AFAIR how
Hello Peter,
On 6/14/2016 6:37 PM, PiBa-NL wrote:
> Hi list,
>
> While trying out how to use load-server-state-from-file i noticed that
> 'drain' state set through the stats page is not restored after loading
> the state back.
>
> I'm using haproxy 1.6.4 / 1.7-dev2 . I realize these are not the
Hello Bjorn,
On 5/30/2016 4:29 PM, Björn Zettergren wrote:
> Hi,
>
> I've been playing around with the ECC+RSA certificate on same IP as
> described in the haproxy blog at
> http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/
>
> However, I get
Hey,
On 5/18/2016 8:28 AM, Sasha Litvak wrote:
> It is hard to reproduce, it took almost a week for it to crash and
> produced no core. I did ulimit -c unlimited before start. Does it make
> sense to go to back to 1.6.3 or try git source ?
Make sure you set the fs.suid_dumpable=1 sysctl
Hello Willy,
On 05/17/2016 09:41 PM, Willy Tarreau wrote:
> Nenad, you were the one reporting the sorting issue, what do you think
> about all this ?
I don't have strong feelings about this -- the initial point I asked
about was the versionsort vs alphasort and then just pointing out that
we've
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 80b9c01..19b7e1a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13218,7 +1
Hello Willy,
On 5/13/2016 7:04 PM, Willy Tarreau wrote:
> I don't know, I'm not fond of setting things in the back of the user like
> this. I don't even know if we have other parts that are currently sensitive
> to the locale and which could be affected. Wouldn't it be better to simply
> add this
Hello Willy,
On 5/13/2016 12:54 PM, Willy Tarreau wrote:
> Wait a minute, what do you mean by "different lower/upper case sorting" ?
> Do you mean that alphasort() ignores the case ? I'm seeing no mention about
> it in the man page, so I'm confused. If this is the case, it can be annoying
> for
Hello Willy,
On 5/13/2016 11:04 AM, Willy Tarreau wrote:
> Hi Nenad,
>
> On Fri, May 13, 2016 at 11:02:01AM +0200, Nenad Merdanovic wrote:
>> Hello,
>>
>> On 5/13/2016 8:07 AM, Willy Tarreau wrote:
>>> I think I'm fine with this one (I'll still wait a bit to
Hello,
On 5/13/2016 8:07 AM, Willy Tarreau wrote:
> I think I'm fine with this one (I'll still wait a bit to let others respond).
> I just have one small request, please move the addition of list_append_word()
> to its own patch : if later we use it to fix a bug which needs to be
> backported,
Hello,
On 5/11/2016 10:16 AM, Alex Litvak wrote:
> Haproxy 1.6.15 crashes with following error
>
> haproxy[24074]: segfault at 3dbed94000 ip 003dbea897fb sp
> 7fffc7278e68 error 4 in libc-2.12.so[3dbea0+18a000]
>
>
Are you able to reliably reproduce this? Please post the output
Typo was introduced in 57bc891 ("BUG/MEDIUM: log: fix risk of
segfault when logging HTTP fields in TCP mode") which inverted the
condition in the test and caused to be logged when using
%HP.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
src/log.c | 2 +-
1 file chan
---
src/dumpstats.c | 24
1 file changed, 4 insertions(+), 20 deletions(-)
diff --git a/src/dumpstats.c b/src/dumpstats.c
index da26f80..bb62c41 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1827,34 +1827,18 @@ static int stats_sock_parse_request(struct
Hey Willy,
On 4/19/2016 12:24 PM, Willy Tarreau wrote:
>
> Your patch looks fine but I'm a bit bothered by the choice of the syntax
> here which is neither really intuitive nor future-proof. I even suspect
> you had some head-scratching before coming to this.
That was the hardest part actually
This is very useful in complex architecture systems where HAproxy
is balancing DB connections for example. We want to keep the maxconn
high in order to avoid issues with queueing on the LB level when
there is slowness on another part of the system. Example is a case of
an architecture where each
---
src/dumpstats.c | 24
1 file changed, 4 insertions(+), 20 deletions(-)
diff --git a/src/dumpstats.c b/src/dumpstats.c
index da26f80..bb62c41 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1827,34 +1827,18 @@ static int stats_sock_parse_request(struct
Hello Lukas,
On 4/4/2016 8:56 PM, Lukas Tribus wrote:
> Hi Nenad,
>
>
>> I suggest you try reverting commit 7610073a. I have exhibited very
>> similar issues and everything points to this commit (which was Willy's
>> first suspect).
>
> So I assume this affects 1.6 and 1.7-dev as well, the bug
Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still
happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY
headers.
This fix needs to be backported to 1.5 and 1.6.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
src/proto_http.c | 7 +--
Hey Lukas,
On 3/27/2016 8:22 AM, Lukas Tribus wrote:
> The patch fixes the issue for me.
Thanks for confirming.
>
> But I have seen another behavior which does not really match my
> expectation, we are saying:
>
> Last TLS_TICKETS_NO keys will be used for decryption
>
>
> But my tests with
to 1.6.
Signed-off-by: Nenad Merdanovic <nmer...@anine.io>
---
src/ssl_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1017388..994cdcc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5406,8 +5406,8 @@ stat
Hello Willy,
On 03/25/2016 03:29 PM, Nenad Merdanovic wrote:
[..snip..]
Ah, just ignore this :) I've now realized what you meant. Sure, I'll
rewrite the patch like that. To me it doesn't make much difference in
readability and they do accomplish the same purpose, so we can do it as
you prefer
Hello Willy,
On 03/25/2016 01:37 PM, Willy Tarreau wrote:
> Hi Nenad,
>
> On Fri, Mar 25, 2016 at 11:35:01AM +0100, Nenad Merdanovic wrote:
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index 1017388..767d6e9 100644
>> --- a/src/ssl_sock.c
>> +++ b/src
to full negotiation):
>
> https://gist.github.com/anonymous/6ec7c863f497cfd849a4
>
>
> Workaround would be to remove the oldest key from the file, so
> that the number of keys in the file remains below 5.
>
> That's what I did : keep last 2 keys and add a new o
Hey Lukas,
On 03/24/2016 09:15 PM, Lukas Tribus wrote:
> Hi Nenad,
>
>
>>> Well, it's not supposed to look like this, there is clearly something
>>> wrong. Master key fluctuates between the requests with TLS tickets
>>> and the reuse column shows failure.
>>
>> Looks like a haproxy bug, I think
Hello Pavlos,
On 3/17/2016 4:45 PM, Pavlos Parissis wrote:
> I am working(not very actively) on a solution which utilizes this.
> It will use www.vaultproject.io as central store, a generating engine
> and a pull/push mechanism in place.
>
> But, the current version of HAProxy doesn't support
Hello,
On 3/16/2016 6:25 PM, Christian Ruppert wrote:
>
> Some customers may require 4096 bit keys as it seems to be much more
> decent than 2048 nowadays. So you may be limited here. A test with a
> 2048 bit Cert gives me around ~770 requests per second, a test with an
> 256 bit ECC cert around
Hello Aleksandar
On 3/17/2016 6:00 PM, Aleksandar Lazic wrote:
> Okay I'm now lost 8-O
>
> please can anyone help me to understand how the flow works.
>
> 1st Request
> client -> ssl handshake -> haproxy server 1 (tls ticket?!)
>
> 2nd Request
> Same client -> ssl handshake -> haproxy server 2
Hello Gary,
On 3/17/2016 11:51 AM, Gary Barrueto wrote:
>
> While that would help a single server, how about when dealing with multi
> servers + anycast: Has there been any thoughts about sharing ssl/tls
> session cache between servers? Like how apache can use memcache to store
> its cache or
Hello Neil,
You seem to have missed my answer, so I am gonna top post this time :)
http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if { hdr(host),map(/etc/haproxy/redirect_host.map) -m found }
Regards,
Nenad
On 03/11/2016 11:32 PM, Neil - HAProxy List
Hello
On 3/3/2016 1:40 PM, Neil - HAProxy List wrote:
> Hello
> This works but is yuck (I'd have to automate generating the acl file
> from the map - not hard but not clean). Ideally I'd like a way to only
> redirect when a value is in the map what would be fine is if there were
> a
Hello Nick,
On 2/17/2016 11:01 PM, Nick Ramirez wrote:
> After reading through the documentation on the req.ssl_ver ACL and its
> possible values, I still don't fully understand the possible values that
> it might return.
>
> From the docs, SSL ver 3.0 will return 3 for req.ssl_ver and TLS
Hello Nick,
On 2/2/2016 4:32 PM, Nick Ramirez wrote:
> This all seems to me like keep-alive is not working between frontend and
> backend. Like, it keeps the connection between client and frontend, but
> not between frontend and backend. This is the behavior I would expect if
> I had set
Hello Eric,
On 1/30/2016 3:44 PM, Eric Chan wrote:
> Thank you all for your replies.
> Yes I want to accelerate the RSA and DHE operations also, which needs approx
> 2 million CPU cycles per key pair if done in pure SW. The Coleto Creek HW
> will give big boost if we can get it to work.
Hello,
On 01/25/2016 04:17 PM, Willy Tarreau wrote:
> On Mon, Jan 25, 2016 at 04:46:36PM +0200, mat.mar...@yahoo.com wrote:
>> On 20.01.2016 12:31, mat.mar...@yahoo.com wrote:
>>> Just a short correction.
>>> Before was from an allowed IP.
>>> This is the output from a not allowed IP :
>>>
>>> ~#
Forgot to add the ML :/
On 01/16/2016 07:43 PM, Nenad Merdanovic wrote:
> Hello Robert,
>
> + Baptiste
>
>>
>> Connect() failed for backend bk: no free ports.
>>
>> If you comment out either the load-server-state-from-file line or remove
>> 'reso
Hello,
Sorry for top posting, but has there been any progress in getting the
ability to rewrite response body with Lua in HAproxy (easy way)? I would
assume AppletHTTP could be used for this, but I see that http-response
doesn't support use-service.
Regards,
Nenad
On 10/26/2015 12:00 PM,
Hello Olivier,
On 12/1/2015 12:32 AM, Olivier Doucet wrote:
> Hello,
>
> I'm digging out this thread, because having multiple certificate for one
> single domain (SNI) but with different key types (RSA/ECDSA) can really
> be a great functionality. Is there some progress ? How can we help ?
>
In
Hello,
On 11/24/2015 1:47 PM, Sander Klein wrote:
> On 2015-11-23 22:36, Lukas Tribus wrote:
>> Can you elaborate what kind of OS we are talking about, and where the
>> openssl lib comes from (is it just a openssl-dev package from the
>> repository, or a custom build? static or shared?)
>
> It
Hello Aleksandar,
> Okay after removing accept-proxy from
>
> bind *:${HTTP_BIND_PORT} accept-proxy tfo
>
> It comes what expected.
If you are using 'accept-proxy', HAproxy expects the payload to start
with a PROXY protocol header.
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt
> hard to detect whether or not it's a new SSL session in logs.
> I just need this binary info if it exists.
>
> Thanks all,
> Vincent
>
Regards.
--
Nenad Merdanovic | PGP: 0x423edcb2
Linkedin: http://www.linkedin.com/in/nenadmerdanovic
Hello,
On 8/20/2015 2:55 PM, Pradeep Jindal wrote:
Hi,
It seems haproxy was doing wrong pointer arithmetic to update the ticket
ring correctly. Here's a small patch, self descriptive. This patch is
against the github master branch.
Thanks for spotting this. Looking at it, I am not sure
Hello Tim,
On Fri, Jul 24, 2015 at 1:46 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
listen mysql-cluster
bind 127.0.0.1:3306
mode tcp
option mysql-check user haproxy_check
/dns.html), which are currently very
widely used to provide service discovery.
-Robin-
Regards,
--
Nenad Merdanovic | PGP: 0x423edcb2
Linkedin: http://www.linkedin.com/in/nenadmerdanovic
This bug was introduced in 5fc7d7e. No backport to 1.5 needed.
Signed-off-by: Nenad Merdanovic nmer...@anine.io
---
src/payload.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/payload.c b/src/payload.c
index 78f5608..852727a 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -161,6
Hello Willy,
On 7/8/2015 10:44 PM, Willy Tarreau wrote:
[...]
+req.ssl_ec_ext : boolean
+req_ssl_ec_ext : boolean (deprecated)
The deprecated req_ssl_* keywords were for compatibility with historic
versions
and should not be introduced right now, so I'd rather not add it now to remove
Hello Lukas,
On 7/9/2015 9:53 AM, Lukas Tribus wrote:
I like this, I'm glad we have this possibility now. It isn't however an
alternative to Dave
Zhu's work, it's rather an additional possibility.
We still ought to work with Dave to get his proposals merged, imho.
Absolutely, it is by no
bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody
bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody
Signed-off-by: Nenad Merdanovic nmer...@anine.io
---
doc
Hello Phillip
On 7/6/2015 9:47 PM, Phillip Decker wrote:
Hello again all,
I have a configuration problem, and I have a workaround that I don't
like, so I'm hoping someone here might have a better solution -
I have a number of capture fields such as ssl_c_s_dn, request header
referrer,
, Nenad Merdanovic <ni...@nimzo.info> wrote:
Hello Phillip
On 7/6/2015 9:47 PM, Phillip Decker wrote:
Hello again all,
I have a configuration problem, and I have a workaround that I don't
like, so I'm hoping someone here might have a better
Hello,
Everything said here is based on my opinion, so just add IMO in front
of every sentence :)
On 6/25/2015 6:01 PM, Remi Gacogne wrote:
Hi,
I was unaware that BoringSSL removed the callback, but in that case, could
we limit this feature to only OpenSSL? I'm also not seeing how using
Hello,
On 6/9/2015 5:44 PM, Sylvain Faivre wrote:
Hello,
We use Haproxy in front of HTTP servers, SSL termination is done on
HAproxy.
Is there a way to have HAproxy log the SSL or TLS protocol version (TLS
1.0 / 1.1 / 1.2) or specific cipher that was used for requests ?
Yes, you can
Hello Willy,
On 5/16/2015 11:27 AM, Willy Tarreau wrote:
Hi Nenad,
It looks OK but you forgot to update the doc!
Should be fixed in the attached patch, sorry about that.
Also just a cosmetic comment below :
On Tue, May 12, 2015 at 12:14:58AM +0200, Nenad Merdanovic wrote:
/* string
Hello Phil,
On 5/12/2015 8:54 AM, Phil Daws wrote:
the issue is that if I go to the web site via HTTPS, which does not pass
through a CDN, then the correct client IP is being passed through but if I go
via HTTP it's the CDN's IP which is being presented. When I was using
real_ip_header
Within the listener struct we need to use a reference to the TLS
ticket keys which binds the actual keys with the filename. This will
make it possible to update the keys through the socket
Signed-off-by: Nenad Merdanovic nmer...@anine.io
---
include/types/listener.h | 3 +--
include/types
Evgeniy,
On 4/5/2015 4:47 PM, Evgeniy Sudyr wrote:
Lukas, thank you for pointing to possible keep-alive issues, I've
tested it before, but did it again just to make one more check!
I've increased keep alives timeout to 10se and removed
http-server-close, restarted haproxy :)
Changes I've
Hi Dirkjan,
On 3/2/2015 1:24 PM, Dirkjan Bussink wrote:
Hi all,
On Fri, Feb 27, 2015 at 07:56:48PM +0100, Nenad Merdanovic wrote:
This patchset adds support to configure TLS ticket keys used for
encryption and decryption of TLS tickets.
This is the 2nd version of the patchset that has been
to negotiate
every time they change the handling process.
Signed-off-by: Nenad Merdanovic nmer...@anine.io
---
include/common/defaults.h | 5 ++
include/types/listener.h | 2 +
include/types/ssl_sock.h | 6 ++
src/cfgparse.c| 1 +
src/ssl_sock.c| 163
Signed-off-by: Nenad Merdanovic nmer...@anine.io
---
doc/configuration.txt | 12
1 file changed, 12 insertions(+)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index bb7d567..0aac7e9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8969,6 +8969,18
This patchset adds support to configure TLS ticket keys used for
encryption and decryption of TLS tickets.
This is the 2nd version of the patchset that has been updated based on
suggestions from Willy Tarreau, Emeric Brun, Lukas Tribus and Remi Gacogne.
Nenad Merdanovic (2):
MEDIUM: Add