[PATCH] BUG/MEDIUM: map: Fix memory leak in the map converter

2019-04-12 Thread Nenad Merdanovic
The allocated trash chunk is not freed properly and causes a memory leak exhibited as the growth in the trash pool allocations. Bug was introduced in commit 271022 (BUG/MINOR: map: fix map_regm with backref). This should be backported to all branches where the above commit was backported. ---

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-23 Thread Nenad Merdanovic
Hey Willy, On 3/23/2019 11:24 AM, Willy Tarreau wrote: I'm not sure why this is needed, because my first impression was that if this part can be an argument in the decode it ought to be one as well for the encoder, but that's where my ignorance of crypto shines, as I understand from your

[PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-23 Thread Nenad Merdanovic
The converter can be used to decrypt the raw byte input using the AES-GCM algorithm, using provided nonce, key and AEAD tag. This can be useful to decrypt encrypted cookies for example and make decisions based on the content. --- doc/configuration.txt | 12 src/ssl_sock.c| 148

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-23 Thread Nenad Merdanovic
Hey Willy, On 3/22/2019 5:38 PM, Willy Tarreau wrote: Hi Nenad, On Fri, Mar 22, 2019 at 12:02:24PM +0100, Nenad Merdanovic wrote: The converter can be used to decrypt the raw byte input using the AES-GCM algorithm, using provided nonce, key and AEAD tag. This can be useful to decrypt

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-23 Thread Nenad Merdanovic
Hello Willy, On 3/22/2019 5:40 PM, Willy Tarreau wrote: Hmmm sorry, but I'm getting this here : CC src/ssl_sock.o src/ssl_sock.c: In function 'sample_conv_aes_gcm_dec': src/ssl_sock.c:9166:27: error: 'EVP_CTRL_AEAD_SET_IVLEN' undeclared (first use in this function)

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-22 Thread Nenad Merdanovic
I've just renamed the converter based on Emeric's suggestion. And fixed a typo in the doc of course. Regards, Nenad

[PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-22 Thread Nenad Merdanovic
The converter can be used to decrypt the raw byte input using the AES-GCM algorithm, using provided nonce, key and AEAD tag. This can be useful to decrypt encrypted cookies for example and make decisions based on the content. --- doc/configuration.txt | 11 src/ssl_sock.c| 140

[PATCH] MINOR: ssl: Add aes_gcm_decrypt converter

2019-03-21 Thread Nenad Merdanovic
The converter can be used to decrypt the raw byte input using the AES-GCM algorithm, using provided nonce, key and AEAD tag. This can be useful to decrypt encrypted cookies for example and make decisions based on the content. --- doc/configuration.txt | 11 src/ssl_sock.c| 140

Re: SSL: double free on reload

2018-07-16 Thread Nenad Merdanovic
Hello, On 7/16/2018 10:46 AM, Willy Tarreau wrote: On Mon, Jul 16, 2018 at 08:32:31AM +0200, Janusz Dziemidowicz wrote: Mon, 16 Jul 2018 at 08:02 Willy Tarreau wrote: This one looks a bit strange. I looked at it a little bit and it corresponds to the line

Re: regression with patch 19e8aa58 "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"

2017-09-06 Thread Nenad Merdanovic
Hello Willy, On 9/6/2017 2:03 PM, Willy Tarreau wrote: On Wed, Sep 06, 2017 at 01:10:26PM +0200, Emmanuel Hocdet wrote: Hi, server configuration now breaks with: cfg sample: listen tls [...] server bla 127.0.0.1:8080 [ALERT] 248/130258 (21960) : parsing [/etc/haproxy/test.cfg:53] :

Re: [PATCH 2/2] BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr()

2017-07-24 Thread Nenad Merdanovic
Aleksandar, On 7/24/2017 5:07 PM, Aleksandar Lazic wrote: Hi Nenad Merdanovic, Nenad Merdanovic wrote on 24.07.2017: The get_addr() method of the Lua Server class incorrectly used INET_ADDRSTRLEN for IPv6 addresses resulting in failing to convert longer IPv6 addresses to strings. This fix

[PATCH 1/2] BUG/MINOR: lua: Fix Server.get_addr() port values

2017-07-23 Thread Nenad Merdanovic
The get_addr() method of the Lua Server class was using the 'sockaddr_storage addr' member to get the port value. HAProxy does not store ports in this member as it uses a separate member, called 'svc_port'. This fix should be backported to 1.7. --- src/hlua_fcn.c | 6 ++ 1 file changed, 2

[PATCH 2/2] BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr()

2017-07-23 Thread Nenad Merdanovic
The get_addr() method of the Lua Server class incorrectly used INET_ADDRSTRLEN for IPv6 addresses resulting in failing to convert longer IPv6 addresses to strings. This fix should be backported to 1.7. --- src/hlua_fcn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

Re: TLS-PSK support for haproxy?

2017-04-20 Thread Nenad Merdanovic
nd then add the socket-related functionality later (as with Olivier's patches it is less critical)? Regards, Nenad > > Regards, > > Gil > > On Thu, Jan 5, 2017 at 5:22 AM, Nenad Merdanovic <nmer...@haproxy.com> wrote: > >

Re: [ANNOUNCE] haproxy-1.7.5

2017-04-04 Thread Nenad Merdanovic
Hello, On 04/04/2017 10:25 AM, Willy Tarreau wrote: >> I will also add 1.8-dev soon ;-) >> > >> > Maybe I can contribute to the official repo & image. >> > https://hub.docker.com/_/haproxy/ >> > >> > Do you know who maints this image? > No, but I was recently asked and am now wondering whether

Re: [PATCH] CLEANUP: pattern: Move pattern_finalize_config to post checks initialization

2017-03-13 Thread Nenad Merdanovic
Hey Willy, On 3/13/2017 6:32 PM, Willy Tarreau wrote: > Hi Nenad, > > [ccing Thierry] > > On Sun, Mar 12, 2017 at 10:00:51PM +0100, Nenad Merdanovic wrote: >> Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> >> --- >> include/proto/pattern.h

[PATCH 1/2] BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup

2017-03-12 Thread Nenad Merdanovic
The memory is released by cli_release_mlook, which also properly sets the pointer to NULL. This was introduced with a big code reorganization involving moving to the new keyword registration form in commit ad8be61c7. This fix needs to be backported to 1.7. Signed-off-by: Nenad Merdanovic <n

[PATCH 2/2] BUG/MINOR: Fix "get map " CLI command

2017-03-12 Thread Nenad Merdanovic
The said form of the CLI command didn't return anything since commit ad8be61c7. This fix needs to be backported to 1.7. Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- src/map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/map.c b/src/map.c index 9

[PATCH] CLEANUP: pattern: Move pattern_finalize_config to post checks initialization

2017-03-12 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- include/proto/pattern.h | 2 -- src/haproxy.c | 2 -- src/pattern.c | 9 - 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/include/proto/pattern.h b/include/proto/pattern.h index 9c93db9..1

[PATCH] CLEANUP: Remove comment that's no longer valid

2017-03-12 Thread Nenad Merdanovic
Code was deleted in ad63582eb, but the comment remained. Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- src/sample.c | 4 1 file changed, 4 deletions(-) diff --git a/src/sample.c b/src/sample.c index 014913d..71d4e32 100644 --- a/src/sample.c +++ b/src/sample.c @@ -649,10

[PATCH] MINOR: Add hostname sample fetch

2017-03-12 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- doc/configuration.txt | 3 +++ src/sample.c | 12 2 files changed, 15 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index a79c4f3..ae84b25 100644 --- a/doc/configuration.txt +++

[PATCH 2/2] CLEANUP: Replace repeated code to count usable servers with be_usable_srv()

2017-03-12 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- src/backend.c | 16 ++-- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/src/backend.c b/src/backend.c index 5e2b8fc..b0e0332 100644 --- a/src/backend.c +++ b/src/backend.c @@ -1614,14 +1614,7 @@ smp_fetch

[PATCH 1/2] MINOR: Add nbsrv sample converter

2017-03-12 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- doc/configuration.txt | 6 ++ include/proto/backend.h | 13 + src/backend.c | 25 + 3 files changed, 44 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt

Re: [PATCH] MEDIUM: ssl: Add TLS-PSK client and server side support

2017-03-02 Thread Nenad Merdanovic
Hello Willy, On 03/02/2017 06:39 PM, Willy Tarreau wrote: > Hi Nenad, > > I'm getting the following warnings after I apply it. I'm running > with openssl 1.0.1o here : > > src/ssl_sock.c: In function 'ssl_sock_prepare_ctx': > src/ssl_sock.c:3203:3: warning: passing argument 2 of >

[PATCH] MEDIUM: ssl: Add TLS-PSK client and server side support

2017-02-02 Thread Nenad Merdanovic
From: Nenad Merdanovic <nmer...@anine.io> Signed-off-by: Nenad Merdanovic <nmer...@haproxy.com> --- doc/configuration.txt| 10 include/types/listener.h | 1 + include/types/server.h | 2 + include/types/ssl_sock.h | 5 ++ src/ssl_sock.c

Re: TLS-PSK support for haproxy?

2017-01-08 Thread Nenad Merdanovic
Hello, On 1/5/2017 4:47 PM, Emeric Brun wrote: > On 01/05/2017 04:22 AM, Nenad Merdanovic wrote: >> I have a working patch for this, but it's very ugly currently (minimal >> error checking, no warnings/messages, no docs, very basic tests done >> only, etc.) >>

Re: Trouble with ECC/RSA shared IP/port SSL setup and using unix sockets (localhost method works)

2017-01-05 Thread Nenad Merdanovic
Hello, On 1/6/2017 1:55 AM, Vitaly Pecharsky wrote: > haproxy -vv > HA-Proxy version 1.7.1 2016/12/13 > Copyright 2000-2016 Willy Tarreau As you are running 1.7 and OpenSSL 1.1.0, you don't need to do this any more. HAProxy can now natively support ECC/RSA/DSA based on client

Re: TLS-PSK support for haproxy?

2017-01-04 Thread Nenad Merdanovic
I have a working patch for this, but it's very ugly currently (minimal error checking, no warnings/messages, no docs, very basic tests done only, etc.) I expect to have a version for review by EOW (depending on the workload, maybe a bit sooner). Regards, Nenad On 1/2/2017 10:11 AM, Gil Bahat

[PATCH 1/2] MINOR: Add src_status sample fetch

2016-10-11 Thread Nenad Merdanovic
This sample fetch returns a concatenation of the client's IP address and the HTTP status code returned, separated by a single comma character. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- doc/configuration.txt | 6 ++ src/proto_http.c

[PATCH 2/2] CLEANUP: Rename smp_fetch_stcode to smp_fetch_status

2016-10-11 Thread Nenad Merdanovic
We want the function names in the code to match the fetch names in the configuration. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- src/proto_http.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/proto_http.c b/src/proto_http.c index 13c75ac..c11a1af

[PATCH] MINOR: Add fe_req_rate sample fetch

2016-10-02 Thread Nenad Merdanovic
The fe_req_rate is similar to fe_sess_rate, but fetches the number of HTTP requests per second instead of connections/sessions per second. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- doc/configuration.txt | 5 + src/frontend.c| 14 ++ 2 files chang

Re: Host name resolution in IPv6 only entry in /etc/hosts

2016-07-25 Thread Nenad Merdanovic
Hello Willy, On 7/20/2016 9:28 PM, Willy Tarreau wrote: > I vaguely remind such a conversation in the past with reports of > getaddrinfo() not returning what was expected. Maybe that's something > to consider for a next major version (eg: 1.7). However we could > possibly have something

Re: how to put stick tables values and src_conn_rate into headers

2016-07-20 Thread Nenad Merdanovic
Hello, On 07/20/2016 05:55 PM, Thomas Heil wrote: > Hi, > > I would like to put the actual value from a stick table into a request > header. This way I could inform the backend e.g. how many connections > this IP already made. > > The same I would like to do e.g. for src_conn_rate and

Re: consistent hash-mapping on header?

2016-07-19 Thread Nenad Merdanovic
Hello Paul, On 7/20/2016 2:59 AM, Paul McIntire wrote: > Hi > > Is it possible to do consistent hashing on information other than the IP > address i.e. X-Forwarded-For header? I'm using Haproxy 1.5.17. > > Thank you > Paul > I think you are looking for: balance hdr(X-Forwarded-For)

Re: Host name resolution in IPv6 only entry in /etc/hosts

2016-07-19 Thread Nenad Merdanovic
Adding Vincent here, as he maintains the Debian package. On 7/19/2016 2:21 PM, Albert Casademont wrote: > Makes sense, I assumed that the Debian package was compiled with that > option by default...it's a PITA that it is not, do you think this is > something to be reported to the maintainers of

Re: Host name resolution in IPv6 only entry in /etc/hosts

2016-07-18 Thread Nenad Merdanovic
Dropped ML by mistake On 07/18/2016 11:47 PM, Nenad Merdanovic wrote: > Hello, > > On 07/18/2016 02:41 PM, Albert Casademont wrote: >> Hi! >> >> I was trying to configure an IPv6 only backend using the hostname in >> /etc/hosts and the HAProxy kept failin

[PATCH] BUG/MINOR: Fix endiness issue in DNS header creation code

2016-07-13 Thread Nenad Merdanovic
Alexander Lebedev reported that the response bit is set on SPARC when DNS queries are sent. This has been tracked to the endianness issue, so this patch makes the code portable. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- include/types/dns.h | 23 +++ src

Re: [PATCH] BUG/MEDIUM: dns: unbreak DNS resolver after header fix

2016-07-13 Thread Nenad Merdanovic
Hello Willy, On 7/13/2016 11:26 AM, Willy Tarreau wrote: > Alexander, > > the attached patch fixed the issue for me. There were two places where > a possibly unaligned address was force casted as uint32_t. Could you confirm > it's OK for you as well ? > > Nenad, I'm willing to take you patch as

Re: [PATCH] BUG/MEDIUM: dns: unbreak DNS resolver after header fix

2016-07-13 Thread Nenad Merdanovic
Hello Willy, On 7/13/2016 11:15 AM, Willy Tarreau wrote: > I have an ARMv5 board here which is configurable to be very sensitive > to alignment issues. I'm just realizing something : without your patch > the server will not respond as it receives a bogus request. With your > patch it does respond

Re: [PATCH] BUG/MEDIUM: dns: unbreak DNS resolver after header fix

2016-07-13 Thread Nenad Merdanovic
Hey Willy, On 7/13/2016 10:35 AM, Willy Tarreau wrote: > On Wed, Jul 13, 2016 at 09:55:18AM +0600, Alexander Lebedev wrote: >> Hello Nenad. With this patch I get "Bus Error" and core dumped. > > So it means there was an unaligned access. It cannot come from the internals > of the structure

Re: [PATCH] BUG/MEDIUM: dns: unbreak DNS resolver after header fix

2016-07-12 Thread Nenad Merdanovic
Hello Alexander, On 7/12/2016 2:57 PM, Nenad Merdanovic wrote: > Hello, > > On 7/12/2016 1:13 PM, Alexander Lebedev wrote: >> Hi! On Solaris10/SPARC I see this issue with 1.6.6 and 1.6.3 (before >> Vincent commit). >> Haproxy sends queries with "response"

Re: [PATCH] BUG/MEDIUM: dns: unbreak DNS resolver after header fix

2016-07-12 Thread Nenad Merdanovic
Hello, On 7/12/2016 1:13 PM, Alexander Lebedev wrote: > Hi! On Solaris10/SPARC I see this issue with 1.6.6 and 1.6.3 (before > Vincent commit). > Haproxy sends queries with "response" bit. > Maybe it is again alignment issue? I don't have time to currently look deep into the code, but AFAIR how

Re: load 'drain' with load-server-state-from-file fails ?

2016-06-14 Thread Nenad Merdanovic
Hello Peter, On 6/14/2016 6:37 PM, PiBa-NL wrote: > Hi list, > > While trying out how to use load-server-state-from-file I noticed that > 'drain' state set through the stats page is not restored after loading > the state back. > > I'm using haproxy 1.6.4 / 1.7-dev2 . I realize these are not the

Re: problems with req.ssl_ec_ext

2016-05-30 Thread Nenad Merdanovic
Hello Bjorn, On 5/30/2016 4:29 PM, Björn Zettergren wrote: > Hi, > > I've been playing around with the ECC+RSA certificate on same IP as > described in the haproxy blog at > http://blog.haproxy.com/2015/07/15/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ > > However, I get

Re: Crash with kernel error

2016-05-18 Thread Nenad Merdanovic
Hey, On 5/18/2016 8:28 AM, Sasha Litvak wrote: > It is hard to reproduce, it took almost a week for it to crash and > produced no core. I did ulimit -c unlimited before start. Does it make > sense to go back to 1.6.3 or try git source ? Make sure you set the fs.suid_dumpable=1 sysctl

Re: [PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-17 Thread Nenad Merdanovic
Hello Willy, On 05/17/2016 09:41 PM, Willy Tarreau wrote: > Nenad, you were the one reporting the sorting issue, what do you think > about all this ? I don't have strong feelings about this -- the initial point I asked about was the versionsort vs alphasort and then just pointing out that we've

[PATCH] DOC: Fix typo so fetch is properly parsed by Cyril's converter

2016-05-16 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- doc/configuration.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 80b9c01..19b7e1a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -13218,7 +1

Re: [PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-13 Thread Nenad Merdanovic
Hello Willy, On 5/13/2016 7:04 PM, Willy Tarreau wrote: > I don't know, I'm not fond of setting things in the back of the user like > this. I don't even know if we have other parts that are currently sensitive > to the locale and which could be affected. Wouldn't it be better to simply > add this

Re: [PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-13 Thread Nenad Merdanovic
Hello Willy, On 5/13/2016 12:54 PM, Willy Tarreau wrote: > Wait a minute, what do you mean by "different lower/upper case sorting" ? > Do you mean that alphasort() ignores the case ? I'm seeing no mention about > it in the man page, so I'm confused. If this is the case, it can be annoying > for

Re: [PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-13 Thread Nenad Merdanovic
Hello Willy, On 5/13/2016 11:04 AM, Willy Tarreau wrote: > Hi Nenad, > > On Fri, May 13, 2016 at 11:02:01AM +0200, Nenad Merdanovic wrote: >> Hello, >> >> On 5/13/2016 8:07 AM, Willy Tarreau wrote: >>> I think I'm fine with this one (I'll still wait a bit to

Re: [PATCH] MEDIUM: init: allow directory as argument of -f

2016-05-13 Thread Nenad Merdanovic
Hello, On 5/13/2016 8:07 AM, Willy Tarreau wrote: > I think I'm fine with this one (I'll still wait a bit to let others respond). > I just have one small request, please move the addition of list_append_word() > to its own patch : if later we use it to fix a bug which needs to be > backported,

Re: Crash with kernel error

2016-05-11 Thread Nenad Merdanovic
Hello, On 5/11/2016 10:16 AM, Alex Litvak wrote: > Haproxy 1.6.15 crashes with following error > > haproxy[24074]: segfault at 3dbed94000 ip 003dbea897fb sp > 7fffc7278e68 error 4 in libc-2.12.so[3dbea0+18a000] > > Are you able to reliably reproduce this? Please post the output

[PATCH] BUG/MINOR: log: fix a typo that would cause %HP to log

2016-04-25 Thread Nenad Merdanovic
Typo was introduced in 57bc891 ("BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields in TCP mode") which inverted the condition in the test and caused to be logged when using %HP. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- src/log.c | 2 +- 1 file chan

[PATCH 2/2] CLEANUP: Use server_parse_maxconn_change_request for maxconn CLI updates

2016-04-24 Thread Nenad Merdanovic
--- src/dumpstats.c | 24 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/src/dumpstats.c b/src/dumpstats.c index da26f80..bb62c41 100644 --- a/src/dumpstats.c +++ b/src/dumpstats.c @@ -1827,34 +1827,18 @@ static int stats_sock_parse_request(struct

Re: [PATCH 1/2] MINOR: Add ability for agent-check to set server maxconn

2016-04-20 Thread Nenad Merdanovic
Hey Willy, On 4/19/2016 12:24 PM, Willy Tarreau wrote: > > Your patch looks fine but I'm a bit bothered by the choice of the syntax > here which is neither really intuitive nor future-proof. I even suspect > you had some head-scratching before coming to this. That was the hardest part actually

[PATCH 1/2] MINOR: Add ability for agent-check to set server maxconn

2016-04-16 Thread Nenad Merdanovic
This is very useful in complex architecture systems where HAproxy is balancing DB connections for example. We want to keep the maxconn high in order to avoid issues with queueing on the LB level when there is slowness on another part of the system. Example is a case of an architecture where each

[PATCH 2/2] CLEANUP: Use server_parse_maxconn_change_request for maxconn CLI updates

2016-04-16 Thread Nenad Merdanovic
--- src/dumpstats.c | 24 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/src/dumpstats.c b/src/dumpstats.c index da26f80..bb62c41 100644 --- a/src/dumpstats.c +++ b/src/dumpstats.c @@ -1827,34 +1827,18 @@ static int stats_sock_parse_request(struct

Re: Increased CPU usage after upgrading 1.5.15 to 1.5.16

2016-04-05 Thread Nenad Merdanovic
Hello Lukas, On 4/4/2016 8:56 PM, Lukas Tribus wrote: > Hi Nenad, > > >> I suggest you try reverting commit 7610073a. I have exhibited very >> similar issues and everything points to this commit (which was Willy's >> first suspect). > > So I assume this affects 1.6 and 1.7-dev as well, the bug

[PATCH] BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers

2016-03-29 Thread Nenad Merdanovic
Similar issue was fixed in 67dad27, but the fix is incomplete. Crash still happened when utilizing req.fhdr() and sending exactly MAX_HDR_HISTORY headers. This fix needs to be backported to 1.5 and 1.6. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- src/proto_http.c | 7 +--

Re: [PATCH] BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present

2016-03-27 Thread Nenad Merdanovic
Hey Lukas, On 3/27/2016 8:22 AM, Lukas Tribus wrote: > The patch fixes the issue for me. Thanks for confirming. > > But I have seen another behavior which does not really match my > expectation, we are saying: > > Last TLS_TICKETS_NO keys will be used for decryption > > > But my tests with

[PATCH] BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present

2016-03-25 Thread Nenad Merdanovic
to 1.6. Signed-off-by: Nenad Merdanovic <nmer...@anine.io> --- src/ssl_sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1017388..994cdcc 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5406,8 +5406,8 @@ stat

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
Hello Willy, On 03/25/2016 03:29 PM, Nenad Merdanovic wrote: [..snip..] Ah, just ignore this :) I've now realized what you meant. Sure, I'll rewrite the patch like that. To me it doesn't make much difference in readability and they do accomplish the same purpose, so we can do it as you prefer

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
Hello Willy, On 03/25/2016 01:37 PM, Willy Tarreau wrote: > Hi Nenad, > > On Fri, Mar 25, 2016 at 11:35:01AM +0100, Nenad Merdanovic wrote: >> diff --git a/src/ssl_sock.c b/src/ssl_sock.c >> index 1017388..767d6e9 100644 >> --- a/src/ssl_sock.c >> +++ b/src

Re: TLS Tickets and CPU usage

2016-03-25 Thread Nenad Merdanovic
to full negotiation): > > https://gist.github.com/anonymous/6ec7c863f497cfd849a4 > > > Workaround would be to remove the oldest key from the file, so > that the number of keys in the file remains below 5. > > That's what I did : keep last 2 keys and add a new o

Re: TLS Tickets and CPU usage

2016-03-24 Thread Nenad Merdanovic
Hey Lukas, On 03/24/2016 09:15 PM, Lukas Tribus wrote: > Hi Nenad, > > >>> Well, it's not supposed to look like this, there is clearly something >>> wrong. Master key fluctuates between the requests with TLS tickets >>> and the reuse column shows failure. >> >> Looks like a haproxy bug, I think

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello Pavlos, On 3/17/2016 4:45 PM, Pavlos Parissis wrote: > I am working(not very actively) on a solution which utilizes this. > It will use www.vaultproject.io as central store, a generating engine > and a pull/push mechanism in place. > > But, the current version of HAProxy doesn't support

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello, On 3/16/2016 6:25 PM, Christian Ruppert wrote: > > Some customers may require 4096 bit keys as it seems to be much more > decent than 2048 nowadays. So you may be limited here. A test with a > 2048 bit Cert gives me around ~770 requests per second, a test with a > 256 bit ECC cert around

Re: General SSL vs. non-SSL Performance

2016-03-19 Thread Nenad Merdanovic
Hello Aleksandar, On 3/17/2016 6:00 PM, Aleksandar Lazic wrote: > Okay I'm now lost 8-O > > please can anyone help me to understand how the flow works. > > 1st Request > client -> ssl handshake -> haproxy server 1 (tls ticket?!) > > 2nd Request > Same client -> ssl handshake -> haproxy server 2

Re: General SSL vs. non-SSL Performance

2016-03-18 Thread Nenad Merdanovic
Hello Gary, On 3/17/2016 11:51 AM, Gary Barrueto wrote: > > While that would help a single server, how about when dealing with multi > servers + anycast: Has there been any thoughts about sharing ssl/tls > session cache between servers? Like how apache can use memcache to store > its cache or

Re: Only using map file when an entry exists

2016-03-11 Thread Nenad Merdanovic
Hello Neil, You seem to have missed my answer, so I am gonna top post this time :) http-request redirect location %[hdr(host),map(/etc/haproxy/redirect_host.map)] code 301 if { hdr(host),map(/etc/haproxy/redirect_host.map) -m found } Regards, Nenad On 03/11/2016 11:32 PM, Neil - HAProxy List

Re: Only using map file when an entry exists

2016-03-03 Thread Nenad Merdanovic
Hello On 3/3/2016 1:40 PM, Neil - HAProxy List wrote: > Hello > This works but is yuck (I'd have to automate generating the acl file > from the map - not hard but not clean). Ideally I'd like a way to only > redirect when a value is in the map what would be fine is if there were > a

Re: req.ssl_ver possible values

2016-02-17 Thread Nenad Merdanovic
Hello Nick, On 2/17/2016 11:01 PM, Nick Ramirez wrote: > After reading through the documentation on the req.ssl_ver ACL and its > possible values, I still don't fully understand the possible values that > it might return. > > From the docs, SSL ver 3.0 will return 3 for req.ssl_ver and TLS

Re: Keep-Alive not working between frontend and backend?

2016-02-02 Thread Nenad Merdanovic
Hello Nick, On 2/2/2016 4:32 PM, Nick Ramirez wrote: > This all seems to me like keep-alive is not working between frontend and > backend. Like, it keeps the connection between client and frontend, but > not between frontend and backend. This is the behavior I would expect if > I had set

Re: SSL acceleration

2016-01-30 Thread Nenad Merdanovic
Hello Eric, On 1/30/2016 3:44 PM, Eric Chan wrote: > Thank you all for your replies. > Yes I want to accelerate the RSA and DHE operations also, which needs approx > 2 million CPU cycles per key pair if done in pure SW. The Coleto Creek HW > will give big boost if we can get it to work.

Re: DROP/DENY before forwarding behind connections

2016-01-25 Thread Nenad Merdanovic
Hello, On 01/25/2016 04:17 PM, Willy Tarreau wrote: > On Mon, Jan 25, 2016 at 04:46:36PM +0200, mat.mar...@yahoo.com wrote: >> On 20.01.2016 12:31, mat.mar...@yahoo.com wrote: >>> Just a short correction. >>> Before was from an allowed IP. >>> This is the output from a not allowed IP : >>> >>> ~#

Re: bug in state-from-file with resolvers?

2016-01-16 Thread Nenad Merdanovic
Forgot to add the ML :/ On 01/16/2016 07:43 PM, Nenad Merdanovic wrote: > Hello Robert, > > + Baptiste > >> >> Connect() failed for backend bk: no free ports. >> >> If you comment out either the load-server-state-from-file line or remove >> 'reso

Re: lua, changing response-body in http pages 'supported' ?

2015-12-14 Thread Nenad Merdanovic
Hello, Sorry for top posting, but has there been any progress in getting the ability to rewrite response body with Lua in HAproxy (easy way)? I would assume AppletHTTP could be used for this, but I see that http-response doesn't support use-service. Regards, Nenad On 10/26/2015 12:00 PM,

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

2015-12-01 Thread Nenad Merdanovic
Hello Oliver, On 12/1/2015 12:32 AM, Olivier Doucet wrote: > Hello, > > I'm digging out this thread, because having multiple certificate for one > single domain (SNI) but with different key types (RSA/ECDSA) can really > be a great functionality. Is there some progress ? How can we help ? > In

Re: ssl parameters ignored

2015-11-24 Thread Nenad Merdanovic
Hello, On 11/24/2015 1:47 PM, Sander Klein wrote: > On 2015-11-23 22:36, Lukas Tribus wrote: >> Can you elaborate what kind of OS we are talking about, and where the >> openssl lib comes from (is it just a openssl-dev package from the >> repository, or a custom build? static or shared?) > > It

Re: Debug mode not working?!

2015-11-09 Thread Nenad Merdanovic
Hello Aleksandar, > Okay after removing accept-proxy from > > bind *:${HTTP_BIND_PORT} accept-proxy tfo > > It comes what expected. If you are using 'accept-proxy', HAproxy expects the payload to start with a PROXY protocol header. http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt

Re: Log if the connection reuses SSL session or not in 1.5

2015-09-09 Thread Nenad Merdanovic
> hard to detect whether or not it's a new SSL session in logs. > I just need this binary info if it exists. > > Thanks all, > Vincent > Regards. -- Nenad Merdanovic | PGP: 0x423edcb2 Linkedin: http://www.linkedin.com/in/nenadmerdanovic

Re: [PATCH] [BUG/MINOR]: TLS Ticket Key rotation broken via socket command

2015-08-20 Thread Nenad Merdanovic
Hello, On 8/20/2015 2:55 PM, Pradeep Jindal wrote: Hi, It seems haproxy was doing wrong pointer arithmetic to update the ticket ring correctly. Here's a small patch, self descriptive. This patch is against the github master branch. Thanks for spotting this. Looking at it, I am not sure

Re: haproxy can't bind to mysql port

2015-07-24 Thread Nenad Merdanovic
Hello Tim, On Fri, Jul 24, 2015 at 1:46 PM, Tim Dunphy bluethu...@gmail.com wrote: listen mysql-cluster bind 127.0.0.1:3306 mode tcp option mysql-check user haproxy_check

Re: Server IP resolution using DNS in HAProxy

2015-07-15 Thread Nenad Merdanovic
/dns.html), which are currently very widely used to provide service discovery. -Robin- Regards, -- Nenad Merdanovic | PGP: 0x423edcb2 Linkedin: http://www.linkedin.com/in/nenadmerdanovic

[PATCH] BUG/MINOR: payload: Add volatile flag to smp_fetch_req_ssl_ec_ext

2015-07-15 Thread Nenad Merdanovic
This bug was introduced in 5fc7d7e. No backport to 1.5 needed. Signed-off-by: Nenad Merdanovic nmer...@anine.io --- src/payload.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/payload.c b/src/payload.c index 78f5608..852727a 100644 --- a/src/payload.c +++ b/src/payload.c @@ -161,6

Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Nenad Merdanovic
Hello Willy, On 7/8/2015 10:44 PM, Willy Tarreau wrote: [...] +req.ssl_ec_ext : boolean +req_ssl_ec_ext : boolean (deprecated) The deprecated req_ssl_* keywords were for compatibility with historic versions and should not be introduced right now, so I'd rather not add it now to remove

Re: [PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-09 Thread Nenad Merdanovic
Hello Lukas, On 7/9/2015 9:53 AM, Lukas Tribus wrote: I like this, I'm glad we have this possibility now. It isn't however an alternative to Dave Zhu's work, its rather an additional possibility. We still ought to work with Dave to get his proposals merged, imho. Absolutely, it is by no

[PATCH] MINOR: Add sample fetch to detect Supported Elliptic Curves Extension

2015-07-07 Thread Nenad Merdanovic
bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /usr/local/haproxy/ecc.foo.com.pem user nobody bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt /usr/local/haproxy/www.foo.com.pem user nobody Signed-off-by: Nenad Merdanovic nmer...@anine.io --- doc

Re: Capture sequencing in logs

2015-07-06 Thread Nenad Merdanovic
Hello Philip On 7/6/2015 9:47 PM, Phillip Decker wrote: Hello again all, I have a configuration problem, and I have a workaround that I don't like, so I'm hoping someone here might have a better solution - I have a number of capture fields such as ssl_c_s_dn, request header referrer,

Re: Capture sequencing in logs

2015-07-06 Thread Nenad Merdanovic
, Nenad Merdanovic ni...@nimzo.info wrote: Hello Philip On 7/6/2015 9:47 PM, Phillip Decker wrote: Hello again all, I have a configuration problem, and I have a workaround that I don't like, so I'm hoping someone here might have a better

Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

2015-06-25 Thread Nenad Merdanovic
Hello, Everything said here is based on my opinion, so just add IMO in front of every sentence :) On 6/25/2015 6:01 PM, Remi Gacogne wrote: Hi, I was unaware that BoringSSL removed the callback, but in that case, could we limit this feature to only OpenSSL? I'm also not seeing how using

Re: log SSL/TLS protocol version

2015-06-09 Thread Nenad Merdanovic
Hello, On 6/9/2015 5:44 PM, Sylvain Faivre wrote: Hello, We use Haproxy in front of HTTP servers, SSL termination is done on HAproxy. Is there a way to have HAproxy log the SSL or TLS protocol version (TLS 1.0 / 1.1 / 1.2) or specific cipher that was used for requests? Yes, you can

Re: [PATCH] MINOR: Add sample fetch which identifies if the SSL session has been resumed

2015-05-17 Thread Nenad Merdanovic
Hello Willy, On 5/16/2015 11:27 AM, Willy Tarreau wrote: Hi Nenad, It looks OK but you forgot to update the doc! Should be fixed in the attached patch, sorry about that. Also just a cosmetic comment below : On Tue, May 12, 2015 at 12:14:58AM +0200, Nenad Merdanovic wrote: /* string

Re: send-proxy and x-forward-for

2015-05-17 Thread Nenad Merdanovic
Hello Phil, On 5/12/2015 8:54 AM, Phil Daws wrote: the issue is that if I go to the web site via HTTPS, which does not pass through a CDN, then the correct client IP is being passed through but if I go via HTTP its the CDN's IP which is being presented. When I was using real_ip_header

[PATCH] MINOR: Add sample fetch which identifies if the SSL session has been resumed

2015-05-11 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic nmer...@anine.io --- src/ssl_sock.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b3adf9a..59e3630 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3716,6 +3716,19 @@ smp_fetch_ssl_fc_has_sni(const

[PATCH 1/3] MINOR: Add TLS ticket keys reference and use it in the listener struct

2015-05-09 Thread Nenad Merdanovic
Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic nmer...@anine.io --- include/types/listener.h | 3 +-- include/types

[PATCH 3/3] DOC: Document new socket commands show tls-keys and set ssl tls-key

2015-05-09 Thread Nenad Merdanovic
Signed-off-by: Nenad Merdanovic nmer...@anine.io --- doc/configuration.txt | 12 1 file changed, 12 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index 85d94d9..4ecde15 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -14678,6 +14678,13

[PATCH 2/3] MEDIUM: Add support for updating TLS ticket keys via socket

2015-05-09 Thread Nenad Merdanovic
Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: show tls-keys and set ssl tls-keys. Signed-off-by: Nenad Merdanovic nmer...@anine.io

[PATCH 0/3] Add support for TLS ticket key socket updates

2015-05-09 Thread Nenad Merdanovic
This patchset adds support for updating TLS ticket keys using the admin socket. Nenad Merdanovic (3): MINOR: Add TLS ticket keys reference and use it in the listener struct MEDIUM: Add support for updating TLS ticket keys via socket DOC: Document new socket commands show tls-keys and set

Re: CPU saturated with 250Mbps traffic on frontend

2015-04-05 Thread Nenad Merdanovic
Evgeniy, On 4/5/2015 4:47 PM, Evgeniy Sudyr wrote: Lukas, thank you for pointing to possible keep-alive issues, I've tested it before, but did it again just to make one more check! I've increased keep alives timeout to 10se and removed http-server-close, restarted haproxy :) Changes I've
