Hi Wily,
That's a bug and it shouldn't be like this.
>
You can find information about this here :
https://www.mail-archive.com/haproxy@formilux.org/msg43291.html
But don't waste too much time on this.
> > For those interested, the (small) necessary config changes were :
> > - option httpchk syn
Hello,
I've finally updated our load balancer, using HAProxy 2.0, to HAProxy 2.4
\o/
I was motivated by both the EOL on 2.0, and by a recurring segfault
everytime we reloaded. btw, that segfault is now gone with 2.4 :)
I did not update to a newer version because we are still heavy users of
"nbpro
Hello,
We are experiencing for the past weeks a segfault on haproxy processes when
reloading haproxy.
Each thread generates a coredump. Fortunately, this is the old process that
crashes, so there is no production impact.
The same behaviour happens with haproxy 2.0.25 compiled with OpenSSL 1.1.1l
Hi,
Le lun. 13 déc. 2021 à 19:38, John Lauro a écrit :
> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or
> hdr_sub(user-agent) -i "\$\{jndi:" }
> was not catching the bad traffic. I think the escapes were causing issues
> in the matching.
>
> The following did work:
>
Hello there,
If you don't know yet, a CVE was published on friday about library log4j,
allowing a remote code execution with a crafted HTTP request.
We would like to filter these requests on HAProxy to lower the exposition.
At peak times, 20% of our web traffic is scanners about this bug !
The o
Hello,
I'm investigating an issue on specific rules for a customer.
The rules are the following :
stick-table type ipv6 size 6 expire 1h store conn_cur,conn_rate(10s)
http-request deny deny_status 429 if { src_conn_cur ge 100 }
http-request deny deny_status 429 if { src_conn_rate
Le jeu. 28 mai 2020 à 09:48, Willy Tarreau a écrit :
> No you're not :-) hdr_cnt() counts *values*. So :
>
> Range: bytes=0-,0-,0-,0-
>
> decomposes as the following values around the comma delimiter:
>
> "bytes=0-", "0-", "0-", "0-"
>
> And actually if you'd send several Range headers with
Hello,
Le jeu. 28 mai 2020 à 09:17, Willy Tarreau a écrit :
> http-request del-header range if { req.hdr_cnt(range) gt 1 }
>
This will only filter if header "Range" is present multiple times, not this
one :
Range: bytes=0-,0-,0-,0-
Am I correct ?
Olivier
Hello Willy,
Le ven. 15 mai 2020 à 17:33, Willy Tarreau a écrit :
>
> Is it 100% reproducible and if so can you please share a minimal config
> and reproducer so that we can quickly focus on it ?
>
Unfortunately I was unable to reproduce it. It only happens for several
hours in a row, then stop
Hello,
I'm spamming a lot these days :)
I found a strange coredump on HAProxy 2.0.14 that started a few days ago
for no reason. It's not a coredump but a raise().
Stacktrace :
#0 0x7fde8c9f8495 in raise () from /lib64/libc.so.6
#1 0x7fde8c9f9c75 in abort () from /lib64/libc.so.6
#2 0
Hi again,
Le mer. 6 mai 2020 à 17:47, Willy Tarreau a écrit :
> Hi Olivier,
>
> On Wed, May 06, 2020 at 05:29:59PM +0200, Olivier D wrote:
> > > Try applying this commit:
> > >
> > >
> https://github.com/haproxy/haproxy/commit/02c88036a61e09d0676a2b6b408
Hello,
Le mer. 6 mai 2020 à 15:30, Tim Düsterhus a écrit :
> Olivier,
>
> > I was not aware there were any change in the way HAProxy was doing its
> > checks over proxy-protocol in 2.0.14 ... any hint ?
>
> This sounds like this issue we've seen with Dovecot:
> https://www.mail-archive.com/hapro
Hello,
This morning I tried to upgrade HAProxy 2.0.13 to 2.0.14 but had to
rollback immediately : some backends checks started to fail.
Error reported was : SOCKERR - SSL handshake failure
The backends failing have a specific configuration as follows (I removed
anything unnecessary to trigger the
Hello,
I was creating counter-measures against a DOS attack, but I failed to
understand some numbers I received.
I'm using HAProxy 2.0.14
My (expurged) frontend config is :
listen test
bind X.X.X.X:443
maxconn 65536
rate-limit sessions 128
But during the attack, the following number
Hi,
Le mar. 21 avr. 2020 à 12:56, Tim Düsterhus a écrit :
> Olivier,
>
> PS: Personal opinion, but I prefer quotes in replies to be shortened as
> much as possible, while still providing context. I don't want to scroll
> through kilobytes of stuff I've already seen :-)
>
;)
Patch updated attac
Hello,
Le lun. 20 avr. 2020 à 20:37, Tim Düsterhus a écrit :
> Olivier,
>
> Am 20.04.20 um 20:03 schrieb Olivier D:
> > I'm using gmail so I add to attach patches and was not able to send them
> > directly. If format is wrong, tell me :)
> >
>
> Format
Hello,
Find attached two small patches to improve documentation on "option
forwardfor" and "http-request set-src".
I'm using gmail so I add to attach patches and was not able to send them
directly. If format is wrong, tell me :)
Olivier
From efbc320861c9c5a43219983cfc1073070b3e6622 Mon Sep 17 00
Le ven. 17 avr. 2020 à 20:49, Tim Düsterhus a écrit :
> Olivier,
>
> Am 17.04.20 um 20:22 schrieb Olivier D:
> > My first tries are based on something like this :
> >stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
> Not sure whether that'
Hello everyone,
I would like to implement a "max concurrent connection" in HAProxy. This is
easy to do at TCP level :
stick-table type ipv6 size 100k expire 30s store conn_cur
http-request track-sc0 src
http-request deny deny_status 429 if { src_conn_cur ge 20 }
But now, I want to
Hello,
With latest haproxy 2.0, you can generate a simple segfault with only
configuration test (haproxy -f test.cfg -c)
Config content :
--
defaults
mode http
backend test
stick-table type ip size 10k expire 1h store http_req_rate(1h) peers
mypeers
peers mypeers
Le mer. 19 févr. 2020 à 16:24, Christopher Faulet a
écrit :
> Le 19/02/2020 à 16:05, Olivier D a écrit :
> > A bug was fixed in 2.0.12 that could explain such of crashes. The
> upstream
> > commit id is eec7f8ac0 (or 0ed1e8963 in the 2.0 tree). It is related
> to the
Hello,
Le mer. 19 févr. 2020 à 15:27, Christopher Faulet a
écrit :
> Le 19/02/2020 à 11:35, Olivier D a écrit :
> > Hello,
> >
> > I would like to report a segfault on HAProxy 2.0.11 ; this version has
> been
> > running fine for two months, and this morning starti
Hello,
I would like to report a segfault on HAProxy 2.0.11 ; this version has been
running fine for two months, and this morning starting segfaulting over and
over.
Mitigation was performed by adding "no option http-use-htx" on 'defaults'
block.
I know it's not the latest version :) I'll update t
Hello,
Le mar. 17 déc. 2019 à 11:11, Willy Tarreau a écrit :
> Hi Olivier,
>
> On Tue, Dec 17, 2019 at 09:20:21AM +0100, Olivier D wrote:
> > That's not what I was saying. I'm already using "show server state", and
> > that's exactly what leads m
Hello Igor,
Le lun. 16 déc. 2019 à 23:41, Igor Cicimov
a écrit :
> Hi,
>
> On Tue, Dec 17, 2019 at 2:55 AM Olivier D wrote:
>
>> Hello,
>>
>> I found what was wrong : I was using "load-server-state-from-file" and
>> previous config file was using
19 à 18:32, Olivier D a écrit :
> Hello all,
> I struggle with what seemed a very easy config :
>
> listen test:443
> id 20609
> bind-process 16
> balance source
> hash-type consistent
> mode tcp
> bind x.x.x.x:443
> server s1 192.168.x.x:44
Hello all,
I struggle with what seemed a very easy config :
listen test:443
id 20609
bind-process 16
balance source
hash-type consistent
mode tcp
bind x.x.x.x:443
server s1 192.168.x.x:443 id 2158 check weight 5 send-proxy port 80
server s2 192.168.x.x:443 id 2168 c
Hello,
I'm rewriting a complex HAProxy config file and would like to be sure how
ssl-default-bind-options and bind options work together.
I would like to configure safe options by default, but still allow
less-safe protocols on some frontend. I'm puzzled by "force-X"
documentation (does it really
Hello,
I know I'm reporting an issue with an old version, but I got 2 segfaults
in 48h.
As I only got 3 segfaults with HAProxy in +10 years, I just wanted to make
sure these bugs have been caught and are now fixed.
haproxy -vv output:
HA-Proxy version 1.9.6 2019/03/29 - https://haproxy.org/
Bui
Hello,
I'm rewriting a complex HAProxy config file and would like to be sure how
ssl-default-bind-options and bind options work together.
I would like to configure safe options by default, but still allow
less-safe protocols on some frontend. I'm puzzled by "force-X"
documentation (does it really
Hi,
Le mer. 12 juin 2019 à 19:19, Willy Tarreau a écrit :
> Hi guys,
>
> On Wed, Jun 12, 2019 at 04:27:42PM +0200, Lukas Tribus wrote:
> (...)
> > I think it's a bad idea.
> >
> > Basically what Tim says (I was interrupted several times while writing
> > this email).
>
> OK, and this morning Wi
Hello,
Le sam. 12 janv. 2019 à 13:19, Willy Tarreau a écrit :
> Hi Olivier,
>
> On Wed, Jan 09, 2019 at 07:23:42PM +0100, Olivier D wrote:
> > Hello folks,
> >
> > Just wanted to raise an issue with a compilation error on HAProxy that I
> > was able to solve
Hello folks,
Just wanted to raise an issue with a compilation error on HAProxy that I
was able to solve by myself. Just wanted to know if this issue is
haproxy-related or compiler-related (and if a fix should be provided in the
future)
Compiling haproxy (1.8.17) failed with this error :
make TAR
33 matches
Mail list logo