Re: Can you block this?

2023-02-23 Thread Robin H. Johnson
On Thu, Feb 23, 2023 at 06:48:14PM -0700, Bryan Arenal wrote: > Hi there, > > I’m seeing some traffic from what appears to be bad actors and am > wanting to block them. I see this in the existing config but being > new to haproxy, it doesn’t seem like it’s configured correctly but I’m > not

[2.4.2] Thread .. is about to kill the process - Lua-involved

2021-08-19 Thread Robin H. Johnson
=== Resending this, with the threading broken, so that other readers hopefully see it. It was in the thread previously. === Hi, This is a followup to the prior threads about 100% in 2.2.x & 2.3.x; where I referenced heavy workloads causing HAProxy to initially hit 100% CPU, but then after

[2.4.2] Thread .. is about to kill the process - Lua-involved

2021-08-09 Thread Robin H. Johnson
Hi, This is a followup to the prior threads about 100% in 2.2.x & 2.3.x; where I referenced heavy workloads causing HAProxy to initially hit 100% CPU, but then after the watchdog detection was added, they just killed the process instead. After months searching, at work we stumbled onto an

Re: [2.2.11] 100% CPU again

2021-04-21 Thread Robin H. Johnson
On Wed, Apr 21, 2021 at 01:53:32PM +0200, Christopher Faulet wrote: > On 21/04/2021 at 08:48, Maciej Zdeb wrote: > > I'm very happy you managed to reproduce a similar issue! :) > The fix was merged in upstream: > > * BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers >

Re: [2.2.11] 100% CPU again

2021-04-20 Thread Robin H. Johnson
On Tue, Apr 20, 2021 at 06:38:48PM +0200, Christopher Faulet wrote: > I'm able to reproduce a similar bug hacking the nghttp2 client to send at > most > 16383 bytes per frame (instead of 16384). By sending too large headers, we > are > falling into a wakeup loop, waiting for more data while

Re: Still 100% CPU usage in 2.3.9 & 2.2.13 (Was: Re: [2.2.9] 100% CPU usage)

2021-04-15 Thread Robin H. Johnson
On Thu, Apr 15, 2021 at 07:53:15PM +, Robin H. Johnson wrote: > But your thought of CPU pinning was good. > I went to confirm it in the host, and I'm not certain if the cpu-map is > working > right. Ignore me, long day and I didn't think to check each thread PID: # ps -e -T | gre

Re: Still 100% CPU usage in 2.3.9 & 2.2.13 (Was: Re: [2.2.9] 100% CPU usage)

2021-04-15 Thread Robin H. Johnson
On Thu, Apr 15, 2021 at 09:23:07AM +0200, Willy Tarreau wrote: > On Thu, Apr 15, 2021 at 07:13:53AM +0000, Robin H. Johnson wrote: > > Thanks; I will need to catch it faster or automate this, because the > > watchdog does a MUCH better job restarting it than before, less than 30 >

Re: Still 100% CPU usage in 2.3.9 & 2.2.13 (Was: Re: [2.2.9] 100% CPU usage)

2021-04-15 Thread Robin H. Johnson
On Thu, Apr 15, 2021 at 08:59:35AM +0200, Willy Tarreau wrote: > On Wed, Apr 14, 2021 at 01:53:06PM +0200, Christopher Faulet wrote: > > > nbthread=64, nbproc=1 on both 1.8/2.x > > > > It is thus surprising, if it is really a contention issue, that you never > > observed slow down on the 1.8.

Re: Still 100% CPU usage in 2.3.9 & 2.2.13 (Was: Re: [2.2.9] 100% CPU usage)

2021-04-09 Thread Robin H. Johnson
On Fri, Apr 09, 2021 at 10:14:26PM +0200, Christopher Faulet wrote: > It seems you have a blocking call in one of your lua scripts. The threads dump > shows many threads blocked in hlua_ctx_init. Many others are executing lua. > Unfortunately, for an unknown reason, there is no stack traceback.

Still 100% CPU usage in 2.3.9 & 2.2.13 (Was: Re: [2.2.9] 100% CPU usage)

2021-04-09 Thread Robin H. Johnson
Hi, Maciej had said they were going to create a new thread, but I didn't see one yet. I want to start by noting problem was much worse on 2.2.8 & 2.2.9, and that 2.2.13 & 2.3.9 don't get entirely hung at 100% anymore: a big thanks for that initial work in fixing the issue. As I mentioned in my

Request for new 1.8.x release due to freq counter bug

2021-04-09 Thread Robin H. Johnson
Hi, Wondering if you could make a new 1.8.x release to get the fix for the freq counter bug into more systems? dde80e111 BUG/MEDIUM: time: make sure to always initialize the global tick 491b86ed0 BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable It's a problem for anybody using

Re: 'show errors' - logging & reasons

2021-04-03 Thread Robin H. Johnson
On Fri, Apr 02, 2021 at 06:38:35PM +0200, Willy Tarreau wrote: > > This has come out of cases where we upgraded HAProxy 1.8 -> 2.2, and > > $work customers started reporting requests that previously worked fine > > now return 400 Invalid Request errors. > That's never good. Often it indicates that

'show errors' - logging & reasons

2021-04-01 Thread Robin H. Johnson
Hi, I'm wondering if there is any ongoing development or improvement plans around the 'show errors' functionality? This has come out of cases where we upgraded HAProxy 1.8 -> 2.2, and $work customers started reporting requests that previously worked fine now return 400 Invalid Request errors.

Re: Removal / obsolescence of keywords in 2.3 and future - replacing 'monitor-uri' w/ Lua

2020-10-20 Thread Robin H. Johnson
On Wed, Oct 14, 2020 at 03:35:30PM +0200, Tim Düsterhus wrote: > I believe I already said it somewhere: The most valuable thing about > monitor-uri is that it does not create entries within the access log. I > don't think that can be replicated with http-request return as of now, > but I am happy

Re: Loading multiple TLS certificates

2019-05-14 Thread Robin H. Johnson
On Mon, May 13, 2019 at 09:10:15PM +, Gibson, Brian (IMS) wrote: > > For the first time, I have a client that refused to let me use a wildcard > certificate. > So I submitted 6 separate CSRs and now have 6 separate certificates and 6 > separate keys. > The intermediate certificates all

[PATCH] MINOR: skip get_gmtime where tm is unused

2019-04-10 Thread Robin H. Johnson
For LOG_FMT_TS (%Ts), the tm variable is not used, so save some cycles on the call to get_gmtime. Backport: 1.9 1.8 Signed-off-by: Robin H. Johnson --- src/log.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/log.c b/src/log.c index f8d3414e2..39e472b33 100644 --- a/src/log.c +++ b/src

[PATCH 3/3] MEDIUM: lua: expose safe fetch/conv via val_args_flags

2018-12-15 Thread Robin H. Johnson
- distcc_param - bool - meth - json - field - word - regsub Initial-Discovery: Yue Zhu Signed-off-by: Robin H. Johnson Signed-off-by: Robin H. Johnson --- src/hlua.c | 28 +++- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/src/hlua.c b/src/hlua.c index a9d126b53

[PATCH 1/3] MINOR: samples: Prep for val_args_flags

2018-12-15 Thread Robin H. Johnson
.*kw_list.*ILH' -A5000 \ | sed -r -n '/struct sample_(conv|fetch)_kw_list\>/,/};/p' Initial-Discovery: Yue Zhu Signed-off-by: Robin H. Johnson Signed-off-by: Robin H. Johnson --- include/types/sample.h | 6 + src/51d.c | 4 +- src/backend.c | 28 ++--- src/connectio

[PATCH 2/3] MEDIUM: samples: add val_args_flags

2018-12-15 Thread Robin H. Johnson
-Discovery: Yue Zhu Signed-off-by: Robin H. Johnson Signed-off-by: Robin H. Johnson --- include/types/sample.h | 22 -- src/51d.c | 2 ++ src/hlua.c | 3 +++ src/map.c | 1 + src/payload.c | 2 ++ src/proto_http.c | 1

Re: [PATCH] BUG/MEDIUM: Expose all converters & fetches

2018-12-13 Thread Robin H. Johnson
On Fri, Dec 07, 2018 at 01:14:47PM +0100, Willy Tarreau wrote: > I had a quick look, some converters use check_operator() which creates > a variable upon each invocation of the parsing function. Some people > might inadvertently get caught by using these ones to look up cookie > values or session

rsync deny & healthcheck

2018-12-11 Thread Robin H. Johnson
Seeing the MQTT CONNECT parsing recently, I thought to share my draft work in rsync balancing: - Lua to generate deny messages for rate-limited clients - tcp-check to check rsync health https://gist.github.com/robbat2/2c8414bd617c013be12cb9b41830e010 I want to try and finish my lua-check code,

[PATCH] BUG/MEDIUM: Expose all converters & fetches

2018-12-06 Thread Robin H. Johnson
m/haproxy/haproxy/commit/594afe76e4694d9faf281ae87f2d026506f7a9d9#diff-fc1678dd7de891cf951a19f59a9a7375R4003 [5] https://gist.github.com/robbat2/6c75f78e0d857b6d8649d591bc44c452 Initial-Discovery: Yue Zhu Tracing: Robin H. Johnson Signed-off-by: Robin H. Johnson Signed-off-by: Robin H. Johnson --- src/hlua.c | 15 ---

Re: Design Proposal: http-agent-check, explict health checks & inline-mode

2018-10-29 Thread Robin H. Johnson
On Sat, Oct 27, 2018 at 01:52:29PM +0200, Aleksandar Lazic wrote: > > Right now, if you want to use load feedback for weights, you either need > > something entirely out-of-band from the servers back to HAProxy, or you > > have to use the agent-check option and run a separate health agent. > >

design proposal: lua-agent-check

2018-10-26 Thread Robin H. Johnson
As a followup to the http-agent-check design idea, I wondered if implementing a general-case lua-agent-check mode would be beneficial. lua-agent-check keyword would take one parameter, the name of a function that can be called to determine the health of a server. The finer details about the

Design Proposal: http-agent-check, explict health checks & inline-mode

2018-10-26 Thread Robin H. Johnson
Hi, This is something I have a vague recollection of existing somewhere, but didn't find any leads in documentation or source. Right now, if you want to use load feedback for weights, you either need something entirely out-of-band from the servers back to HAProxy, or you have to use the

url_param not matching key-only params (also testcases for fetchers)

2018-07-16 Thread Robin H. Johnson
I looked in tests & reg-tests, but didn't see any clear way to add tests for verifying that fetchers work correctly. I think my co-worker found an edge-case on smp_fetch_url_param/smp_fetch_param. Trying to identify URLs that have a URL parameter set, that MIGHT not have a value. This is

Limiting bandwidth of connections

2017-05-10 Thread Robin H. Johnson
Hi, I'm wondering about the status of bandwidth limiting that was originally planned for 1.6. In the archives I see discussions in 2012 & 2013; Willy's responses: 2012-04-17 planned for 1.6: https://www.mail-archive.com/haproxy@formilux.org/msg07096.html 2013-05-01 planned for 1.6:

Re: Introduction and small changes to HAProxy for adding custom errorfiles for 401 and 407 http status page

2017-02-11 Thread Robin H. Johnson
On Sat, Feb 11, 2017 at 07:17:20PM +0100, Michael Hamburger wrote: > If you nonetheless like a git patch I will try to send one. Please do send a patch, it's a LOT easier to review, and if it's good, it can be applied with your name on it :-). If you have all of your changes in a single commit,

Re: [PATCH] MEDIUM: ssl: Add TLS-PSK client and server side support

2017-02-03 Thread Robin H. Johnson
On Fri, Feb 03, 2017 at 02:19:29AM +0100, Nenad Merdanovic wrote: > +psk-file > + Enables use of PSK cipher suites with PSKs stored in the specified file. > + The entries should be in form "identity:key", one per line. > + Rather than new file handling routine, could you instead hook this into

Re: HAProxy Lua Map.end & reserved keywords

2017-01-12 Thread Robin H. Johnson
On Wed, Jan 11, 2017 at 12:17:26PM +0100, Willy Tarreau wrote: > On Mon, Jan 09, 2017 at 08:47:17PM +0000, Robin H. Johnson wrote: > > Maybe Willy would consider changing the name of the matches to 'prefix' > > & 'suffix' instead of 'beg' & 'end', and just keep beg/e

Re: HAProxy Lua Map.end & reserved keywords

2017-01-09 Thread Robin H. Johnson
On Mon, Jan 09, 2017 at 07:49:40PM +0100, thierry.fourn...@arpalert.org wrote: > > I see two potential ways forward: > > a) Map['end'] # works right now, but ugly > > b) Map.match_end # intent is much clearer > Hi, thanks for your comment! You're absolutely right. This keyword > doesn't run because

HAProxy Lua Map.end & reserved keywords

2017-01-09 Thread Robin H. Johnson
TL;DR: 'end' is a reserved Lua keyword, and cannot be used as a structure member as in Map.end. Need to change the naming of constants maybe? http://www.arpalert.org/src/haproxy-lua-api/1.7/index.html#map-class > -- Create and load map > geo = Map.new("geo.map", Map.ip); Now if you want to use

[PATCH v2] MINOR: cfgparse: Allow disable of stats

2017-01-02 Thread Robin H. Johnson
' option just disables the stats without generating the warning message; it uses the exact same means to disable the stats as used by the warning path. Changes since v1: Free uri_auth structure as suggested by Willy Tarreau <w...@1wt.eu>. X-Backport: 1.7 Signed-off-by: Robin H. Johnson

Re: [PATCH] MINOR: http: custom status reason.

2017-01-02 Thread Robin H. Johnson
On Mon, Jan 02, 2017 at 11:47:36AM +0100, Willy Tarreau wrote: > On Sun, Jan 01, 2017 at 01:10:52PM -0800, Robin H. Johnson wrote: > > The older 'rsprep' directive allows modification of the status reason. > > > > Extend 'http-response set-status' to take an optional string

[PATCH-1.6] MINOR: http: custom status reason.

2017-01-01 Thread Robin H. Johnson
set_status Signed-off-by: Robin H. Johnson <robb...@gentoo.org> (cherry picked from commit 4ce5080b32cfc8591f5639e740a1a83079e9a308) --- doc/configuration.txt | 9 ++--- doc/lua-api/index.rst | 11 +++ include/proto/proto_http.h | 2 +- includ

[PATCH-1.7] MINOR: http: custom status reason.

2017-01-01 Thread Robin H. Johnson
set_status Signed-off-by: Robin H. Johnson <robb...@gentoo.org> (cherry picked from commit 4ce5080b32cfc8591f5639e740a1a83079e9a308) --- doc/configuration.txt | 9 ++--- doc/lua-api/index.rst | 11 +++ include/proto/proto_http.h | 2 +- includ

git.haproxy.org down?

2017-01-01 Thread Robin H. Johnson
fatal: unable to access 'http://git.haproxy.org/git/haproxy.git/': Failed to connect to git.haproxy.org port 80: Connection refused -- Robin Hugh Johnson E-Mail : robb...@orbis-terrarum.net Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 ICQ# : 30269588 or 41961639 GnuPG

[PATCH] MINOR: http: custom status reason.

2017-01-01 Thread Robin H. Johnson
set_status Signed-off-by: Robin H. Johnson <robb...@gentoo.org> --- doc/configuration.txt | 9 ++--- doc/lua-api/index.rst | 11 +++ include/proto/proto_http.h | 2 +- include/types/action.h | 1 + include/types/applet.h |

[RFC] Setting custom reasons with http-response: optional param vs new directive

2016-12-29 Thread Robin H. Johnson
'rsprep' allows modification of the reason text, for custom status reasons. 'http-response set-status' however just uses the hard-coded reason for each status code. Should set-status get an additional optional second parameter of a string, or should we add a set-reason directive instead? The

[PATCH] MINOR: cfgparse: Allow disable of stats

2016-12-15 Thread Robin H. Johnson
' option just disables the stats without generating the warning message; it uses the exact same means to disable the stats as used by the warning path. This patch should be back-ported to 1.7. Signed-off-by: Robin H. Johnson <robb...@gentoo.org> --- doc/configuration.txt | 12 +++