Links on haproxy.org using http

2022-12-03 Thread Shawn Heisey
Since the release of 2.7.0, I changed the repository I build to 2.7 instead of master.  I was noticing that some of the links in the table at the top of haproxy.org are http instead of https. All the links under Branch plus the git, web, and bugs links under Links are http. Those webservers

Possible problem with custom error pages -- backend server returns 503, haproxy logs 503, but the browser gets 403

2022-08-22 Thread Shawn Heisey
Here is the full haproxy -vv: HAProxy version 2.7-dev4-16972e-5 2022/08/22 - https://haproxy.org/ Status: development branch - not safe for use in production. Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open Running on: Linux 5.15.0-1017-aws #21~20.04.1-Ubuntu SMP Fri Aug

haproxy listening on lots of UDP ports

2022-08-05 Thread Shawn Heisey
I am running haproxy in a couple of places.  It is listening on multiple seemingly random high UDP ports. The one running "2.6.2-ce3023-30 2022/08/03" has the following ports.  This server is in AWS.  The first three lines are expected: elyograg@bilbo:/var/log$ sudo lsof -Pn -i | grep

Re: Thoughts on QUIC/HTTP3

2022-07-09 Thread Shawn Heisey
On 7/9/22 18:08, William Lallemand wrote: But is there any certificates in the /opt/quictls/ssl/certs/ directory ? No, it is empty.  I didn't think to actually look inside it because it didn't occur to me that it would be empty.  I just checked an install of stock openssl 3 and it also has

Re: Thoughts on QUIC/HTTP3

2022-07-08 Thread Shawn Heisey
On 7/8/22 03:30, William Lallemand wrote: HAProxy uses the ca-certificates provided by OpenSSL. The SSL_CERT_DIR by default is set to the "certs" directory inside your openssldir. You can check your openssldir by using the "openssl" binary you compiled with your library (not the one of your

Re: Thoughts on QUIC/HTTP3

2022-07-07 Thread Shawn Heisey
On 7/6/22 09:50, Илья Шипицин wrote: haproxy is built in CI against latest quictls, for example quictls-3.0.5 https://github.com/haproxy/haproxy/runs/721404?check_suite_focus=true please open an issue on github with failure details, no known build failures so far Shortly after I saw

Re: Thoughts on QUIC/HTTP3

2022-07-06 Thread Shawn Heisey
On 5/31/22 08:16, Amaury Denoyelle wrote: Thanks for continuing your journey on HTTP/3 :) Yesterday I pulled down the haproxy 2.6 and quictls git repos. The branch for quictls was openssl-3.0.4+quic.  I built and installed quictls and then haproxy. This combination is working better

Re: haproxy 2.6.0 and quic

2022-06-03 Thread Shawn Heisey
On 6/3/22 06:47, Markus Rietzler wrote: my build command was make TARGET=linux-glibc USE_OPENSSL=1 SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib64 LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" ADDLIB="-lz -ldl" USE_ZLIB=1 USE_PCRE=1 USE_PCRE=yes USE_LUA=1 LUA_LIB_NAME=lua5.3 

Re: Thoughts on QUIC/HTTP3

2022-05-29 Thread Shawn Heisey
On 5/29/2022 12:49 PM, Илья Шипицин wrote: roundcube runs automatic browser tests https://github.com/roundcube/roundcubemail/runs/6642129873?check_suite_focus=true I think we can try to run those tests with haproxy between browser and roundcube That looks cool.  Are there instructions

Re: Thoughts on QUIC/HTTP3

2022-05-29 Thread Shawn Heisey
On 4/29/2022 10:10 AM, Shawn Heisey wrote: I did a build and install this morning, a bunch of quic-related changes in that.  Now everything seems to be working on my paste site.  Large pastes work, and I can reload the page a ton of times without it hanging until browser restart. I have

Re: What does HAProxy do?

2022-05-24 Thread Shawn Heisey
On 5/24/22 07:01, Turritopsis Dohrnii Teo En Ming wrote: Subject: What does HAProxy do? Good day from Singapore, I notice that my company/organization uses HAProxy. What does it do? How do I setup and configure it? Are there excellent and well written guides on doing so? The first hit on a

Re: Latest http/3 info

2022-05-08 Thread Shawn Heisey
On 5/8/2022 3:16 AM, Willy Tarreau wrote: There's no good solution to this, except by forcing the exact address yourself. The BSD socket API doesn't permit sending UDP packets from a specific source, so the commonly used approach for clients is to bind while sending the first packet, but that

Re: Latest http/3 info

2022-05-07 Thread Shawn Heisey
On 5/7/2022 9:11 AM, Shawn Heisey wrote: A couple of days ago I noticed that quictls had made a 3.0.3 version available.  I upgraded and then tried to rebuild haproxy (master branch).  The compile failed.  Don't they know they shouldn't change API in a point release?  (It's not even a good

Latest http/3 info

2022-05-07 Thread Shawn Heisey
A couple of days ago I noticed that quictls had made a 3.0.3 version available.  I upgraded and then tried to rebuild haproxy (master branch).  The compile failed.  Don't they know they shouldn't change API in a point release?  (It's not even a good idea in a minor release unless there is

Re: Can HAProxy function as a firewall?

2022-05-04 Thread Shawn Heisey
On 5/4/22 05:30, Tom Browder wrote: From what I've seen of HAProxy's configuration, it seems it may be able to be used as an easy-to-configure firewall immediately downstream from my ISP's router and inside a small Debian computer feeding another router. Does that sound feasible? Or is there

Re: PEM Certificates for HAproxy

2022-04-29 Thread Shawn Heisey
On 4/29/22 12:42, Branitsky, Norman wrote: If you include the following in your HAProxy configuration global section you don't need to include DH Params in the certificate: tune.ssl.default-dh-param 2048 It takes several minutes to generate params, so I doubt that with that option that

Re: PEM Certificates for HAproxy

2022-04-29 Thread Shawn Heisey
On 4/29/22 11:16, Henning Svane wrote: I have tried to build a PEM Certificate, but with no luck. What should it include and in which order? I use certs issued by LetsEncrypt. My certificate file that I use for haproxy and most other software doing TLS has four PEM-encoded items in it:

Re: Thoughts on QUIC/HTTP3

2022-04-29 Thread Shawn Heisey
On 4/25/22 10:55, Shawn Heisey wrote: I was testing with the master branch from https://github.com/haproxy/haproxy.git. Just pulled down the latest changes, built it, and installed it.  Now I am sometimes seeing different behavior on the large POST.  It will load a page quickly sometimes

Re: Thoughts on QUIC/HTTP3

2022-04-25 Thread Shawn Heisey
On 4/25/22 08:13, Amaury Denoyelle wrote: I would not put too much faith in it for the near future. The OpenSSL team seems to have put aside a simple QUIC API integration in favor of a brand new full QUIC stack, which should take quite some time. So for now, manually rebuilding your SSL library

Thoughts on QUIC/HTTP3

2022-04-23 Thread Shawn Heisey
After seeing http/3 (orange lightning bolt with the HTTP Version Indicator extension) talking to a lot of websites, I had thought the standard was further along than it is.  I see that the openssl team is discussing it, and plans to fully embrace it, but hasn't actually started putting QUIC

Re: HTTP/3 -- POST requests not working

2022-04-15 Thread Shawn Heisey
On 4/15/22 06:40, Shawn Heisey wrote: The 403 is random.  While clicking around in my webmail, going to different folders, I occasionally see a red box that has an error message pop up, an error message I can't recall at the moment. That's when the 403 is logged. I noticed there was another

Re: HTTP/3 -- POST requests not working

2022-04-15 Thread Shawn Heisey
On 4/15/2022 1:20 AM, Amaury Denoyelle wrote: Hum this is strange. Do you have a way to reproduce it easily ? The 403 is random.  While clicking around in my webmail, going to different folders, I occasionally see a red box that has an error message pop up, an error message I can't recall at

Re: HTTP/3 -- POST requests not working

2022-04-14 Thread Shawn Heisey
On 4/14/22 03:27, Amaury Denoyelle wrote: So to summarize, this option should be activated if you only have browsers as client and the traffic is big enough to saturate haproxy queues. I hope this will clarify your thoughts, Thanks for that detail.  For these setups, I really doubt that there

Re: HTTP/3 -- POST requests not working

2022-04-13 Thread Shawn Heisey
On 4/13/22 02:42, Amaury Denoyelle wrote: Ok this seems related to 'option abortonclose'. Without this, I do not have a 400 error. Can you confirm this behavior on your side, please? If I remove that, it works.  I can have my webmail served via http/3 and login still works, which it

Re: [EXTERNAL] Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 19:20, Shawn Heisey wrote: https://paste.elyograg.org/view/bd5df44d I repeated it, this time issuing the stream traces first, just in case the order of the trace commands might matter.  That's the sort of thing that shouldn't matter, https://paste.elyograg.org/view/22ddec0a

Re: [EXTERNAL] Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 16:06, Frederic Lecaille wrote: so this command: $ echo "trace quic sink buf0; trace quic level developer; trace quic verbosity clean; trace quic start now; trace qmux sink buf0; trace qmux level developer; trace qmux verbosity minimal; trace qmux start now; trace stream sink

Re: [EXTERNAL] Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 14:07, Frederic Lecaille wrote: Please, could you double check on your side that the "stream" traces are correctly enabled? Also ensure you provide us with traces dumped by haproxy when you validate the PHP form. These are the trace commands that I am sending to the stats socket:

Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 09:45, Amaury Denoyelle wrote: After much analysis of the code, it may be useful to have a run with the stream traces as well : $ trace stream sink buf0; trace stream level developer; trace stream verbosity clean; trace stream start now All 3 traces enabled, this time it should

Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 08:01, Shawn Heisey wrote: I didn't do the H3 debug yet, if you still need it after looking at the traces, let me know. You'll also need to tell me how to make those debugs active when I build haproxy. I figured this out.  I put those debug definitions in a DEBUG=

Re: HTTP/3 -- POST requests not working

2022-04-12 Thread Shawn Heisey
On 4/12/22 02:22, Amaury Denoyelle wrote: then you can display the traces with the following command : $ show events buf0 For the h3 layer, the trace mechanism is not currently implemented. You should instead recompile your haproxy binary with the DEBUG options : -DDEBUG_H3 -DDEBUG_QPACK and

Re: HTTP/3 -- POST requests not working

2022-04-11 Thread Shawn Heisey
On 4/11/2022 4:51 PM, Shawn Heisey wrote: I have a more reliable way of reproducing the problem.  Finally found a way to get a version of curl that supports http3.  On a machine with docker and Internet connectivity, run this command: sudo docker run -it --rm ymuski/curl-http3 curl -v https

Re: HTTP/3 -- POST requests not working

2022-04-11 Thread Shawn Heisey
On 4/11/2022 1:05 PM, Shawn Heisey wrote: I changed the backend to talk to nginx instead of apache.  It still throws a 400 when the POST is done via http/3.  It was an adventure trying to figure out how to allow POST requests in nginx.  The 400 appears to be coming from haproxy

Re: HTTP/3 -- POST requests not working

2022-04-11 Thread Shawn Heisey
On 4/11/22 12:16, Shawn Heisey wrote: Two different browsers have the same problem, so I am currently speculating that it's an issue with haproxy or apache.  I think I can install nginx without too much trouble ... I have almost no experience with it, so I get to learn something new

HTTP/3 -- POST requests not working

2022-04-11 Thread Shawn Heisey
Starting a new thread for this. I got HTTP/3 working with haproxy.  Everything seemed to be going great, and then I noticed that logins on PHP apps were getting a 400 response back.  At first I thought it might be something in PHP, but I have now eliminated PHP as the problem. I can

Re: QUIC and HTTP/3

2022-04-11 Thread Shawn Heisey
On 4/10/2022 11:32 PM, Willy Tarreau wrote: Interesting, and not much surprising, given that SSL is handled a bit differently. I suspect we'll see other funny stuff. By the way, if you're receiving this in the second process from the first one and the first one is using HTTP to connect to the

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 5:54 PM, Shawn Heisey wrote: That would be a much simpler setup than duplicating the entire front end so one handles TCP and the other UDP.  I will do that. And if a future version enables ssl_fc for quic with TLS, I can drop that frontend. This is what I have done

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 5:51 PM, John Lauro wrote: If you always redirect 80 to 443 then you could do a separate frontend for port 80 that always redirects (one simple rule) then you don't need to duplicate the rules.  If you have some sites you allow http, then the duplicates could get annoying,

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 4:48 PM, Shawn Heisey wrote: I think that's probably a bug.  A workaround could maybe be found, if there is another condition I can use for the redirect that will redirect tcp/80 connections but not tcp/443 or udp/443. I did think of a workaround.  I can set up another frontend

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 4:35 PM, Shawn Heisey wrote: I *DID* have it working.  It seems to have stopped working and I do not know what I did to break it. :)  The http/3 checker page still says everything's OK. Ah, I figured it out!  It seems that ssl_fc is not set to true for encrypted quic

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 4:16 PM, Shawn Heisey wrote: I have this working. I *DID* have it working.  It seems to have stopped working and I do not know what I did to break it. :)  The http/3 checker page still says everything's OK.

Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/9/2022 3:30 AM, Willy Tarreau wrote: I'd encourage you to place QUIC in a separate haproxy process. I have this working. On another system where things are less important, I want to try and run it all in one haproxy process.  Is that doable? I added the new bind line, put the alt-svc

Possible bug in stats page dark mode

2022-04-10 Thread Shawn Heisey
On the dark mode stats page served by version 2.6-dev5, the frontend or backend description is grey text on a white background.  It's very hard to read. This problem can't be seen on stats.haproxy.org, possibly because the frontend and backend configs do not have any descriptions. Thanks,

Re: [EXTERNAL] Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 10:38 AM, Shawn Heisey wrote: Now that I've dealt with all the problems, I'm having fun with it.  Thanks to all who provided help on getting QUIC working. I spoke a little too soon. When I would visit the stats URL, I only got the 2.4.15 page, not the newer one.  I thought I

Re: [EXTERNAL] Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 10:19 AM, Shawn Heisey wrote: After a whole bunch of OTHER config issues dealt with, I now have the following website using http3.  Green lightning bolt in Chrome and orange in Firefox. I get a green lightning bolt in both chrome and firefox now.  Not sure why it was orange

Re: [EXTERNAL] Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 8:09 AM, Shawn Heisey wrote: I still have config errors. I figured out why I was getting those errors.  When I stated that the build worked, I had done the "make" command manually.  Then I updated my script and ran that to build and install haproxy. Turns out t

Re: [EXTERNAL] Re: QUIC and HTTP/3

2022-04-10 Thread Shawn Heisey
On 4/10/2022 3:41 AM, Frederic Lecaille wrote: Here is a "bind" line example (SSL must be enabled as for TCP) for a QUIC/h3 listener: bind quic4@ ssl crt proto quic alpn h3 Frederic is replying only to me, not including the list. I'm following the advice from Willy to put quic handling
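The bind line Frederic quotes above, the alt-svc header mentioned earlier in this thread, and John Lauro's suggestion of a separate port-80 frontend (so the redirect never has to test ssl_fc on the QUIC side), put together as one configuration. This is an added example, not a config from the thread or from the haproxy project: the certificate path, backend name, addresses and alt-svc max-age are placeholders, and it uses the 2.6 release syntax, where the quic4@ address prefix is what selects QUIC on a bind line (the proto quic of the dev-branch example is assumed no longer needed).

```haproxy
# Added example; paths, names and addresses are placeholders.

frontend fe-http
    # Plain HTTP only ever redirects, so nothing here depends on ssl_fc.
    bind :80
    http-request redirect scheme https code 301

frontend fe-https
    # TCP listener: HTTP/2 and HTTP/1.1 over TLS.
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    # UDP listener on the same port number: HTTP/3 over QUIC, same
    # certificate. The quic4@ prefix selects QUIC; browsers negotiate h3.
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3

    # Advertise HTTP/3 on every response; browsers remember it for
    # max-age (ma) seconds and use QUIC on their next connection.
    http-response set-header alt-svc 'h3=":443"; ma=900'

    # Everything below applies to TCP and QUIC clients alike.
    # Drop any client-supplied X-Forwarded-For before adding our own,
    # so a client cannot spoof its address towards the backend.
    http-request del-header X-Forwarded-For
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    default_backend be-app

backend be-app
    server app1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f` before reloading, and remember that UDP/443 has to be open on any firewall or security group in front of the host; the docker curl-http3 command quoted further up this thread is a convenient way to confirm that the h3 listener actually answers.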

Re: [EXTERNAL] Re: QUIC and HTTP/3

2022-04-09 Thread Shawn Heisey
The message I am replying to did not go to the list. On 4/9/2022 5:10 PM, Frederic Lecaille wrote: So, try to replace /opt/quictls/lib path by /opt/quictls/lib64 You caught me, I made an unwarranted assumption.  I assumed that the info gotten from Илья Шипицин was correct, and copied the

Re: QUIC and HTTP/3

2022-04-09 Thread Shawn Heisey
On 4/9/2022 11:59 AM, Илья Шипицин wrote: please share commands you used for build For quictls: cd /usr/local/src sudo mkdir quictls sudo chown -R elyograg:elyograg quictls git clone g...@github.com:quictls/openssl.git quictls cd quictls ./config enable-tls1_3 --prefix=/opt/quictls make clean

Re: QUIC and HTTP/3

2022-04-09 Thread Shawn Heisey
On 4/9/2022 3:30 AM, Willy Tarreau wrote: On Sat, Apr 09, 2022 at 09:21:31AM +0500, ??? wrote: there are missing bits ... https://github.com/haproxy/haproxy/blob/master/INSTALL#L392 Yep and it does work, as I've applied it as-is two weeks ago and it worked. It didn't work for me on

Re: QUIC and HTTP/3

2022-04-09 Thread Shawn Heisey
On 4/9/2022 3:30 AM, Willy Tarreau wrote: Shawn, however, please use the latest 2.6-dev for QUIC. A lot of progress has been made since 2.5, so much that it has been running for one week on haproxy.org without major issues. I'm going to issue 2.6-dev5 today so I would suggest starting from this

QUIC and HTTP/3

2022-04-08 Thread Shawn Heisey
I've been trying to figure out a way to get haproxy doing QUIC.  If I add USE_QUIC=1 then compiling fails on the latest code for both 2.4 and 2.5. I may have uncovered something significant -- QUIC may require BoringSSL.  I cloned the boringssl repo, and figured out how to build it.  But I

Re: Specific kind of 404 handling

2022-03-28 Thread Shawn Heisey
On 3/28/22 03:21, Andrew Smalley wrote: Now the unknown host header, you want this.com and the user requests that.com and now what do we do? add a host header? reject by host header Handling invalid host headers like I want was already done, by the default virtualhost in Apache. I managed

Specific kind of 404 handling

2022-03-26 Thread Shawn Heisey
I would like to do a specific kind of 404 handling.  I did look for a way to do this before asking here.  I bet it's out there, I just haven't found the right search keywords. I have a virtualhost in Apache ... it is the first virtualhost in /etc/apache2/sites-enabled, configured without

Re: Self-signed cert at haproxy, formal cert on backend web server

2022-03-18 Thread Shawn Heisey
On 3/18/2022 9:28 AM, Moore, Dan [TREAS] wrote: This all works except the client browser is showing the connection as insecure. Would a formal certificate at haproxy fix this or is there another way to keep the browser happy using the self-signed cert? The config I'm using is below. Thanks!

Re: Is there some kind of program that mimics a problematic HTTP server?

2022-03-01 Thread Shawn Heisey
On 3/1/2022 4:27 PM, Aleksandar Lazic wrote: I don't know such a tool but this sounds like an interesting project idea. Maybe some parts could be done via LUA but as HAProxy internally handle a lot of errors it could be tricky to force HAProxy to behave "weird" and not standard compliant.

Re: Is there some kind of program that mimics a problematic HTTP server?

2022-03-01 Thread Shawn Heisey
On 3/1/2022 4:46 PM, Camilo Lopez wrote: If I read your question correctly maybe https://github.com/Shopify/toxiproxy can help? That looks interesting. I'll need to investigate. But I really would like such a proxy to handle SSL and HTTP like haproxy

Is there some kind of program that mimics a problematic HTTP server?

2022-03-01 Thread Shawn Heisey
I was thinking about ways to help pinpoint problems a client is having connecting to services.  And a thought occurred to me. Is there any kind of software available that can stand up a broken HTTP server, such that it is broken in very specific and configurable ways? Imagine a bit of

Re: HAProxy thinks Plex is down when it's not

2022-02-20 Thread Shawn Heisey
On 2/19/2022 9:46 AM, Moutasem Al Khnaifes wrote: I use HAProxy to get access to NextCloud and Plex from outside the network. but for some reason HAProxy thinks that Plex is down, and the status page is inaccessible Here's my plex backend which has not failed me yet. Currently running

Is "http-request del-header" case sensitive?

2022-01-06 Thread Shawn Heisey
Running haproxy 2.4.10. Trying to find out if "http-request del-header" is case-sensitive.  I have the following in my front end and would like to know if I need all of them or if I can reduce the list:     http-request del-header x-forwarded-for     http-request del-header

Re: How to compile with packaged openssl when custom openssl installed?

2021-11-07 Thread Shawn Heisey
On 11/6/2021 3:22 AM, Erwan Le Pape wrote: Try building with SSL_INC=/usr/include and you should be good to build. When running HAProxy you'll have to make sure that the library resolution order is consistent with the library you linked against (ie. /usr/local/lib is searched after /usr/lib)

Re: How to compile with packaged openssl when custom openssl installed?

2021-11-04 Thread Shawn Heisey
On 11/4/21 7:55 AM, Willy Tarreau wrote: Normally you just have to specify SSL_INC and SSL_LIB at build time to specify the one you want to build with. I'm doing exactly this when I want to build with older versions: I tried this.  My make command (building 2.4.8) had these env additions:    

Re: How to compile with packaged openssl when custom openssl installed?

2021-11-03 Thread Shawn Heisey
On 11/3/21 10:56 AM, Shawn Heisey wrote: Everything I have seen says that haproxy's build system is ignoring the SSL_INC and SSL_LIB settings I told it to use, and autodetecting the openssl in /usr/local. I thought the following patch would take care of it, but it did not work.  So I

Re: How to compile with packaged openssl when custom openssl installed?

2021-11-03 Thread Shawn Heisey
On 11/3/21 9:25 AM, Илья Шипицин wrote: you either need to specify LD_LIBRARY_PATH or add rpath during link, here's example how to use rpath via ADDLIB haproxy/.travis.yml at 57610c694e56a6b0d55bf42f1170bad93b7b3297 · haproxy/haproxy (github.com)

How to compile with packaged openssl when custom openssl installed?

2021-11-03 Thread Shawn Heisey
I ran into a problem when I compiled haproxy 2.4.8.  I had installed openssl 3.0.1-dev from source between installing haproxy 2.4.7 and 2.4.8, and haproxy's build system picked up the newer openssl instead of the one packaged by Ubuntu. I tried adding SSL_INC and SSL_LIB to my make command:  

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-29 Thread Shawn Heisey
On 10/29/21 3:58 AM, Emerson Gomes wrote: If you want "definitive proof" that you're not using AES-NI instructions during your benchmark, you could simply compile OpenSSL (and then HAproxy, linking it to this OpenSSL version) passing "-noaes" flag to GCC in the process. I know from other

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-28 Thread Shawn Heisey
On 10/28/21 2:11 PM, Lukas Tribus wrote: You would have to run a single request causing a large download, and run haproxy through a cpu profiler, like perf, and compare outputs. I am learning all sorts of useful things. I see evidence of acceleration when pulling a large file with curl! 

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-28 Thread Shawn Heisey
On 10/28/21 10:02 AM, Lukas Tribus wrote: You seem to be trying very hard to find a problem where there is none. Definitely do NOT overwrite CPU flags in production. This is to *test* AES acceleration, I put the link to the blog post in there for context, not because I think you need to force

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-28 Thread Shawn Heisey
On 10/28/21 7:34 AM, Shawn Heisey wrote: Does haproxy's use of openssl turn on the same option that the commandline does with the -evp argument?  If it does, then I think everything is probably OK. Running "grep -r EVP ." in the haproxy source tree turns up a lot of hits in t

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-28 Thread Shawn Heisey
On 10/28/21 12:31 AM, Lukas Tribus wrote: You want evidence. That would be preferred, yes. Then get a raspberry pi, and run haproxy manually, fake the cpu flag aes-ni and it should crash when using aes acceleration, because the cpu doesn't support it.

Re: Does haproxy utilize openssl with AES-NI if present?

2021-10-27 Thread Shawn Heisey
On 10/27/2021 2:54 PM, Lukas Tribus wrote: I'd be surprised if the OpenSSL API calls we are using doesn't support AES-NI. Honestly that would surprise me too. But I have no idea how to find out whether it's using the acceleration or not, and the limited (and possibly incorrect) evidence I

Does haproxy utilize openssl with AES-NI if present?

2021-10-27 Thread Shawn Heisey
I am building haproxy from source. For some load balancers that I used to manage, I also built openssl from source, statically linked, and compiled haproxy against that, because the openssl included with the OS (CentOS 6 if I recall correctly) was ANCIENT.  I don't know how to get haproxy to

Re: Help

2021-07-07 Thread Shawn Heisey
On 7/7/2021 6:45 AM, Anilton Silva Fernandes wrote: Hi there. Can I get some help from you. I’m configuring HAProxy as a frontend on HTTPS with centified and I want clients to be redirect to BACKEND on HTTPS as well (443) but I want clients to see only HAProxy certificate, as the backend

Apache/mod_wsgi complaining that the client closed the connection

2021-07-04 Thread Shawn Heisey
I have an application behind haproxy 2.4.1 that is wsgi -- python.  It is this one: https://github.com/atoponce/d-note It appears to work perfectly, but the Apache error log shows this every time the page is loaded: [Sun Jul 04 13:06:09.790898 2021] [wsgi:error] [pid 23697:tid

OT: About WebPageTest results (was Re: SSL Labs says my server isn't doing ssl session resumption)

2021-06-21 Thread Shawn Heisey
On 2021-06-20 06:03, Shawn Heisey wrote: Unrelated, and off topic because it's mostly about Apache, but strange: I've been doing some tests with webpagetest.org, and seeing REALLY long load times for some resources in their waterfall graph. I see no speed problems when I load the pages from my

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/20/2021 3:16 PM, Lukas Tribus wrote: It's a haproxy bug, affecting 2.4 releases, I've filed an issue in our tracker: https://github.com/haproxy/haproxy/issues/1297 Almost always when I report a problem I'm having with a mature piece of software, I expect the issue to be PEBCAK, not an

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/20/2021 1:52 AM, Lukas Tribus wrote: Can you try disabling threading, by putting nbthread 1 in your config? That didn't help. From testssl.sh: SSL Session ID support yes Session Resumption Tickets: yes, ID: no An upgrade to 2.4.1 would also be advisable, it actually

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-20 Thread Shawn Heisey
On 6/17/2021 1:01 AM, Willy Tarreau wrote: I don't know if the config is responsible for this but I've just tested on haproxy.org and it does work there: Session resumption (caching) Yes Session resumption (tickets) Yes Many thanks to everyone who replied, and countless

Re: SSL Labs says my server isn't doing ssl session resumption

2021-06-19 Thread Shawn Heisey
On 6/16/2021 9:26 AM, Lukas Tribus wrote: That is not true, you can disable TLS tickets and still get resumption on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID caching. What do you see with testssl.sh ? That was an interesting rabbit hole. Finally got it downloaded

SSL Labs says my server isn't doing ssl session resumption

2021-06-11 Thread Shawn Heisey
I'm fiddling with ssl labs to see how I can improve my TLS setup. Here's what they say about a site I have behind haproxy with TLS: https://www.elyograg.org/foo/haproxy-ssllabs-session-resumption-not-working.png They claim that session resumption isn't working. I'm hoping that I've just done

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-10 Thread Shawn Heisey
On 6/8/2021 1:47 AM, Remi Tricot-Le Breton wrote: OCSP stapling won't work on any version that shows this warning (for this specific response). But apart from that, everything else should work fine, that's why you only get a warning when parsing the configuration file. If you are positive that

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-06 Thread Shawn Heisey
On 6/5/2021 10:47 PM, Shawn Heisey wrote: On 6/5/2021 9:30 PM, Shawn Heisey wrote: [WARNING]  (81457) : Loading: OCSP response status not successful. Content will be ignored. Another self-followup: Apparently that warning also happens with 1.8.22 ... I was unaware of this, as I haven't

Re: Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-05 Thread Shawn Heisey
On 6/5/2021 9:30 PM, Shawn Heisey wrote: [WARNING]  (81457) : Loading: OCSP response status not successful. Content will be ignored. I deleted the .ocsp file sitting next to the certificate file, and now when I check the config file, it's says it's valid with no other messages. root@smeagol

Upgrading from 1.8 to 2.4, getting warning I can't figure out

2021-06-05 Thread Shawn Heisey
I am upgrading haproxy on my servers from 1.8.22 to 2.4.0. I have been slowly working to fix the messages that I get when I check the config file. I have one left, but I cannot find any info about how to fix it: [WARNING] (81457) : Loading: OCSP response status not successful. Content will

Re: Idea + question regarding the build targets

2019-06-15 Thread Shawn Heisey
On 6/15/2019 2:54 AM, Willy Tarreau wrote: Actually maybe we should have some super-options separate from the target to decide what feature set to enable. Instead of having just TARGET being mandatory, we could have both TARGET and OPTIONS for example. Then one could just build like this :

Re: Idea + question regarding the build targets

2019-06-14 Thread Shawn Heisey
On 6/14/2019 7:01 AM, Willy Tarreau wrote: OK. When discussing this with William, we figured it could be interesting instead to have some aliases which are maybe more symbolic, such as : - linux-complete : full set of supported features, will simply fail if you don't have all libs

Re: haproxy architecture

2019-05-20 Thread Shawn Heisey
On 5/20/2019 6:58 AM, Jeff Abrahamson wrote: We set up an haproxy instance to front several rails servers.  It's working well, so we're quickly wanting to use it for other services. Since the load on the haproxy host is low (even miniscule), we're tempted to push everything through a single

Re: DDoS protection: ban clients with high HTTP error rates

2019-01-23 Thread Shawn Heisey
On 1/23/2019 8:16 AM, Marco Colli wrote: 1. Based on advanced conditions (e.g. current user) our Rails application decides whether to return a normal response (e.g. 2xx) or a 429 (Too Many Requests); it can also return other errors, like 401 2. HAProxy bans clients if they produce too many 4xx
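Marco's two-part design above (the application decides what is a 4xx, haproxy counts them per client address and refuses further requests from an address whose error rate is too high), as an added haproxy configuration that is not from the thread. The frontend and backend names, addresses, table size, threshold and window are assumed.

```haproxy
# Added example; names, addresses and numbers are placeholders.

frontend fe-web
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # One entry per client IP. http_err_rate(10s) is the number of 4xx
    # responses seen for that IP over a sliding 10 s window (429s and
    # 401s from the Rails app both count; 5xx do not).
    stick-table type ip size 100k expire 60s store http_err_rate(10s)

    # Start counting for this client before any other decision is made.
    http-request track-sc0 src

    # More than 20 4xx responses in 10 s from one address: answer 429
    # ourselves until the rate drops back under the threshold.
    acl too_many_errors sc_http_err_rate(0) gt 20
    http-request deny deny_status 429 if too_many_errors

    default_backend be-rails

backend be-rails
    server rails1 10.0.0.11:3000 check
    server rails2 10.0.0.12:3000 check
```

Two things to verify on your own setup: `src` is the TCP peer, so behind a CDN or another proxy this would ban the proxy instead of the client; only switch the key to `hdr_ip(X-Forwarded-For)` if that header is set by a hop you trust and stripped from clients. And inspect the table with `show table fe-web` on the stats socket while testing, to see whether haproxy's own 429 denies are themselves counted in http_err_rate in your version, since that decides how long a client that keeps hammering stays blocked.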

Re: Trying to get logging above 1024 characters

2018-08-14 Thread Shawn Heisey
On 8/14/2018 3:06 PM, Cyril Bonté wrote: >> Is there any config that will successfully log the full request? > > Please read the documentation about the length option for the log > keyword, particularly the part about tune.http.logurilen ;-) Thank you! That fixed it, I'm now successfully

Trying to get logging above 1024 characters

2018-08-14 Thread Shawn Heisey
I'm trying with 1.8.13 to get full logging of requests that would push the syslog message beyond 1024 characters. I'm not having very good luck. I have this config in global: log 127.0.0.1 len 65535 format rfc5424 local0 log 127.0.0.1 len 65535 format rfc5424 local1 notice In some of

Re: Setting up per-domain logging with haproxy

2018-07-17 Thread Shawn Heisey
On 7/17/2018 2:17 PM, Jonathan Matthews wrote: > That's *entirely* your local syslog daemon's responsibility - > configure it appropriately, and it'll do what you want. I seem to remember there being logging options to have haproxy create logfiles directly, in addition to syslog. But now when I

Setting up per-domain logging with haproxy

2018-07-17 Thread Shawn Heisey
I have a setup that works like this: internet->haproxy->apache->tomcat I have been doing some experiments where the apache server is skipped, and traffic goes directly from haproxy to tomcat. These experiments have gone very well. Removing Apache from the mix would simplify things greatly. I

Re: 502 Bad Gateway

2018-05-08 Thread Shawn Heisey
On 5/7/2018 11:25 PM, UPPALAPATI, PRAVEEN wrote: > If I add ssl termination to the config: > > listen http_proxy-1000 > bind *:1000 ssl test.pem > mode http > option httplog > http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri] > option http_proxy > > I get

Re: Backup server takes too long to go active

2018-04-25 Thread Shawn Heisey
On 4/25/2018 1:29 AM, Lukas Tribus wrote: You seem to be able to reproduce this easily, so please share the logs when this happens including the requests (don't use dontlognull), so that we can see the server up/down events and all the successful and failing requests together with

Re: Backup server takes too long to go active

2018-04-24 Thread Shawn Heisey
On 4/24/2018 3:38 PM, Cyril Bonté wrote: On 24/04/2018 at 23:07, Shawn Heisey wrote: The configuration I had is with a backend that has two servers, one of them tagged as backup. This is the actual config that I had active when I saw the problem: backend be-cdn-9000 description Back

Backup server takes too long to go active

2018-04-24 Thread Shawn Heisey
I sent this query to the list previously nine days ago. I got no response. Trying again. == Kernel info: root@lb1:/etc/haproxy# uname -a Linux lb1 3.13.0-52-generic #86-Ubuntu SMP Mon May 4 04:32:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Here's the haproxy version output:

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-17 Thread Shawn Heisey
On 4/17/2018 2:54 PM, Lukas Tribus wrote: >> Originally, the "hollywood" entry on the be-cdn-9000 backend (which you can >> see at the config I linked above) had the backup keyword. But what I >> noticed happening was that when planet went down, it took about ten >> additional seconds (no precise

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-17 Thread Shawn Heisey
On 4/17/2018 3:41 AM, Willy Tarreau wrote: Here I'm afraid we're all wasting a lot of time trying to guess what you have in your config that causes the problem. It's OK if you cannot post your config here, but please at least post a smaller one reproducing the issue so that we can help you. I

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 1:46 PM, Willy Tarreau wrote: > On Mon, Apr 16, 2018 at 10:03:44AM -0600, Shawn Heisey wrote: >> I am curious about why I couldn't use "track". > "track" means that your current server will always be in the same state > as the designated on

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 6:43 AM, Jarno Huuskonen wrote: There's also http-check disable-on-404 (http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-http-check%20disable-on-404) I couldn't get this to work at first.  If I put the disable-on-404 option in the actual back end, it complains

Re: Version 1.5.12, getting 502 when server check fails, but server is still working

2018-04-16 Thread Shawn Heisey
On 4/16/2018 9:15 AM, Lukas Tribus wrote: Hello Shawn, please keep the mailing-list in the loop. Sorry about that.  Looks like the haproxy list doesn't set a reply-to header sending replies to the list.  Most mailing lists I have dealt with do this, so just hitting "reply" does the right
