Re: H2 Protocol Errors in HTX Mode (1.9.4 & 1.9.4-dev)

2019-03-23 Thread Willy Tarreau
Hi Luke, On Sat, Mar 23, 2019 at 02:52:26PM +0100, Luke Seelenbinder wrote: > Hi Willy, > > I just upgraded to 1.9.5, and this bug is still present (but seems to be > somewhat diminished). On 1.9.4, approximately 5 of these images failed to > load, on 1.9.5, it's usually 1 or 2. So overall it

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-23 Thread Willy Tarreau
Hi Nenad, On Sat, Mar 23, 2019 at 10:48:35AM +0100, Nenad Merdanovic wrote: > >CC src/ssl_sock.o > > src/ssl_sock.c: In function 'sample_conv_aes_gcm_dec': > > src/ssl_sock.c:9166:27: error: 'EVP_CTRL_AEAD_SET_IVLEN' undeclared (first > > use in this function) > >

Re: High p99 latency with HAProxy 1.9 in http mode compared to 1.8

2019-03-22 Thread Willy Tarreau
Hi Ashwin, We have found the root cause of this. The H2 streams were not getting the fairness they deserved due to their wake-up ordering : it happened very often that a stream interrupted on a ux buffer full condition could be placed at the end of the list and/or its place preempted by another

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-22 Thread Willy Tarreau
Hmmm sorry, but I'm getting this here : CC src/ssl_sock.o src/ssl_sock.c: In function 'sample_conv_aes_gcm_dec': src/ssl_sock.c:9166:27: error: 'EVP_CTRL_AEAD_SET_IVLEN' undeclared (first use in this function) src/ssl_sock.c:9166:27: note: each undeclared identifier is reported only once

Re: [PATCH] MINOR: ssl: Add aes_gcm_dec converter

2019-03-22 Thread Willy Tarreau
Hi Nenad, On Fri, Mar 22, 2019 at 12:02:24PM +0100, Nenad Merdanovic wrote: > The converter can be used to decrypt the raw byte input using the > AES-GCM algorithm, using provided nonce, key and AEAD tag. This can > be useful to decrypt encrypted cookies for example and make decisions > based on

Re: [PATCH] BUG/MINOR: log: properly format IPv6 address when LOG_OPT_HEXA modifier is used.

2019-03-22 Thread Willy Tarreau
Hi Radek, On Fri, Mar 22, 2019 at 10:21:54AM +, Radek Zajic wrote: > In lf_ip(), when LOG_OPT_HEXA modifier is used, there is a code to format the > IP address as a hexadecimal string. This code does not properly handle cases > when the IP address is IPv6. In such case, the code only prints

Re: [PATCH] ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites

2019-03-22 Thread Willy Tarreau
On Fri, Mar 22, 2019 at 11:26:31AM +0100, Emeric Brun wrote: > Hi Pierre, > > On 3/21/19 5:15 PM, Pierre Cheynier wrote: > > Any attempt to put TLS 1.3 ciphers on servers failed with output 'unable > > to set TLS 1.3 cipher suites'. > > > > This was due to usage of SSL_CTX_set_cipher_list

Re: 400 SC on h2 xhr post

2019-03-19 Thread Willy Tarreau
Hi Maximilian, On Tue, Mar 19, 2019 at 01:17:52PM +, Maximilian Böhm wrote: > 172.17.0.1:46372 [19/Mar/2019:12:10:43.465] [fntnd] [bknd] 0/0/0/-1/8 400 187 > - - CH-- 1/1/0/0/0 0/0 "POST [URL] HTTP/1.1" This one could indicate a client close while uploading the contents, but it could also

[ANNOUNCE] haproxy-1.9.5

2019-03-19 Thread Willy Tarreau
PI. BUG/MAJOR: tasks: Use the TASK_GLOBAL flag to know if we're in the global rq. BUG/MEDIUM: tasks: Make sure we wake sleeping threads if needed. MINOR: cfgparse: Add a cast to make gcc happier. Richard Russo (1): BUG/MAJOR: fd/threads, task/threads: ensure all spin locks

Re: Status Codes in H2 Mode

2019-03-19 Thread Willy Tarreau
On Tue, Mar 19, 2019 at 08:59:38AM -0400, Luke Seelenbinder wrote: > Makes sense, Willy. Thanks for continuing to investigate this. > > > I'm assuming that this is always reproducible with H2 on the front and > > H1 on the back. > > I have not tried it with H1 -> H1, but I assume that case works

Re: Status Codes in H2 Mode

2019-03-18 Thread Willy Tarreau
Hi Luke, On Mon, Mar 18, 2019 at 11:14:12AM -0400, Luke Seelenbinder wrote: (...) > If I disable HTX, everything flows per normal and the status codes are even > correctly -1. > > I've replicated this on 1.9.4, 1.9.x master, and 2.0-dev master branches. The > global "this will work" and "this

Re: High p99 latency with HAProxy 1.9 in http mode compared to 1.8

2019-03-18 Thread Willy Tarreau
Hi Ashwin, On Mon, Mar 18, 2019 at 10:57:45AM -0700, Ashwin Neerabail wrote: > Hi Willy, > > Thanks for the reply. > > My Test setup: > Client Server1 using local HAProxy 1.9 > 2 Backend servers and > Client Server2 using local HAProxy 1.8 > same 2 backend servers. > > I am measuring latency

Re: 1.9.4 Make issue on Cygwin

2019-03-14 Thread Willy Tarreau
Hi Jeffrey, On Fri, Mar 15, 2019 at 10:22:14AM +0800, ??? wrote: > Hi, > I'm trying to compile haproxy under cygwin but get problem. > > I have try google search to resolve the problem but can't get any. > > Have anyone can let me know what's wrong ? > > Jeffrey_Chen@jeffrey_chen

Re: stable-bot: WARNING: 42 bug fixes in queue for next release

2019-03-14 Thread Willy Tarreau
On Thu, Mar 14, 2019 at 02:15:07PM +, stable-...@haproxy.com wrote: > Last release 1.9.4 was issued on 2019/02/06. There are currently 42 patches > in the queue cut down this way: > - 1 BUG, first one merged on 2019/02/10 > - 6 MAJOR, first one merged on 2019/02/10 > - 20 MEDIUM,

Re: 1.9.2: Crash with 300% CPU and stuck agent-checks

2019-03-14 Thread Willy Tarreau
On Thu, Mar 14, 2019 at 11:43:54AM +0100, Louis Chanouha wrote: > Hello, > Did I miss something ? Sorry I never used GDB. > > +--? (gdb) p task_per_thread[0].task_list_size > cannot subscript something of type `' Ah sorry, I thought from your kind offer that you did :-) You first need to attach

Re: 1.9.2: Crash with 300% CPU and stuck agent-checks

2019-03-14 Thread Willy Tarreau
Louis, I'd be interested in checking the values of task_per_thread[X].task_list_size for each value of X between 0 and your number of threads minus 1. Example for 4 threads : (gdb) p task_per_thread[0].task_list_size $2 = 0 (gdb) p task_per_thread[1].task_list_size $3 = 0 (gdb) p

Re: 1.9.2: Crash with 300% CPU and stuck agent-checks

2019-03-14 Thread Willy Tarreau
Hello Louis, On Thu, Mar 14, 2019 at 10:34:05AM +0100, Louis Chanouha wrote: > Hello, > It seems that I have the same problem as Mark Janssen. > I did not restart so I still can do gdb debug. Quite interesting as well, thank you. Indeed it looks identical, with not all threads looping. I'm

Re: High CPU with Haproxy 1.9.4 (and 1.9.2)

2019-03-14 Thread Willy Tarreau
On Thu, Mar 14, 2019 at 10:34:46AM +0100, Mark Janssen wrote: > This was the 'show activity' info > > Show activity: > thread_id: 7 > date_now: 1552497125.537000 > loops: 1876310231 2198499593 29388065 2234235968 2189969792 23322503 11681489 > 1867345227 > wake_cache: 4699089 4475087 5332367

Re: High CPU with Haproxy 1.9.4 (and 1.9.2)

2019-03-13 Thread Willy Tarreau
On Wed, Mar 13, 2019 at 05:45:31PM +0100, Bruno Henc wrote: > Hello Nick, The guy was called "Mark", but I agree that 25% of the letters are right. > Haproxy-1.9 is acting strange under certain conditions, Huh ? What's this story ? haproxy-1.9 was released 4 months ago and is in stable status,

Re: High CPU with Haproxy 1.9.4 (and 1.9.2)

2019-03-13 Thread Willy Tarreau
Hi Mark, On Wed, Mar 13, 2019 at 02:08:15PM +0100, Mark Janssen wrote: > Hi, > > I've recently switched a system over from 1.6.9, which has been running fine > for years, to 1.9.4. > I've updated the configuration to use nbthread instead of nbproc, and > cleaned up the config a lot. > > A few

Re: Website access problem

2019-03-13 Thread Willy Tarreau
Hi, On Wed, Mar 13, 2019 at 11:43:55AM +0800, ?? wrote: > Hi,I'm a guy from China, "HTTP" access to the site cannot be 301 permanent > jump to HTTPS; I have no idea what you are talking about. There is no such redirect in place. And your screenshots show nothing useful. What is the problem you

Re: [PATCH] BUILD/MINOR : WURFL fix for build problems

2019-03-11 Thread Willy Tarreau
Hi Paul, On Mon, Mar 11, 2019 at 01:00:24PM +0100, Paul Stephen Borile wrote: > Hi, > > in attach patch for : > - build fix for 1.9/2.0 code base (0001) > - removed deprecated methods (0001) > - enabled multithreading mode (0001) > - added point of contact in MAINTAINERS file (0004) > > Module

Re: haproxy segfault

2019-03-07 Thread Willy Tarreau
Hi Tim, On Fri, Mar 08, 2019 at 01:43:58AM +0100, Tim Düsterhus wrote: > Willy, > > Am 16.02.19 um 06:23 schrieb Willy Tarreau: > > On Tue, Feb 12, 2019 at 10:28:01PM +0100, Lukas Tribus wrote: > >>> Did this bug has been introduced in 1.9.4 ? > >>>

Re: [PATCH] BUG/MINOR: ssl: fix warning about ssl-min/max-ver support

2019-03-05 Thread Willy Tarreau
On Tue, Mar 05, 2019 at 11:14:32PM +0100, Lukas Tribus wrote: > In 84e417d8 ("MINOR: ssl: support Openssl 1.1.1 early callback for > switchctx") the code was extended to also support OpenSSL 1.1.1 > (code already supported BoringSSL). A configuration check warning > was updated but with the wrong

Re: Does anyone *really* use 51d or WURFL ?

2019-03-05 Thread Willy Tarreau
Hi all, back to this old thread : On Mon, Jan 21, 2019 at 03:36:22PM +0100, Willy Tarreau wrote: > I don't know if wurfl builds at all by the way since the last update to > the module is its introduction more than 2 years ago. So now at least I've got the response. This code doesn't

Re: [RFC PATCH] MEDIUM: compression: Add support for brotli compression

2019-03-04 Thread Willy Tarreau
On Mon, Mar 04, 2019 at 02:44:38PM +0100, Tim Düsterhus wrote: > One could limit the overall brotli resource usage by returning NULLs in > the custom allocator when the *total* (versus the per-stream) brotli > memory consumption exceeds a certain level. The handling of OOMs in the > remaining code

Re: [RFC PATCH] MEDIUM: compression: Add support for brotli compression

2019-03-04 Thread Willy Tarreau
Hi Tim, On Wed, Feb 27, 2019 at 01:23:28PM +0100, Tim Düsterhus wrote: > As mentioned in my reply to Aleks I don't have any numbers, because I > don't know to get them. My knowledge of both HAProxy's internals and C > is not strong enough to get those. > > The manpage documents this: > > >

Re: ACL, map: restrict access for dynamic hostname to some specific IPs

2019-03-04 Thread Willy Tarreau
Hi Guillaume, On Fri, Mar 01, 2019 at 12:33:57PM +0100, gdelafond+hapr...@aquaray.com wrote: > > On 9 Jan 2019, at 11:06, gdelafond+hapr...@aquaray.com wrote: > > > > Hello, > > > > I try to understand how to use the -M ACL flag. > > > > From the documentation : > > > > The "-M" flag allows

Re: Status Codes in H2 Mode

2019-03-04 Thread Willy Tarreau
On Mon, Mar 04, 2019 at 11:45:53AM +, Luke Seelenbinder wrote: > Hi Willy, > > > Do you have "option abortonclose" in your config ? > > We do not have abortonclose. Do you recommend this if we have a lot of > client-side request aborts (but not connection level closes)? From reading > the

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-28 Thread Willy Tarreau
Hi Tom, On Wed, Feb 27, 2019 at 07:45:04AM +0100, Tom wrote: > Hi Willy > > I've applied your patch and now the website responds with http2..., many > thanks for this. > > The current situation looks like this: > > - When I directly connect with http2 to the nginx, which has >

Re: http/2 server-push support

2019-02-28 Thread Willy Tarreau
Hi Patrick, On Tue, Feb 26, 2019 at 02:13:28PM -0500, Patrick Hemmer wrote: > Now that we have h2 support on frontends, backends, trailers, etc, I'm > hoping that server side server-push is somewhere on the roadmap. By > "server side" I mean not this middleware based server-push methodology >

Re: %[] in use-server directives

2019-02-28 Thread Willy Tarreau
On Wed, Feb 20, 2019 at 10:43:22AM -0300, Joao Morais wrote: > Hi Bruno, thanks! Updating servers via api I'm currently using. From Willy > "in the past it was not possible to dynamically create servers" - so now I'm > wondering if there is a way or future plan to create a new server on an >

Re: H2 Protocol Errors in HTX Mode (1.9.4 & 1.9.4-dev)

2019-02-28 Thread Willy Tarreau
On Fri, Feb 22, 2019 at 01:35:19PM +0100, Luke Seelenbinder wrote: > Hi List, > > We recently started using HAProxy to act as a first point of entry for most > of our traffic. We initially set it up with H2 + HTX frontend and H1.1 > backend; however, this led to some strange behavior consistently

Re: Status Codes in H2 Mode

2019-02-28 Thread Willy Tarreau
Hi Luke, On Fri, Feb 22, 2019 at 10:03:12AM +, Luke Seelenbinder wrote: > Hi List, Willy, > > After transitioning to 1.9.4, I can say things are much more stable when > using h2 on the frontend. Thanks for all the bug fixes and patches since > 1.9.0! I'll be upgrading to 1.9.5 when it comes

Re: High p99 latency with HAProxy 1.9 in http mode compared to 1.8

2019-02-28 Thread Willy Tarreau
Ashwin, I've taken some time to read your tests completely now, and something bothers me : On Mon, Feb 25, 2019 at 11:11:08AM -0800, Ashwin Neerabail wrote: > > - by disabling server-side idle connections (using "pool-max-conn 0" on > > the server) though "http-reuse never" should be

Re: [RFC PATCH] MEDIUM: compression: Add support for brotli compression

2019-02-26 Thread Willy Tarreau
Hi Tim, On Tue, Feb 26, 2019 at 06:16:12PM +0100, Tim Düsterhus wrote: > Willy, > > Am 13.02.19 um 17:57 schrieb Tim Duesterhus: > > *snip* > > Are you able to give some (first, basic) feedback on this patch already? Not yet. In fact I don't know much what to think about it. The patch itself

Re: [PATCH 1/2] CLEANUP: http: Remove unreachable code in parse_http_req_capture

2019-02-26 Thread Willy Tarreau
both applied, thanks Tim. Willy

[ANNOUNCE] haproxy-2.0-dev1

2019-02-26 Thread Willy Tarreau
ed Thierry FOURNIER (2): BUG/MINOR: lua: bad args are returned for Lua actions BUG/MEDIUM: lua: dead lock when Lua tasks are trigerred Tim Duesterhus (4): BUG/MINOR: stick_table: Prevent conn_cur from underflowing CLEANUP: h2: Remove debug printf in mux_h2.c BUG/MED

Re: High p99 latency with HAProxy 1.9 in http mode compared to 1.8

2019-02-26 Thread Willy Tarreau
On Mon, Feb 25, 2019 at 11:11:08AM -0800, Ashwin Neerabail wrote: > Any ideas on this ? Seeing issues with HAProxy 1.9 performance with > connection pooling turned on. No idea for now, we really need to find a way to accurately measure this in order to spot when the problem happens. It could be

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Willy Tarreau
update the function to properly advertise this to the servers, otherwise they will rightfully use PUSH. Thanks for reporting this, Willy >From 6034728ef888eaef60225cc737d7595b07a0cd0e Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 26 Feb 2019 16:01:52 +0100 Subject: BUG/MEDIUM: h2: adv

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Willy Tarreau
On Tue, Feb 26, 2019 at 12:37:11PM +0100, Tom wrote: > Hi Jérôme > > Many thanks for your hint. This solved the initial problem. But there are > other issues regarding http2: > > 1) > When I enable "errorfile 503 /etc/haproxy/503.html" in the defaults-section, > then haproxy comes not up and

Re: Wrong sha256 checksum for HAProxy 1.8 and 1.9?

2019-02-26 Thread Willy Tarreau
Hi all, On Tue, Feb 26, 2019 at 01:29:54PM +0100, Cyril Bonté wrote: > > De: "Tim Düsterhus" > > À: "Cyril Bonté" , "Willy Tarreau" , > > "Kevin Mao" > > Cc: haproxy@formilux.org > > Envoyé: Mardi 26 Février 2019

Re: Wrong sha256 checksum for HAProxy 1.8 and 1.9?

2019-02-25 Thread Willy Tarreau
Hi Kevin, On Tue, Feb 26, 2019 at 06:27:30AM +, Kevin Mao wrote: > Hi haproxy@, > > It seems like the sha256 checksums are wrong for the latest 1.8 and 1.9 > HAProxy versions, Can you please confirm? > https://www.haproxy.org/download/1.9/src/, > $ shasum -a 256 -c

Re: Idea for the Wiki

2019-02-21 Thread Willy Tarreau
On Fri, Feb 22, 2019 at 01:54:00AM +0100, Tim Düsterhus wrote: > I suggest to create new pages using the web interface only to make sure > it can handle it. Editing can be done using git. I agree. I'm seeing another benefit to this, which is that it will guarantee that we only use simple things

Re: %[] in use-server directives

2019-02-21 Thread Willy Tarreau
Hi Joe, On Thu, Feb 21, 2019 at 08:23:29AM +, Joe K wrote: > Hello everybody again ... > > So here's what I have right now, just from copy-pasting and slightly > editing 702d44f. > > The config check passes, but haproxy crashes with segmentation fault after > the first request with an

Re: Idea for the Wiki

2019-02-20 Thread Willy Tarreau
On Wed, Feb 20, 2019 at 07:44:46AM +0100, Baptiste wrote: > How should we organize directories and pages? > IE for TLS offloading: > /common/acceleration/tls_offloading.md ? > I think it's quite important to agree on it now, because the folders will > be part of the URL indexed by google :) I

Re: %[] in use-server directives

2019-02-19 Thread Willy Tarreau
On Tue, Feb 19, 2019 at 09:14:40AM +, Joe K wrote: > I have next to zero experience with C but the commit 702d44f seems to be > small enough for me to be able to wrap my head around. > > I'll try making it work for use-server tomorrow! Thank you! Ah great, thanks for this! Do not hesitate to

Re: %[] in use-server directives

2019-02-19 Thread Willy Tarreau
Hi Joe, On Tue, Feb 19, 2019 at 08:45:48AM +, Joe K wrote: > Hi Willy! > > My use case is very similar to gitlab's review apps: > https://gitlab.com/help/ci/review_apps/index.md, > on some PRs I want to be able to start web apps each with its own subdomain > which would register themselves

Re: %[] in use-server directives

2019-02-19 Thread Willy Tarreau
Hi guys, On Mon, Feb 18, 2019 at 08:20:03PM +0100, William Lallemand wrote: > > > I wonder if there is a way to use %[...] syntax in use-server directives. (...) > Indeed it's not possible to parse a log-format string there. > > However, you can set dynamically the destination IP with

Re: Idea for the Wiki

2019-02-19 Thread Willy Tarreau
Hi Baptiste, On Wed, Feb 06, 2019 at 03:55:37PM +0100, Baptiste wrote: > I think one of the most important piece is guide lines on integrating > HAProxy with third parties, IE: Observing HAProxy with influxdb, HAProxy as > a Kubernetes External Load-balancer, Service discovery with consul, and so

Re: Early connection close, incomplete transfers

2019-02-18 Thread Willy Tarreau
Hi Veiko, On Thu, Feb 14, 2019 at 02:31:42PM +, Veiko Kukk wrote: > > On 2019-02-01 13:30, Veiko Kukk wrote: > > On 2019-02-01 12:34, Aleksandar Lazic wrote: > > > > > Do you have any errors in lighthttpds log? > > > > Yes, it has error messages about not being enable to write to socket. >

Re: Early connection close, incomplete transfers

2019-02-18 Thread Willy Tarreau
On Fri, Feb 15, 2019 at 09:31:35AM +0100, Aleksandar Lazic wrote: > Am 15.02.2019 um 08:47 schrieb Veiko Kukk: > > On 2019-02-14 18:29, Aleksandar Lazic wrote: > >>> Replaced HAproxy with Nginx for testing and with Nginx, not a single > >>> connection > >>> was interrupted, did millions of

Re: Tune HAProxy in front of a large k8s cluster

2019-02-18 Thread Willy Tarreau
Hi Joao, On Mon, Feb 18, 2019 at 09:31:39PM -0300, Joao Morais wrote: > > > > Em 16 de fev de 2019, à(s) 03:16, Willy Tarreau escreveu: > > > > If you have some time to run some extra tests, it would be nice to rebuild > > haproxy with "ARCH_FLAGS=-pg"

Re: haproxy reverse proxy to https streaming backend

2019-02-18 Thread Willy Tarreau
Hello Thomas, On Sun, Feb 17, 2019 at 05:55:29PM +0100, Thomas Schmiedl wrote: > Hello Bruno, > > I think the problem is the parsing of the .m3u8-playlist in xupnpd2. The > first entry to the .ts-file is 4 hours behind the actual time. But I > have no c++ experience to change the code. For me

Re: haproxy segfault

2019-02-15 Thread Willy Tarreau
On Tue, Feb 12, 2019 at 10:28:01PM +0100, Lukas Tribus wrote: > > Did this bug has been introduced in 1.9.4 ? > > I haven't notice this behavior before. > > Yes. Also see the 1.8.19 release notes. I forgot we backported it to 1.9.4, I thought it was only queued after 1.9.4, we should have

Re: Tune HAProxy in front of a large k8s cluster

2019-02-15 Thread Willy Tarreau
On Fri, Feb 15, 2019 at 08:35:58PM -0200, Joao Morais wrote: > This is just theory - and 5 digits starts on 1 =) . The problem is the > " if " multiplied by 3000 or so. > Moving everything to the backend or a map is a really big step forward. I > suspect my frontend will have about 10 lines

Re: HAProxy with OpenSSL 1.1.1 breaks when TLS 1.3 KeyUpdate is used.

2019-02-14 Thread Willy Tarreau
Hi Lukas, On Thu, Feb 14, 2019 at 06:28:29PM +0100, Lukas Tribus wrote: > Hello, > > > FYI the behavior was also changed on the openssl side (and will be in 1.1.1b): > https://github.com/openssl/openssl/commit/4af5836b55442f31795eff6c8c81ea7a1b8cf94b > > So applications fixes are only

[ANNOUNCE] haproxy-1.8.19

2019-02-11 Thread Willy Tarreau
documenting ciphers example to use Christopher Faulet (2): BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck BUG/MINOR: config: Reinforce validity check when a process number is parsed Willy Tarreau (5): BUG/MINOR: spoe: do not assume agent->rt is valid on e

Re: Does anyone *really* use 51d or WURFL ?

2019-02-08 Thread Willy Tarreau
Hi Ben, On Tue, Feb 05, 2019 at 01:37:59PM +, Ben Shillito wrote: > Hi Willy, > > I have attached two patches. > > One is the threading change which maps the threading flag in 51Degrees to the > one in HAProxy. There are also some changes in the 51d.c module code to make > everything thread

Re: http-use-htx and IIS

2019-02-08 Thread Willy Tarreau
Hi Marco, On Fri, Feb 08, 2019 at 02:20:53PM +0100, Marco Corte wrote: > Il 2019-02-07 17:50 Marco Corte ha scritto: > > Hello! > > > > I am testing haproxy version 1.9.4 on Ubuntu 18.04. > > > > With the "option http-use-htx", haproxy shows a strange behaviour when > > the real server is IIS

Re: [PATCH] CONTRIB: contrib/prometheus-exporter: Add a Prometheus exporter for HAProxy

2019-02-08 Thread Willy Tarreau
Hi Christopher, On Thu, Feb 07, 2019 at 10:09:52PM +0100, Christopher Faulet wrote: > Hi, > > This patch adds a new component in contrib. It is a Prometheus exporter for > HAProxy. (...) Thanks for doing this. After reading the whole patch, I measure how uninteresting an experience this must

Re: possible use of unitialized value in v2.0-dev0-274-g1a0fe3be

2019-02-07 Thread Willy Tarreau
On Wed, Feb 06, 2019 at 07:12:31PM +0100, Tim Düsterhus wrote: (...) > Thus I believe this is a false-positive. I should have read the whole thread, it would have saved me a reply :-) Willy

Re: possible use of unitialized value in v2.0-dev0-274-g1a0fe3be

2019-02-07 Thread Willy Tarreau
Hello, On Wed, Feb 06, 2019 at 02:28:27PM -0200, Ricardo Nabinger Sanchez wrote: > Hello, > > scan-build found a 28-step path where an uninitialized value could be used in > h2s_htx_bck_make_req_headers(). > > Here is a shortened version: > > 4378 idx = htx_get_head(htx); // returns the

Re: HAProxy returns a 502 error when ssl offload and response has a large header

2019-02-07 Thread Willy Tarreau
On Thu, Feb 07, 2019 at 06:37:28PM +0100, Willy Tarreau wrote: > > I'll try with h2c and see if I can put it between client and haproxy. > > Then I suspect that you'll see haproxy either emit RST_STREAM or emit > too large a frame and this frame get rejected. So after checking

Re: HAProxy returns a 502 error when ssl offload and response has a large header

2019-02-07 Thread Willy Tarreau
On Thu, Feb 07, 2019 at 06:44:01PM +0200, Jarno Huuskonen wrote: > At least on my test case haproxy listens http2 and uses http/1.1 > to backend server > (example config and example backend server (in go) are in earlier > mail: https://www.mail-archive.com/haproxy@formilux.org/msg32727.html >

Re: HAProxy returns a 502 error when ssl offload and response has a large header

2019-02-07 Thread Willy Tarreau
Hi, On Thu, Feb 07, 2019 at 04:50:12PM +0200, Jarno Huuskonen wrote: > Hi, > > On Thu, Feb 07, Steve GIRAUD wrote: > > Thanks Jarno for the investigation. > > No problem. > > > The large header is only on response and there is only one large header > > (18k). > > > > haproxy + ssl + http2

Re: [PATCH 2/2] DOC: ssl: Specify stronger example ciphers

2019-02-06 Thread Willy Tarreau
Hi Bertrand, On Wed, Feb 06, 2019 at 10:00:14PM +, Bertrand Jacquin wrote: > Yep, all of this sounds legit. Please find attache a new patch serie > attempting to address all your concerns. Perfect and fairly complete, thank you! I've just applied them both. Cheers, Willy

Re: [ANNOUNCE] haproxy-1.9.4

2019-02-06 Thread Willy Tarreau
Hi Aleks, On Wed, Feb 06, 2019 at 05:16:58PM +0100, Aleksandar Lazic wrote: > Maybe this patch was to late for 1.9.4 please can you consider to add it > to 2.0 and later 1.9.5, thanks. > > https://www.mail-archive.com/haproxy@formilux.org/msg32693.html I wanted to check it with Christopher

[ANNOUNCE] haproxy-1.8.18

2019-02-06 Thread Willy Tarreau
. MINOR: xref: Add missing barriers. BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free(). Tim Duesterhus (1): BUG/MINOR: stick_table: Prevent conn_cur from underflowing Willy Tarreau (27): BUG/MAJOR: cache: fix confusion between zero and uninitialized cache

[ANNOUNCE] haproxy-1.9.4

2019-02-06 Thread Willy Tarreau
he reasons for disabled compression Willy Tarreau (48): SCRIPTS: add the issue tracker URL to the announce script BUG/MINOR: server: fix logic flaw in idle connection list management BUG/MINOR: stream: don't close the front connection when facing a backend error DOC: htx: ma

Re: [PATCH 2/2] DOC: ssl: Specify stronger example ciphers

2019-02-04 Thread Willy Tarreau
Hi guys, On Mon, Feb 04, 2019 at 10:13:11PM +0100, Lukas Tribus wrote: > > Since TLS ciphers are not well understand, it is very common parameters > > from documentation are used as is. Since RC4 should not be used anymore > > I believe it is wiser to show example including stronger ciphers to >

Re: cQ-- termination state doubts

2019-02-04 Thread Willy Tarreau
Hi, On Mon, Feb 04, 2019 at 04:05:15PM +, Juan Pablo Mora wrote: > > During a period of slowness of my database I see this log (HAProxy 1.7.5): > > > Feb 4 11:09:30 localhost.localdomain haproxy[23601]: 185.198.176.21:41987 > [04/Feb/2019:11:09:12.408] WWW BUS/BUS2 9/8785/2/8860/17657

Idea for the Wiki

2019-02-04 Thread Willy Tarreau
Hi all, as discussed a few times in the past, we have the possibility to enable the Wiki on the github repository. In the past a few of us thought it would be a nice alternative to the obsolete architecture manual because it would allow a number of people to contribute to various areas with a

Re: Early connection close, incomplete transfers

2019-02-04 Thread Willy Tarreau
Hi Veiko, On Mon, Feb 04, 2019 at 01:52:28PM +, Veiko Kukk wrote: > I'm sure it happens with all versions we have tried: 1.6, 1.7, 1.9 (did not > try 1.8, because we have never used it in production and decided to switch > directly to 1.9), but how could we make sure it's caused by something

Re: support for FreeBSD accept filters

2019-02-01 Thread Willy Tarreau
Hi Lukas, On Sat, Feb 02, 2019 at 01:14:06AM +0100, Lukas Tribus wrote: > Try something like this instead: > > tcp-request inspect-delay 30s > tcp-request content accept if { req_len gt 0 } > > The TCP session is only forwarded to the backend (and therefor, will > need source-ports) if there

Re: h1-client to h2-server host header / authority conversion failure.?

2019-02-01 Thread Willy Tarreau
On Sat, Feb 02, 2019 at 12:16:27AM +0100, PiBa-NL wrote: > Sorry, indeed all 4 tests pass. ( Using 2.0-dev0-32211a1 2019/02/01 ) Ah cool, thanks! > I must have mixed the git-id to sync up with in my makefile, thought i > picked the last one.. > > Sorry for the noise! Thanks for fixing and

Re: h1-client to h2-server host header / authority conversion failure.?

2019-02-01 Thread Willy Tarreau
On Fri, Feb 01, 2019 at 09:43:13PM +0100, PiBa-NL wrote: > The 'last' part is in TCP mode, and is intended like that to allow me to run > tcpdump/wireshark on the un-encrypted traffic, and being certain that > haproxy would not modify it before sending. But maybe the test contained a > 'half done'

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-02-01 Thread Willy Tarreau
On Fri, Feb 01, 2019 at 07:50:23PM +, Luke Seelenbinder wrote: > Hi Willy, > > I just had a chance to check this--I haven't run every test I could think of > yet, but it works! Not a single server-side error or disconnection! Excellent, many thanks! > I'll definitely be rolling this out

Re: Early connection close, incomplete transfers

2019-02-01 Thread Willy Tarreau
Hi Veiko, On Thu, Jan 31, 2019 at 09:29:43AM +, Veiko Kukk wrote: > Connections are getting closed during data transfer phase at random sizes on > backend. Sometimes just as little as 420 bytes get transferred, but usually > more is transferred before sudden end of connection. HAproxy logs

Re: h1-client to h2-server host header / authority conversion failure.?

2019-02-01 Thread Willy Tarreau
Hi Pieter, I'm finally back to this one. On Sat, Jan 26, 2019 at 09:04:06PM +0100, PiBa-NL wrote: > It seems google replies "Header: :status: 400 Bad Request" But leaves me > 'guessing' why it would be invalid, also the 'body' doesn't get downloaded > but haproxy terminates the connection, which

Re: Browser downloads failing because of h2c_send_goaway_error (1.8.17 + 1.9.1)

2019-02-01 Thread Willy Tarreau
Hi Wert, On Thu, Jan 17, 2019 at 01:38:52PM +0300, Wert wrote: > It makes large downloads completely unusable even with not very often reloads. Yesterday while addressing some H2 issues, I found a bug which can cause exactly what you were seeing. I'm interested in knowing whether the latest 1.9

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-02-01 Thread Willy Tarreau
Hi Luke, On Wed, Jan 30, 2019 at 07:43:06PM +0100, Willy Tarreau wrote: > I've also found a few erroneous state transitions and an issue affecting > trailers which could also break the connection. For now it's only in > 2.0-dev because it'll take me a while to collect all pendin

Re: High p99 latency with HAProxy 1.9 in http mode compared to 1.8

2019-01-31 Thread Willy Tarreau
Hi Ashwin, On Thu, Jan 31, 2019 at 10:32:33AM -0800, Ashwin Neerabail wrote: > Hi, > > We are in process of upgrading to HAProxy 1.9 and we are seeing consistent > high latency with HAProxy 1.9.2 as compared to 1.8.17 when using HTTP Mode > ( both with and without TLS). However no latency issues

Re: HTTP connection is reset after each request

2019-01-31 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 01:11:41PM +0100, Aleksandar Lazic wrote: > Looks like You are also right for h2 case. > I haven't seen h2 in Marco's configuration therefor I haven't assumed he use > h2. It's hidden at the end of the "bind" line :-) Willy

Re: HTTP connection is reset after each request

2019-01-31 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 11:58:53AM +, Luke Seelenbinder wrote: > Hi Aleks, > > You're correct for http/1.1, but unfortunately, nothing I found after a > pretty long search indicated 1.8.x supports an h2 frontend with reusable > backend connections (h1.1 or h2). I confirm, that was the main

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-31 Thread Willy Tarreau
Hi again, On Wed, Jan 30, 2019 at 07:43:06PM +0100, Willy Tarreau wrote: > It was indeed caused by late frames triggering GOAWAY, while we were > missing some info to determine if the frame was violating the protocol > or just a late response. I found another cause of GOAWAY that

Re: [PATCH] DOC: compression: Update the reasons for disabled compression

2019-01-30 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 11:46:04PM +0100, Tim Duesterhus wrote: > - Update the list of status codes to include 201 - 203. > - Remove the fact about the temporary workaround for chunked responses > (this is verified using reg-test compression/h0.vtc). > - Add malformed ETags Ah cool, I was

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-30 Thread Willy Tarreau
Hi Luke, I finally managed to kill them all, and everything works fine for me. It was indeed caused by late frames triggering GOAWAY, while we were missing some info to determine if the frame was violating the protocol or just a late response. I've also found a few erroneous state transitions

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-30 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 10:18:03AM +, Luke Seelenbinder wrote: (...) > I don't know if any of this rings any bells, but that's what I've been able > to determine so far. Overall the patch improves things significantly, but > some latent issues are still around. No bell yet but that's detailed

Re: h1-client to h2-server host header / authority conversion failure.?

2019-01-30 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 10:37:29AM +0100, Willy Tarreau wrote: > > It seems google replies "Header: :status: 400 Bad Request" But leaves me > > 'guessing' why it would be invalid, > > Interesting case. Actually we're doing something wrong, and we cannot rule out t

Re: Cache question

2019-01-30 Thread Willy Tarreau
Hi Aleks, On Tue, Jan 29, 2019 at 09:48:08PM +0100, Aleksandar Lazic wrote: > Hi. > > I plan to use HAProxy 1.9.x cache with ~50-100k Objects which could use > 1-2G RAM. > > Has anyone used the cache features in prod with such specs? It's used on haproxy.org actually, though with a

Re: h1-client to h2-server host header / authority conversion failure.?

2019-01-30 Thread Willy Tarreau
Hi Pieter, On Sat, Jan 26, 2019 at 09:04:06PM +0100, PiBa-NL wrote: > Today I've given it another shot. (connecting to mail.google.com). > Is there a way in haproxy to directly 'manipulate' the h2 headers? Setting > h2 header with set-header :authority didn't seem to work.? No, these ones are

Re: [PATCH] BUG/MINOR: tcp_rep.inspect_rules not deinit, add to deinit

2019-01-30 Thread Willy Tarreau
On Wed, Jan 30, 2019 at 04:07:54PM +0800, Kevin Zhu wrote: > Hi Willy, > I find tcp_rep.inspect_rule forgot to deinit, the mail attached patch > should fix that. Merged, thank you! Willy

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-30 Thread Willy Tarreau
Hi Luke, On Wed, Jan 30, 2019 at 08:41:03AM +, Luke Seelenbinder wrote: > It works! I'm seeing very, very few CD-- -> SD-- chains now. I did see a few > in h2<->h2 mode, but precious few, so I'm very happy to say the bug as > previously manifested is remedied! Thanks for digging so wide and

Re: [RFC PATCH v2] BUG/MEDIUM: compression: Rewrite strong ETags

2019-01-29 Thread Willy Tarreau
On Tue, Jan 29, 2019 at 04:38:56PM +0100, Tim Duesterhus wrote: > Willy, > > new patch with the requested changes and updated tests. > > Note: I added an `assert` in there to make sure that ht*_select_comp_reshdr > actually verified the ETag header before I am touching it. There *is* >

Re: [RFC PATCH] BUG/MEDIUM: compression: Rewrite strong ETags

2019-01-29 Thread Willy Tarreau
On Tue, Jan 29, 2019 at 12:56:14PM +0100, Tim Düsterhus wrote: > I just notice the `http_select_comp_reshdr` function. I guess I can put > the ETag validation there and only check for strong / weak in > `http_set_comp_reshdr`. Yes, good idea! Willy

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-29 Thread Willy Tarreau
, it should apply cleanly on top of 1.9.3. Thanks, Willy From 3ad5d31bdf66c3a9449bb4af4cb131ff8e2ca662 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 29 Jan 2019 18:33:26 +0100 Subject: BUG/MEDIUM: mux-h2: only close connection on request frames on closed streams A subtle bug was introduced with H2

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-29 Thread Willy Tarreau
On Tue, Jan 29, 2019 at 11:39:32AM +0100, Willy Tarreau wrote: > By the way, how do you manage to cancel a single stream in the browser ? > Pressing Esc might break all of them I guess ? Thus I'm uncertain how to > achieve this. I think I found a solution for this, I open two tabs in th

Re: H2 Server Connection Resets (1.9.2 & 1.9.3)

2019-01-29 Thread Willy Tarreau
Hi Luke, On Tue, Jan 29, 2019 at 10:06:03AM +, Luke Seelenbinder wrote: > I just pulled, compiled, and tested the newly minted 1.9.3, and I'm > experiencing the same issue with alpn h2 on the backend definition. Ah sh*t :-( > I also > strongly suspect it's not related to maximum streams per

Re: 1.9.2: Crash with 300% CPU and stuck agent-checks

2019-01-29 Thread Willy Tarreau
On Tue, Jan 29, 2019 at 10:41:52AM +0100, Louis Chanouha wrote: > I'm pretty sure this bug is specific to version 1.9. Last week I restarted > the process because it seemed to be stuck at around 100% CPU, but without > abnormal behaviour. > I've never seen that in 1.7 or 1.8 series. We migrated from
