config file continuation lines?
i'm writing my config file for haproxy 2.0.0

reading through

    https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
    https://www.haproxy.org/download/2.0/doc/configuration.txt
    https://www.haproxy.com/documentation/hapee/1-9r1/administration/

I'm looking for if/how config lines can be continued. haven't found something that says you can, or you can't.

can a 'single' config line, e.g. a "bind ..." line be broken into multiple lines, for readability, with backslashes, or some other delimiter?

hal
Re: haproxy 2.0.0 build openssl version mismatch?
bob

On Wed, Jul 17, 2019, at 10:06 AM, Zakharychev, Bob wrote:
> rpath is not the best solution here IMO - if the dependency is moved or
> removed (or replaced with a wrong SO in the right path, maybe even
> maliciously) from the system haproxy will still fail to load. I
> personally simply statically link OpenSSL into the HAProxy executable,
> which makes it portable and independent of OS SO configuration or
> paths. In order to statically link OpenSSL, simply build it without
> shared library support (no-shared) and then relink haproxy against it
> with the same SSL_INC and SSL_LIB.
>
> If you still want to use rpath, I believe you can add it with ADDLIB variable:
>
> make TARGET=linux-glibc ... ADDLIB="-rpath /opt/prod/openssl111c/lib64"

I don't build OpenSSL statically. It's part of a production stack I manage/distribute with paths to the stack's dynamic libs rpath'd/hardcoded.

So, trying with the ADDLIB/ADDINC you suggest,

    make \
     ...
     USE_OPENSSL=1 \
     SSL_LIB="/opt/prod/openssl11c/lib64" \
     SSL_INC="/opt/prod/openssl11c/include" \
     ADDLIB="-L/opt/prod/openssl11c/lib64 -Wl,-rpath,/opt/prod/openssl11c/lib64" \
     ADDINC="-I/opt/prod/openssl11c/include" \
     ...

does seem to work,

    /opt/prod/haproxy/sbin/haproxy -vv
        HA-Proxy version 2.0.0 2019/06/16 - https://haproxy.org/
        ...
        Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
        Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
        OpenSSL library supports TLS extensions : yes
        OpenSSL library supports SNI : yes
        OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
        ...

    ldd /opt/prod/haproxy/sbin/haproxy | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl11c/lib64/libssl.so.1.1 (0x7efedb62b000)
        libcrypto.so.1.1 => /opt/prod/openssl11c/lib64/libcrypto.so.1.1 (0x7efedb125000)

not exactly a 'standard' approach to linking, but it solves the problem.

thanks!

hal
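Added example, not part of the thread or of the HAProxy project: a shell check for the two symptoms discussed in this thread, a build/runtime OpenSSL version mismatch in `haproxy -vv` output and libssl/libcrypto resolving outside the intended prefix in `ldd` output. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): post-build checks on haproxy's OpenSSL linkage.

# Reads `haproxy -vv` output on stdin. Returns 0 only when the "Built with" and
# "Running on" OpenSSL version strings are both present and identical.
ssl_versions_match() {
    awk -F' : ' '
        /^Built with OpenSSL version/ { built = $2 }
        /^Running on OpenSSL version/ { running = $2 }
        END { exit !(built != "" && built == running) }'
}

# Reads `ldd` output on stdin. Prints each libssl/libcrypto entry that does not
# resolve under PREFIX ($1). The trailing "/" stops /opt/x matching /opt/x-other.
libs_outside_prefix() {
    awk -v p="$1/" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            path = ($2 == "=>" && $3 != "not") ? $3 : "not found"
            if (index(path, p) != 1) print $1 " -> " path
        }'
}

# Constructed samples shaped like the output quoted in the thread
# (the load addresses are made up).
sample_vv_mismatch() { cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.1.0i-fips 14 Aug 2018
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019 (VERSIONS DIFFER!)
EOF
}
sample_vv_ok() { cat <<'EOF'
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
EOF
}
sample_ldd_mixed() { cat <<'EOF'
    libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f0000000000)
    libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x00007f0000400000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000800000)
EOF
}

# Demo run over the constructed samples.
for s in sample_vv_mismatch sample_vv_ok; do
    if "$s" | ssl_versions_match; then echo "$s: match"; else echo "$s: MISMATCH"; fi
done
sample_ldd_mixed | libs_outside_prefix /opt/prod/openssl111c
```

Against a real install, pipe `/opt/prod/haproxy/sbin/haproxy -vv` into `ssl_versions_match` and `ldd /opt/prod/haproxy/sbin/haproxy` into `libs_outside_prefix`; empty output from the latter means both libraries resolved under the prefix.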
Re: haproxy 2.0.0 build openssl version mismatch?
On Wed, Jul 17, 2019, at 9:13 AM, Aleksandar Lazic wrote:
>
> Can you try to adopt your system to the openssl path as I in the dockerfile.
>
> https://gitlab.com/aleks001/haproxy20-centos/blob/master/Dockerfile#L37
>
> ```
> echo "/opt/prod/openssl111c/lib64" > /etc/ld.so.conf.d/openssl-111c.conf \
> && ldconfig -v \
> ```

ldconfig additions/changes are system-wide, and local environment specific -- and subject to end-user override.

does haproxy simply support rpath -- which correctly solves the linking problem in the distributed package by hardcoding the specified/intended runtime path -- like most other packages?

e.g., all rpath'd &/or config-managed build/installs,

    ldd `which nginx` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f24ae9f6000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f24ae4f)
    ldd `which php` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f4c1533a000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f4c14e34000)
    ldd `which mariadb` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7feb8998a000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7feb89484000)
    ldd `which named` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f539d468000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f539cf62000)
    ldd `which openvpn` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7fd1d891b000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7fd1d8415000)
    ldd `which curl` | egrep "ssl|crypto"
        libssl.so.1.1 => /opt/prod/openssl111c/lib64/libssl.so.1.1 (0x7f5085647000)
        libcrypto.so.1.1 => /opt/prod/openssl111c/lib64/libcrypto.so.1.1 (0x7f5085149000)

etc etc

none of which need ldconfig.
Re: haproxy 2.0.0 build openssl version mismatch?
bob

On Wed, Jul 17, 2019, at 8:29 AM, Zakharychev, Bob wrote:
> you are using SSL_INC and SSL_LIB incorrectly: they should ONLY contain
> paths to corresponding include and library directories, not GCC
> options. So in your case they should look like this:
>
> SSL_LIB=/opt/prod/openssl111c/lib64 \
> SSL_INC=/opt/prod/openssl111c/include \

switching to

    make V=1 \
     TARGET=linux-glibc \
     USE_SYSTEMD=1 \
     USE_PCRE2=1 \
     USE_PCRE2_JIT=1 \
     USE_OPENSSL=1 \
     SSL_LIB=/opt/prod/openssl111c/lib64 \
     SSL_INC=/opt/prod/openssl111c/include \
     USE_THREAD=1 \
     USE_PTHREAD_PSHARED=1 \
     USE_TFO=1 \
     USE_NS=1

now, after build,

    /opt/prod/haproxy/sbin/haproxy -vv
        /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)
        /opt/prod/haproxy/sbin/haproxy: /usr/lib64/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by /opt/prod/haproxy/sbin/haproxy)

it completely ignores the specified paths, and incorrectly links the distro-installed, system libs.

hal
haproxy 2.0.0 build openssl version mismatch?
I'm building haproxy 2.0.0,

    git log | head
        commit ba23630ad009464dc8e4d01dac9ce779eb84cc2a
        Author: Willy Tarreau
        Date: Sun Jun 16 20:00:26 2019 +0200

            [RELEASE] Released version 2.0.0

            Released version 2.0.0 with the following main changes :
                - MINOR: fd: Don't use atomic operations when it's not needed.
                - DOC: mworker-prog: documentation for the program section
                - MINOR: http: add a new "http-request replace-uri" action

on linux. I use a local openssl build/install,

    which openssl
        /opt/prod/openssl111c/bin/openssl
    openssl version
        OpenSSL 1.1.1c 28 May 2019

setting ssl flags to use that local instance, with rpath, haproxy build has no errors

    make V=1 \
     TARGET=linux-glibc \
     USE_SYSTEMD=1 \
     USE_PCRE2=1 \
     USE_PCRE2_JIT=1 \
     USE_OPENSSL=1 \
     SSL_LIB=" -L/opt/prod/openssl111c/lib64 -Wl,-rpath,/opt/prod/openssl111c/lib64" \
     SSL_INC=" -I/opt/prod/openssl111c/include" \
     USE_THREAD=1 \
     USE_PTHREAD_PSHARED=1 \
     USE_TFO=1 \
     USE_NS=1

Checking the install,

    make install PREFIX=/opt/prod/haproxy
    /opt/prod/haproxy/sbin/haproxy -vv
        HA-Proxy version 2.0.0 2019/06/16 - https://haproxy.org/
        Build options :
          TARGET = linux-glibc
        ...
        Built with multi-threading support (MAX_THREADS=64, default=4).
        Built with OpenSSL version : OpenSSL 1.1.0i-fips 14 Aug 2018
        Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019 (VERSIONS DIFFER!)

reports an OpenSSL version mismatch.

What do I need to change in the haproxy build config so that it correctly recognizes the rpath, and consistently builds & links with the specified openssl local instance?

hal