Re: haproxy reloads, stale listeners, SIGKILL required

2016-02-09 Thread Willy Tarreau
Hi David, On Tue, Feb 09, 2016 at 02:13:27PM +, David Birdsong wrote: > Ok, I think this thread helped to uncover the root issue: > https://github.com/hashicorp/consul-template/issues/442 > > root cause in go 1.5: > https://github.com/golang/go/issues/13164 I have only quickly read some of

Re: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-02-09 Thread Willy Tarreau
Hi Christopher, thanks for this. It looks clean enough to be merged. I'm a little bit concerned with the addition of conn->ssl_detection_exp because we try to keep the connection struct as small as possible. But in this case there's no other place to store it. Thus I would change it to "exp" and

Re: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-02-09 Thread Christopher Faulet
On 09/02/2016 09:04, Willy Tarreau wrote: thanks for this. It looks clean enough to be merged. I'm a little bit concerned with the addition of conn->ssl_detection_exp because we try to keep the connection struct as small as possible. But in this case there's no other place to store it. Thus

Re: Offset in server definition not usable in 1.6.3

2016-02-09 Thread Baptiste
> But I don't get your point. I may have not been accurate enough. > I can't see any discrepancies. > Could you give me a hint what are you talking about? > >>> => bind's port is being used for health checks => If multiple bind are >>> present, the first one is used. > >

RE: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Lukas Tribus
>> I don't see it. Can you please elaborate what exact commit ID you are >> referring to? > > You are probably referring to the github fork, which is as always outdated, > and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE: > #ifndef SSL_OP_SINGLE_ECDH_USE > #define

Re: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi Lukas, Lukas Tribus wrote: >>> I don't see it. Can you please elaborate what exact commit ID you are >>> referring to? >> You are probably referring to the github fork, which is as always outdated, >> and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE: >> #ifndef

Re: Offset in server definition not usable in 1.6.3

2016-02-09 Thread Baptiste
> Baptiste, thanks a lot for your patience and your detailed answer. You're welcome! > And for you in French: I am sorry if you are angry now. For you in German: no problem. I want a beer! >> listen activemq-works >> bind :8162 >> bind :8192 >> bind :9400 >> option

Re: haproxy reloads, stale listeners, SIGKILL required

2016-02-09 Thread David Birdsong
On Wed, Feb 3, 2016 at 7:48 PM Willy Tarreau wrote: > Hi David, > > On Tue, Feb 02, 2016 at 11:56:25PM +, David Birdsong wrote: > > Has nobody else run into this w/ consul? Given the plethora of tools > around > > consul and haproxy and templating, I know others are using

Re: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi Lukas, Lukas Tribus wrote: > I don't see it. Can you please elaborate what exact commit ID you are > referring to? I was looking at http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/src/ssl_sock.c;h=5cec6a4cd6ce5d16f9564e60fa57b24c46112bac;hb=HEAD#l2539 > As far as I can see we do the exact

RE: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Lukas Tribus
>> In HAProxy, this flag is currently statically disabled by default in >> src/ssl_sock.c line 2539. Thus, when used with older OpenSSL versions >> than 1.0.1r or 1.0.2f, users could be vulnerable. > > I don't see it. Can you please elaborate what exact commit ID you are > referring to? You are

AW: Offset in server definition not usable in 1.6.3

2016-02-09 Thread LGL Extern
Baptiste, thanks a lot for your patience and your detailed answer. And for you in French: I am sorry if you are angry now. > listen activemq-works > bind :8162 > bind :8192 > bind :9400 > option httpchk HEAD / > server zd-activemq-s21 10.50.241.93:+1 check > server

RE: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Lukas Tribus
> In HAProxy, this flag is currently statically disabled by default in > src/ssl_sock.c line 2539. Thus, when used with older OpenSSL versions > than 1.0.1r or 1.0.2f, users could be vulnerable. I don't see it. Can you please elaborate what exact commit ID you are referring to? As far as I can

RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi there, following CVE-2016-0701, the OpenSSL project switched the behavior of the SSL_OP_SINGLE_DH_USE flag to a no-op and forcefully enabled the feature. This results in OpenSSL always generating new DH parameters for each handshake which can protect the private DH exponent from certain

Re: lua core.register_task

2016-02-09 Thread Thierry FOURNIER
On Mon, 8 Feb 2016 21:20:25 +0100 Beluc wrote: > Hi, > Thank you for answering! > > On 8 Feb 2016 9:05 PM, "Thierry FOURNIER" > wrote: > > > > On Mon, 8 Feb 2016 18:36:38 +0100 > > Beluc wrote: > > > > > Hi, > > > > >

Limiting the size of the backend queues

2016-02-09 Thread Chris White
I have been looking at the documentation for haproxy and I can’t seem to find any way of limiting the size of each backend proxy queue. I can see how to limit the queue size and number of connections handled by each of the backend servers. I can see how to configure the backend queue timeout,

POST data logging works without option http-buffer-request

2016-02-09 Thread bjun...@gmail.com
Hi, I'm currently testing 1.6.3 and request body logging. I'm wondering that logging of req body even works without setting "option http-buffer-request". Also "no option http-buffer-request" seems to have no effect. Is this intended or have I missed something? simplified config: frontend

Silencing DOWN alerts if the backend wasn't seen UP before

2016-02-09 Thread Maciej Katafiasz
Hi, In our deployment we sometimes spin up a HAProxy container simultaneously with backends, and since they're registered the moment a container is spawned, they will be added to rotation immediately, before the process inside had a chance to start up. Because HAProxy starts up much faster, this

Re: Limiting the size of the backend queues

2016-02-09 Thread Willy Tarreau
On Tue, Feb 09, 2016 at 03:45:15PM +, Chris White wrote: > I have been looking at the documentation for haproxy and I can’t seem to > find any way of limiting the size of each backend proxy queue. I can see how > to limit the queue size and number of connections handled by each of the >

Re: Offset in server definition not usable in 1.6.3

2016-02-09 Thread Willy Tarreau
On Tue, Feb 09, 2016 at 01:26:30PM +, Grüninger, Andreas (LGL Extern) wrote: > I would perform the health checks on exactly the ports which are used for the > server definition. > I would use the default port and add the offset. Exactly that what is done > for the server definition. There's

Re: Old instances continue to accept connections after graceful reload

2016-02-09 Thread Willy Tarreau
On Mon, Feb 08, 2016 at 10:51:43PM -0800, Peter Mellquist wrote: > How can I get off this mailing list please! ( I love HAProxy but not all > the mails ). You have all the links here : http://www.haproxy.org/#tact If this doesn't work for you (there's no reason) you can e-mail me privately

Re: POST data logging works without option http-buffer-request

2016-02-09 Thread Willy Tarreau
On Tue, Feb 09, 2016 at 06:10:01PM +0100, bjun...@gmail.com wrote: > Hi, > > I'm currently testing 1.6.3 and request body logging. I'm wondering that > logging of req body even works without setting "option > http-buffer-request". Also "no option http-buffer-request" seems to have no > effect. >

Re: Silencing DOWN alerts if the backend wasn't seen UP before

2016-02-09 Thread Willy Tarreau
Hi, On Tue, Feb 09, 2016 at 01:59:40PM -0800, Maciej Katafiasz wrote: > Hi, > > In our deployment we sometimes spin up a HAProxy container > simultaneously with backends, and since they're registered the moment > a container is spawned, they will be added to rotation immediately, > before the

Re: Stats page refresh increases backend session count

2016-02-09 Thread Willy Tarreau
Hi Pedro, On Mon, Feb 08, 2016 at 05:05:02PM +, Pedro Mata-Mouros wrote: > Hi all, > > I was sure that stats page refreshes in the browser would not increase the > sessions on a given backend, but I’m seeing otherwise. Could you please > just confirm if this is normal, as I can’t