Re: Secondary load balancing method (fallback)

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 02:00:24PM -0700, redundantl y wrote: > Is it possible to configure a secondary load balancing method, something to > fall back on if the first method isn't met? > > For example, if I balance on the url_param email: > > balance url_param email > > Can it instead

Re: OpenSSL engine and async support

2017-05-12 Thread Grant Zhang
> On May 10, 2017, at 04:51, Emeric Brun wrote: > >> It looks like the main process stalls at DH_free(local_dh_1024) (part of >> __ssl_sock_deinit). Not sure why but I will debug and report back. >> >> Thanks, > > I experienced the same issue (stalled on a futex) if I run

Re: hostname to IP converter possible?

2017-05-12 Thread Willy Tarreau
Hi Igor, On Sat, May 13, 2017 at 12:58:19AM +0800, Igor Pav wrote: > Hi list, > > Is there now a converter for hostname to IPv4 available in haproxy? Funny that you asked the same question one year ago, but you didn't get a response, you are patient :-) Server addresses can be dynamically

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Frederic Lecaille
On 05/12/2017 09:37 AM, Willy Tarreau wrote: On Fri, May 12, 2017 at 08:58:56AM +0200, Lukas Tribus wrote: Hi, On 11.05.2017 at 21:13, Jim Pingle wrote: On 05/11/2017 01:58 PM, Frederic Lecaille wrote: I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM. Replacing

Re: haproxy + RDP

2017-05-12 Thread Aleksandar Lazic
Hi Antonio Trujillo Carmona. Antonio Trujillo Carmona wrote on Fri, 12 May 2017 10:23:59 +0200: > On 11/05/17 at 15:06, Aleksandar Lazic wrote: > > .../ > > How about activating the 'option tcp-check' as mentioned in the > > Warning? > > In the config below it's commented, any

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Frederic Lecaille
On 05/12/2017 09:52 AM, Willy Tarreau wrote: On Fri, May 12, 2017 at 09:48:56AM +0200, Frederic Lecaille wrote: On 05/12/2017 09:37 AM, Willy Tarreau wrote: On Fri, May 12, 2017 at 08:58:56AM +0200, Lukas Tribus wrote: Hi, On 11.05.2017 at 21:13, Jim Pingle wrote: On 05/11/2017 01:58 PM,

Re: Reloading maps?

2017-05-12 Thread Willy Tarreau
On Thu, May 11, 2017 at 04:23:14PM -0700, James Brown wrote: > Is there any good way to reload a map, short of either (a) reloading > haproxy every time the map changes, or (b) feeding the entire map into the > control socket as a series of `set map` statements? > > I've got a map generated by an

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 08:58:56AM +0200, Lukas Tribus wrote: > Hi, > > > On 11.05.2017 at 21:13, Jim Pingle wrote: > > On 05/11/2017 01:58 PM, Frederic Lecaille wrote: > >> I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM. > >> > >> Replacing your call to close() by

Re: haproxy not creating stick-table entries fast enough

2017-05-12 Thread Willy Tarreau
On Tue, May 09, 2017 at 09:43:22PM -0700, redundantl y wrote: > For example, I have tried with the latest versions of Firefox, Safari, and > Chrome. With 30 elements on the page being loaded from the server they're > all being loaded within 70ms of each other, the first 5 or so happening on > the

Re: haproxy + RDP

2017-05-12 Thread Antonio Trujillo Carmona
On 11/05/17 at 15:06, Aleksandar Lazic wrote: > .../ > How about activating the 'option tcp-check' as mentioned in the > Warning? > In the config below it's commented, any reason why? > > It's also active in the doc which you maybe know. > >

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Lukas Tribus
Hi, On 11.05.2017 at 21:13, Jim Pingle wrote: > On 05/11/2017 01:58 PM, Frederic Lecaille wrote: >> I have reproduced (at home) the stats socket issue within a FreeBSD 9.3 VM. >> >> Replacing your call to close() by fd_delete() which removes the fd from >> the fd set used by kevent *and close

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 09:48:56AM +0200, Frederic Lecaille wrote: > On 05/12/2017 09:37 AM, Willy Tarreau wrote: > > On Fri, May 12, 2017 at 08:58:56AM +0200, Lukas Tribus wrote: > > > Hi, > > > > > > > > > On 11.05.2017 at 21:13, Jim Pingle wrote: > > > > On 05/11/2017 01:58 PM, Frederic

Re: hostname to IP converter possible?

2017-05-12 Thread Igor Pav
Thanks, Willy. I found DNS infrastructure improved a lot this year, so I ask it again, hope it is not so stupid :-) On Sat, May 13, 2017 at 7:19 AM, Willy Tarreau wrote: > Hi Igor, > > On Sat, May 13, 2017 at 12:58:19AM +0800, Igor Pav wrote: >> Hi list, >> >> Is there now a

[PATCH] MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list

2017-05-12 Thread Emmanuel Hocdet
Hi, This patch depends on "[Patches] TLS methods configuration reworked". Actually it will only work with BoringSSL because haproxy uses a special ssl_sock_switchctx_cbk with a BoringSSL callback to select the certificate before any handshake negotiation. This feature (and others depending on this

Re: Bug: DNS changes in 1.7.3+ break UNIX socket stats in daemon mode with resolvers on FreeBSD

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 10:20:56AM +0200, Frederic Lecaille wrote: > Here is a more well-formed patch. > Feel free to amend the commit message if not enough clear ;) It was clear enough, thanks. I added the mention of the faulty commit, that helps tracking backports and credited Jim and Lukas for

Re: [PATCH] Lua medium bugfix

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 04:41:48PM +0200, Thierry Fournier wrote: > Hi, > > A patch fixing a medium bug in attachment. > The backport in 1.6 and 1.7 is easy: it doesn't generate conflicts. > > In case a Lua sample-fetch or converter doesn't return any > value, an access outside

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Willy Tarreau
Hi Holger, On Sat, May 06, 2017 at 02:08:29AM +0200, Holger Just wrote: > This patch against current master adds a new b64dec converter. It takes > a base64 encoded string and returns its decoded binary representation. > > This converter can be used to e.g. extract the username of a basic auth >

Re: [RFC][PATCHES] seamless reload

2017-05-12 Thread Willy Tarreau
Hi Pavlos, Olivier, On Mon, May 08, 2017 at 02:34:05PM +0200, Olivier Houchard wrote: > Hi Pavlos, > > On Sun, May 07, 2017 at 12:05:28AM +0200, Pavlos Parissis wrote: > [...] > > Ignore what I wrote, I am an idiot as I forgot the most > > important bit of the test, to

Re: [PATCH v3] MINOR: ssl: add prefer-client-ciphers

2017-05-12 Thread Willy Tarreau
On Thu, May 04, 2017 at 03:45:40PM +, Lukas Tribus wrote: > Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], > which may not always be a good thing. (...) Now merged, thank you Lukas! Willy

Re: Quick (hopefully) question about clearing stick table entry

2017-05-12 Thread Willy Tarreau
Hi Franks, On Wed, May 10, 2017 at 10:29:08AM +, Franks Andy (IT Technical Architecture Manager) wrote: > Hi all, > Is there a way to clear a stick table entry (using socat obviously) by > referring to the individual 'reference' id given at the beginning of the > entry, e.g.

Re: Limiting bandwidth of connections

2017-05-12 Thread Willy Tarreau
Hi Robin, On Wed, May 10, 2017 at 09:15:44PM +, Robin H. Johnson wrote: > Hi, > > I'm wondering about the status of bandwidth limiting that was originally > planned for 1.6. > > In the archives I see discussions in 2012 & 2013; Willy's responses: > 2012-04-17 planned for 1.6: >

Re: [Patches] TLS methods configuration reworked

2017-05-12 Thread Willy Tarreau
Hi guys, On Tue, May 09, 2017 at 11:21:36AM +0200, Emeric Brun wrote: > It seems to do what we want, so we can merge it. So the good news is that this patch set now got merged :-) Thanks for your time and efforts back-and-forth on this one! Willy

[PATCH] Lua medium bugfix

2017-05-12 Thread Thierry Fournier
Hi, A patch fixing a medium bug in attachment. The backport in 1.6 and 1.7 is easy: it doesn't generate conflicts. In case a Lua sample-fetch or converter doesn't return any value, an access outside the Lua stack can be performed. This patch checks the stack size before

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Willy Tarreau
Hi, On Tue, May 09, 2017 at 07:04:01PM +0200, Daniel Schneller wrote: > Hi! > > > On 9. May. 2017, at 00:30, Lukas Tribus wrote: > > > > [...] > > I'm opposed to heavy feature-bloating for provisioning use-cases, that > > can quite easily fixed where the fix belongs - the

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Holger Just
Hi Willy, Willy Tarreau wrote: > The thing is that we normally don't backport any feature anymore to > stable branches due to the terrible experience in 1.4 where too much > riskless stuff was backported, then fixed, then removed etc... making > each subsequent version a pain for certain users. >

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 05:39:28PM +0200, Holger Just wrote: > >> Once verified, I think this converter can be safely added to the > >> supported stable versions of HAProxy. > > > > Yes I think it can make sense to backport it at least to 1.7, it can > > help sometimes. > > That would be much

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Daniel Schneller
Willy, thanks for your elaborate reply! See my remarks below. > possible impacts nor complexity (but I don't want to have the complete MS > Office suite merged in, just Word, Excel and PowerPoint :-)). :-D > - renewed certs can and will sometimes provide extra alt names, so > they are not

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Holger Just
Hi Willy, thanks for applying the patch! Willy Tarreau wrote: > Thanks for the warning, much appreciated. It made me re-read it after > applying it. But your code is fine, no problem detected! So you're > becoming a C programmer ;-) Yeah, we will see about that :) >> Once verified, I think

Re: Failed to compile haproxy with lua on Solaris 10

2017-05-12 Thread Benoît GARNIER
On 12/05/2017 at 15:54, Willy Tarreau wrote: > Hi Benoît, > > On Thu, May 04, 2017 at 08:50:33AM +0200, Benoît GARNIER wrote: > (...) >> If you do the following operation: time_t => localtime() => struct tm >> => timegm() => time_t, your result will be shifted by the timezone time >> offset (but

Re: haproxy

2017-05-12 Thread Bryan Talbot
> On May 11, 2017, at May 11, 7:51 AM, Jose Alarcon > wrote: > > Hello, > > excuse me, my English is very bad, I need to know how to change the haproxy configuration > passive/active manually, not using keepalived. > There is no standard way because that is not a feature of

Re: haproxy not creating stick-table entries fast enough

2017-05-12 Thread redundantl y
On Fri, May 12, 2017 at 12:51 AM, Willy Tarreau wrote: > On Tue, May 09, 2017 at 09:43:22PM -0700, redundantl y wrote: > > For example, I have tried with the latest versions of Firefox, Safari, > and > > Chrome. With 30 elements on the page being loaded from the server > they're >

Re: haproxy not creating stick-table entries fast enough

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 10:20:02AM -0700, redundantl y wrote: > As I've said before, the issue here is these objects aren't hosted on the > same server that they're being called from. > > "A separately hosted application will generate HTML with several (20-30) > elements that will be loaded

hostname to IP converter possible?

2017-05-12 Thread Igor Pav
Hi list, Is there now a converter for hostname to IPv4 available in haproxy? Regards, Igor

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Willy Tarreau
On Fri, May 12, 2017 at 06:42:20PM +0200, Daniel Schneller wrote: > > That said, given that we can already look up a cert based on a name, > > maybe in fact we could load all of them and just try to find a more > > recent one if the first one reported by the SNI is outdated. I don't > > know if

Re: haproxy not creating stick-table entries fast enough

2017-05-12 Thread redundantl y
On Fri, May 12, 2017 at 10:46 AM, Willy Tarreau wrote: > On Fri, May 12, 2017 at 10:20:02AM -0700, redundantl y wrote: > > As I've said before, the issue here is these objects aren't hosted on the > > same server that they're being called from. > > > > "A separately hosted

Re: [PATCH]: CLEANUP/MINOR: retire obsoleted USE_GETSOCKNAME build option

2017-05-12 Thread Willy Tarreau
On Thu, May 11, 2017 at 01:04:50PM +0300, Dmitry Sivachenko wrote: > Hello, > > this is a patch to nuke obsoleted USE_GETSOCKNAME build option. Applied, thanks Dmitry. BTW, your attached patch was strangely missing a header so I rewrote the commit message since this one was not too hard to

Re: Failed to compile haproxy with lua on Solaris 10

2017-05-12 Thread Willy Tarreau
Hi Benoît, On Thu, May 04, 2017 at 08:50:33AM +0200, Benoît GARNIER wrote: (...) > If you do the following operation: time_t => localtime() => struct tm > => timegm() => time_t, your result will be shifted by the timezone time > offset (but without any DST applied). > > Technically, if you live

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

2017-05-12 Thread Willy Tarreau
On Tue, May 09, 2017 at 12:12:42AM +0200, Lukas Tribus wrote: > Haproxy can verify the certificate of backend TLS servers since day 1. > > The only thing missing is client SNI based backend certificate > verification, which yes - since we can pass client SNI to the TLS server > - we need to

Secondary load balancing method (fallback)

2017-05-12 Thread redundantl y
Is it possible to configure a secondary load balancing method, something to fall back on if the first method isn't met? For example, if I balance on the url_param email: balance url_param email Can it instead balance on another url_param: balance url_param id Or have it balance based