RE: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Arnaud Jost
Hello Cyril, This also can be achieved by using 'disabled' keyword on server, and update CLI to enable it. Are you sure that using server-state file to keep server DOWN from previous health check is the expected behaviour? Maybe I'm wrong, but when I have a server in DOWN state because of

Re: HTTP/1.0 with compression enabled broken again in v1.7.9

2017-08-30 Thread Kristjan Koppel
On Tue, 29 Aug 2017 17:40:46 +0300 Christopher Faulet wrote > Damn! I was pretty sure to have tested this use-case when I fixed the > HTTP parser a few weeks ago. But clearly not, because the bug is back. > > Could you check if the attached patch fixes the

Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Cyril Bonté
> From: "Julien Laffaye" > Hello Cyril, > > > Well, you can also think of this use case which I find legit: > - you don't have probe > - you want to have probe so you add one and reload haproxy > - you realize your probe does not do what you intended, your backends > are

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Georg Faerber
On 17-08-30 09:33:23, Julian Zielke wrote: > Hi, > > I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup. > > So far the global settings look like: > > tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits > > ssl-default-bind-options force-tlsv12 no-sslv3 >

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Ok, so that’s not it. What about the ciphers output? -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de |

Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Georg Faerber
On 17-08-30 11:12:15, Julien Laffaye wrote: > On Wed, Aug 30, 2017 at 10:38 AM, Cyril Bonté wrote: > > > Well health checks or not, the state file reflects the state you want. > > You can absolutely imagine cases where health checks were never activated, > > and someone used

Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Julien Laffaye
On Wed, Aug 30, 2017 at 11:18 AM, Cyril Bonté wrote: > Isn't the state file part of the configuration? :-) > yes it is. it is also part of the previous working configuration.

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hi Georg, tried this already without effect. - Julian -Original Message- From: Georg Faerber [mailto:ge...@riseup.net] Sent: Wednesday, 30 August 2017 11:51 To: haproxy@formilux.org Subject: Re: Enable SSL Forward Secrecy On 17-08-30 09:33:23, Julian Zielke wrote: > Hi, > >

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Whoops, I copied the wrong line. Here’s the output: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA SRP-AES-256-CBC-SHA DH-DSS-AES256-GCM-SHA384

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Hi, You might want to include a link to your Qualys results to help others see what exactly they say. At a casual glance the ciphers look ok, but it would be easier to see the SSLlabs output. If you don’t want to share it, I suggest scrolling down and looking at the results of the per-browser

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hi, sure, I can share it since the site is secured already in many ways: https://www.ssllabs.com/ssltest/analyze.html?d=portal-vonovia.next-level-apps.com=on * Julian From: Daniel Schneller [mailto:daniel.schnel...@centerdevice.com] Sent: Wednesday, 30 August 2017 11:39 To:

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
The output is: Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Haproxy Version is 1.7.9. *

Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Cyril Bonté
> From: "Arnaud Jost" > To: haproxy@formilux.org > Sent: Wednesday 30 August 2017 10:01:37 > Subject: RE: Removed health check in combination with > load-server-state-from-file (Bug) > > > > > Hello Cyril, > > > This also can be achieved by using 'disabled' keyword on server, and

Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hi, I'm struggling with enabling SSL forward secrecy in my haproxy 1.7 setup. So far the global settings look like: tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits ssl-default-bind-options force-tlsv12 no-sslv3 ssl-default-bind-ciphers

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Also, please run haproxy -vv to get some idea about what SSL library it actually uses. -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Output is: SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA SRP-AES-256-CBC-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-SHA PSK-AES256-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA SRP-AES-128-CBC-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA PSK-AES128-CBC-SHA *

Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-30 Thread Julien Laffaye
On Wed, Aug 30, 2017 at 10:38 AM, Cyril Bonté wrote: > Well health checks or not, the state file reflects the state you want. > You can absolutely imagine cases where health checks were never activated, > and someone used the CLI to set a server DOWN. If you save the servers

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
The cipher suite list only shows two possible ciphers — both not suitable for FS. TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA This is also why all the modern browsers are marked as “No FS” — they can’t use a FS cipher. Try this on your haproxy instance: $ openssl ciphers

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Well, that’s quite extensive. But still, the server at portal-vonovia.next-level-apps.com only agrees to one of TLS_RSA_WITH_AES_256_CBC_SHA (0x35) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) which according to https://testssl.sh/openssl-rfc.mapping.html

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hi, I see the handshake failures in debug mode, yes. The machine only has IPTABLES running with a few rules but not SNAT, DNAT or any other kind of software instance in front of it. Here’s a small part of the config: frontend f_ui_https_vonovia_00_01 bind :443 ssl crt /dvol01/haproxy/certs/

Re: HAproxy 1.7 "Bad" errors on centos 7 haproxy@formilux.org

2017-08-30 Thread Denis Astahov
Try this, no errors: # Install HAProxy 1.5 and Upgrade to 1.7 sudo yum -y install haproxy # Install Generic Version (1.5) this will create necessary folders, config files, etc. wget https://www.haproxy.org/download/1.7/src/haproxy-1.7.9.tar.gz tar -xzf haproxy-1.7.9.tar.gz cd haproxy-1.7.9

Fwd: HAproxy 1.7 "Bad" errors on centos 7 haproxy@formilux.org

2017-08-30 Thread James Moore
Good evening, Hope you’re well, this is a bit cheeky but I’m hoping you may be able to advise ….. When I install haproxy on Centos 7 via the repo “ sudo yum install haproxy” it installs 1.5 and everything's fine. When I install via the below method I get an error saying the service is bad,

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Lukas Tribus
Hello, > Hehe yikes! This was it. It’s normal that someone gets lost in all > this cipher crap and it should be written in the HaProxy manual as > an important step on how to harden security. It's not a good idea to suggest specific cipher settings in the manual, as the situation may change

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Ok, running out of ideas here. You might want to try re-enabling TLS 1.0 and 1.1, just to see if the response clients see changes at all. Please post the haproxy log output — if necessary, reproduce on a separate instance, should it contain sensitive information. If that doesn’t shed any

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hehe yikes! This was it. It’s normal that someone gets lost in all this cipher crap and it should be written in the HaProxy manual as an important step on how to harden security. Thank you guys for your help! Really appreciate it! * Julian From: Daniel Schneller

Re: Issue with src_http_req_rate count

2017-08-30 Thread Frederic Lecaille
Hello Sikander, Sorry for this late reply. On 08/16/2017 01:24 PM, Sikander Dhaliwal wrote: Dear Support, We are using HA-Proxy version 1.8-dev1-7b67726 on four servers. To handle the DDOS attacks, we have configured sticky-table rules. The issue is, the same configuration is working on 3

Re: AW: Enable SSL Forward Secrecy

2017-08-30 Thread Cyril Bonté
> From: "Julian Zielke" > To: "Cyril Bonté" > Cc: haproxy@formilux.org > Sent: Wednesday 30 August 2017 15:11:47 > Subject: AW: Enable SSL Forward Secrecy > > Hi Cyril, > > tried it without success. Maybe HaProxy isn't just capable of doing >

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind “autocompleted” the missing trailing “E” in ECDH (/me facepalms). Thanks, Cyril, for pointing that out! I was starting to doubt myself here :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice

AW: Enable SSL Forward Secrecy

2017-08-30 Thread Julian Zielke
Hi Cyril, tried it without success. Maybe HaProxy isn't just capable of doing this. Julian -Original Message- From: Cyril Bonté [mailto:cyril.bo...@free.fr] Sent: Wednesday, 30 August 2017 14:49 To: Julian Zielke Cc: haproxy@formilux.org

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Cyril Bonté
Hi Julian, > From: "Julian Zielke" > Hi, > > I’m struggling with enabling SSL forward secrecy in my haproxy 1.7 > setup. > > So far the global settings look like: > > tune.ssl.default-dh-param 2048 # tune shared secret to 2048bits > ssl-default-bind-options

[SPAM] Fw: Self-Affirmation Audio "Think Lean - Get Lean"

2017-08-30 Thread panrbl
Hi! The simplest and most powerful secrets to overcoming life's common obstacles.How to tap into "invisible" sources of motivation to stay on track with your goals. A powerful, but rarely used, mind-trick to reverse negative situations into positive ones.Check it out continue

Re: HAproxy 1.7 "Bad" errors on centos 7 haproxy@formilux.org

2017-08-30 Thread Juriy Strashnov
Sorry, I've forgotten: rpmbuild -bs /root/rpmbuild/SPECS/haproxy.spec before mock. On Thu, Aug 31, 2017 at 6:40 AM, Juriy Strashnov wrote: > Hi! > > To use HAProxy 1.7 on CentOS 7 you can simply recompile src.rpm from > Fedora repo. You only need to disable LUA support

Re: HAproxy 1.7 "Bad" errors on centos 7 haproxy@formilux.org

2017-08-30 Thread Juriy Strashnov
Hi! To use HAProxy 1.7 on CentOS 7 you can simply recompile src.rpm from Fedora repo. You only need to disable LUA support in spec-file. It is not very tricky: rpm -Uvh