On 2019-09-18 at 08:27 +0200 Lukas Tribus sent off:
> If you want to see the ulimit value move, bump your global maxconn and you
> will see how haproxy adjusts the ulimit.
true, I can confirm this.
Thanks
Björn
On 2019-09-18 at 08:06 +0200 Björn Jacke sent off:
> unless the systemd limit is removed with the change I made in the systemd
> service file?
systemd uses cgroups and cgroup limits, which are enforced independently from
ulimits, and this is probably why this is required and why h
Hi,
On 2019-09-18 at 01:23 +0200 Lukas Tribus sent off:
> On Wed, Sep 18, 2019 at 1:14 AM PR Bot
> wrote:
> > Description:
> >systemd by default limits the max open files to 1k, which also limits
> >the socket connections to 1k, the service script must be told to
> >remove the limit.
Hi,
I would like to compare two different stick-table values in an ACL. What
I tried to do was an obvious comparison like this:
http-request deny if { sc_conn_rate(0) le sc_http_req_rate(1) }
but this results in:
[ALERT] 340/213554 (9804) : parsing [/etc/haproxy/haproxy.cfg:203] :
error
Hi,
currently if you use stick-tables and you follow most of the examples
and tutorials out there, you use it with "stick-table type ip ...". I
guess that many people (like me in the beginning) don't realize that ip
is IPv4 only and you have to use type ipv6 to have support for IPv4
*and*
Hello Aleksandar,
On 20.12.19 15:28, Aleksandar Lazic wrote:
It's mentioned in the doc, isn't it.
http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-stick-table%20type
yes it is but it's not nice that "ip" does not include v6 and that most
of the example config sniplets are
Hello,
I looked into setting up an ACL using Forward-confirmed reverse DNS
(FCrDNS) to verify clients like googebot.
I looked into "http-request do-resolve" for this but as far as I can see
it only allows "ipv4" and "ipv6" resolution but no other generic DNS
lookups. Is there a reason why it
On 09.03.20 20:37, Lukas Tribus wrote:
>> I think the wording from the patch is still quite relaxed :). One of the best
>> summaries describing the session ticket flaws, which I recommend is this:
>> https://blog.filippo.io/we-need-to-talk-about-session-tickets/
> Nothing about this is a MITM
On 2020-03-09 at 17:44 +0100 Lukas Tribus sent off:
> Perhaps we can relax the wording a bit here and describe the actual
> technical issue along with some recommendations. Apache for example
> documents [1]:
I think the wording from the patch is still quite relaxed :). One of the best
summaries
Hi Reinhard,
On 08.09.20 21:20, Reinhard Vicinus wrote:
> the only official supported way to identify a google bot is to run a
> reverse DNS lookup on the accessing IP address and run a forward DNS
> lookup on the result to verify that it points to accessing IP address
> and the resulting domain
Hi,
I ran into an issue with haproxy 2.2.6, where I'm not sure if this is
working as intended or not. I have a frontend, which has a ssl cert
configured in a combined pam file, containing the private, public and
intermediate certificate. The bind line looks like this:
bind 203.0.113.1 ssl crt
Hi William,
On 08.12.20 15:13, William Lallemand wrote:> I then updated the
certificate this way:
>
> $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat
> server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
> Transaction created for certificate
Hi William,
On 09.12.20 09:27, William Lallemand wrote:
> $ echo -e -n "@1 set ssl cert server1.fullchain.pem <<\n$(cat
> server2.fullchain.pem)\n\n" | socat - /tmp/master.socket
> $ echo -e "@1 set ssl cert server1.fullchain.pem.ocsp <<\n$(base64 -w
> 1
Hello William,
On 10.12.20 15:55, William Lallemand wrote:
>> As far as I can see the "set ssl cert fullchain.pem.ocsp" method is
>> *generally* suitable to update ocsp responses and can be used as a drop
>> in replacement for the "set ssl ocsp-response" method, which is not
>> working correctly
Hi William,
On 11.12.20 12:29, William Lallemand wrote:
> If we want the "set ssl ocsp-response" command to work in this particular
> case,
> I think we need to change the key, but the problem is that the OCSP response
> only contains an OCSP_CERTID for helping us finding where we should apply
Hello,
okay, the link to the MR patch landed on the list, so I assume I don't
need to attache it here again. Confusing, that the issues are tracked
there...
Cheers
Björn
On 12.01.21 20:22, PR Bot wrote:
> Dear list!
>
> Author: Björn Jacke
> Number of patches: 1
>
> Th
Hi,
On 19.10.21 11:06, Christopher Faulet wrote:
Sorry Björn, I missed your reply. It is strange, there is no known bug
in this area for now. There is probably something in the request or
response headers preventing the compression to be enabled.
I found the error: the "compression offload"
Hi,
I noticed that the compression offload feature is not working with
backends using h2. I couldn't find any note in the documentation that
the compression offload feature is limited to http 1 only. Is it a bug
that it doesn't work with http2 or is it by design and just the
documentation
On 15.10.21 10:10, Christopher Faulet wrote:
It should work. What is your HAProxy version ?
2.4.7
Björn
Hi,
are there any objections for adding ::1 to the LOCALHOST acl? See
attached patch...
Björn
>From 5dcb29346e65549afdaaa035468f8d9d8c9c23ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?=
Date: Fri, 15 Oct 2021 16:32:15 +0200
Subject: [PATCH] MINOR: add ::1 to predefined
Hi Willy,
On 07.10.21 08:57, Willy Tarreau wrote:
I'm attaching the experimental patch I added on top of yours to produce
that output. Be careful, it contains the setsockopt() redefinition and
the resizing of the protocol_bind_all() buffer. Also I spotted a leftover
from an earlier "msg" that
. The
frontend support is working fine for me already.
Björn
On 15.01.21 11:17, Willy Tarreau wrote:
Hi Björne,
On Tue, Jan 12, 2021 at 08:40:44PM +0100, Björn Jacke wrote:
Hello,
okay, the link to the MR patch landed on the list, so I assume I don't
need to attache it here again. Confusing
Hello,
I just experienced that maxconn can easily not work as expected and lead
to unavailable services. Take this example backend configuration of a
2.8.3 haproxy setup:
backend bk_example
balance first
server server1 192.168.4.1:8000 id 1 maxconn 10
server server2
23 matches
Mail list logo