Re: Do I need more than HAProxy for SSL webserver

2009-06-10 Thread Holger Just
On 10.06.2009 17:26 Uhr, Tom Potwin wrote: Thanks for that advice. Does anyone know where there are any how-to's for setting up something like this? The architecture.txt file doesn't go into much detail. At our site, we are using nginx for that task. This is laid out as follows:

Re: Do I need more than HAProxy for SSL webserver

2009-06-11 Thread Holger Just
Erik Gulliksson wrote: On Wed, Jun 10, 2009 at 6:07 PM, Holger wrote: --- | Backend 1 | /

Re: haproxy include config

2009-06-12 Thread Holger Just
On 12.06.2009 23:08 Uhr, Joe Williams wrote: I looked through the docs but didn't see anything. Is it possible to include config files from the main config file? So you could do something similar to a vhosts.d directory in Apache or Nginx. Hello Joe! Unfortunately, this is not supported by

Re: haproxy include config

2009-06-15 Thread Holger Just
On 15.06.2009 6:36 Uhr, Timh Bergström wrote: Hello Holger, If nothing else, I would be interested in this script. Cheers, Timh So, after checking with my chief about opensourcing our stuff I can finally conclude: Yes we can! :) You can find the script at

Re: Stripping some response headers

2009-06-15 Thread Holger Just
On 15.06.2009 19:24 Uhr, Karl Pietri wrote: Due to some strange things we are doing with our logging we have a bunch of info in the response headers that would be nice to strip out before sending to the client. Is this possible in haproxy? Essentially we are logging things like the user_id

Re: Performance issue with images.

2009-06-16 Thread Holger Just
On 17.06.2009 1:29 Uhr, Yves Accad wrote: Please let me know any detail I need to provide you to help troubleshooting the issue. Yves, Unfortunately your descriptions are rather vague and my crystal ball is still getting fixed by the mechanics. Sorry... To help you in the meantime, would you

Re: Help needed

2009-06-17 Thread Holger Just
On 17.06.2009 19:59 Uhr, Karthik Pattabhiraman wrote: We use HAProxy 1.3.17 for our setup. We faced an issue where the requests were redirected to a wrong cluster. We are still not able to figure out why this happened and would really appreciate any help. Please find attached a sample

Re: Duplicate checks in backup servers?

2009-06-26 Thread Holger Just
Pedro Mata-Mouros Fonseca wrote: This is my first post into this mailing list, been following it for a few days. So, greetings from Portugal. I have a small doubt: I have a few backend sections defined in my haproxy.conf, one of each is composed of server1 to 4 - and all of them using the

Re: Redirection with 301 for all subdomains with exception

2009-07-03 Thread Holger Just
Falco SCHMUTZ wrote: But we need one action when some users used old link maybe like this :*** do you know if with the first acl

Re: haproxy include config

2009-07-09 Thread Holger Just
On 09.07.2009 7:15 Uhr, Willy Tarreau wrote: As I said in earlier mail, I have implemented the multiple file loading in 1.4-dev :;a=commit;h=5d01a63b7862235fdd3119cb29d5a0cfd04edb91 If many people are interested, I know it will be quite easy to

Re: ACLs + header manipulation

2009-07-14 Thread Holger Just
On 14.07.2009 18:12 Uhr, Jeremy wrote: Is it possible to use 'reqirep' to i.e. rewrite a Host header, only if a certain ACL matches? As far as I can tell it doesn't look like you can combine ACL's with the req* header manipulation commands but I just wanted to double check. Jeremy,

Re: haproxy administration web interface

2009-12-07 Thread Holger Just
Hi, On 07.12.09 20:49, Israel Garcia wrote: Hi, A simple question, is there any web interface to administer haproxy via web? A simple answer: Nope, at least no free one I have heard of. Maybe you could find something from However, I am currently looking into developing a

Re: Session stickiness over HTTP and HTTPS

2009-12-07 Thread Holger Just
On 07.12.09 23:19, Anthony Urso wrote: Hi: I am looking for advice on the best way to load-balance HTTP and HTTPS traffic such that once a session is established with either protocol, haproxy continues to send new requests from that session to the same web server. Is this a common use

Re: Does anyone have an init.d script for Debian?

2010-01-10 Thread Holger Just
Hi Craig, (sorry, for double posting, missed the correct button...) On 10.01.10 11:01, Craig Carl wrote: Does anyone know where I can find a /etc/init.d/haproxy script for Debian? The simplest approach would probably be to use the one shipped with the official Haproxy package for Debian.

Re: Mode tcp and ACL's - missing something obvious?

2010-01-27 Thread Holger Just
Hi Harvey On 2010-01-28 00:42, Harvey Yau wrote: I've been trying to use ACLs to block or choose a backend based on source IP address. It works perfectly in mode HTTP, but fails miserably in mode TCP. Is there something obvious that I'm missing or is this a bug? mode tcp acl myips src

Re: Manipulate packet payload

2010-02-02 Thread Holger Just
Hi On 2010-02-02 16:19, Anthony D wrote: I understand that HAproxy can do L7 header manipulation, however I read in the manual that it doesn't touch the data contents. Are there any plans for adding this option? I can not speak for Willy, but as content manipulation (and also some kinds of

Re: URL rewrite question

2010-02-04 Thread Holger Just
On 2010-02-04 21:15, Sriram Chavali wrote: I am trying to rewrite URLs using haproxy's reqirep directive. The url that I am trying to rewrite is of the pattern /action/register?param1=fooparam2=barparam3=baz The URL that I want to be rewritten is /newaction?param1=fooparam2=barparam3=baz

Re: URL rewrite question

2010-02-06 Thread Holger Just
On 2010-02-06 10:55, Willy Tarreau wrote: reqrep ([^\ ]*)\ /action.register\?([^]*)*param2=bar(.*) \1\ /newaction\?\2param2=bar\3 This does it. Looks like your Regex Kung Fu is stronger than mine. But well, it was late :) --Holger

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-27 Thread Holger Just
Hi all, On 2010-02-26 16:02, Willy Tarreau wrote: I'm obviously interested in any problem report :-) I'm trying to compile Haproxy 1.4 on Opensolaris Build 133 (i386 on a Core i7). This however fails. make TARGET=solaris CPU=i686 USE_STATIC_PCRE=1 SMALL_OPTS=-I/usr/include/pcre [...] gcc

Re: [ANNOUNCE] haproxy-1.4.0

2010-02-28 Thread Holger Just
Hi Willy, On 2010-02-28 07:29, Willy Tarreau wrote: Could you please try to add the two following lines at the top of the 3 faulty files (types/session.h, types/proxy.h, types/protocols.h) : #include <sys/types.h> #include <sys/socket.h> I think it should fix the build. Thanks for your

Re: [ANNOUNCE] haproxy-1.4.0

2010-03-02 Thread Holger Just
Hi Willy, On 2010-03-02 23:43, Willy Tarreau wrote: I could get the same errors on my ultra5 under solaris 8 which correctly builds 1.3. I finally tracked that down to the #define XOPEN_SOURCE 500 in auth.c. If I remove it, everything builds as before. just for the archives: 1.3 also

Re: queued health checks?

2010-03-20 Thread Holger Just
Hi Greg, On 2010-03-20 6:52 AM, Greg Gard wrote: i remember somewhere in the archives mention of a plan to make health checks get queued like any other request. did that happen in 1.4.x branch with all the work to health checks. i searched the archives, but didn't turn up what i remembered.

Re: Changing HA Proxy return codes

2010-04-07 Thread Holger Just
Hi Matt, On 2010-04-07 14:34, Matt wrote: If I wanted to change the error return code submitted by haproxy (not the backend server) is this possible? i.e. change haproxy to return a 502 when it's going to return a 504? You could (ab)use the errorfile parameter and have haproxy send arbitrary

Re: error page problem

2010-04-13 Thread Holger Just
Hi Mikołaj, On 2010-04-13 12:47, Mikołaj Radzewicz wrote: I was trying to configure custom error pages on haproxy but after wasting a lot of time I'm not successful. I wanted to serve it all the time as my backends give it to the clients. If I understand you correctly you want to check if one

Re: Hardware recommendations

2010-04-28 Thread Holger Just
On 2010-04-28 19:10, Alex Forrow wrote: We're looking to upgrade our HAProxy hardware soon. Does anyone have any recommendations on the things we should be looking for? e.g. Are there any NICs we should use/avoid? Hi Alex, I'm just writing down here what comes to my mind. Sorry if it looks a

Re: Downgrade backend request/response to HTTP/1.0

2010-05-04 Thread Holger Just
Hi Dave, On 2010-05-04 18:55, Dave Pascoe wrote: Is there a way in haproxy 1.4 to perform the equivalent function that these Apache directives perform? SetEnv downgrade-1.0 1 SetEnv force-response-1.0 1 i.e., force haproxy to downgrade to HTTP/1.0 even though the client is HTTP/1.1

Re: Different URL on backend

2011-01-24 Thread Holger Just
Sorry for the impersonation. My virtual identity setup got a bit overly excited and made an awful mess in the whole room. Guess I need some napkins now... --Holger

Re: Help on SSL termination and balance source

2011-06-09 Thread Holger Just
Habeeb, given your Apache does actually insert/append an X-Forwarded-For header you can use this statement instead of balance source in HAProxy: balance hdr(X-Forwarded-For) This has a few caveats you should be aware of. Users can set the X-Forwarded-Header themselves (which is done by some

Re: HAProxy for PostgreSQL Failover

2011-06-22 Thread Holger Just
Alan, On 2011-06-15 19:54, Alan Gutierrez wrote: I'd like to use HAProxy to implement a simple proxy that can perform failover for a pair of PostgreSQL configured as master/slave with PostgreSQL 9.0 streaming replication to replicate the master to the slave. Only the master is active for

Re: Parsing httplog with java

2011-07-04 Thread Holger Just
Hi Damien, On 2011-07-04 14:34, Damien Hardy wrote: Does anyone have ever done the regex to parse the haproxy apachelog. (we want to inject logs in hbase via flume :) although it's not directly targeted for Java, but written in Python, but I have already posted my approach of parsing the

Re: Automate backend registration

2011-08-03 Thread Holger Just
Jens, Many people have a script that builds a working configuration file from various bits and pieces. As the actual needed configuration typically isn't something which follows a common path but depends on the environment and the actual applications and a thousand other bits, there isn't a

Re: Haproxy -v 1.4.18 and amazon rds

2011-10-14 Thread Holger Just
Rhys, HAProxy resolves IPs of backend servers only once during startup. As new EC2 instances get a new IP on every startup, HAProxy doesn't find your new instance. Because of that, it is generally discouraged to use hostnames in backend specifications. You have basically two ways to solve that:

Re: Cookie persistence

2011-10-17 Thread Holger Just
On 2011-10-17 14:48, Ist Conne wrote: HAProxy is supported cookie-based persistence. But, cookie-based Load balancing has a patented F5 Networks. Without being a lawyer, I'd play the prior art card as HAProxy supported cookie based

Re: Autoscaling in haproxy with persistence sessions

2011-11-07 Thread Holger Just
On 2011-11-07 21:32, Erik Torlen wrote: If you get a burst against 3 active backend servers they will take care of all the request and connections. The clients that are active will then get a persistence sessions against 1 of these 3 servers. It will take ~5min to scale up a new server so

Re: Using same health check result for multiple backends

2011-12-21 Thread Holger Just
Damien, you can use the track keyword on the server line to define which server to, well, track. Find an example below: backend foo server foo1 check backend bar server bar1 track foo/foo1 --Holger On 2011-12-21 12:28, Damien Churchill wrote: Hi there, Apologies if

Re: Parsing Logs

2012-01-09 Thread Holger Just
Hi Joe, On 2012-01-09 14:25, Joseph Hardeman wrote: I was wondering if anyone has a way to parse the logs and present them in a friendly format? Such as with AWStats or another log parser. There is Logstash [1] which includes patterns for parsing the HAProxy HTTP log format. It can either

Re: Duplicate X-Forwarded-For

2012-02-01 Thread Holger Just
Hey, On 2012-02-01 17:41, habeeb rahman wrote: When there is X-Forwarded-For added by the client(I used chrome rest client) I can see haproxy is sending two X-Forwarded-For to the backend instead of appending the values. One is client sent and the other one is the one haproxy created newly. To

Re: Duplicate X-Forwarded-For

2012-02-01 Thread Holger Just
On 2012-02-01 20:00, habeeb rahman wrote: I know that apache comma separates the values for X-Forwarded-For and I thought haproxy behaves the same. Both types are semantically the same. So for an application, it shouldn't matter if you get these headers X-Forwarded-For:

Re: haproxy content switching on url parameters?

2012-07-29 Thread Holger Just
Reve, On 2012-07-28 19:46, Reve wrote: let's say I have this URL /blah?x1=5x2=-5y1=-1y2=50 I want to go to a different set of backends if x10, y10 - backends set 1 x10, y10 - backends set 2 x10, y10 - backends set 3 x10, y10 - backends set 4 You can't actually parse the URL and match

Re: haproxy content switching on url parameters?

2012-07-30 Thread Holger Just
On 2012-07-29 12:56, Reve wrote: How about parsing the same thing but if those have been posted as post, not get. When POSTing data, it will be transmitted in the request body. As the body size can be of an arbitrary size and caching and potentially parsing it would be a really complex, slow

Inaccurate message for errors on bind parsing

2012-10-24 Thread Holger Just
Hi there, after half a day of debugging (and subsequently kicking myself), I finally noticed that whenever HAProxy (1.5-dev12 in this case) encounters an unknown option on a bind line, it will error out with this message irregardless of OpenSSL being enabled or not: [ALERT] 296/194609

Re: Backend Configuration Templating

2013-02-06 Thread Holger Just
Hi Michael Glenney wrote: We do something similar with chef where we've turned each backend config associated with an application into json and can dynamically build configs based on an application list. Completely avoiding using a template. In my HAProxy Chef cookbook[1], I have defined

Re: AW: haproxy in cluster with pacemaker and corosync

2013-03-25 Thread Holger Just
Hi there, Wolfgang Routschka wrote: One question about the script. What means config in line 20 HAPROXY_CONFIG=/usr/local/sbin/ Configurationfile is setting on line 17 the haproxy-init script in that repo is basically the init script from the HAProxy Debian package from

Randomly added byte in GET request line with HAProxy 1.5 + OpenSSL

2013-06-14 Thread Holger Just
Hello all, we see some strange errors in our logs after having introduced HAProxy 1.5 snapshot 20130611 before our nginx. It seems like HAProxy sometimes (seldom) inserts a rather random byte as the second byte of a GET request line on SSL requests. Some (anonymized) log lines follow:

Re: Randomly added byte in GET request line with HAProxy 1.5 + OpenSSL

2013-06-14 Thread Holger Just
Hi Lukas, Lukas Tribus wrote: sounds like a tricky issue ... indeed :) - has the Windows 7 box all the latest patches from MS? Yes. - any reason not to use openssl1.0.1e? I couldn't get it to compile, or in fact, I could compile it, but it would break at the `make test` step and I

Re: HAProxy Next?

2013-12-17 Thread Holger Just
Annika Wickert wrote: - Include possibility in configfile to maintain one configfile for each backend / frontend pair There are several scripts out there which concat files in a well-known directory structure together to form a single final config file. These can be used in your init script

Re: problem w/ host header on download servers

2014-06-23 Thread Holger Just
Hi Bernhard, Bernhard Weißhuhn wrote: When downloading the tar.gz, the chef client sends :80 as part of the host header (which is legal from my understanding of the rfc). This header reliably results in a 404, whereas leaving out the port number results in a successful download: This

Re: how to sync HaProxy config with ZooKeeper

2014-07-10 Thread Holger Just
Hi, Зайцев Сергей Александрович wrote: So the question is - is the a way to synchronized HaProxy's configuration with ZooKeeper ( somehow ). Airbnb uses a tool called Synapse [1] as part of their Smartstack platform [2]. It integrates HAProxy and zookeeper to provide high availability by using

Updating a stick table from the HTTP response

2015-04-29 Thread Holger Just
server responses? * If this is not possible right now, would it be feasible to implement the possibility to track responses similar to what is possible with requests right now? Thank you for your feedback, Holger Just

Re: Choosing servers based on IP address

2015-06-03 Thread Holger Just
Hi Andy, Franks Andy (IT Technical Architecture Manager) wrote: Quick question – can anyone think of a way to change a server’s weight based on some criteria, for example source IP address? It would be so useful when dealing with a common service that has two distinct sites, and rules in

Re: Choosing servers based on IP address

2015-06-04 Thread Holger Just
Hi Andy, Please always CC the mailing list so that others can help you too and can learn from the discussion. Franks Andy (IT Technical Architecture Manager) wrote: Hi Holger, Sorry, I will elaborate a bit more! We are going to implement Microsoft exchange server 2010 (sp3) over two AD

Re: Updating a stick table from the HTTP response

2015-06-30 Thread Holger Just
sure on their own that the data required to update the stick table entry is still available? Thank you for your feedback. --Holger Holger Just wrote: Hello all, with HAProxy 1.5.11, we have implemented rate limiting based on some aspects of the request (Host header, path, ...). In our

Re: ha-proxy strange behavior with check localhost option

2015-08-10 Thread Holger Just
Hi BLN, bln prasad wrote: I'm not sure why health check is failing if it's localhost on few systems and this is observed with only 1.5.14 version. ideally there should not be any difference between localhost and right. Localhost can resolve to several different IPs, including *

Re: HAProxy does not write 504 on keep-alive connections

2015-11-11 Thread Holger Just
Hi, Willy Tarreau wrote: > As explained above, it's because a keep-alive enabled client must implement > the ability to replay requests for which it didn't get a response because > the connection died. In fact we're forwarding to the client what we saw on > the server side so that the client can

points to

2015-11-10 Thread Holger Just
Hi Willy, It seems that the loadbalancer or DNS configuration of is broken right now. When navigating to, only Willy's personal website, normally reachable at is returned. currently resolves to and 2001:7a8:363c:2::2. The

Re: points to

2015-11-10 Thread Holger Just
Hi Willy, Willy Tarreau wrote: > Some virtual host routing needs to be fixed there. For now the PSU was > replaced and everything's OK. Thanks for the quick turnaround! A+ support. Would buy again :) Best, Holger

Invalid 301 redirect target URL on

2016-06-09 Thread Holger Just
Hi, when navigating to a directory of the downloads section on while omitting the trailing slash, e.g. the response is a 301 redirect to which I assume is generated by the backend Apache by adding

Re: external-check error ??

2016-06-09 Thread Holger Just
Hi Hugo Hugo Delval wrote: > global > # [...] > chroot /var/lib/haproxy > > # [...] > > backend web-backend > balance roundrobin > option external-check > external-check path "/usr/bin:/bin:/tmp" > external-check command /bin/true > server web1 check >

Re: 100% cpu , epoll_wait()

2016-06-10 Thread Holger Just
Hi Willy et al., > Thank you for this report, it helps. How often does it happen, and/or after > how long on average after you start it ? What's your workload ? Do you use > SSL, compression, TCP and/or HTTP mode, peers synchronization, etc ? Yesterday, we upgraded from 1.5.14 to 1.5.18 and now

Re: Refuse connection if no certificate match

2016-06-22 Thread Holger Just
Hi Olivier, Olivier Doucet wrote: > Is there a way to not present the first loaded certificate and refuse > connection instead ? You can use the strict-sni argument on the bind line to force the client to speak SNI and refuse the TLS handshake otherwise. See the documentation for details at

Re: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi Lukas, Lukas Tribus wrote: >>> I don't see it. Can you please elaborate what exact commit ID you are >>> referring to? >> You are probably referring to the github fork, which is as always outdated, >> and where line 2539 points to the local definition of SSL_OP_SINGLE_DH_USE: >> #ifndef

Re: RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi Lukas, Lukas Tribus wrote: > I don't see it. Can you please elaborate what exact commit ID you are > referring to? I was looking at;a=blob;f=src/src/ssl_sock.c;h=5cec6a4cd6ce5d16f9564e60fa57b24c46112bac;hb=HEAD#l2539 > As far as I can see we do the exact

RFC: Statically enable SSL_OP_SINGLE_DH_USE

2016-02-09 Thread Holger Just
Hi there, following CVE-2016-0701, the OpenSSL project switched the behavior of the SSL_OP_SINGLE_DH_USE flag to a no-op and forcefully enabled the feature. This results in OpenSSL always generating a new DH parameters for each handshake which can protect the private DH exponent from certain

Re: http_date converter gives wrong date

2016-01-22 Thread Holger Just
rds, Holger From 32cf0c931f0c4bfd3ea687aa7399e4f95626b6ad Mon Sep 17 00:00:00 2001 From: Holger Just <> Date: Fri, 22 Jan 2016 19:23:43 +0100 Subject: [PATCH] BUG/MINOR: Correct weekdays in http_date converter Days of the week as returned by gmtime(3) are defined as the numbe

Re: use env variables in bind for bind options

2016-05-20 Thread Holger Just
Hi Aleks, Aleksandar Lazic wrote: > ### bind :${ROUTER_SERVICE_HTTP_PORT} > ${ROUTER_SERVICE_HTTP_PORT_BIND_OPTONS} ### > > It's look to me that this is not possible. To quote from Section 2.3 of configuration.txt: > Those variables are interpreted only within double quotes. Variables > are

Re: use env variables in bind for bind options

2016-05-20 Thread Holger Just
Hi Aleks, Aleksandar Lazic wrote: > My conclusion is that with or without " the ${...} is not substituted, > at least in the bind line. From your output, it looks like you are using an older version of HAProxy. The behavior of quoted strings in the config changed in HAProxy 1.6. It appears you

Re: I cannot %[] in server directive

2016-07-13 Thread Holger Just
Hi Takada, Takada Shigeomi wrote: > global > lua-load get_backend.lua > > listen example > mode tcp > bind :3-5 > server MYSERVER %[lua.backend] > --- > > ---ERROR CONTENT-- > [ALERT] 194/145111 (21636) : parsing [haproxy.cfg:20] : 'server

Re: counters for specific http status code

2016-07-13 Thread Holger Just
Hi Willy, Willy Tarreau wrote: >> At first I was thinking whether we could track the response status in stick >> table, then it may be neat. but currently there isn't `http-response >> track-sc?` directive. can it? > > Interesting. No it isn't, just because I think we never found a valid > use

Re: Strange behavior of sample fetches in http-response replace-header option

2017-02-07 Thread Holger Just
irect". However, I couldn't reproduce my issue when `http-request redirect`, neither with the patch nor without so it might also be a red herring. Regards, Holger Holger Just wrote: > Hi there, > > I observed some strange behavior when trying to use a `http-response > replace-header` ru

Re: Strange behavior of sample fetches in http-response replace-header option

2017-02-08 Thread Holger Just
Hi Christopher, Christopher Faulet wrote: > You did well to reopen the issue. And you're right, this bug is similar > to the one on redirect rules. I submitted a patch and it will be merged > soon by Willy (see "[PATCH] 2 fixes for replace-header rules"). Thank you for the fix! Best, Holger

Re: Hitting rate limit?

2017-01-17 Thread Holger Just
Hi Atha, Atha Kouroussis wrote: > Output from ab against haproxy: > Concurrency Level: 200 > Time per request: 49.986 [ms] (mean) If you check these numbers, you'll notice that with a time of 49 ms per request and 200 concurrent requests, you'll end up at exactly 4000 requests /

Strange behavior of sample fetches in http-response replace-header option

2016-10-05 Thread Holger Just
Hi there, I observed some strange behavior when trying to use a `http-response replace-header` rule. As soon as I start using fetched samples in the replace-fmt string, the resulting header value is garbled or empty (depending on the HAProxy version). Please consider the config in the attachment

Re: nbproc best practices

2016-10-04 Thread Holger Just
Hi Mariusz, Mariusz Gronczewski wrote: > we've come to the point when we have to start using nbproc > 1 (mostly > because going SSL-only in coming months) and as I understand I have > to bind each process to separate admin socket and then repeat every > command for each process, and in case of

Re: HAProxy reloads lets old and outdated processes

2016-10-25 Thread Holger Just
Hey Willy, Willy Tarreau wrote: > I absolutely despise systemd and each time I have to work on the > wrapper I feel like I'm going to throw up. So for me working on this > crap is a huge pain each time. But I'm really fed up with seeing > people having problems in this crazy environment because

Update of SSL certificate on

2016-12-27 Thread Holger Just
Hi Willy, Recently, you updated the SSL certificate of,, ... to a new certificate from StartSSL. Unfortunately, recently, there was an incident of several misissued certificates by this CA as well as shady business decisions involving WoSign which resulted in Chrome

Re: LUA: using converters in init phase

2017-03-24 Thread Holger Just
Hi Gabor, Gabor Lekeny wrote: > I would like to create a service which balances the HTTP requests on > many servers without passing through the traffic on the proxy: > actually it would redirect (HTTP 3xx) to the target server. You might be able to use the redir parameter [1] on the server line

Re: client connections being help open, despite option foceclose

2017-03-31 Thread Holger Just
Hi Patrick, Patrick Kaeding wrote: > I have one frontend, listening on port 443, and two backends, which send > traffic to either port 5050 or 5051. The haproxy stats screen is > showing many more frontend connections than backend (in one case, 113k > on the frontend, 97k on one backend, and 3k

Re: ACL with dynamic pattern

2017-04-11 Thread Holger Just
Hi Alexander, Alexander Lebedev wrote: > I want to implement CSRF check with haproxy. > I want to check cookie value matched the header value and deny request > if they're didn't equal. The ACLs are only equipped to compare a dynamic value (e.g. from a fetch) with a statically defined value. It

Re: Restricting RPS to a service

2017-04-19 Thread Holger Just
Hi Krishna, Krishna Kumar (Engineering) wrote: > Thanks for your response. However, I want to restrict the requests > per second either at the frontend or backend, not session rate. I > may have only 10 connections from clients, but the backends can > handle only 100 RPS. How do I deny or delay

Re: Restricting RPS to a service

2017-04-19 Thread Holger Just
Hi Krishna, Krishna Kumar (Engineering) wrote: > What is the way to rate limit on the entire service, without caring > about which client is hitting it? Something like "All RPS should be < > 1000/sec"? You can set a rate limit per frontend (in a frontend section): rate-limit sessions 1000

Re: fields vs word converter, unexpected "0" result

2017-08-01 Thread Holger Just
Hi Daniel, Daniel Schneller wrote: > root@haproxy-1:~# curl -s > Aug 1 15:12:55 haproxy-1 haproxy[3049]: > [01/Aug/2017:15:12:55.198] "0" > > While the first three are expected, the last one confuses me. Why would > leaving the header out result in “0”

Re: very low requests per second rate with option forceclose (now with details)

2017-08-16 Thread Holger Just
Hi Stefan Stefan Sticht wrote: > I also can test the webserver directly bypassing the haproxy completely > (apache2.4 on webserver has "KeepAlive Off” configured) > $ ab -v 1 -c 10 -n 1000 | grep -e > Requests -e Complete -e Failed > Complete requests:

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Holger Just
Hi Willy, Willy Tarreau wrote: > The thing is that we normally don't backport any feature anymore to > stable branches due to the terrible experience in 1.4 where too much > riskless stuff was backported, then fixed, then removed etc... making > each subsequent version a pain for certain users. >

Re: [PATCH] Add b64dec sample converter

2017-05-12 Thread Holger Just
Hi Willy, thanks for applying the patch! Willy Tarreau wrote: > Thanks for the warning, much appreciated. It made me re-read it after > applying it. But your code is fine, no problem detected! So you're > becoming a C programmer ;-) Yeah, we will see about that :) >> Once verified, I think

Re: Trouble getting rid of Connection Keep-Alive header

2017-06-21 Thread Holger Just
Hi Mats, Mats Eklund wrote: > I am running a load balanced Tomcat application on Openshift Online > v2, with HAProxy ver. 1.4.22 as load balancer. With your current config, HAProxy will add a "Connection: close" header to responses. However, since you mentioned you are running this in an

Re: Compare against variable string in ACL

2017-05-08 Thread Holger Just
Hi Tim. Tim Düsterhus wrote: > I basically want an ACL that matches if 'hdr(host) == ssl_fc_sni' to use > programming language terminology. This is not directly possible right now using haproxy ACLs since they are only able to compare a dynamic value (the fetch) to a static value. There is

Re: reqrep syntax

2017-05-08 Thread Holger Just
Hi Ari, Aristedes Maniatis wrote: > In the manual [1] there is an example for using reqrep with syntax > like this: > > # replace "/static/" with "/" at the beginning of any request path. > reqrep ^([^\ :]*)\ /static/(.*) \1\ /\2 > > [...] > > Firstly, is there no better/cleaner way to

[PATCH] Add b64dec sample converter

2017-05-05 Thread Holger Just
d, I think this converter can be safely added to the supported stable versions of HAProxy. Cheers, Holger From b6d63d491a82d9297b649b0a4bf043b93e8161ad Mon Sep 17 00:00:00 2001 From: Holger Just <> Date: Sat, 6 May 2017 00:56:53 +0200 Subject: [PATCH] MINOR: sample

Re: Will HAProxy community supports mailers section?

2017-08-24 Thread Holger Just
Hi Rajesh, Rajesh Kolli wrote: > i am getting this error if i use mailers section in my configuration. The ability to send mail alerts (and thus to configure this with a mailers section) was added in HAProxy 1.6. If you use an older version, this feature is not yet available to you. Once you

Re: Domain fronting

2018-05-07 Thread Holger Just
Hi Mildis (and this time the list too), Mildis wrote: > Is there a simple way to limit TLS domain fronting by forcing SNI and Host > header to be the same ? > Maybe add an optional parameter like "strict_sni_host" ? You can do a little trick here to enforce this without having to rely on

Re: HAProxy 1.8.4 crashing

2018-07-05 Thread Holger Just
Hi Praveen, There are several fixes for segfaults which might occur in your version of HAProxy. Before checking anything else, you should upgrade to the latest version of HAProxy 1.8 (currently 1.8.12). See for bugs fixed in this version compared to