Re: srv_is_up : unable to find server.

2018-06-05 Thread Jerome Magnin
Hi Brent, On Tue, Jun 05, 2018 at 01:18:36PM +0200, Brent Clark wrote: > Good day Guys > > I am at a total loss, and Im hoping someone on this list, would be so kind > to review my setup. > > I am trying to get haproxy to monitor redis / sentinel. But I keep getting. > > [WARNING] 155/110602

Re: Alpn in debian/ubuntu ppa 1.8

2018-01-25 Thread Jerome Magnin
Hi Igor, On Thu, Jan 25, 2018 at 11:26:14PM +1100, Igor Cicimov wrote: > Hi, > > I was testing haproxy 1.8 from the ppa repository and noticed it is not > build with alpn support so just wonder why? what's the output of haproxy -vv ? Jérôme

Re: Use SNI with healthchecks

2018-04-23 Thread Jerome Magnin
Hi Vincent, On Mon, Apr 23, 2018 at 02:38:32PM +, GALLISSOT VINCENT wrote: > Hi all, > > > I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront > distributions as backend servers. > > I saw in this mailing-list archives that SNI is not used by default even when >

Re: Difference between rspdel and http-response del-header use case?

2018-11-15 Thread Jerome Magnin
Hi, On Thu, Nov 15, 2018 at 02:01:18PM +, Ricardo Fraile wrote: > Hello, > > > What is the difference between using one of the following rules instead > of the other? > > I think that rspdel is the historic way to do, but maybe it have other > implications. > > > rspdel ^Server.* > > or

Re: Combine different ACLs under same name

2018-10-05 Thread Jerome Magnin
Hello, On Fri, Oct 05, 2018 at 10:46:20AM +0200, Ricardo Fraile wrote: > Hello, > > > I have tested that some types of acls can't be combined, as example: > > Server 192.138.1.1, acl with combined rules: > > acl rule1 hdr_dom(host) -i test.com > acl rule1 src 192.168.1.2/24 >

Re: DNS resolution issue with Docker swarm and HAProxy 1.8.15/1.9.0

2018-12-20 Thread Jerome Magnin
Hi, On Thu, Dec 20, 2018 at 03:42:40PM +0100, Leonhard Wimmer wrote: > Hello, > > We are running HAProxy in our Docker (18.09.0) swarm and we are relying on > the Docker embedded DNS server for service discovery. > > The backend servers are configured to resolve the IP addresses via a >

Re: DNS resolution issue with Docker swarm and HAProxy 1.8.15/1.9.0

2018-12-20 Thread Jerome Magnin
Hi Vincent, On Thu, Dec 20, 2018 at 10:22:25PM +0100, Vincent Bernat wrote: > ❦ 20 décembre 2018 17:14 +01, Willy Tarreau : > > >> this is indeed a regression in haproxy. thanks for reporting it. > >> attached patch should fix it. > >> CC'ing Remi as the original author, and Baptiste, as DNS

Re: sample fetch: add bc_http_major

2018-12-07 Thread Jerome Magnin
Hi Aleks, On Fri, Dec 07, 2018 at 01:46:53PM +0100, Aleksandar Lazic wrote: > Hi Jerome. > [...] > I suggest to use a dedicated function for that, jm2c. > > { "bc_http_major", smp_fetch_bc_http_major, 0, NULL, SMP_T_SINT, > SMP_USE_L4SRV }, > If you look at src/ssl_sock.c there are several

sample fetch: add bc_http_major

2018-12-07 Thread Jerome Magnin
Hi, the attached patch adds bc_http_major. It returns the HTTP major encoding of the backend connection, based on the the on-wire encoding. Jérôme >From e0a28394ea2da5757c1e72773ab4c9fb97565a35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Magnin?= Date: Fri, 7 Dec 2018 09:03:11

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Jerome Magnin
On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote: > Hi list > > When I enable health-checks on the backend, then the backend comes not up, > because of "Layer7 invalid response". The backend is a simple nginx with > http2 enabled. As I mentioned: When I directly talk to the backend with >

Re: http2-issue with http2 enabled on frontend and on backend

2019-02-26 Thread Jerome Magnin
On Tue, Feb 26, 2019 at 11:19:12AM +0100, Tom wrote: > Hi list > > I'm using haproxy-1.9.4 and trying to enable http2 in frontend and on one > backend server (nginx with http2 enabled). I'm always receiving a http/502 > from haproxy. I'm successfully able to directly talk to the backend with >

Re: Server IP address not being preserved from server state file

2019-07-11 Thread Jerome Magnin
Hi On Thu, Jul 11, 2019 at 12:15:19PM -0400, Shaun Tarves wrote: > Hi - > > I am trying to determine why my servers' IP address is not being preserved > through a reload when written to the server state file. I'm using version > 1.9.8 on alpine linux. > > CONFIGURATION: > global >

Re: FreeBSD CI builds fail

2019-07-29 Thread Jerome Magnin
On Tue, Jul 23, 2019 at 08:37:37PM +0200, Jerome Magnin wrote: > On Tue, Jul 23, 2019 at 07:09:57PM +0200, Tim Düsterhus wrote: > > Jérôme, > > Ilya, > > > > I noticed that FreeBSD CI fails since > > https://github.com/haproxy/haproxy/commit/885f64f

Re: fullconn not working

2019-07-16 Thread Jerome Magnin
Hi Patrick, On Tue, Jul 16, 2019 at 09:40:31AM -0400, Patrick Hemmer wrote: > > > > *From:* Pavlos Parissis [mailto:pavlos.paris...@gmail.com] > *Sent:* Tuesday, July 16, 2019, 09:32 EDT > *To:* haproxy@formilux.org >

Re: FreeBSD CI builds fail

2019-07-23 Thread Jerome Magnin
On Tue, Jul 23, 2019 at 07:09:57PM +0200, Tim Düsterhus wrote: > Jérôme, > Ilya, > > I noticed that FreeBSD CI fails since > https://github.com/haproxy/haproxy/commit/885f64fb6da0a349dd3182d21d337b528225c517. > > > One example is here: https://github.com/haproxy/haproxy/runs/169980019 > > It

Re: [PATCH] DOC: give a more accuration description of what check does

2020-04-28 Thread Jerome Magnin
he context of checks. I don't think there are ways around this. - the "alpn" setting of a server line is also not used for checks, one must define it with check-alpn. This will probably change soon now that haproxy can do h2 checks natively. Jérôme >From 6a8e8ecfa

[PATCH] DOC: give a more accuration description of what check does

2020-04-26 Thread Jerome Magnin
Hi, here's a documentation patch for the check keyword. regards, Jérôme >From 10e90939d9fd1bd4f1e651d679d0b99e8da91afb Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Apr 2020 14:23:04 +0200 Subject: [PATCH] DOC: give a more accurate description of what check does The documentat

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
Hi Norman, On Wed, Apr 22, 2020 at 03:29:28PM +, Branitsky, Norman wrote: > HA-Proxy version 1.7.10-a7dcc3b 2018/01/02 > SSL Labs reports the CBC ciphers are "weak": > > [cid:image002.jpg@01D6117D.1C8AC910] > > I've tried to explicitly negate these ciphers with an "!" in haproxy.cfg to > no

Re: [PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 12:06:15PM +0200, Jerome Magnin wrote: > Hi, > [...] > The other patch adds a new keyword in global section to set default bind > curves. > I updated the second patch to remove the ability to set the default curves at build time because I did it wrong a

Re: How to suppress weak ciphers

2020-04-23 Thread Jerome Magnin
On Thu, Apr 23, 2020 at 03:59:59AM +, Branitsky, Norman wrote: > Jerome, > > Thanks for the clarification. > > This string: > > CHACHA20:AESGCM:AESCCM:!RSA > resulted in an F grade from SSL Labs due to the inclusion of TLS_DH_anon > ciphers: > > [cid:image001.jpg@01D61902.1FDF86A0] > >

[PATCH] ssl defaults enhancements

2020-04-22 Thread Jerome Magnin
to set default bind curves. Jérôme >From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 22 Apr 2020 11:40:18 +0200 Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are not used Documentation states that default setti

[PATCH] option logasap does not depend on mode

2020-04-23 Thread Jerome Magnin
Hi, this patch is to disambiguate option logasap. regards, Jérôme >From b7feb6d24341c15320ec961ebf1f8fc39342c0da Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Thu, 23 Apr 2020 19:01:17 +0200 Subject: [PATCH] DOC: option logasap does not depend on mode The documentation for option loga

Re: How to suppress weak ciphers

2020-04-22 Thread Jerome Magnin
On Wed, Apr 22, 2020 at 06:20:14PM +, Branitsky, Norman wrote: > As you can see from my pasted configuration, I was specifying exactly 4 > ciphers. > The 2 weak CBC ciphers were magically appearing in the SSL Labs report. > I tried to explicitly delete them - but the delete request is

[PATCH] DOC: retry-on can only be used with mode http

2020-05-13 Thread Jerome Magnin
rom e030ea97758cc8b6af5f655637137230e9a1791f Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 13 May 2020 20:09:57 +0200 Subject: [PATCH] DOC: retry-on can only be used with mode http The documentation for retry-on hints at it being meant to be used in conjuction with mode http, but since we've a had bug report involving m

Re: [PATCH 1/3] BUG/MINOR: pollers: remove uneeded free in global init

2020-05-13 Thread Jerome Magnin
e breaks clang builds because it removes the fail_revt label but it is still declared as a local label, and clang errors on it. Please find a patch attached. Jérôme >From 7549f1648f4e32ded652eabc07cd1dd7f0e7f38f Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Wed, 13 May 2020 15:11:

Re: [PATCH 1/3] BUG/MINOR: pollers: remove uneeded free in global init

2020-05-13 Thread Jerome Magnin
Hi Willy, On Wed, May 13, 2020 at 03:52:54PM +0200, Willy Tarreau wrote: > Hi Jérôme, > [...] > Ah crap! I didn't notice this part which didn't appear in the context > of the patch. I didn't notice we still had a few such labels in very > old files. Do you mind if instead I edit your patch to

[PATCH] DOC: ssl-load-extra-files only applies to certificates on bind lines.

2020-09-07 Thread Jerome Magnin
rom: Jerome Magnin Date: Mon, 7 Sep 2020 11:55:57 +0200 Subject: [PATCH] DOC: ssl-load-extra-files only applies to certificates on bind lines. Be explicit about ssl-load-extra-files not applying to certificates referenced with the crt keyword on server lines. --- doc/configuration.txt | 3 ++- 1 f

Re: Is the "source" keyword supported on FreeBSD?

2020-08-12 Thread Jerome Magnin
Hi Frank, On Wed, Aug 12, 2020 at 11:50:05AM +0200, Frank Wall wrote: > Hi, > > this *feels* like a silly question and I may have missed something > pretty obvious, but... I've tried to use the "source" keyword and > it doesn't work. HAProxy does not use the specified IP address when >

Re: HTTP/2 in 2.1.x behaves different than in 2.0.x

2020-07-03 Thread Jerome Magnin
Hi Christian, On Fri, Jul 03, 2020 at 11:02:48AM +0200, Christian Ruppert wrote: > Hi List, > > we've just noticed and confirmed some strange change in behavior, depending > on whether the request is made with HTTP 1.x or 2.x. > [...] > That also affects ACLs like url*/path* and probably

missing backports in haproxy-1.8

2020-06-11 Thread Jerome Magnin
Hi list, haproxy-1.8 is missing two backports, and can't be built with recent gcc as a result. 72d9f3351 BUILD: chunk: properly declare pool_head_trash as extern 2231b6388 BUILD: cache: avoid a build warning with some compilers/linkers regards, Jérôme

Re: missing backports in haproxy-1.8

2020-06-11 Thread Jerome Magnin
On Thu, Jun 11, 2020 at 07:27:26PM +0200, William Lallemand wrote: > On Thu, Jun 11, 2020 at 12:41:51PM +0200, Jerome Magnin wrote: > > 72d9f3351 BUILD: chunk: properly declare pool_head_trash as extern > > 2231b6388 BUILD: cache: avoid a build warning with some compilers/linkers

Re: missing backports in haproxy-1.8

2020-06-12 Thread Jerome Magnin
On Fri, Jun 12, 2020 at 11:10:08AM +0200, William Lallemand wrote: > I pushed them in the 1.8 git. I couldn't reproduce the issue though, > which compiler do you use? > I ran into the issue with gcc 10.1.0. Thanks for the backports! Jérôme

Re: Ubuntu 20.04 + TLSv1

2020-06-12 Thread Jerome Magnin
On Fri, Jun 12, 2020 at 03:09:18PM +0200, bjun...@gmail.com wrote: > Hi, > > currently i'm testing Ubuntu 20.04 and HAProxy 2.0.14. > > I'm trying to get TLSv1 working (we need this for some legacy clients), so > far without success. > > I've read different things, on the one hand Ubuntu has

Re: Log levels when logging to stdout

2020-07-16 Thread Jerome Magnin
Hi Martin, On Thu, Jul 16, 2020 at 10:05:40AM +0300, Martin Grigorov wrote: > > I am using such logging configuration (HAProxy built from master branch): > > global > log stdout format raw local0 err > ... > defaults > log global > option dontlog-normal > option httplog > option

SRV records resolution failure if Authority section is present

2020-07-26 Thread Jerome Magnin
On Sun, Jul 26, 2020 at 01:21:45PM +0200, Jerome Magnin wrote: > as I was trying to reproduce the issue with DNS Service Discovery with > SRV records reported in issue #775 I encountered a different issue. > > I am using bind as a dns server, and its answers contain an Authority &g

Re: SRV records resolution failure if Authority section is present

2020-07-26 Thread Jerome Magnin
or your review. -- Jérôme >From 363ed1dd2f3ded7837bbb424eabb309803fc6292 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Discovery by means of SRV records was enhanced with commit 13a

haproxy@formilux.org

2020-07-26 Thread Jerome Magnin
ions to 2.2 can have their service break because of this. -- Jérôme >From 9637655e5ee0d4d51056cbdb948f4c2b1da272e4 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Di

[PATCH] BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status

2020-07-28 Thread Jerome Magnin
Hi, this is a patch for issue #775. -- Jérôme >From 68e8b71c50d0805faf5facba587f1c8c3f1760b7 Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 28 Jul 2020 13:38:22 +0200 Subject: [PATCH] BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status Since commit 13a923

Re: SRV records resolution failure if Authority section is present

2020-07-28 Thread Jerome Magnin
is email. >From db0198a29ab493796414033b8fb11661e91d0bee Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Sun, 26 Jul 2020 12:13:12 +0200 Subject: [PATCH] BUG/MAJOR: dns: don't treat Authority records as an error Support for DNS Service Discovery by means of SRV records was enhanced with commit

Re: [ANNOUNCE] haproxy-2.0.16

2020-07-18 Thread Jerome Magnin
Hi Dmitry On Sat, Jul 18, 2020 at 12:29:10PM +0300, Dmitry Sivachenko wrote: > > 1) new warnings: > > src/log.c:1692:10: warning: logical not is only applied to the left hand side > of this comparison [-Wlogical-not-parentheses] > while (HA_SPIN_TRYLOCK(LOGSRV_LOCK, >lock) !=

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-13 Thread Jerome Magnin
Hi William, On Wed, Jan 13, 2021 at 08:57:47AM +0100, William Dauchy wrote: > On Tue, Jan 12, 2021 at 08:36:57PM +0100, Jerome Magnin wrote: > > From ca260ac46cd441ed4108cdef7b304b6c0baec68c Mon Sep 17 00:00:00 2001 > > From: Jerome Magnin > > Date: Tue, 12 Jan 2021 20:19

Re: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-13 Thread Jerome Magnin
c68c Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 12 Jan 2021 20:19:38 +0100 Subject: [PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker The strict-limits global option was introduced with commit 0fec3ab7b ("MINOR: init: always fail when setrlimit fai

[PATCH] BUG/MINOR: init: enforce strict-limits when using master-worker

2021-01-12 Thread Jerome Magnin
Hi William, list, This is a patch for issue 1042. I removed all tests for master-worker mode for everything related to strict-limits. regards, -- Jérôme >From ca260ac46cd441ed4108cdef7b304b6c0baec68c Mon Sep 17 00:00:00 2001 From: Jerome Magnin Date: Tue, 12 Jan 2021 20:19:38 +0100 Subj