With haproxy 1.5, is there any way to add a dynamic header to the http
response (like the `http-request add-header` option for request headers)?
I'm adding an X-Request-Id header to requests before forwarding them on
to the back end, but would also like to be able to send this same header
back in
The current syslog implementation (via UDP) sends log entries with the
millisecond portion of the timestamp stripped off. Our log collector is
capable of handling timestamps with millisecond accuracy and I would
like to have it do so. Is there any way to accomplish this?
I know you can add an
I'm using the %rt field in the unique-id-format config parameter (the
full value is %{+X}o%pid-%rt), and am getting lots of duplicates. In
one specific case, haproxy added the same http_request_counter value to
70 different http requests within a span of 61 seconds (from various
client hosts too).
On 2013/08/11 15:45, Patrick Hemmer wrote:
I'm using the %rt field in the unique-id-format config parameter
(the full value is %{+X}o%pid-%rt), and am getting lots of
duplicates. In one specific case, haproxy added the same
http_request_counter value to 70 different http requests within
So I'm trying to come up with the best way of doing this, but am having
a heck of a time. Basically I have several different backend service
pools, and I have one externally facing haproxy router. I want to take a
map of public URLs and route them to specific backend URLs.
For example
We have this case with haproxy 1.5-dev19 where when a client is
uploading data via a HTTP PUT request, the client will fail to send all
its data and haproxy will time out the connection. The problem is that
haproxy is reporting this as an error 504 and connection flags of sH--,
meaning it timed out
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2013-09-18 01:46:50 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: Client timeout on http put shows as a server timeout with
error 504
Hi Patrick,
On Tue, Sep 17, 2013 at 06:29:13PM -0400
*From: *Jinn Ko hapr...@mx.ixido.net
*Sent: * 2013-09-24 10:22:49 E
*To: *haproxy@formilux.org
*Subject: *Re: AW: GA Release of 1.5
Hi,
It's good to get a better idea of what's needed to see a GA release of
1.5. We've been keenly awaiting the GA release, and I certainly
understand the need
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2013-09-18 10:26:36 E
*To: *haproxy@formilux.org
*Subject: *Re: Client timeout on http put shows as a server timeout with
error
504
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2013-09-18 01:46:50 E
*To: *Patrick Hemmer hapr...@stormcloud9
I'm currently using haproxy (1.5-dev19) as a content based router. It
takes an incoming request, looks at the url, rewrites it, and sends it
on to the appropriate back end.
The difficult part is that we need to all parsing and rewriting after
the first match. This is because we might have a url
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2013-10-22 19:13:08 E
*To: *haproxy@formilux.org
*Subject: *handling hundreds of reqrep statements
I'm currently using haproxy (1.5-dev19) as a content based router
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2013-10-22 23:32:31 E
*CC: *haproxy@formilux.org
*Subject: *Re: handling hundreds of reqrep statements
*From: *hushmeh...@hushmail.com
*Sent: * 2013-10-23 01:06:24 E
*To: *hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: handling hundreds of reqrep statements
On Wed, 23 Oct 2013 05:33:38 +0200 Patrick
Simple question: Is there any way to disable a backend through the socket?
I see you can disable both frontends, and servers through the socket,
but I don't see a way to do a backend.
-Patrick
*To: *haproxy@formilux.org
*Subject: *Re: disable backend through socket
On 22 Dec 2013 20:32, Patrick Hemmer hapr...@stormcloud9.net wrote:
That disables a server. I want to disable a backend.
No, you want to disable all the servers in a backend. I'm not sure
there's
On Sun, Dec 22, 2013 at 05:05:16PM -0500, Patrick Hemmer wrote:
No. As I said, I want to disable the backend.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-disabled
That doesn't really work for backends since they don't decide to get
traffic. At least if a config accepts
*From: *Gabriel Sosa sosagabr...@gmail.com
*Sent: * 2013-12-26 09:41:21 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: disable backend through socket
On Mon, Dec 23, 2013 at 12:21 PM, Patrick Hemmer
hapr...@stormcloud9.net mailto:hapr...@stormcloud9
*From: *Malcolm Turnbull malc...@loadbalancer.org
*Sent: * 2014-01-14 07:13:27 E
*To: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Just a simple thought on health checks after a soft reload of
HAProxy
Just a simple thought on health checks after a soft reload of HAProxy
If for
What I'd like to do is add a few items to the log line which contain the
size of the headers, and then the value of the Content-Length header.
This way if the connection is broken for any reason, we can determine if
the client sent all the data they were supposed to.
Logging the Content-Length
*Sent: * 2013-08-13 11:53:16 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: haproxy duplicate http_request_counter values
Hi Patrick,
On Sun, Aug 11, 2013 at 03:45:36PM -0400, Patrick Hemmer wrote:
I'm using the %rt field
.
-Patrick
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2014-01-25 03:40:38 E
*To: *Willy Tarreau w...@1wt.eu
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: haproxy duplicate http_request_counter
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-01-25 04:43:28 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: haproxy duplicate http_request_counter values
Hi Patrick,
On Sat, Jan 25, 2014 at 03:40:38AM -0500, Patrick Hemmer wrote
Confirmed. Testing various scenarios, and they all work.
Thanks for the quick patch :-)
-Patrick
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-01-25 05:09:09 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy
You can use the proxy protocol for this. Haproxy doesn't allow
manipulation of the TCP stream itself as it could be any number of
protocols which haproxy doesn't support. However the proxy protocol
sends a line at the very beginning of the stream containing the client
source IP, port, destination,
I really like this feature, and it was something actually on my todo
list of things to look into adding to haproxy.
However there is one thing I would consider supporting. Instead of
requiring the index of the capture keyword in the config, which is very
cumbersome and awkward in my opinion,
*From: *Sok Ann Yap sok...@gmail.com
*Sent: * 2014-02-21 05:11:48 E
*To: *haproxy@formilux.org
*Subject: *Re: Just a simple thought on health checks after a soft
reload of HAProxy
Patrick Hemmer haproxy@... writes
*To: *Malcolm Turnbull malc...@loadbalancer.org
*CC: *Neil n...@iamafreeman.com, Patrick Hemmer
hapr...@stormcloud9.net, HAProxy haproxy@formilux.org
*Subject: *Re: Just a simple thought on health checks after a soft
reload of HAProxy
Hi Malcolm,
Hence the retry and redispatch options :)
I know
I have seen feature requests in the past that when haproxy reloads, to
pull the health status of the servers so that haproxy knows their state
without having to health check them. Willy has said he liked the idea
(http://marc.info/?l=haproxy&m=139064677914723). If this gets
implemented, it would
The haproxy log contains the original request, not the rewritten one. If
you want to see the rewritten URL you need to look at the backend server
which is receiving the request.
-Patrick
*From: *Steve Phillips
2 related questions:
I'm trying to find a way to concat multiple samples to use in a stick table.
Basically in my frontend I pattern match on the request path to
determine which backend to send a request to. The client requests also
have a client ID header. I want to rate limit based on a
bed...@gmail.com
*Sent: * 2014-03-12 06:26:32 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: tcp-request content track
It would be easier to help you if you share your configuration!
Baptiste
On Wed, Mar 12, 2014 at 1:36 AM, Patrick
I was wondering if there were ever any thoughts about adding
module/plugin support to haproxy.
The plugin would be used for adding features to haproxy that are beyond
the scope of haproxy's core focus (fast simple load balancing).
Reading the recent radius authentication thread surprised me. I
I'm assuming it'll be generic authentication. What information will be
made available to the auth daemon? Just the Authorization header?
I would love a feature that allowed any/multiple header to be passed
through. We use haproxy on an API service, which all incoming requests
must pass in a key
1.4 does not support SSL. SSL was added in 1.5-dev12
-Patrick
*From: *Juan Jimenez jjime...@electric-cloud.com
*Sent: * 2014-03-30 02:44:42 E
*To: *haproxy@formilux.org haproxy@formilux.org
*Subject: *No ssl or crt in bind
We have an issue with haproxy (1.5-dev22-1a34d57) where it is
intermittently not connecting to the backend server. However the
behavior it is exhibiting seems strange.
The reason I say strange is that in one example, it logged that the
client disconnected after ~49 seconds with a connection flags
-Patrick
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2014-04-01 15:20:15 E
*To: *haproxy@formilux.org
*Subject: *haproxy intermittently not connecting to backend
We have an issue with haproxy (1.5-dev22-1a34d57
You want the errorfile config param.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#errorfile
-Patrick
*From: *Piavlo lolitus...@gmail.com
*Sent: * 2014-04-02 15:16:22 E
*To: *haproxy@formilux.org
*Subject:
That makes perfect sense. Thank you very much.
-Patrick
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-04-02 15:38:04 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: haproxy
Would it be possible to get an option to suppress the warning when a
reqrep rule is placed after a use_backend rule?
[WARNING] 097/205824 (4777) : parsing
[/var/run/hapi/haproxy/haproxy.cfg:1443] : a 'reqrep' rule placed after
a 'use_backend' rule will still be processed before.
I prefer keeping
I've brought up this bug before
(http://marc.info/?l=haproxy&m=139312718801838), but it seems to not
have gotten any attention, so I'm raising it again.
There is an issue with haproxy mis-reporting layer 4 checks. There are
2, likely related, issues.
1) When haproxy first starts up, it will report
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-04-11 08:29:15 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: haproxy mis-reporting layer 4 checks
Hi Patrick,
On Thu, Apr 10
the configured timeout should it be a 5XX.
Nginx uses 499 for client closed connection. Perhaps haproxy could use
that status code as well when `option abortonclose` is used.
-Patrick
*From: *Patrick Hemmer hapr
*From: *Cyril Bonté cyril.bo...@free.fr
*Sent: * 2014-04-13 11:15:26 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: suppress reqrep / use_backend warning
Hi Patrick,
Le 08/04
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-04-14 11:27:59 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org
*Subject: *Re: haproxy intermittently not connecting to backend
Hi Patrick,
On Sat, Apr 12, 2014 at 01:38:54AM -0400, Patrick Hemmer wrote:
This just keeps
With 1.5-dev22, we have a scenario where haproxy is saying the client
closed the connection, but really the server is the one that closed it.
Here is the log entry from haproxy:
haproxy[12540]: 10.230.0.195:33580 storage_upd storage_upd/storage_upd_2
0/0/0/522/555 0/0/0/0/0 0/0 412/271 200 CD--
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2014-04-16 17:38:54 E
*To: *haproxy@formilux.org haproxy@formilux.org
*Subject: *haproxy incorrectly reporting connection flags
With 1.5-dev22, we have a scenario where haproxy is saying the client
closed the connection, but really
*From: *Cyril Bonté cyril.bo...@free.fr
*Sent: * 2014-04-23 02:37:07 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: haproxy incorrectly reporting connection
*From: *Lukas Tribus luky...@hotmail.com
*Sent: * 2014-04-23 12:16:01 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org
*Subject: *RE: haproxy incorrectly reporting connection flags
Sorry about that. I see it on the mailing list archive
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-02 02:02:11 E
*To: *Rachel Chavez rachel.chave...@gmail.com
*CC: *haproxy@formilux.org
*Subject: *Re: please check
On Thu, May 01, 2014 at 03:44:46PM -0400, Rachel Chavez wrote:
The problem is:
when client sends a request with incomplete body
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-02 11:15:07 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *Rachel Chavez rachel.chave...@gmail.com, haproxy@formilux.org
*Subject: *Re: please check
Hi Patrick,
On Fri, May 02, 2014 at 10:57:38AM -0400, Patrick Hemmer wrote:
*From
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-02 12:56:16 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *Rachel Chavez rachel.chave...@gmail.com, haproxy@formilux.org
*Subject: *Re: please check
On Fri, May 02, 2014 at 12:18:43PM -0400, Patrick Hemmer wrote:
At any moment the server
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-02 14:00:24 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *Rachel Chavez rachel.chave...@gmail.com, haproxy@formilux.org
*Subject: *Re: please check
On Fri, May 02, 2014 at 01:32:30PM -0400, Patrick Hemmer wrote:
I've set up a test
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-02 15:06:13 E
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *Rachel Chavez rachel.chave...@gmail.com, haproxy@formilux.org
*Subject: *Re: please check
On Fri, May
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-06 17:41:18 E
*To: *Patrick Hemmer hapr...@stormcloud9.net, Rachel Chavez
rachel.chave...@gmail.com
*CC: *haproxy@formilux.org
*Subject: *Re: please check
Hi Patrick, hi Rachel,
I might have fixed half of the issue, I'd like you to test
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-07 09:45:47 E
*To: *Patrick Hemmer hapr...@stormcloud9.net, Rachel Chavez
rachel.chave...@gmail.com
*CC: *haproxy@formilux.org
*Subject: *Re: please check
Hi Patrick, hi
*From: *Bryan Talbot bryan.tal...@playnext.com
*Sent: * 2014-05-13 11:52:32 E
*To: *HAProxy haproxy@formilux.org
*Subject: *unique-id-header with capture request header
We have more than 1 proxy tier. The edge proxy generates a unique ID
and the other tiers (and apps in between) log the value
While going through the Qualys SSL test
(https://www.ssllabs.com/ssltest), one of the items it mentions is a DoS
vulnerability in regards to client-side initiated SSL renegotiation
(https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
While
*From: *Lukas Tribus luky...@hotmail.com
*Sent: * 2014-05-16 13:23:43 E
*To: *Patrick Hemmer hapr...@stormcloud9.net, haproxy@formilux.org
haproxy@formilux.org
*Subject: *RE: Disable TLS renegotiation
Hi Patrick,
While going through the Qualys SSL test
(https://www.ssllabs.com/ssltest
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-05-26 12:07:09 EDT
*To: *Arnall arnall2...@gmail.com
*CC: *haproxy@formilux.org
*Subject: *Re: Error 408 with Chrome
On Mon, May 26, 2014 at 05:52:15PM +0200, Arnall wrote:
Haproxy 1.6 is very close to release.
See http://marc.info/?l=haproxy&m=140129354705695 and
http://marc.info/?l=haproxy&m=140085816115800
-Patrick
*From: *Stephen Balukoff sbaluk...@bluebox.net
*Sent: * 2014-06-18 08:40:55
Err, pardon the typo, 1.5 :-)
-Patrick
*From: *Patrick Hemmer hapr...@stormcloud9.net
*Sent: * 2014-06-18 08:49:27 EDT
*To: *Stephen Balukoff sbaluk...@bluebox.net, haproxy@formilux.org
*Subject: *Re: HAProxy 1.5 release
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-06-23 10:23:44 EDT
*To: *haproxy@formilux.org
*CC: *Patrick Hemmer hapr...@stormcloud9.net, Rachel Chavez
rachel.chave...@gmail.com
*Subject: *3rd regression : enough is enough
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-06-24 01:33:41 EDT
*To: *Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org, Rachel Chavez rachel.chave...@gmail.com
*Subject: *Re: 3rd regression : enough is enough!
Hi Patrick,
On Mon, Jun 23, 2014 at 09:30:11PM -0400, Patrick
*From: *Lukas Tribus luky...@hotmail.com
*Sent: * 2014-06-24 06:44:44 EDT
*To: *Willy Tarreau w...@1wt.eu, Patrick Hemmer hapr...@stormcloud9.net
*CC: *haproxy@formilux.org haproxy@formilux.org, Rachel Chavez
rachel.chave
*From:* Nick Jennings n...@silverbucket.net
*Sent:* 2014-08-26 19:55:34 EDT
*To:* haproxy haproxy@formilux.org
*Subject:* Getting size of response
Hi all, is there a way to get the size of a response as it's being
sent out through haproxy during logging? The node.js app (restify) is
sending
*From: *Willy Tarreau w...@1wt.eu
*Sent: * 2014-09-05 11:19:22 EDT
*To: *Ghislain gad...@aqueos.com
*CC: *Mark Janssen maniac...@gmail.com, david rene comba lareu
shadow.of.sou...@gmail.com, Colin Ingarfield co...@ingarfield.com,
haproxy@formilux.org haproxy@formilux.org
*Subject: *Re: Spam to
*From: *Cyril Bonté cyril.bo...@free.fr
*Sent: * 2014-09-05 15:50:21 EDT
*To: *Patrick Hemmer hapr...@stormcloud9.net, Willy Tarreau
w...@1wt.eu, Ghislain gad...@aqueos.com
*CC: *Mark Janssen maniac...@gmail.com, david rene comba lareu
shadow.of.sou...@gmail.com, Colin Ingarfield co
It looks like the mailing list archives stopped working mid-December.
https://marc.info/?l=haproxy
-Patrick
On 2017/1/27 14:38, Cyril Bonté wrote:
> Le 27/01/2017 à 20:11, Ciprian Dorin Craciun a écrit :
>> On Fri, Jan 27, 2017 at 9:01 PM, Cyril Bonté
>> wrote:
>>> Instead of using "unique-id-header" and temporary headers, you can
>>> use the
>>> "unique-id" fetch sample [1] :
On 2017/1/27 15:31, Ciprian Dorin Craciun wrote:
> On Fri, Jan 27, 2017 at 10:24 PM, Patrick Hemmer
> <hapr...@stormcloud9.net> wrote:
>> Something that might satisfy both requests, why not just append to the
>> existing request-id?
>>
>> unique-id-fo
So on one of my local development machines haproxy started pegging the
CPU at 100%
`strace -T` on the process just shows:
...
epoll_wait(0, {}, 200, 0) = 0 <0.03>
epoll_wait(0, {}, 200, 0) = 0 <0.03>
epoll_wait(0, {}, 200, 0) = 0 <0.03>
The documentation doesn't mention the sample fetcher `51d.all`, nor the
converter `51d.single`. The only place they're mentioned is the repo README.
Also the documentation for `51degrees-property-name-list` indicates it
takes an optional single string argument (`[]`), rather than
multiple string
While working with the `http-request set-var` (and a few other places,
but primarily here), it would be very useful to be able to use haproxy
format strings to define the variable.
For example
http-request set-var(txn.foo) fmt(%ci:%cp:%Ts)
Or even
http-request set-var(txn.foo)
Can we get the ability to configure the peer namespace?
Right now haproxy uses the default namespace, but in our system we have
an "internal" interface which is able to talk to the other haproxy
nodes, and this interface is in another network namespace.
Additionally, the error output for failure
I'm trying to limit concurrent connections but having trouble getting it
working with sc0_conn_cur.
The relevant portion of my config looks like:
frontend www
log-format %ac\ %tsc\ %[sc0_conn_cur]
stick-table type ip size 1 expire 10s peers cluster store conn_cur
On 2016/12/7 19:15, Cyril Bonté wrote:
> Hi,
>
> On 07/12/2016 21:40, Patrick Hemmer wrote:
>> How do you use a comma inside an argument to a sample fetcher or
>> converter?
>> For example, the sample fetch str, if I try to do `str(foo,bar)` I get
>> the error
On 2016/12/13 11:14, Ricardo Fraile wrote:
> Hello Jarno,
>
>
> Yes, you are right, this is not an elegant solution, and reloading
> doesn't work. This is the systemd report:
>
>
> # systemctl status haproxy.service -l
> ● haproxy.service - HAProxy Load Balancer
>Loaded: loaded
How do you use a comma inside an argument to a sample fetcher or converter?
For example, the sample fetch str, if I try to do `str(foo,bar)` I get
the error
fetch method 'str' : end of arguments expected at position 2, but
got ',bar'
All variations such as `str('foo,bar')`, `str(foo\,bar)`,
On 2017/1/12 06:42, Ricardo Fraile wrote:
> Hello,
>
>
> As 1.7 release allow to load multiple files from a directory:
>
>
> https://cbonte.github.io/haproxy-dconv/1.7/management.html
>
> -f : adds to the list of configuration files
> to be loaded. If is a directory, all the
After using the addon, I've run across a few issues trying to get it
running.
The first are mostly documentation issues:
1. The example for `da-csv-conv` has `da-csv()` instead of `da-csv-conv()`.
2. The documentation lists the parameter `deviceatlas-separator`. The
param is really
I was mostly just wondering about differences between using things like
`capture request header`/`http-request capture` and `http-request set-var`.
set-var seems to have all the capabilities of captures, and are much
easier to work with. You don't have to pre-declare them, you don't have
to set
On 2017/1/5 02:15, Igor Cicimov wrote:
> Hi all,
>
> On one of my haproxy's I get the following message on reload:
>
>
>
On 2016/12/24 10:42, Alex.Chen wrote:
> for my scenario, i need to using "balance source" to keep the
> persistence of haproxy's balancing, I find that when one of my backend
> server (s1) has been killed, and if the next round health check is
> still not launched, then s1 is still be marked as
On 2016/12/23 09:28, Arnall wrote:
> Hi everyone,
>
> i'm using a nbproc > 1 configuration for ssl offloading :
>
> listen web_tls
> mode http
> bind *:443 ssl crt whatever.pem process 2
> bind *:443 ssl crt whatever.pem process 3
>
> ../..
> server web_plain u...@plain.sock
On 2016/12/5 03:35, thierry.fourn...@arpalert.org wrote:
> On Sun, 4 Dec 2016 09:17:00 -0500
> Patrick Hemmer <hapr...@stormcloud9.net> wrote:
>
>> I was mostly just wondering about differences between using things like
>> `capture request header`/`http-request capture
On 2017/7/22 11:11, Claus Strommer wrote:
> Hi all, I'm seeing some odd behaviour with our haproxy balancer and am
> looking for some insights.
>
> The setup:
>
> I have a webserver that is behind two haproxy balancers (version
> 1.5.18 on EL7), which are behind CloudFlare. In effect the request
So as the subject indicates, I'm looking to limit concurrent connections
to a backend by the source IP. The behavior I'm trying for is that if
the client has more than 6 connections, we sit on the request for a
second, and then send back a 302 redirect to the same resource that was
just requested.
a value from a stick table was
to track the connection.
The documentation is also a little confusing as it seems to imply it'll
use the string form of the IP address, when I expect the table stores
the binary form of the IP address. But it seems to work from my testing.
> Best,
> -Mark
On 2017/6/30 01:00, Willy Tarreau wrote:
> Hi Patrick, sorry for the delay :-/
>
> On Mon, Jun 19, 2017 at 01:54:36PM -0400, Patrick Hemmer wrote:
>> Well my argument for keeping the name starting with `ssl_fc_session_` is
>> that there is also `ssl_fc_session_id`.
On 2017/6/12 15:14, Lukas Tribus wrote:
> Hello,
>
>
> Am 12.06.2017 um 19:35 schrieb Patrick Hemmer:
>> Would we be able to get a new sample which provides the SSL session
>> master-key?
>> This is so that when performing packet captures with ephemeral ci
Would we be able to get a new sample which provides the SSL session
master-key?
This is so that when performing packet captures with ephemeral ciphers
(DHE), we can decrypt the traffic in the capture.
-Patrick
On 2017/6/19 13:54, Patrick Hemmer wrote:
>
>
> On 2017/6/17 00:00, Willy Tarreau wrote:
>> Hi Patrick,
>>
>> On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote:
>>> The main reason I had for supporting the older code is that it seems
>>> m
On 2017/6/17 00:00, Willy Tarreau wrote:
> Hi Patrick,
>
> On Fri, Jun 16, 2017 at 09:36:30PM -0400, Patrick Hemmer wrote:
>> The main reason I had for supporting the older code is that it seems
>> many (most?) linux distros, such as the one we use (CentOS/7), still
>>
We've been running across a fair amount of haproxy processes lately that
won't shut down. We're currently using 1.7.5, but have also experienced
the issue with earlier versions, 1.7.2 for sure, but likely back even
further.
The processes are getting signaled to shut down by the
> On 05/24/2017 10:40 AM, Willy Tarreau wrote:
>> Hi Patrick,
>>
>> On Tue, May 23, 2017 at 01:49:42PM -0400, Patrick Hemmer wrote:
>> (...)
>>> haproxy 28856 root1u IPv4 420797940 0t0
>>> TCP 10.0.33.145:35754->1
On 2017/1/17 17:02, Willy Tarreau wrote:
> Hi Patrick,
>
> On Tue, Jan 17, 2017 at 02:33:44AM +, Patrick Hemmer wrote:
>> So on one of my local development machines haproxy started pegging the
>> CPU at 100%
>> `strace -T` on the process just shows:
>>
So we had an incident today where haproxy segfaulted and our site went
down. Unfortunately we did not capture a core, and the segfault message
logged to dmesg just showed it inside libc. So there's likely not much
we can do here. We'll be making changes to ensure we capture a core in
the future.
On 2017/5/29 16:04, Frederic Lecaille wrote:
> On 05/29/2017 06:12 PM, Patrick Hemmer wrote:
>>
>> On 2017/5/29 08:22, Frederic Lecaille wrote:
>>>
>>> Hi Patrick,
>>>
>>> First thank you for this nice and helpful report.
>>>
>>
On 2017/6/16 09:34, Willy Tarreau wrote:
> Hi Patrick,
>
> On Mon, Jun 12, 2017 at 07:31:36PM -0400, Patrick Hemmer wrote:
>> I patched my haproxy to add a ssl_fc_session_key fetch, and with the
>> value I was able to decrypt my te
I'm looking to get some clarification around the documentation for the
duration of sticky counter tracking. There are 2 specific points I'm a
little confused on.
1. Under the documentation for `tcp-request content`, it says:
> In case of HTTP keep-alive with the client, all tcp-request content