Hi,
I was wondering if it is possible to start rate-limiting or deny a
connection based on response codes from the backend.
For instance, I would like to start rejecting or rate limit a HTTP
connection when a client triggers more than 20 HTTP 500's within a
certain time frame.
It this
On 12.12.2011 10:28, Guillaume Castagnino wrote:
Le lundi 12 décembre 2011 10:18:33, Vincent Bernat a écrit :
Hi!
When haproxy is bound to an IP address managed by VRRP, this IP
address
may be absent when haproxy starts. What is the best way to handle
this?
1. Start haproxy only when the
On 12.12.2011 13:10, Vincent Bernat wrote:
On Mon, 12 Dec 2011 13:04:22 +0100, Sander Klein wrote:
I started doing this because there is no nonlocal_bind option for
IPv6 (or I didn't search well enough (-: )
From the source code, it seems that IPv4 non local bind sysctl also
applies to IPv6
On 12.12.2011 14:32, Vincent Bernat wrote:
On Mon, 12 Dec 2011 13:23:11 +0100, Sander Klein wrote:
I started doing this because there is no nonlocal_bind option
for
IPv6 (or I didn't search well enough (-: )
From the source code, it seems that IPv4 non local bind sysctl
also
applies
Hi,
I'm observing some strange behavior with slowstart and the track
option.
When taking out web1 for maintenance and putting it back online the
weight of cluster1/web1 returns to 100 in 5 minutes but cluster2/web1
keeps stuk at 7.
Is this expected behavior?
I have the following config:
On 18.01.2012 11:08, Sander Klein wrote:
Hi,
I'm observing some strange behavior with slowstart and the track
option.
When taking out web1 for maintenance and putting it back online the
weight of cluster1/web1 returns to 100 in 5 minutes but cluster2/web1
keeps stuk at 7.
Is this expected
Hi,
On 26.01.2012 18:45, Sebastian Fohler wrote:
I'm trying to setup a loadbalancing configuration with four backend
server on nginx basis.
The first problem I had was, while checking the haproxy stats, that
they show every backendserver is at least the same time DOWN as it is
UP, how can this
On 27.01.2012 16:01, Sebastian Fohler wrote:
Sorry just found out that I definitly do an active check.
But for some reason every second refresh of my stats shows the
servers down.
Any idea why that could be?
The servers are definitly up all that time.
Hmz, I don't know. It think it's helpful
Hi,
while benchmarking my new web-server cluster I quickly hit the limit of
32.768 sockets in TIME_WAIT state.
I've been looking around on the internet but I'm a bit confused if this
limit can be tuned somehow or if it's an hard limit. I read about the
tcp_fin_timeout and
Oh dear...
I did some more testing and it's not a problem with TIME_WAIT. It was a
firewall in between.
During my last test I easily had 60.000 connections in TIME_WAIT state.
Greets,
Sander
On 27.01.2012 21:52, Sander Klein wrote:
Hi,
while benchmarking my new web-server cluster I
Hi Willy,
Thank you for your answer.
During my search on the internet I found a lot of articles about
TIME_WAIT stuff and a limit of 32.768. Since I had around that many
sockets in TIME_WAIT I assumed this would be my problem.
I did enable tcp_tw_reuse, but I'm not sure if it will work
Hi All,
I'm having a small problem with non RFC2616 requests. I would like to
log them, but haproxy only logs:
cluster1-in cluster1-in/NOSRV -1/-1/-1/-1/0 400 1951 - - PR--
235/235/0/0/0 0/0 {|||} {} BADREQ
Is there a way to log them with the full host header and URL?
I know I can show
Hi Willy,
On 13.02.2012 08:07, Willy Tarreau wrote:
You won't have it in the log because the request failed to completely
parse. Maybe we could improve a bit the error path to be able to
report
the request URI when only headers fail, that would help.
In my case that won't help. I need to
Hi,
today I've experienced 3 crashes on 2 servers with haproxy. I've never
had any before so I thought I would just put a note up here.
20120310 crashed with:
Server 1
haproxy[3065] general protection ip:452ddf sp:7fff02906808 error:0 in
haproxy[40+6e000]
Server 2
haproxy[30329]:
Hey Willy,
On 15.03.2012 07:53, Willy Tarreau wrote:
Hi,
On Tue, Mar 13, 2012 at 07:05:36PM +0100, Baptiste wrote:
Hey,
I guess Willy would be keen to get the core dump and the haproxy
binary with its configuration.
You should try to reach him directly.
Yes Sander, please can you send me a
On 15.03.2012 10:10, Willy Tarreau wrote:
Do you care which snapshot I run?
Ideally the first one which exhibited the issue. BTW, do you know
which
most recent one you used without the issue ? Eg: do you know if
20120306
has the same issue ?
I'm currently running 20120207 which doesn't
Hey Esteban,
Your config looks good to me.
Sometimes it can happen that during failover not all servers receive
the gratuitous arp and they keep sending traffic to the backup router.
I normally force another failover to force another gratuitous arp get
it working again. It shouldn't happen
Hi,
On 29.03.2012 16:44, Delta Yeh wrote:
Hi,
It seems haproxy failed to do server check with IPv6.
The top is like:
browser---haproxy-www server
I did the following tests:
1. IPv4 http server with server check, it works
2. IPv6 http server with server check, I get http 503.
Hmmm, I thought I typed more text...
On 22.05.2012 11:06, Sander Klein wrote:
Hi,
When I reload haproxy I get this message:
May 22 11:02:45 lb01-a haproxy: *** glibc detected ***
/usr/sbin/haproxy: double free or corruption (out):
0x01ef41a0
***
I'm running haproxy 1.5-dev10 2012
?
Greets,
Sander Klein
Hey Willy,
On 01.06.2012 01:03, Willy Tarreau wrote:
Sander,
first, thank you very much for your configuration, I could reproduce
the
issue here. It's not 100% reproducible due to address randomization,
but
common enough to get the issue.
The issue comes from the use of user-lists which
Hi List,
We are using HAProxy 1.5-dev11 and have a small issue with it.
Some of our coders use php firebug when they are debugging code. php
firebug puts a lot of stuff in the response headers (X-WF-* headers)
But, it looks like HAProxy blocks responses when the headers are larger
than 8KB.
Hi,
On 25.07.2012 08:22, Stojan Rancic (Iprom) wrote:
Hello,
we're experiencing issues with HAproxy 1.5-dev11 rejecting GET
requests with UTF8-encoded characters. The encoding happens with
Javascript's Encode function for east european characters (š, č, ž,
etc) .
We are experiencing the same
On 26.07.2012 09:44, Stojan Rancic (Iprom) wrote:
On 25.7.2012 11:21, Sander Klein wrote:
We are experiencing the same issue, but it only happens with
Internet
Explorer. So I figured it must be a bug on the internet explorer
side
and not on the HAProxy side since internet explorer doesn't
no no no... isn't that cute, but it's wrong!
It says:
Subscribe to the list : haproxy+subscr...@formilux.org
Unsubscribe from the list : haproxy+unsubscr...@formilux.org
so mailing to haproxy+unsubscr...@formilux.org should do the trick...
On 21.09.2012 19:10, Svancara, Randall wrote:
in HAProxy or is it my config? Downgrading to
dev11-ss-20120604 fixes the issue.
Greets,
Sander Klein
My config:
###
# Global Settings
###
global
log 127.0.0.1 local0
# log 127.0.0.1 local0 notice
# log 127.0.0.1 local0 err
# log
Hi Willy,
On 12.12.2012 22:53, Willy Tarreau wrote:
Hi Sander,
Could you try to disable the splice options just to see ? And if that
does
not change anything, please also try to disable option
abortonclose. That
will help us narrow the issue down. Anyway, I don't see anything
wrong with
Hi Willy,
On 15.12.2012 09:14, Willy Tarreau wrote:
The bug is somehow very hard to trigger. But, I did manage to
trigger
the bug with dev15 a couple of times and I have not been able to
trigger
it with dev15-and-your-patch. So I think your patch fixes the issue.
Thank you very much for
Hi All,
I know this question has been asked more times, but currently I'm
experiencing some problems with some people harvesting data from our
websites at high rates. I would like to block them based on the URL or
simply on src IP.
Currently I've implemented the 'Limiting the HTTP request
Hi!,
On 02.04.2013 16:16, Sander Klein wrote:
When using this config with ss-20130402 I do not get any traffic to
cluster1-2. I didn't have enough time to do a proper debug since I was
doing it in production ;-) I might have a better look at it this
evening. It works fine with ss-20130125
Replying to myself again...
On 02.04.2013 16:59, Sander Klein wrote:
Hi!,
On 02.04.2013 16:16, Sander Klein wrote:
When using this config with ss-20130402 I do not get any traffic to
cluster1-2. I didn't have enough time to do a proper debug since I
was
doing it in production ;-) I might
Hi Thomas,
On 02.04.2013 21:02, Thomas Heil wrote:
Of course, it matters. As you explained the problem should be arround
patch 86 up to 101. How does you haproxy -vv
look like? Do you use compression or SSL? Could you eliminate Patch
91,92 and 98?
haproxy -vv looks like:
sander@lb01-a:~$
Hi,
I try to do the following in my haproxy (dev18) config:
http-request set-header X-Forwarded-Proto https if ssl_fc
http-request set-header X-Forwarded-Ssl on if ssl_fc
http-request set-header X-Forwarded-Proto http if ! ssl_fc
http-request set-header X-Forwarded-Ssl off if ! ssl_fc
But,
11:38, Baptiste wrote:
Hi,
You want to use anonymous ACLs which requires brackets '{' and '}',
like:
http-request set-header X-Forwarded-Proto https if { ssl_fc }
Baptiste
On Wed, Apr 3, 2013 at 11:15 AM, Sander Klein roe...@roedie.nl
wrote:
Hi,
I try to do the following in my haproxy
-SSL %[ssl_fc] https
%[ssl_fc] will be 0 in case of HTTP and 1 in case of SSL.
You can't setup an ACL after the set-header directive.
Baptiste
On Wed, Apr 3, 2013 at 12:09 PM, Sander Klein roe...@roedie.nl
wrote:
Hmmm, nope, it still doesn't work
I did:
http-request set-header X-Forwarded
On 03.04.2013 14:20, Willy Tarreau wrote:
On Wed, Apr 03, 2013 at 12:09:37PM +0200, Sander Klein wrote:
Hmmm, nope, it still doesn't work
I did:
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
http-request set-header X
On 03.04.2013 14:20, Willy Tarreau wrote:
On Wed, Apr 03, 2013 at 12:09:37PM +0200, Sander Klein wrote:
Hmmm, nope, it still doesn't work
I did:
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
http-request set-header X
Hi Lukas,
On 05.04.2013 12:00, Lukas Tribus wrote:
Whats is the percentage of requests failing this way?
I'm not sure. But I think it's less than 1%. We do a couple of 100's
request per second and about every second I see one failed request.
Do you know if this is an issue introduced by a
Heh, I didn't have time to test the previous one, but I'll test this one this
evening.
Greets,
Sander
On 6 apr. 2013, at 11:50, Willy Tarreau w...@1wt.eu wrote:
Hi Sander,
the patch I proposed was not enough, it only fixed a few of the
occurrences. The issue was introduced in dev12 with
On 06.04.2013 11:50, Willy Tarreau wrote:
Hi Sander,
the patch I proposed was not enough, it only fixed a few of the
occurrences. The issue was introduced in dev12 with the connection
rework.
Please use the attached patch, which I have tested to fix the issue
here
and merged.
The issue
Hi,
I want to move some websites behind cloudfare. They already add an
X-Forwarded-For header so I do not want to add it if the request comes
from cloudfare, but I do want to add it if the request is not from
cloudfare.
Since both requests will pass through the same frontend I need some
Replying to myself ;-)
On 08.05.2013 10:52, Sander Klein wrote:
Hi,
I want to move some websites behind cloudfare. They already add an
X-Forwarded-For header so I do not want to add it if the request comes
from cloudfare, but I do want to add it if the request is not from
cloudfare.
Since
Hey,
You have the optional argument if-none for option forwardfor,
but you should not do this with external proxies whose addresses
you don't know because anyone could pass one and fool you.
This doesnt feel like a good option ;-)
In practice you would need them to pass you some information
Thanks everyone for answering. I'll play around a bit with my config and the
suggestions.
Greets,
Sander
On 8 mei 2013, at 15:04, Willy Tarreau w...@1wt.eu wrote:
On Wed, May 08, 2013 at 08:29:15AM -0400, John Marrett wrote:
The definitive list of cloudflare IPs doesn't appear to be too
Hi,
I think I've found a possible bug with the combination SSL, compression
and NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth is
crap (well it is...).
When enabling compression the authorization fails sometimes. When I
disable compression everything is fine. I don't know
almost sure compression is not compatible with tunnel
mode.
Baptiste
On Thu, May 23, 2013 at 10:44 AM, Sander Klein roe...@roedie.nl
wrote:
Hi,
I think I've found a possible bug with the combination SSL,
compression and
NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth
Hi,
On 01.06.2013 03:09, Brendon Colby wrote:
On Wed, May 29, 2013 at 6:46 AM, joris dedieu joris.ded...@gmail.com
wrote:
Hi Syd,
I'm guessing an an NFS share from the 2 webservers to the 1
fileserver. However, from a bit of research with load balanced
magento setups there seems to be a
On 02.07.2013 10:39, Hudec Peter wrote:
Thanks Lukas,
I will try 1.5 version.
But for Debian this version is in experimental now ;( I will look if
some
already done for Wheezy.
I have 1.5 packages for amd64 on my site. They are based on the
packaging done by Vincent Bernat. They Work For
Hi
I think this is just related to ie 8 on windows xp not supporting SNI. But I
could be wrong.
Greets,
Sander
On 8 jul. 2013, at 18:50, Jürgen Haas juer...@paragon-es.de wrote:
This is a follow-up question to the other thread SSL Problem -
Untrusted Connection which has meanwhile been
Hi,
Is it possible to use webdav with haproxy while in http mode? Or dou I
have to use tcp mode for that?
Regards,
Sander
, there won't be any issues at all.
Which product are you targeting for your webdav deployment?
Baptiste
On Wed, Oct 9, 2013 at 8:57 AM, Sander Klein roe...@roedie.nl wrote:
Hi,
Is it possible to use webdav with haproxy while in http mode? Or dou
I have
to use tcp mode for that?
Regards,
Sander
Wicked, thanks for your answer.
Sander
On 10.10.2013 00:03, Bryan Talbot wrote:
I've used it in front of SVN running in apache httpd and proxy in
http mode with ssl. works great.
-Bryan
On Wed, Oct 9, 2013 at 1:59 AM, Sander Klein roe...@roedie.nl
wrote:
Hey Baptiste,
We want to use
Hi,
I've compiled 1.5-dev20 on debian wheezy and now I get a double free or
corruption bug. Haproxy will not start.
*** glibc detected *** /usr/sbin/haproxy: double free or corruption
(fasttop): 0x03c5a880 ***
=== Backtrace: =
On , Willy Tarreau wrote:
Hi Sander,
On Mon, Dec 16, 2013 at 09:43:07AM +0100, Sander Klein wrote:
Hi,
I've compiled 1.5-dev20 on debian wheezy and now I get a double free
or
corruption bug. Haproxy will not start.
Interesting, I never experienced this one. Could you please run
On , Willy Tarreau wrote:
OK here's the fix, it was not a big deal, just a missing NULL
after a free when loading patterns from a file. Thank you for
your quick help Sander!
Something is fishy. I've compiled a new version with your patch, haproxy
starts but it 'just doesn't work (tm)'.
I
On , Sander Klein wrote:
On , Willy Tarreau wrote:
OK here's the fix, it was not a big deal, just a missing NULL
after a free when loading patterns from a file. Thank you for
your quick help Sander!
Something is fishy. I've compiled a new version with your patch,
haproxy starts but it 'just
On , Willy Tarreau wrote:
On Mon, Dec 16, 2013 at 01:10:11PM +0100, Sander Klein wrote:
On , Willy Tarreau wrote:
OK here's the fix, it was not a big deal, just a missing NULL
after a free when loading patterns from a file. Thank you for
your quick help Sander!
Something is fishy. I've
On , Willy Tarreau wrote:
On Mon, Dec 16, 2013 at 02:19:28PM +0100, Sander Klein wrote:
On , Willy Tarreau wrote:
On Mon, Dec 16, 2013 at 01:10:11PM +0100, Sander Klein wrote:
On , Willy Tarreau wrote:
OK here's the fix, it was not a big deal, just a missing NULL
after a free when loading
Hi,
I've enabled http-keep-alive in my config and now haproxy continuously
peaks at 100% CPU usage where without http-keep-alive it only uses
10-13% CPU.
Is this normal/expected behavior?
Greets,
Sander
On , Willy Tarreau wrote:
On Tue, Dec 17, 2013 at 10:44:12AM +0100, Guillaume Castagnino wrote:
Le mardi 17 décembre 2013 10:32:30 Sander Klein a écrit :
Hi,
I've enabled http-keep-alive in my config and now haproxy continuously
peaks at 100% CPU usage where without http-keep-alive it only
Hi,
I know haproxy doesn't do UDP loadbalancing, but I figured someone here
might now A nice tool which can doe this for me. (If haproxy could do it
it would have been nice though... ;-) )
I've looked at pen but it doesn't seem to do IPV6.
LVS can do the trick but I need to reconfigure a
Hi,
I'm using haproxy ss-20131229 to reverse proxy some windows iis server
with ntlm-auth enabled (one of them being exchange 2012).
While I understood that using 'option http-keep-alive' would make
ntlm-auth work, it doesn't work for me. Are there still some issue with
http-keep-alive and
On , Willy Tarreau wrote:
On Tue, Dec 31, 2013 at 12:44:26AM +0100, Lukas Tribus wrote:
Hi,
Hi,
I know haproxy doesn't do UDP loadbalancing, but I figured someone here
might now A nice tool which can doe this for me. (If haproxy could do it
it would have been nice though... ;-) )
I've
On 31.12.2013 00:50, Lukas Tribus wrote:
Hi,
Subject: http-keep-alive broken?
Hi,
I'm using haproxy ss-20131229 to reverse proxy some windows iis server
with ntlm-auth enabled (one of them being exchange 2012).
While I understood that using 'option http-keep-alive' would make
ntlm-auth work,
Hi Baptiste, Lukas,
@Lukas: Sorry I misread your tunnel-mode for tcp-mode. Tunnel-mode works
(almost) fine as you can read below.
I have been investigating my problem a bit more, and then I remembered
that I also updated haproxy a week before we started using our new
Windows 2012 servers.
Heyz,
On 03.01.2014 22:52, Lukas Tribus wrote:
Hi,
The problem I'm having (also tested with ss-20140101 yesterday)
happens
with http-keep-alive enabled and also when just running in tunnel
mode.
But, when http-keep-alive is enabled I get the problem with ~98% of
the
requests and in tunnel
Hey,
On 03.01.2014 22:52, Lukas Tribus wrote:
You said that one of your backends is exchange 2012. What release are
the
other ntlm-auth backends exactly and is the issue the same on all of
them?
All backends are windows 2012 with the standard IIS that comes with it.
I have the problem on
Hey,
On 05.01.2014 17:33, Lukas Tribus wrote:
Hi,
Well, after spending some time compiling testing compiling testing I
finally found that the patch
0103-OPTIM-MEDIUM-epoll-fuse-active-events-into--1.5-dev19.diff done
between 20131115 and 20131116 is causing my problems.
I also found that
On 06.01.2014 15:10, Willy Tarreau wrote:
I would go even further (using git). What I understand here is that the
issue
was introduced after the epoll optimization and is hidden by this one.
So I'd
rather start by reverting that patch and then looking up for another
faulty
patch after those :
Hi,
I'm sorry you haven't heard from me yet. But I didn't have time to look
into this issue. Hope to do it this weekend.
Greets,
Sander
Heyz,
On 10.01.2014 09:14, Willy Tarreau wrote:
Hi Sander,
On Fri, Jan 10, 2014 at 08:57:18AM +0100, Sander Klein wrote:
Hi,
I'm sorry you haven't heard from me yet. But I didn't have time to
look
into this issue. Hope to do it this weekend.
Don't rush on it, Baptiste has reported to me
Hi,
would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?
I'm asking because nonlocal_bind only works for IPv4 and it seems linux
upstream does not want to support nonlocal_bind for IPv6.
A thread about this can be found here:
On 03.03.2014 14:45, Sander Klein wrote:
Hi,
would it be possible to support IP_FREEBIND with HAProxy-1.5 on linux?
I'm asking because nonlocal_bind only works for IPv4 and it seems
linux upstream does not want to support nonlocal_bind for IPv6.
A thread about this can be found here:
http
On 03.03.2014 21:31, Willy Tarreau wrote:
On Mon, Mar 03, 2014 at 09:10:51PM +0100, Lukas Tribus wrote:
Lets set IP_FREEBIND on IPv6 sockets as well, this works since Linux
3.3
and doesn't require CAP_NET_ADMIN privileges (IPV6_TRANSPARENT does).
This allows unprivileged users to bind to
On 12.03.2014 10:36, William Lewis wrote:
Hi,
I’m looking for any advice in tuning kernel parameters for haproxy.
Current sysctl.conf is
net.ipv4.icmp_echo_ignore_broadcasts = 1
fs.file-max = 800
vm.swappiness = 20
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_max_syn_backlog = 32768
Hi
On 24.03.2014 18:35, Andy Walker wrote:
For what it's worth, haproxy can be running on a server, and listening
on IP addresses that aren't actually associated with that server. In
linux, just make sure NET.IPV4.IP_NONLOCAL_BIND is set to 1, and
this will allow haproxy to bind to addresses
Hey,
On 26.03.2014 12:17, Jarno Huuskonen wrote:
Hi,
On Wed, Mar 26, Sander Klein wrote:
Hi
On 24.03.2014 18:35, Andy Walker wrote:
For what it's worth, haproxy can be running on a server, and listening
on IP addresses that aren't actually associated with that server. In
linux, just make
Hi,
I noticed a dramatic increase in CPU usage between HAProxy ss-20140329
and ss-20140425. With the first haproxy uses around 20% of CPU and with
the latter it eats up 80-90% of cpu and sites start to become sluggish.
Health checks take much more time to complete 1100ms vs 2ms normal.
Hey Willy,
On 25.04.2014 14:39, Willy Tarreau wrote:
On Fri, Apr 25, 2014 at 02:12:23PM +0200, Sander Klein wrote:
Hi,
I noticed a dramatic increase in CPU usage between HAProxy ss-20140329
and ss-20140425. With the first haproxy uses around 20% of CPU and
with
the latter it eats up 80-90
On 25.04.2014 15:46, Willy Tarreau wrote:
Just to make sure I didn't give you a bogus report is
upgraded/downgraded a couple of times, but every time I install
20140425
the CPU spikes and sites become sluggish.
OK. Does it happen immediately or does it take some time ?
It happens
On 25.04.2014 15:46, Willy Tarreau wrote:
On Fri, Apr 25, 2014 at 03:34:14PM +0200, Sander Klein wrote:
I currently don't have compression enabled in my config. I disabled it
some time ago because of CPU usage ;-)
Ah too bad, it would have been an easy solution!
With the current snapshot I
On 25.04.2014 17:22, Willy Tarreau wrote:
On Fri, Apr 25, 2014 at 04:56:06PM +0200, Sander Klein wrote:
I've done a search and it breaks between 20140413 and 20140415.
OK, that's already very useful. I'm assuming this covers the period
between commits 01193d6ef and d988f2158. During
Hey All,
Sorry for my late response, but we have a national holiday here...
'Kings day' would be the translation ;-)
On 26.04.2014 13:53, Lukas Tribus wrote:
Hi,
- recommit the patch I submitted as it is, and let users concerned
with
the CPU impact use static DH parameter in the
On 26.04.2014 16:07, Lukas Tribus wrote:
Hi,
I've disabled sslv3 and use certificates with 4096bits keys. I know
4096
bits keys are a bit over the top, but while testing the impact seemed
to
be acceptable so I thought 'What the heck, let's just use it'
Thats it, with Remi's patch your
On 02.05.2014 16:52, Lukas Tribus wrote:
Hi Remi,
The default value for max-dh-param-size is set to 1024, thus keeping
the current behavior by default. Setting a higher value (for example
2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade
to stronger ephemeral DH keys (and back
On 02.05.2014 16:52, Lukas Tribus wrote:
Hi Remi,
The default value for max-dh-param-size is set to 1024, thus keeping
the current behavior by default. Setting a higher value (for example
2048 with a 2048 bits RSA/DSA server key) allows an easy upgrade
to stronger ephemeral DH keys (and back
On 19.05.2014 06:51, Willy Tarreau wrote:
Hi Rémi,
On Mon, May 12, 2014 at 06:34:01PM +0200, Remi Gacogne wrote:
Hi,
On 05/05/2014 12:06 PM, Sander Klein wrote:
I've added a 2048bit dhparam to my most used certificates and I don't
see a big jump in resource usage.
This was not a big
On 19.06.2014 21:54, Willy Tarreau wrote:
Hi everyone,
The list has been unusually silent today, just as if everyone was
waiting
for something to happen :-)
Today is a great day, the reward of 4 years of hard work. I'm
announcing the
release of HAProxy 1.5.0.
Congratulations!
Now people
On 18.10.2014 16:37, David Coulson wrote:
You mean like this?
http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/
On 10/18/14, 10:34 AM, Malcolm Turnbull wrote:
I was thinking Haproxy could be used to block any non-TLS
connection
Like you can with iptables:
Hi,
I'm testing some stuff with quite a big regex and now I am wondering
what would be more efficient. Is it more efficient to load the regex
with -i or is it better to specify it in the regex
So,
-i (some|words)
or
((S|s)(O|o)(M|m)(E|e)|(W|w)(O|o)(R|r)(D|d)(S|s))
Greets,
Sander
On 02.02.2015 12:09, Mathieu Sergent wrote:
Hi,
I try to set up a load balancing with HAProxy and 3 web servers.
I want to receive on my web servers the address' client.
I read that it is possible with the option source ip usesrc but
you need to be root.
If you want to not be root, you have
Hi Mathieu,
Pleas keep the list in the CC.
On 02.02.2015 15:26, Mathieu Sergent wrote:
Thanks for your reply.
I just used the option forwardfor in the haproxy configuration. And i
can find client's address from my web server (with tcpdump).
But if i don't use the option forwardfor, the web
On 02.02.2015 16:33, Mathieu Sergent wrote:
Hi Sander,
Yes i reloaded the haproxy and my web server too. But no change.
And i'm not using proxy protocol.
To give you more precisions, on my web server i used tcpdump functions
which give me back the header of the requete http. And in this i
On 20.01.2015 10:54, andriatsiresy johary wrote:
J'ai mis en place un système de load balancing d'un cluster de base
de données, avec HAProxy, sur une debian 7, j'ai activer la page de
statistique de HAProxy et je ne sais pas ou trouver le code source de
ce page, pourriez-vous m'aider s'il vous
On 2015-05-04 07:35, ANISH S IYER wrote:
Hi
while configuring Ha proxy.
mv /etc/haproxy/haproxy.cfg{,.original}
what is the meaning of this line. what you mean by original
It will move the file haproxy.cfg to haproxy.cfg.original. So, it is the
same as mv /etc/haproxy/haproxy.cfg
Hey,
please keep it on the list...
On 2015-05-04 10:19, ANISH S IYER wrote:
Hi
thanks for your fast replay
after configuring the HA proxy
the log file seems like
May 4 03:42:00 discourse haproxy[3590]: Proxy haproxy_in started.
May 4 03:42:00 discourse haproxy[3590]: Proxy haproxy_in
On 2015-06-19 16:08, Mauricio Aguilera wrote:
El problema es por el ; antes del csv de la url
Tengo el mismo problema y pude detectar que
Nagios corta ahí el comando y
obviamente se ejecuta mal,
intenté pasarle los valores con y ' ', pero nada...
Se les ocurre algo?
Me gustaría tratar de
Hi,
I have some clients that complain about getting 408 errors with
Microsoft Edge. I haven't been able to catch such a request yet, but I
am wondering if this is the same as the Google Chrome preconnect
problem.
Anyone by any chance got the same experience or any ideas on this?
Greets,
Hi Nenad,
On 2015-11-24 16:15, Nenad Merdanovic wrote:
Can you post a minimal configuration (or full) which reproduces this?
Yes, here it is:
global
log /dev/loglocal0
log /dev/loglocal1 notice
chroot /var/lib/haproxy
stats socket
Hi All,
I'm running haproxy 1.6.2 and it seems it ignores the values given with
ssl-default-bind-options and/or ssl-default-server-options.
I have the following in my global conf:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
ssl-default-bind-ciphers
1 - 100 of 158 matches
Mail list logo