Re: [ANNOUNCE] haproxy-1.7.0 (multi-certs openssl version)

2016-12-21 Thread Jarno Huuskonen
Hello,

On Fri, Nov 25, Willy Tarreau wrote:
>   - support of multi-certs : different certificates for a same domain so
> that the best one can be picked according to browser support. The main
> use is to be able to deliver ECDSA certificates to clients supporting
> them, without breaking compatibility with older clients.

Does this multi-certs functionality depend on certain openssl version
(does it need >= 1.0.2 to load different ca path for rsa / ecdsa certs) ?

Cloudflare describes in this blog post:
https://blog.cloudflare.com/tls-certificate-optimization-technical-details/
How they decide which certificate to use.

Does haproxy with multi-certs use similar logic to decide between
rsa / ecdsa cert ?

-Jarno

PS. BTW, when upgrading from 1.5.x to 1.6.x or 1.7.x I noticed a minor
compatibility difference with Content-Security-Policy headers:
with 1.5.x I had:
http-response set-header Content-Security-Policy connect-src\ 'self'\ https://some.host...

With 1.6.x/1.7.x clients see this as: connect-src self https://some.host...
(Missing '' around self).

Changing this to:
http-response set-header Content-Security-Policy "connect-src 'self' https://some.host...;
works with 1.6.x/1.7.x.

-- 
Jarno Huuskonen
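The selection heuristic Jarno asks about, as an added example that is not haproxy's code (the thread does not say how haproxy 1.7 actually chooses between the bundled certificates): a minimal ClientHello parser that reads the cipher-suite list and the signature_algorithms extension, and serves ECDSA only when the client both offers an ECDHE-ECDSA cipher suite and, if it sends the extension at all, lists an ECDSA signature scheme in it. The ClientHello messages are constructed inline for the demonstration; the cipher-suite and signature-scheme numbers are the IANA values, and the decision rule itself is an assumption of this example.

```python
"""Choose an RSA or ECDSA certificate from a TLS ClientHello (added example)."""
import struct

# IANA cipher-suite identifiers that authenticate the server with ECDSA.
ECDSA_SUITES = {
    0xC009,  # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    0xC00A,  # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    0xC023,  # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    0xC024,  # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    0xC02B,  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    0xC02C,  # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    0xCCA9,  # TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
}
# signature_algorithms entries (hash, signature) whose signature byte is
# ecdsa (3), RFC 5246 section 7.4.1.4.1: sha1/sha224/sha256/sha384/sha512.
ECDSA_SIGALGS = {0x0203, 0x0303, 0x0403, 0x0503, 0x0603}
EXT_SIGNATURE_ALGORITHMS = 13


def parse_client_hello(record: bytes) -> dict:
    """Return the cipher suites and the signature_algorithms list (None when
    the extension is absent) of a ClientHello carried in one TLS record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    sig_algs = None
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack("!H", data[:2])[0]
                sig_algs = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return {"cipher_suites": suites, "sig_algs": sig_algs}


def pick_certificate(record: bytes) -> str:
    """'ecdsa' when the client can verify an ECDSA certificate, else 'rsa'.

    Assumed rule (this example's, not haproxy's): the client must offer an
    ECDHE-ECDSA cipher suite and, if it sends signature_algorithms, list an
    ECDSA scheme there. A client without the extension is pre-TLS 1.2, where
    RFC 5246 implies SHA-1 with whatever key types its suites need, so the
    suite check alone decides for it.
    """
    info = parse_client_hello(record)
    offers_ecdsa_suite = any(s in ECDSA_SUITES for s in info["cipher_suites"])
    sig_algs = info["sig_algs"]
    sigalg_ok = sig_algs is None or any(a in ECDSA_SIGALGS for a in sig_algs)
    return "ecdsa" if offers_ecdsa_suite and sigalg_ok else "rsa"


def build_client_hello(suites, sig_algs=None) -> bytes:
    """Constructed ClientHello (TLS 1.2 version fields, all-zero random, empty
    session id) used only to exercise the parser above."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one compression method: null
    if sig_algs is not None:
        sa = struct.pack("!H", 2 * len(sig_algs)) + b"".join(struct.pack("!H", a) for a in sig_algs)
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sa)) + sa
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample clients (not captured traffic).
MODERN_CLIENT = build_client_hello([0xC02B, 0xC02F, 0x002F], [0x0403, 0x0401, 0x0201])
RSA_ONLY_CLIENT = build_client_hello([0xC02F, 0xC013, 0x002F], [0x0401, 0x0201])
# Offers an ECDSA suite but only RSA signature algorithms: must not get ECDSA.
INCONSISTENT_CLIENT = build_client_hello([0xC02B, 0xC02F], [0x0401])
# No extensions at all (TLS 1.0 style) but an ECDHE-ECDSA suite.
LEGACY_CLIENT = build_client_hello([0xC00A, 0xC014, 0x0035])

if __name__ == "__main__":
    for name, hello in [("modern", MODERN_CLIENT), ("rsa-only", RSA_ONLY_CLIENT),
                        ("inconsistent", INCONSISTENT_CLIENT), ("legacy", LEGACY_CLIENT)]:
        print(f"{name:13s} -> {pick_certificate(hello)}")
```

The inconsistent client is the case worth keeping in mind when deploying a multi-cert setup: a cipher-suite list alone is not evidence that the client can validate an ECDSA chain, so the signature_algorithms extension has to be consulted whenever it is present.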

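The quoting difference in Jarno's PS, as an added example that is not haproxy's parser: a simplified model of how a configuration line is split into arguments under the 1.5 rule (only backslash escaping) and under the 1.6 and later rule (backslash escaping plus weak "" and strong '' quoting), run over the two set-header lines from the message. The host https://some.host is a placeholder, and the model deliberately leaves out environment-variable expansion and the other details of the real parser.

```python
"""Model of haproxy config-line quoting, 1.5 vs 1.6+ (added example)."""


def tokenize(line: str, quoting: bool = True) -> list:
    """Split one configuration line into its arguments.

    quoting=False models the 1.5 rule: a backslash escapes the next character
    and quote characters are ordinary text. quoting=True models the 1.6+ rule:
    on top of backslash escaping, "..." is weak quoting (spaces kept, backslash
    still escapes) and '...' is strong quoting (everything literal). In both
    modes an unescaped '#' outside quotes starts a comment. Simplified model,
    not haproxy's own code.
    """
    args, cur, state, i, have_token = [], [], "plain", 0, False
    while i < len(line):
        c = line[i]
        if state == "plain":
            if c == "\\" and i + 1 < len(line):
                cur.append(line[i + 1]); have_token = True; i += 2; continue
            if c in " \t":
                if have_token:
                    args.append("".join(cur)); cur, have_token = [], False
                i += 1; continue
            if c == "#":
                break
            if quoting and c == '"':
                state = "weak"; have_token = True; i += 1; continue
            if quoting and c == "'":
                state = "strong"; have_token = True; i += 1; continue
            cur.append(c); have_token = True
        elif state == "weak":
            if c == "\\" and i + 1 < len(line):
                cur.append(line[i + 1]); i += 2; continue
            if c == '"':
                state = "plain"; i += 1; continue
            cur.append(c)
        else:  # strong quoting: nothing is special until the closing quote
            if c == "'":
                state = "plain"; i += 1; continue
            cur.append(c)
        i += 1
    if state != "plain":
        raise ValueError(f"unterminated {state} quote in: {line}")
    if have_token:
        args.append("".join(cur))
    return args


def header_value(line: str, quoting: bool = True) -> str:
    """For an 'http-response set-header NAME VALUE' line, return the VALUE the
    parser would hand to the header builder. Any other argument count means
    the value was split, which is treated as a configuration error here."""
    args = tokenize(line, quoting)
    if args[:2] != ["http-response", "set-header"] or len(args) != 4:
        raise ValueError(f"expected exactly 4 arguments, got {args}")
    return args[3]


# The two lines from the message, with a placeholder host (constructed input).
OLD_STYLE = r"http-response set-header Content-Security-Policy connect-src\ 'self'\ https://some.host"
NEW_STYLE = 'http-response set-header Content-Security-Policy "connect-src \'self\' https://some.host"'

if __name__ == "__main__":
    print("1.5 rule, old style :", header_value(OLD_STYLE, quoting=False))
    print("1.6+ rule, old style:", header_value(OLD_STYLE))   # quotes around self are gone
    print("1.6+ rule, new style:", header_value(NEW_STYLE))
```

Under the 1.6+ rule the single quotes in the backslash-escaped form are consumed as strong quoting, which is exactly the "connect-src self" the clients saw; wrapping the whole value in double quotes keeps the inner single quotes literal. A quick check after any upgrade is to fetch a response and compare the header byte for byte with what the policy is meant to say.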


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-27 Thread Aleksandar Lazic



On 25-11-2016 18:51, Willy Tarreau wrote:

Hi,

HAProxy 1.7.0 was released on 2016/11/25. It added 107 new commits
after version 1.7-dev6. Most of them were late minor bug fixes and code
cleanups. Over the last two weeks we finally managed to clean a lot of
historical mess, just by splitting some huge code parts into several
files, or moving them into the appropriate file. It's better done
before than after a release since it will make backports easier for the
maintenance branch. To be honest there's nothing outstanding compared
to 1.7-dev6 so I won't comment on these very latest changes.


Congratulations ;-)

Aleks


Haproxy 1.7 now is what I would have liked 1.6 to be, and is what I
consider the cleanest version we've ever produced. When 1.6 was released
one year ago, I predicted that we'd face one year worth of bug fixes due
to the important changes that were brought to the connection management,
and it indeed took almost one year to get rid of all of them. Now we
mostly focused on fixes, cleanups and modularity, but not on earth-shaking
changes.

It's interesting to note that among the 706 commits that were produced
between 1.6.0 and 1.7.0, no less than 207 were bug fixes (roughly 1/3),
around 70 were build fixes and code reorganizations, and around 60 were
doc updates, so 1.7 was where the fixes for 1.6 were developed, and that
brings it its current level of maturity. We have almost not observed any
1.7-specific regression during its development for now which is a very
good sign of the code becoming more modular and much less tricky than
what it used to be. We had to emit 1.6.1 only one week after 1.6.0 due
to a major bug, I bet we'll be able to wait longer before requiring such
an update, time will tell.

Despite this it still brings quite some significant improvements over
1.6 :
  - significant improvements of the CLI : it is now possible to easily
register new commands without causing some inter-dependencies between
the CLI code and the functional code, so we could already improve a
large number of commands with better help and extra arguments. In
addition to this, the Lua code can also register CLI commands, pushing
the limits as far as your imagination goes.

  - typed statistics : will make it easier to aggregate statistics over
multiple processes. Additionally, all the fields that used to be
available in HTML are now also exported in the CSV output, such as
the server's address and port, cookie, average response times, etc.

  - SPOE (stream processing offload engine) : ability to delegate some
slow, unreliable or dangerous processing to external processes,
ensuring it will be much less necessary to touch the core parts to
add new features, and that some parts could possibly work across
multiple versions.

  - filters : these are a new type of internal hooks to many events and
around most analysers in order to plug code that can manipulate data
and headers. The compression was moved to a filter, and it will be
easy to write new code using filters. SPOE was built entirely as a
filter.

  - log-format : the parser now honors error processing. It's been a
huge source of complaints over the last few years where some log
fields were empty because improperly typed in the config, but the
much more modular architecture now made this possible.

  - support of directories for config files : now if the argument to -f
is a directory, all files found there are loaded in alphabetical
order. Additionally, files can be specified after "--" without having
to repeat "-f".

  - config : it is now possible to set/unset/preset environment variables
directly in the global section, and even to consult them on the CLI.

  - init-addr : it is now possible to decide in which order the FQDN
should be resolved on "server" lines, and even accept to start with
no address, waiting for a run-time resolution.

  - server update on the CLI : the CLI makes it possible to change a
server's address, port, maxconn, check address and port so that it
is not required anymore to reload haproxy just to update an address.
In conjunction with init-addr, it even allows to pre-populate some
server pools that are filled at run time.

  - state change via the DNS : a valid DNS resolution can now start a
server, and repeated failures can stop it (configurable). This is
another step in the direction of a more dynamic configuration.

  - agent-check : an agent can now change the server's maxconn setting. A
server may now take its own load into consideration when deciding what
its connection limit should be.

  - support for OpenSSL 1.1.0 : this makes this new version future-proof
given that 1.1.0 is about to ship in some future distros. Compatibility
with older versions was validated on 0.9.8, 1.0.1 and 1.0.2.

  - support of multi-certs : different certificates for a 

Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Jonathan Opperman
On 26/11/2016 11:06, "Willy Tarreau"  wrote:
>
> On Sat, Nov 26, 2016 at 10:14:57AM +1300, Jonathan Opperman wrote:
> > On 26/11/2016 10:11, "Baptiste"  wrote:
> > >
> > > Congrats all 
> > >
> > > Baptiste
> >
> > High 5 guys, haproxy is an awesome product. Congratulations to all
> > involved. What's the best way to get involved with helping with the
> > development of haproxy?
>
> Test it, help others when you can, report issues, read patches posted here,
> test them, comment, review them, and at some point you'll figure you're able
> to propose your own and to improve it yourself. We all started like this :-)
>
> Cheers,
> Willy

Thanks Willy, I will do this. These days it's so easy to fire up test
environments and do some testing especially with lxc/lxd.

Thanks again to all for haproxy's existence. :)

Cheers
Jono


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Willy Tarreau
On Sat, Nov 26, 2016 at 10:14:57AM +1300, Jonathan Opperman wrote:
> On 26/11/2016 10:11, "Baptiste"  wrote:
> >
> > Congrats all 
> >
> > Baptiste
> 
> High 5 guys, haproxy is an awesome product. Congratulations to all
> involved. What's the best way to get involved with helping with the
> development of haproxy?

Test it, help others when you can, report issues, read patches posted here,
test them, comment, review them, and at some point you'll figure you're able
to propose your own and to improve it yourself. We all started like this :-)

Cheers,
Willy



Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Jonathan Opperman
On 26/11/2016 10:11, "Baptiste"  wrote:
>
> Congrats all 
>
> Baptiste

High 5 guys, haproxy is an awesome product. Congratulations to all
involved. What's the best way to get involved with helping with the
development of haproxy?


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Baptiste
Congrats all 

Baptiste


Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Willy Tarreau
On Fri, Nov 25, 2016 at 09:06:38PM +0100, Cyril Bonté wrote:
> On 25/11/2016 at 20:09, Willy Tarreau wrote:
> > Hi Cyril,
> > 
> > On Fri, Nov 25, 2016 at 07:25:12PM +0100, Cyril Bonté wrote:
> > > I was about to prepare the HTML documentation :-)
> > > But it will come a bit later : it seems that the repository for 
> > > haproxy-1.7
> > > is not cloneable yet (missing info/refs).
> > 
> > I think you tell me this at each release, and that at each release I
> > forget to set the post-update hook... One more reason for releasing
> > more often :-)
> > 
> > It should be OK now.
> 
> It is :) and now the documentation for 1.7.0 and 1.8-dev0 is ready.

Excellent, thanks for taking care of it this fast!

Willy



Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Cyril Bonté

On 25/11/2016 at 20:09, Willy Tarreau wrote:

Hi Cyril,

On Fri, Nov 25, 2016 at 07:25:12PM +0100, Cyril Bonté wrote:

I was about to prepare the HTML documentation :-)
But it will come a bit later : it seems that the repository for haproxy-1.7
is not cloneable yet (missing info/refs).


I think you tell me this at each release, and that at each release I
forget to set the post-update hook... One more reason for releasing
more often :-)

It should be OK now.


It is :) and now the documentation for 1.7.0 and 1.8-dev0 is ready.

Cheers !

--
Cyril Bonté



Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Willy Tarreau
Hi Cyril,

On Fri, Nov 25, 2016 at 07:25:12PM +0100, Cyril Bonté wrote:
> I was about to prepare the HTML documentation :-)
> But it will come a bit later : it seems that the repository for haproxy-1.7
> is not cloneable yet (missing info/refs).

I think you tell me this at each release, and that at each release I
forget to set the post-update hook... One more reason for releasing
more often :-)

It should be OK now.

Cheers,
Willy



Re: [ANNOUNCE] haproxy-1.7.0

2016-11-25 Thread Cyril Bonté

Hi all, hi Willy,

On 25/11/2016 at 18:51, Willy Tarreau wrote:

Hi,

HAProxy 1.7.0 was released on 2016/11/25.


Great news !


[...]
Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Sources  : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog: http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/


I was about to prepare the HTML documentation :-)
But it will come a bit later : it seems that the repository for 
haproxy-1.7 is not cloneable yet (missing info/refs).



--
Cyril Bonté