Re: load-server-state-from-file "automatic" transfer?

Hi! Thanks for taking a look and explaining. Should I create a ticket on GitHub for this? Daniel > On 25. Jul 2019, at 10:44, William Lallemand wrote: > > On Thu, Jul 25, 2019 at 10:23:24AM +0200, Aleksandar Lazic wrote: >> Hi. >> >> Am 25.07.2019 um 10:06 schrieb William Lallemand: >>> On

load-server-state-from-file "automatic" transfer?

fashion as file handles or stick-tables (via peers)? Thanks a lot! Daniel -- Daniel Schneller Principal Cloud Engineer GPG key at https://keybase.io/dschneller CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerdevice.com __ Geschäftsführung: Dr

Re: DNS Resolver Issues

start despite having the supposedly never failing 'default-server > init-addr last,libc,none' ? Is it possibly a good feature request to support > re-resolving a dns name for the addr setting as well ? > > Regards, > PiBa-NL (Pieter) > > Op 21-3-2019 om 20:37 schreef Danie

Re: DNS Resolver Issues

records from the resolver. > > Can you please retest with the updated configuration and report back the > results? > > > Best regards, > > Bruno Henc > > ‐‐‐ Original Message ‐‐‐ > On Thursday, March 21, 2019 12:09 PM, Daniel Schneller

Re: DNS Resolver Issues

Hello! Friendly bump :) I'd be willing to amend the documentation once I understand what's going on :D Cheers, Daniel > On 18. Mar 2019, at 20:28, Daniel Schneller > wrote: > > Hi everyone! > > I assume I am misunderstanding something, but I cannot figure out what it

DNS Resolver Issues

systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace -- Daniel Schneller Principal Cl

HAProxy keeps using outdated IPs when backend (ELB) address changes

poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [COMP] compression [TRACE] trace [SPOE] spoe - -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 5

Re: Clarification re Timeouts and Session State in the Logs

. > > On Thu, 23 Aug 2018 9:56 pm Daniel Schneller > <mailto:daniel.schnel...@centerdevice.com>> wrote: > Friendly bump. > I'd volunteer to do some documentation amendments once I understand the issue > better :D > >> On 21. Aug 2018, at 16:17, Daniel Schnelle

Clarification re Timeouts and Session State in the Logs

it is difficult to tell "who's to blame" for an inactivity timeout without knowledge about the content or final size of the request -- I just need some clarity on how the read the logs :) Thanks! Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice Gmb

Re: Bug when passing variable to mapping function

example > 'distri.com' and after get_trash_chunk() smp->data.u.str.str > is '\000istri.com'. > > At the moment I don't have time to dig deeper, but hopefully this > helps a little bit. > > -Jarno > > -- > Jarno Huuskonen > > -- -- Daniel Schneller Princip

Bug when passing variable to mapping function

header changes to: -- X-Distri-Mapped-From-Var: aaistri -- Looks like some off-by-one error? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerdevice.com ___

Re: Reverse String (or get 2nd level domain sample)?

earlier versions IMO). Cheers, Daniel > On 25. Jun 2018, at 12:29, Daniel Schneller > wrote: > > Hi! > > Just double checking to make sure I am not simply blind: Is there a way to > reverse a string using a sample converter? > > Background: I need to extract

Reverse String (or get 2nd level domain sample)?

le, I would like to avoid using maps to keep this thing as generic as possible. Thanks a lot! Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerdevice.com __ Geschäftsführung: Dr. Patrick Peschlow, D

Re: 4xx statistics made useless through health checks?

tp://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#4.2-monitor-uri > It says it wont log or forward the request.. not sure but maybe stats will > also skip it. Yes, that’s exactly what’s shown in that linked repo. Thanks for chiming in :) > Regards, > PiBa-NL / Pieter > --

Re: 4xx statistics made useless through health checks?

ot for your thoughts, so far :) Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.

Re: 4xx statistics made useless through health checks?

roxy” health checking that does not spoil the counters? Daniel Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

Encrypted Passwords Documentation Patch

noticeable at all to it almost eating a full core, even for a not very busy site. Tested with 1.6, but this applies to all versions, if I am not mistaken. Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Re: Force Sticky session on HaProxy

e same JSESSIONID gets to the same backend every time. As the information is in the cookie, there is no state to be lost on the haproxy side. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen te

Re: Question related to gpc0_rate values in stick-table

easonable starting point to figure out where the issue comes from. Regards, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland dani

Re: Inspect data sent through haproxy and create statistics

tp-request set-var(txn.op) str(Unkwn) ... http-request set-var(txn.op) str(DocDelMul) if METH_POST rq_path_documents rq_content_type_json rq_body_action_delete# Delete Multiple Documents … Hope that helps. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: Enable SSL Forward Secrecy

Hi,inspired by this, I added a paragraph with links to the documentation.Small patch attached.Cheers,Daniel 0001-DOC-Refer-to-Mozilla-TLS-info-config-generator.patch Description: Binary data -- Daniel SchnellerPrincipal Cloud Engineer CenterDevice GmbH                  | Hochstraße 11           

[PATCH] DOC: Add note about "* " prefix in CSV stats

Just a little documentation patch I wrote, after stumbling across this:https://github.com/dschneller/bosun/commit/6ca776dd6543d123a135b4a84a5e3e66093c3986 0001-DOC-Add-note-about-prefix-in-CSV-stats.patch Description: Binary data Cheers,Daniel -- Daniel SchnellerPrincipal Cloud Engineer 

Re: Enable SSL Forward Secrecy

Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind “autocompleted" the missing trailing “E” in ECDH (/me facepalms). Thanks, Cyril, for pointing that out! I was starting to doubt myself here :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterD

Re: Enable SSL Forward Secrecy

ve any real traffic in there. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdev

Re: Enable SSL Forward Secrecy

are proxies/firewalls? Can you post a minimal haproxy config that reproduces the issue? Please verify you can see the requests coming in by checking haproxy’s log. You should be able to at least see the requests being rejected due to bad handshakes. Daniel -- Daniel Schneller Principal Cl

Re: Enable SSL Forward Secrecy

Ok, so that’s not it. What about the ciphers output? -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

Re: Enable SSL Forward Secrecy

Also, please run haproxy -vv to get some idea about what SSL library it actually uses. -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland

Re: Enable SSL Forward Secrecy

-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA SRP-AES-128-CBC-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA PSK-AES128-CBC-SHA Check the output on your load balancer — maybe the OpenSSL version just too old? Regards, Daniel -- Daniel Schneller

Re: Enable SSL Forward Secrecy

handshakes and go through them — IIRC there is some “FS” vs. “No FS” marker there. Regards, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: req.cook_cnt() broken?

1.8, 1.7.9, and 1.6.13 just now. Works as expected with all three. :D Any chance of getting this fix backported to the 1.7 and ideally 1.6 branches? It would come in handy on a production system currently running 1.6 that I cannot easily upgrade to 1.7. Cheers, Daniel -- Daniel S

Re: req.cook_cnt() broken?

Kindly bumping this during the summer vacation time for potentially new recipients :) > On 21. Aug. 2017, at 21:14, Daniel Schneller > <daniel.schnel...@centerdevice.com> wrote: > > Hi! > > According to the documentation > > req.cook_cnt([]) : integ

req.cook_cnt() broken?

So without being very C-savvy, this appears to exit early when there is no parameter of type string passed in. I hope someone can shed some light on this. :) Thanks in advance, Daniel -- Daniel Schneller Principal Cloud Engineer CenterD

Re: fields vs word converter, unexpected "0" result

On 1. Aug. 2017, at 17:32, Holger Just wrote: > GET / HTTP/1.1 > Host: 127.0.0.1:8881 > User-Agent: curl/7.43.0 > Accept: */* > > The HTTP 1.1 specification requires that a Host header is always sent > along with the request. Curl specifically always sends the host from the

fields vs word converter, unexpected "0" result

in “0” being logged? Ideally, I’d like this to show as “-“, but empty string would be fine, too. But “0” is pretty counter-intuitive. It’s not strictly horrible, but at least it is unexpected and would also collide with cases where the actual 2nd subdomain was called “0”. Is this a bug, or am I d

Re: haproxy does not capture the complete request header host sometimes

ration files — which may or may not be what you expect when doing minor upgrades. Granted, when you currently use an out-of-range value, you probably _want_ this fix, but still might hit you unexpectedly. It should be made very prominent in the release notes. Cheers, Daniel -- Daniel Sch

Re: truncated request in log lines

This is a limitation of the syslog protocol, IIRC. -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

Re: Automatic Certificate Switching Idea

> > That's perfect! Your feedback and possible trouble in doing this will > also definitely help! > Oh, if experience tells me one thing, no matter how “straightforward” this may look, there _will_ be trouble ;-) Cheers Daniel -- Daniel Schneller Principal Cloud Engineer

Re: Automatic Certificate Switching Idea

ot-before” date. Daniel PS: This is an interesting discussion, and I am happy to continue it, if anyone feels the same. As I said, I will try to solve this via provisioning scripts in the meantime, so there is no time pressure. -- Daniel Schneller Princip

Re: Automatic Certificate Switching Idea

it separated from our specific setup, I might then release it into the wild for the select few who might find it useful :) Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solinge

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

-- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick Peschlow, Dr

Re: Automatic Certificate Switching Idea

e: > > HI. > > Am 28-04-2017 09:26, schrieb Daniel Schneller: > >> Hello! >> I am managing a few haproxy instances that each manage a good number of >> domains and do the TLS termination on behalf of what you might call "hosted" >> sites. >&

Automatic Certificate Switching Idea

-- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas

Re: Certificate order

. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick

Re: SSL Termination or Passthrough

Damn. I shouldn't respond to questions after midnight :-(. I completely overread this is about client certificates until now. Sorry for missing that, Sam; and thanks Willy for the interesting link. One question comes up for me though, after reading it (unless I am still not awake enough, in

Re: SSL Termination or Passthrough

l client certificates? Just use >> mode TCP and passthrough? Is there a way to do that without turning off >> hostname verifier at the client level? >> >> Thanks, >> Sam >> >>> On February 17, 2017 at 7:13:23 PM, Daniel Schneller >>> (danie

Re: SSL Termination or Passthrough

Sam, This not working the way you would like is the corner stone and one of the key features of TLS. It is designed to ensure there is nothing in the middle between the client and the server. If you need to inspect the traffic, by definition you cannot without the clients trusting your

Re: Haproxy issue

t:8089/> > use_backend rest_services if host_rest_services > backend rest_services > server shstand 10.0.0.2:8089 ssl verify none > So It works > > De : Daniel Schneller [mailto:daniel.schnel...@centerdevice.com] > Envoyé : mardi 14 février 2017 17:17 > À :

Re: Haproxy issue

a good idea to setup a `default backend` as a way to help > test where your requests are going. > For debugging these kinds of things I usually run haproxy in debug mode: haproxy -d -f haproxy.cfg That way it will echo incoming and outgoing headers. Daniel -- Daniel Schneller Princ

Re: ACL randomly failing

. So I suggest you make sure first you have exactly one instance running, e. g. with “ps aux | grep haproxy”. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: http-send-name-header for response?

d also delete it from the request in the frontend on the way in to prevent the request from actually sticking to a single server. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754

Re: Debug Log: Response headers logged before rewriting

Hello everyone! While I have since figured out what my original problem was, the original question remains. Is this intentional, am I missing something, or both? :) Cheers, Daniel > On 3. Feb. 2017, at 13:40, Daniel Schneller > <daniel.schnel...@centerdevice.com> wr

Debug Log: Response headers logged before rewriting

more cumbersome to debug, because I need to capture both the server’s and the client’s logs and merge them together. Is there a switch or config setting I am missing that would show what the server actually puts on the wire towards the client? Thanks Daniel -- Daniel Schneller Principal

TLS certificate precedence

where the domain actually matches one of the the CN / SAN fields? Thanks, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel.

Re: HAproxy / Reverse proxy Debian

age. If you want to configure TLS on the mail server / web server itself, there is no need to configure haproxy for TLS at all. Switch it to TCP mode and remove the TLS configuration. That way it will just hand the still encrypted traffic over to nginx. -- Daniel Schneller Principal Cl

Re: HAproxy / Reverse proxy Debian

Sounds as if you have nginx set up for TLS termination, too. This does not make sense, because haproxy will already have decrypted the traffic. Make sure nginx does not expect https on what in your config would be ip_email_server:888. -- Daniel Schneller Principal Cloud Engineer

Re: HAproxy / Reverse proxy Debian

Re-adding the list. And: > Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ?? Yes. Though I am not sure what file.crt and file.pem are :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: HAproxy / Reverse proxy Debian

. intermediates Make sure to have these files not world-readable as they contain secret crypto material. HTH, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: Bytes in / out counters for TCP Keepalive Sessions

.xx and that there is no good way to fix it. Is there any chance of it returning, or should it maybe marked as broken in the docs at least, maybe issue a warning on startup? http://www.serverphorums.com/read.php?10,747628 Thanks :) Daniel -- Daniel Schneller Principal Cloud Engineer

Re: Bytes in / out counters for TCP Keepalive Sessions

Adding the list back. Sorry for dropping it earlier. > On 8 Sep 2016, at 19:56, PiBa-NL <piba.nl@gmail.com> wrote: > > Hi, > Op 8-9-2016 om 15:43 schreef Daniel Schneller: >>> http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#4.2-o

Bytes in / out counters for TCP Keepalive Sessions

:5672 check on-marked-down shutdown-sessions Is this the expected behavior? If so, is there any configuration option we can change to show “live” stats of bytes flowing through the persistent connections? Thanks! Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: HTTP 429 Too Many Requests

in the logs and being nice and readable :-) > On 24 Jun 2016, at 23:13, Cyril Bonté <cyril.bo...@free.fr> wrote: > >> Le 24/06/2016 à 22:57, Daniel Schneller a écrit : >> That is indeed pretty cool :-) >> Would the addition of a header work the way I originally suggeste

Re: HTTP 429 Too Many Requests

deny_status ] > > Example : > http-request deny deny_status 429 > > [1] > http://www.haproxy.org/git?p=haproxy-1.6.git;a=commit;h=108b1dd69d4e26312af465237487bdb855b0de60 > [2] > http://www.haproxy.org/git?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e69

HTTP 429 Too Many Requests

allow me to specify different values for the "Retry-After:" header to inform well-written clients after which time they should come back and try again. Does that sound like a sensible addition? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH https://www.centerdevice.de

Re: Compilation problem: haproxy 1.6.5 (latest) on Solaris 11

On the http://www.haproxy.org homepage there is a link to each version’s repo. Cheers, Daniel > On 19.05.2016, at 15:30, Jonathan Fisher wrote: > > Cool, thanks! > > Where is the git repo for haproxy? having trouble finding the official

Re: nbproc 1 vs >1 performance

? If so, that would explain some issues I had in the past when quickly iterating config changes and restarting haproxy each time, but sometimes getting results that could only have come from an older config? Thanks, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: CIDR Notation in ACL -- silent failure

On 12.04.2016, at 14:07, Willy Tarreau wrote:I will at least provide a documentation patch then, soon.OK.As promised, a few words, hopefully clarifying things in the docs. 0001-DOC-Clarify-IPv4-address-mask-notation-rules.patch Description: Binary data Cheers,Daniel

Re: CIDR Notation in ACL -- silent failure

will be typos or other accidental mistakes in config files. I might be alone here, but I believe a warning (not a failure) about these rather unorthodox notations being used would improve things :) Thoughts? Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice G

Re: CIDR Notation in ACL -- silent failure

Hi Pavlos! > On 09.04.2016, at 11:39, Pavlos Parissis <pavlos.paris...@gmail.com> wrote: > > On 08/04/2016 11:59 πμ, Daniel Schneller wrote: >> Hi! >> >> I noticed that while this ACL matches my source IP of 192.168.42.123: >> >> acl src_interna

CIDR Notation in ACL -- silent failure

. Especially if ACLs are used for actual access control, this can have nasty consequences. What do you think? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: Segfault with stick-tables

SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) > On 29.03.2016, at 14:16, Daniel Schneller <daniel.schnel...@centerdevice.com> > wrote: > > Hi! > > I am seeing a segfault upon the first request coming through the > c

Segfault with stick-tables

errors, rerun with: -v ==4628== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Merscheider Straße 1 | 42699 Solingen tel: +49

DOC Patch: tune.vars.xxx-max-size

From 29bddd461c30bc850633350ac81e3c9fd7b56cb8 Mon Sep 17 00:00:00 2001 From: Daniel Schneller <d...@danielschneller.de> Date: Mon, 21 Mar 2016 20:46:57 +0100 Subject: [PATCH] DOC: Clarify tunes.vars.xxx-max-size settings Adds a little more clarity to the description of the maximum

http-request capture id frontend/backend not working?

Hi! I am trying to capture an HTTP Request Header that gets added under certain circumstances in the backend. From the documentation I understand I can use a capture slot for that. This is what I tried in my stripped down config file: ... frontend fe_http bind 192.168.1.3:80 declare

Re: http-request capture id frontend/backend not working?

ll bail if it does find a referenced ID that is not declared in the current proxy entry. As my declaration is in the frontend, but the actual capture tries to reference it in the backend, they are in different proxies, making this check fail? Daniel > On 18.03.2016, at 13:43, Daniel Schneller <daniel

Re: SSL backends stopped working

Have you checked the time/date on the Haproxy host? If they are wrong, the certificate might look bad from HAProxy’s point of view. Daniel -- Daniel Schneller Infrastructure Architect / Developer CenterDevice GmbH On 23.04.2015, at 10:00, i...@linux-web-development.de wrote: -BEGIN