On Thu, 2 May 2024 at 19:50, Lukas Tribus wrote:
>
> On Thu, 2 May 2024 at 17:14, Froehlich, Dominik
> wrote:
> > The closest I’ve gotten is the “curves” property:
> > https://docs.haproxy.org/2.8/configuration.html#5.1-curves
> >
> > However, I think it only
On Thu, 2 May 2024 at 17:14, Froehlich, Dominik
wrote:
> The closest I’ve gotten is the “curves” property:
> https://docs.haproxy.org/2.8/configuration.html#5.1-curves
>
> However, I think it only restricts the available elliptic curves in a ECDHE
> handshake, but it does not prevent a TLS 1.3
On Thu, 2 May 2024 at 15:22, Roberto Carna wrote:
>
> Dear all, I have HAproxy in front of a web server node.
>
> I want the web server node to accept just 1000 concurrent connections.
>
> So I want to use the maxconn parameter in order to let new connections
> above 1000 to wait until the web
On Thu, 4 Apr 2024 at 16:00, Tim Düsterhus wrote:
>
> Hi
>
> On 4/4/24 14:35, William Lallemand wrote:
> > I'm not against merging this, but I don't see any change comparing to the
> > current model?
> >
>
> I mainly stumbled upon this new mode in the documentation while looking
> into replacing
his problem is clearly more visible on
> Alpine Linux, as the github issues show.
Thank you, I agree.
Acked-by: Lukas Tribus
Lukas
On Mon, 12 Feb 2024 at 14:13, Nicolas CARPi wrote:
>
> Hello everyone,
>
> Please find attached my very first patch to the documentation. Hope I
> did everything good! :)
>
> Based on a comment from @bugre:
> https://github.com/haproxy/haproxy/issues/2251#issuecomment-1716594046
>
> (and also
On Fri, 2 Feb 2024 at 18:42, John Lauro wrote:
>
> Seems like a lint style checker that doesn't require AI.
> For example, it could recognize that the / in /api isn't valid for
> req.hdr(host)
> [...]
> The _ in path_beg is also questionable. You can have _ in dns names,
> but are not valid in
---
INSTALL | 12
1 file changed, 12 insertions(+)
diff --git a/INSTALL b/INSTALL
index 18eb67f311..8ebf8d298c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -293,6 +293,18 @@ Please also note that wolfSSL supports many
platform-specific features that may
affect performance, and that for
On Fri, 2 Feb 2024 at 08:43, Willy Tarreau wrote:
>
> Hi Lukas!
>
> On Thu, Feb 01, 2024 at 02:52:10PM +, Lukas Tribus wrote:
> > On Thu, 1 Feb 2024 at 12:08, William Lallemand
> > wrote:
> > >
> > > That's interesting, however I'm surprised the i
On Fri, 2 Feb 2024 at 15:09, Tom Braarup wrote:
>
> Hi,
>
> The config validator does not seem to catch this error in syntax and Haproxy
> ignores the second part of the expression:
>
> use_backend api.example.com if { req.hdr(host) -i example.com and path_beg
> /api }
This is correct syntax
Hello William,
On Thu, 1 Feb 2024 at 17:52, William Lallemand wrote:
> > I consider getrandom() a modern and simple solution to all those problems.
>
> Unfortunately this is still a fallback solution if getrandom() is not
> accessible or if the support is not built, as this is a fallback in
>
On Thu, 1 Feb 2024 at 12:08, William Lallemand wrote:
>
> That's interesting, however I'm surprised the init does not work before the
> chroot,
> we are doing a RAND_bytes() with OpenSSL before the chroot to achieve this.
This approach can actually hide chroot issues leading to nasty
Move httpclient keywords into its own section and explain adding
an introductory paragraph.
Also see Github issue #2409
Should be backported to 2.6 ; but note that:
2.7 does not have httpclient.resolvers.disabled
2.6 does not have httpclient.retries and httpclient.timeout.connect
---
Suggest enabling getrandom() syscall in wolfssl to avoid chroot
problems when using wolfssl.
---
Also see:
https://discourse.haproxy.org/t/haproxy-no-responses-when-built-with-wolfssl-while-working-with-openssl/9320/15
---
INSTALL | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff
On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote:
>
>
>
> On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > Does 1.8 support http/2?
>
> No.
Actually haproxy 1.8 supports H2 (without implementing HTX), as per
the documentation and announcements:
Hello,
an interesting move from the OpenWRT project:
> Switch from wolfssl to mbedtls as default
> =
>
> OpenWrt has transitioned its default cryptographic library from wolfssl
> to mbedtls. This shift brings several changes and implications:
>
> *
On Tue, 10 Oct 2023 at 20:22, Willy Tarreau wrote:
>
> So at this point I'm still failing to find any case where this attack
> hurts haproxy more than any of the benchmarks we're routinely inflicting
> it, given that it acts exactly like a client configured with a short
> timeout (e.g. if you
FYI
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
Hello,
looks like the bug pages are broken; they contain the table of bugs
but there is really no formatting happening and it appears the entire
HTML header and footer is missing:
Example:
http://www.haproxy.org/bugs/bugs-2.4.html
http://www.haproxy.org/bugs/bugs-2.6.2.html
BR,
Lukas
On Thu, 21 Sept 2023 at 01:20, Björn Jacke wrote:
>
> Hello,
>
> I just experienced that maxconn can easily not work as expected and lead
> to unavailable services. Take this example backend configuration of a
> 2.8.3 haproxy setup:
>
> backend bk_example
>     balance first
>     server server1
On Thu, 7 Sept 2023 at 14:03, Tom Braarup wrote:
>
> Hello,
>
> After upgrading Haproxy from 2.7 to 2.8, with Nginx (1.25.0) as
> backends and Proxy Protocol v2, the connections are not closed,
> CLOSE_WAIT is increasing over time. No configuration changes apart from
> the Haproxy version.
2.8.3
On Fri, 7 Jul 2023 at 00:26, Tristan wrote:
>
> Hi Willy,
>
> Thanks for sharing that. First, I'm amazed that such a hacky method
> works well-enough to get QUIC (nearly-fully) working.
>
> Now for your concerns... Honestly, I agree with you and really don't
> want to see a brand new protocol
Hello,
yes, H2 behaves very differently; due to protocol differences but also
due to other changes. In the beginning H2 was only implemented in the
frontend and every transaction was downgraded to HTTP/1.1 internally.
This was later changed to an internal generic "HTX" representation
that
On Sat, 3 Jun 2023 at 14:30, William Lallemand wrote:
> That's what we've done in the first place, but I decided to remove it
> because I was not happy with the architecture. And once you have
> something like this, you have to keep the configuration compatibility
> for the next versions and then
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote:
> Initially during the design phase we thought about having 3 states:
> "off", "on", "auto", with the last one only enabling updates for certs
> that already had a .ocsp file. But along discussions with some users
> we were told that it was not
Did you try putting the "del-header" configuration in the backend section?
On Thu, 25 May 2023 at 15:25, pham lan wrote:
>
> Hello,
>
> We use haproxy for basic authentication. And afterward, remove the
> Authorization header from the backend section before forwarding the request
> to
On Sun, 23 Apr 2023 at 13:08, Willy Tarreau wrote:
>
> On Sun, Apr 23, 2023 at 12:39:25PM +0200, Tim Düsterhus, WoltLab GmbH wrote:
> > Willy,
> >
> > On 3/27/23 20:25, Willy Tarreau wrote:
> > > OK, let's see what other users and participants think about it. If I get
> > > at least one "please
On Sat, 15 Apr 2023 at 23:08, Willy Tarreau wrote:
>
> On Sat, Apr 15, 2023 at 10:59:42PM +0200, Willy Tarreau wrote:
> > Hi Nick,
> >
> > On Sat, Apr 15, 2023 at 09:44:32PM +0100, Nick Wood wrote:
> > > And here is my configuration - I've slimmed it down to the absolute
> > > minimum
> > > to
Hi,
On Sat, 15 Apr 2023 at 11:32, Willy Tarreau wrote:
> Thus you're seeing me coming with my question: does anyone have any
> objection against turning "alpn h2,http/1.1" on by default for HTTP
> frontends, and "alpn h3" by default for QUIC frontends, and have a new
> "no-alpn" option to
On Sat, 18 Mar 2023 at 20:01, Aleksandar Lazic wrote:
>
> Hi Dinko.
>
> On 17.03.23 20:59, Dinko Korunic wrote:
> > Dear community,
> >
> > Upon many requests, we have started building HAProxy CE for 2.6, 2.7 and
> > 2.8 branches with QUIC (based on OpenSSL 1.1.1t-quic Release 1) as
> > Docker
On Wed, 1 Mar 2023 at 10:09, bjun...@gmail.com wrote:
>
> Hi,
>
> i've upgraded from HAProxy 2.4.15 (OS: Ubuntu 18.04) to 2.4.22 (OS: Ubuntu
> 22.04). Now the stick-table synchronization between peers isn't working
> anymore.
>
> The peers listener is completely not existing (lsof output).
>
>
Hello,
On Thu, 12 Jan 2023 at 09:35, Aurelien DARRAGON wrote:
>
> Hi,
>
> > I am having trouble with Haproxy using a configuration that previously
> > worked and am getting a very odd to me error
> >
> >
> >
> > Jan 11 13:58:00 ca04vlhaproxy01 haproxy[16077]: [ALERT] 010/135800
> > (16077) :
On Fri, 4 Nov 2022 at 16:50, Szabo, Istvan (Agoda)
wrote:
>
> Yeah, that’s why I’m curious anybody ever made it work somehow?
Perhaps I should have been clearer.
It's not supported because it's not possible.
Haproxy the OSS uses the socket API, haproxy cannot forward IP packets
arbitrarily,
On Fri, 4 Nov 2022 at 16:32, Aleksandar Lazic wrote:
>
> Hi.
>
> On 04.11.22 12:24, Szabo, Istvan (Agoda) wrote:
> > Hi,
> >
> > Is there anybody successfully configured haproxy and dsr?
>
> Well maybe this Blog Post is a good start point.
>
>
FYI a CRITICAL openssl vulnerability will be fixed in 3.0.7 and 1.1.1s
to be released Tue, Nov 1st between 1300-1700 UTC:
https://www.openwall.com/lists/oss-security/2022/10/25/4
https://www.openwall.com/lists/oss-security/2022/10/25/6
https://www.openssl.org/policies/general/security-policy.html
Hello,
wolfSSL has also chosen to use the same API for QUIC:
https://www.wolfssl.com/wolfssl-quic-support/
> The wolfSSL QUIC API is aligned with the corresponding APIs in other *SSL
> libraries, making integration with QUIC protocol stacks easier and protecting
> investments. This is a
On Thu, 9 Jun 2022 at 08:42, wrote:
>
> Hi,
>
> I need to enable TLS V1.0 because of some legacy clients which have just been
> "discovered" and won't be updated.
Configure "ssl-default-bind-ciphers" as per:
https://ssl-config.mozilla.org/#server=haproxy=2.3=old=1.1.1k=5.6
If you don't allow
Hello,
> > Let's say we have the following setup.
> >
> > ```
> > maxconn 2
> > nbthread 4
> > ```
> >
> > My understanding is that HAProxy will accept 2 concurrent connection,
> > right? Even when I increase the nbthread will HAProxy *NOT* accept more than
> > 2 concurrent
Hello Willy,
On Sat, 26 Mar 2022 at 10:22, Willy Tarreau wrote:
> A change discussed around previous announce was made in the H2 mux: the
> "timeout http-keep-alive" and "timeout http-request" are now respected
> and work as documented, so that it will finally be possible to force such
>
Reverts 75df9d7a7 ("DOC: explain HTTP2 timeout behavior") since H2
connections now respect "timeout http-keep-alive".
If commit 15a4733d5d ("BUG/MEDIUM: mux-h2: make use of http-request
and keep-alive timeouts") is backported, this DOC change needs to
be backported along with it.
---
Hello,
take a look at how we are using tests with vtc/vtest in
doc/regression-testing.txt.
Maybe this tool can be useful for your use-case.
Lukas
Hello,
On Mon, 21 Feb 2022 at 14:25, Tom Browder wrote:
>
> I'm getting ready to try 2.5 HAProxy on my system
> and see http compression is recommended.
I'm not sure we are actively encouraging to enable HTTP compression.
Where did you see this recommendation?
> From those sources I thought
On Sat, 19 Feb 2022 at 18:38, Carlos Renato wrote:
>
> Yes,
>
> In stats server2 is DOWN. accept the VM's network card.
Provide detailed logs please.
Lukas
Hello,
On Sat, 19 Feb 2022 at 17:46, Moutasem Al Khnaifes
wrote:
> but for some reason HAProxy thinks that Plex is down
John already explained this perfectly.
> the status page is inaccessible
Your configuration is:
> listen stats
> bind localhost:1936
[...]
> stats uri
On Sat, 19 Feb 2022 at 16:15, Carlos Renato wrote:
>
> Hi Lukas,
>
> Thanks for the reply and willingness to help.
>
> I did a test and it didn't work. I dropped the server2 interface and only
> server1 was UP.
> Traffic continues to exit through the main backend. My wish is that the
> traffic
Hello,
I suggest you put your backup server in a dedicated backend and select
it in the frontend. I guess the same could be done with use-server in
a single backend, but I feel like this is cleaner:
frontend haproxy
option forwardfor
bind server.lab.local:9191
use_backend backup_servers
As per issue #1552 the mailer code currently breaks on ESMTP multiline
responses. Let's negotiate SMTP instead.
Should be backported to 2.0.
---
src/mailers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mailers.c b/src/mailers.c
index 3d01d7532..34eaa5bb6 100644
---
I'd suggest you give WSL/WSL2 a try.
Lukas
On Thu, 10 Feb 2022 at 11:25, Gowri Shankar wrote:
>
> I'm trying to install haproxy for loadbalancing for my servers, but I'm not able
> to install from my windows system. Is there ha proxy available for windows,
> please give and help us with
On Mon, 17 Jan 2022 at 19:37, wrote:
>
> Hi
>
> Configuration uses 'no option http-use-htx' in defaults because of case
> insensitivity.
> Statistics path haproxy?stats is behind simple username/password and
> both credentials are specified in config.
> When accessing haproxy?stats, 2.0.25 works
On Mon, 13 Dec 2021 at 19:51, Valters Jansons wrote:
>
> Is this thread really "on-topic" for HAProxy?
>
> Attempts to mitigate Log4Shell at HAProxy level to me feel similar
> to.. looking at a leaking roof of a house and thinking "I should put
> an umbrella above it, so the leak isn't hit by
On Mon, 13 Dec 2021 at 14:43, Aleksandar Lazic wrote:
> Well I go the other way around.
>
> The application must know what data are allowed, verify the input and if the
> input is not valid discard it.
You clearly did not understand my point so let me try to phrase it differently:
The log4j
On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic wrote:
> 1. Why is a input from out site of the application passed unchecked to the
> logging library!
Because you can't predict the future.
When you know that your backend is SQL, you escape what's necessary to
avoid SQL injection (or use
In commit 6f7497616 ("MEDIUM: connection: rename fc_conn_err and
bc_conn_err to fc_err and bc_err"), fc_conn_err became fc_err, so
update this example.
---
Should be backported to 2.5.
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Hello,
On Wed, 8 Dec 2021 at 17:50, Tim Düsterhus wrote:
>
> Lukas,
>
> On 12/8/21 11:33 AM, Lukas Tribus wrote:
> > We are using comma-delimited list for init-addr for example, let's
> > document that this is space-delimited to avoid the guessing game.
>
>
Hello Cyril,
On Tue, 23 Nov 2021 at 17:18, Willy Tarreau wrote:
>
> Hi,
>
> HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after
> version 2.5-dev15, fixing minor last-minute details (bind warnings
> that turned to errors, and an incorrect free in the backend SSL cache).
could
We are using comma-delimited list for init-addr for example, let's
document that this is space-delimited to avoid the guessing game.
---
doc/configuration.txt | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index
Use the instructions in INSTALL to build openssl statically. Building
and installing a custom shared build of openssl on an OS is something
that I'd suggest you avoid, because it will become complicated.
Lukas
Hello Ben,
On Wed, 3 Nov 2021 at 12:55, Ben Hart wrote:
>
> Thanks again Lukas!
> So the server directive's use of a cert or CA file is only to
> verify the identity of the server in question.
No, "crt" (a certificate including private key) and "ca-file" (the
public certificate of a CA) are two
Hello Ben,
On Wed, 3 Nov 2021 at 03:54, Ben Hart wrote:
>
> I wonder, can I ask if the server directives are correct insofar as
> making a secured connection to the backend server entries?
>
> I'm told that HAP might be connecting by IP in which case the
> SSL cert would be useless
The
Hello,
On Tue, 2 Nov 2021 at 21:24, Ben Hart wrote:
>
> In the config (pasted here
> https://0bin.net/paste/1aOh1F4y#qStfT0m0mER3rhI3DonDbCsr0NRmVuH9XiwvagEkAiE)
> My questions surround the syntax of the config file..
Most likely those clients don't send SNI. Capture the SSL handshake
and
On Thu, 28 Oct 2021 at 21:20, Shawn Heisey wrote:
>
> On 10/28/21 10:02 AM, Lukas Tribus wrote:
> > You seem to be trying very hard to find a problem where there is none.
> >
> > Definitely do NOT overwrite CPU flags in production. This is to *test*
> > AE
On Thu, 28 Oct 2021 at 15:49, Shawn Heisey wrote:
>
> On 10/28/21 7:34 AM, Shawn Heisey wrote:
> > Does haproxy's use of openssl turn on the same option that the
> > commandline does with the -evp argument? If it does, then I think
> > everything is probably OK.
>
>
> Running "grep -r EVP ." in
On Thu, 28 Oct 2021 at 08:31, Lukas Tribus wrote:
>
> Hi,
>
> On Thursday, 28 October 2021, Shawn Heisey wrote:
>>
>> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>>>
>>> I'd be surprised if the OpenSSL API calls we are using doesn't support
>>>
Hi,
On Thursday, 28 October 2021, Shawn Heisey wrote:
> On 10/27/2021 2:54 PM, Lukas Tribus wrote:
>
>> I'd be surprised if the OpenSSL API calls we are using doesn't support
>> AES-NI.
>>
>
> Honestly that would surprise me too. But I have no idea how to
Hello,
On Wed, 27 Oct 2021 at 22:17, Shawn Heisey wrote:
>
> I am building haproxy from source.
>
> For some load balancers that I used to manage, I also built openssl from
> source, statically linked, and compiled haproxy against that, because
> the openssl included with the OS (CentOS 6 if I
Hello,
PCRE (1) is end of life and unmaintained now (see below). Not a huge
problem, because PCRE2 has been supported since haproxy 1.8.
However going forward (haproxy 2.5+) should we:
- warn when compiling with PCRE?
- remove PCRE support?
- both, but start with a warning in 2.5?
- maintain
Hello Jonathan,
On Wed, 8 Sept 2021 at 21:28, Jonathan Greig wrote:
>
> Hello! My name is Jonathan Greig and I'm a reporter for ZDNet. I'm
> writing a story about CVE-2021-40346 and I was wondering if
> Ha Proxy had any comment about the vulnerability.
Just making sure you are aware that this
On Fri, 20 Aug 2021 at 13:08, Илья Шипицин wrote:
>
> double slashes behaviour is changed in BUG/MEDIUM:
> h2: match absolute-path not path-absolute for :path · haproxy/haproxy@46b7dff
> (github.com)
Actually, I think the patch you are referring to would *fix* this
particular issue, as it was
On Thursday, 19 August 2021, James Brown wrote:
> Are there CVE numbers coming for these vulnerabilities?
>
>
CVE-2021-39240: -> 2) Domain parts in ":scheme" and ":path"
CVE-2021-39241: -> 1) Spaces in the ":method" field
CVE-2021-39242: -> 3) Mismatch between ":authority" and "Host"
Lukas
Hello,
On Tue, 20 Jul 2021 at 08:13, Peter Jin wrote:
> 2. There is a stack buffer overflow found in one of the files. Not
> disclosing it here because this email will end up on the public mailing
> list. If there is a "security" email address I could disclose it to,
> what is it?
It's
On Thu, 15 Jul 2021 at 11:27, Илья Шипицин wrote:
>
> I really wonder what they will suggest.
>
> I'm not a spam source, since we do not have "opt in" policy, anybody can send
> mail. so they do.
> please address the issue properly, either change list policy or be calm with
> my experiments.
Hello Stefan,
On Tue, 13 Jul 2021 at 14:10, Stefan Fuhrmann
wrote:
>
> Hello all,
>
>
> First, we can not change to newer version so fast within the project.
>
> We are having an old installation of haproxy (1.7.9) and we have the
> need to configure tcp- mss- value on backend site.
>
>
>
> Is
Hello,
On Wed, 23 Jun 2021 at 22:25, Willy Tarreau wrote:
>
> Hi Tim, Max,
>
> On Wed, Jun 23, 2021 at 09:38:12PM +0200, Tim Duesterhus wrote:
> > Hi Willy, Lukas, List!
> >
> > GitHub finally launched their next evolution of issue templates, called
> > issue
> > forms, as a public beta:
> >
Hello Shawn,
On Sun, 20 Jun 2021 at 14:03, Shawn Heisey wrote:
>
> On 6/20/2021 1:52 AM, Lukas Tribus wrote:
> > Can you try disabling threading, by putting nbthread 1 in your config?
>
> That didn't help. From testssl.sh:
>
> SSL Session ID support ye
Hello Shawn,
On Sun, 20 Jun 2021 at 08:39, Shawn Heisey wrote:
> This is what SSL Labs now says for the thing that started this thread:
>
> Session resumption (caching)    No (IDs assigned but not accepted)
> Session resumption (tickets)    Yes
>
> I'd like to get the caching item fixed, but I
On Wed, 16 Jun 2021 at 17:03, Илья Шипицин wrote:
>
> ssl sessions are for tls1.0 (disabled in your config)
> tls1.2 uses tls tickets for resumption
That is not true, you can disable TLS tickets and still get resumption
on TLSv1.2. Disabling TLSv1.0 does not mean disabling Session ID
caching.
Hello,
On Tue, 8 Jun 2021 at 17:36, Godfrin, Philippe E
wrote:
>
> Certainly,
>
> Postgres sends this message across the wire:
>
> Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00
> 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd|
> Jun 2 21:14:40
Hello,
On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E
wrote:
>
> Greetings!
>
> I can’t seem to find instructions on how to use this builtin ACL. Can someone
> point me in the right direction, please?
There is nothing specific about it, you use just like every other ACL.
http-request deny
Hello,
On Wed, 26 May 2021 at 13:29, reshma r wrote:
>
> Hello all,
> Periodically I need to write some configuration data to a file.
> However I came across documentation that warned against writing to a file at
> runtime.
> Can someone give me advice on how I can achieve this safely?
You'll
The first thing I'd try is to disable multithreading (by putting
nbthread 1 in the global section of the configuration), so if that
helps.
Lukas
Hi Willy,
On Tue, 30 Mar 2021 at 17:56, Willy Tarreau wrote:
>
> Guys,
>
> out of curiosity I wanted to check when the overflow happened:
>
> $ date --date=@$$(date +%s) * 1000) & -0x800) / 1000))
> Mon Mar 29 23:59:46 CEST 2021
>
> So it only affects processes started since today. I'm
Hi Willy,
On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote:
>
> Guys,
>
> These two patches address it for me, and I could verify that they apply
> on top of 2.2.11 and work there as well. This time I tested with two
> counters at different periods 500 and 2000ms.
Both Sander and Thomas now
Hello Thomas,
this is a known issue in any release train other than 2.3 ...
https://github.com/haproxy/haproxy/issues/1196
However neither 2.3.7 (does not contain the offending commits), nor
2.3.8 (contains all the fixes) should be affected by this.
Are you absolutely positive that you are
Hello,
On Mon, 29 Mar 2021 at 20:54, Илья Шипицин wrote:
>> > Dear list,
>> >
>> > on browser load (html + js + css) I observe 80% of cpu spent on gzip.
>> > also, I observe that zlib is probably one of the slowest implementation
>> > my personal benchmark correlate with
Hello,
On Mon, 29 Mar 2021 at 15:25, Aleksandar Lazic wrote:
>
> Hi.
>
> I need to create some log statistics with awffull stats and I assume this
> messages
> means that only one line is written for 3 requests, is this assumption right?
>
> Mar 28 14:04:07 lb1 haproxy[11296]: message repeated
Hi Ilya,
On Mon, 29 Mar 2021 at 15:34, Илья Шипицин wrote:
>
> Dear list,
>
> on browser load (html + js + css) I observe 80% of cpu spent on gzip.
> also, I observe that zlib is probably one of the slowest implementation
> my personal benchmark correlate with https://github.com/inikep/lzbench
Double post on discourse, please refrain from this practice in the future!
https://discourse.haproxy.org/t/haproxy-proxy-protocol/6413/2
Thanks,
Lukas
Hello,
On Sat, 27 Mar 2021 at 11:52, Aleksandar Lazic wrote:
>
> Hi.
>
> I have a lot of such entries in my logs.
>
> ```
> Mar 27 11:48:20 lb1 haproxy[14556]: ::::23167
> [27/Mar/2021:11:48:20.523] https-in~ https-in/ -1/-1/-1/-1/0 0 0 - -
> PR-- 1041/1011/0/0/0 0/0 ""
> Mar 27 11:48:20
FYI
-- Forwarded message -
From: OpenSSL
Date: Thu, 25 Mar 2021 at 15:03
Subject: OpenSSL Security Advisory
To: , OpenSSL User Support ML
, OpenSSL Announce ML
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [25 March 2021]
Hello,
just a heads-up, this was also reported for 1.8:
https://discourse.haproxy.org/t/counter-issues-on-1-8-29/6381/
Lukas
On Tue, 23 Mar 2021 at 09:32, Willy Tarreau wrote:
>
> Guys,
>
> These two patches address it for me, and I could verify that they apply
> on top of 2.2.11 and work
Hello Willy,
On Sat, 20 Mar 2021 at 10:09, Willy Tarreau wrote:
> > 1.6 was EOL last year, I don't understand why there is a last release.
>
> There were some demands late last year and early this year to issue a
> last one with pending fixes to "flush the pipe" but it was terribly
> difficult
Hello Bertrand,
On Sun, 7 Mar 2021 at 00:53, Bertrand Jacquin wrote:
> I am not proposing haproxy build-system to use -Werror here, I'm only
> proposing to use -Werror when probing for options supported by the
> compiler, as effectively clang returns a code of 0 even if an option is
> not
Hello,
On Sat, 6 Mar 2021 at 21:25, Bertrand Jacquin wrote:
>
> gcc returns non zero code if an option is not supported (tested
> from 6.5 to 10.2).
>
> $ gcc -Wfoobar -E -xc - -o /dev/null < /dev/null > /dev/null 2>&1 ; echo $?
> 1
>
> clang always returns 0 if an option is not recognized
On Thu, 11 Feb 2021 at 05:31, Victor Sudakov wrote:
>
> Lukas Tribus wrote:
> >
> > On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote:
> > >
> > > I can even phrase my question in simpler terms. What happens if the sum
> > > total of all servers' m
Hello Victor,
On Wed, 10 Feb 2021 at 16:55, Victor Sudakov wrote:
>
> I can even phrase my question in simpler terms. What happens if the sum
> total of all servers' maxconns in a backend is less than the maxconn
> value in the frontend pointing to the said backend?
Queueing for "timeout queue"
Hello,
On Mon, 8 Feb 2021 at 18:14, Максим Куприянов
wrote:
>
> Hi!
>
> I faced a problem dealing with l4 (tcp mode) haproxy-based proxy over
> Graphite's component receiving metrics from clients and clients who are
> connecting just to send one or two Graphite-metrics and disconnecting right
Hello Dominik,
you are looking for hard-stop-after:
http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#hard-stop-after
Regards,
Lukas
On Thu, 4 Feb 2021 at 11:40, Froehlich, Dominik
wrote:
>
> Hi,
>
>
>
> I am currently experimenting with the HAproxy soft reload functionality
On Wed, 3 Feb 2021 at 18:47, Илья Шипицин wrote:
>> while I do not mind to have such optimization, but when 'a.example.com"
>> responds with http2 GOAWAY, that affects also "b.example.com" and "
>> c.example.com". Chrome is not clever enough to open new connections instead
>> of abandoned one.
>
Hello,
On Wed, 3 Feb 2021 at 17:44, Илья Шипицин wrote:
>
> TLS1.2 uses tls tickets, when TLS1.0 uses ssl sessions.
I believe this is incorrect, TLSv1.2 works just fine with Session ID's
(RFC5246) and TLS 1.0 works fine with TLS tickets (RFC5077). I'm not
aware of any restrictions between
Hello Johan,
we are gonna need the outputs of "haproxy -vv" from both situations,
as well as at the very least *all* the ssl configuration parameters in
haproxy that you are using.
However, I do not believe it is likely that we can find the root
cause, without access to those handshakes, since