On Tue, May 14, 2024 at 04:48:16PM +0200, Amaury Denoyelle wrote:
> On Wed, May 08, 2024 at 11:43:11AM +0100, William Manley wrote:
> > An attach-srv config line usually looks like this:
> >     tcp-request session attach-srv be/srv name ssl_c_s_dn(CN)
> > while a rhttp server line usually looks like this:
> >     server srv rhttp@ sni req.hdr(host)
> > The server sni argument is used as a key for looking up connections in the
> > connection pool.  The attach-srv name argument is used as a key for
> > inserting connections into the pool.  For it to work correctly they must
> > match.  There was a check that either both the attach-srv and server
> > provide that key or neither does.
> > It also checked that SSL and SNI were activated on the server.  This is too
> > strict.  This patch removes that requirement.  Now you can pass arbitrary
> > expressions as the name expression.
> > With this patch we also produce a more helpful and specific error message.
> > I'm doing this as I want to use `fc_pp_unique_id` as the name.
> > Arguably it would be easier to understand if instead of using `name` and
> > `sni` for `attach-srv` and `server` rules it used the same term in both
> > places - like "conn-pool-key" or something.  That would make it clear that
> > the two must match.  But it's too late to change that now.
> > [...]
> Many thanks for your new patch. I have just merged it with only small
> adaptation in the commit message. Note that however I tried to use PROXY
> protocol with reverse HTTP to test it, but it appears that for now it is
> impossible due to several haproxy internal limitations.
> The main issue is that send-proxy and other related options on a server
> line used for reverse HTTP are simply ignored, thus you cannot connect
> to a bind with accept-proxy. I managed to fix this, but this is not
> enough as PROXY protocol in LOCAL mode seems to not work completely as
> expected either...

FYI, I just merged a series of fixes to improve reverse HTTP. It is now
possible to use PROXY protocol on preconnect stage. Also, you have the
ability to use PROXY v2 TLV to differentiate connections. Note
however that PROXY unique-id is not supported for now due to internal
API limitations.

If you can, do not hesitate to test this and report to us if it's sufficient
for you.

Regards,

-- 
Amaury Denoyelle
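
For readers following the thread, this is how a PROXY v2 header carries the unique-id TLV that `fc_pp_unique_id` reads, shown as an added Python example that is not HAProxy code and not part of the original messages. The function names and the sample header are constructed for illustration, and it assumes a LOCAL/AF_UNSPEC header has no address block, so TLVs start right after the 16-byte fixed part. Because the value comes from the sender and would become a connection-pool key, every declared length is bounds-checked.

```python
import struct
from typing import Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature
PP2_TYPE_UNIQUE_ID = 0x05                   # TLV type defined by the PROXY protocol spec
# Address block size per family nibble: UNSPEC, INET, INET6, UNIX.
# Assumption: an UNSPEC header carries no address block, so TLVs start immediately.
ADDR_LEN = {0x0: 0, 0x1: 12, 0x2: 36, 0x3: 216}


def parse_proxy_v2(data: bytes) -> dict:
    """Parse one PROXY v2 header and return its command, size and TLVs."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:
        raise ValueError("unsupported version or command")
    if fam_proto >> 4 not in ADDR_LEN:
        raise ValueError("unknown address family")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body = data[16:16 + length]
    pos = ADDR_LEN[fam_proto >> 4]
    if pos > len(body):
        raise ValueError("address block exceeds declared length")
    tlvs = {}
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > len(body):
            raise ValueError("TLV value overruns header")
        tlvs.setdefault(tlv_type, body[pos:pos + tlv_len])  # keep first occurrence
        pos += tlv_len
    return {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
            "header_len": 16 + length, "tlvs": tlvs}


def pool_key(data: bytes) -> Optional[bytes]:
    """Return the unique-id TLV, the value a name expression would key on."""
    return parse_proxy_v2(data)["tlvs"].get(PP2_TYPE_UNIQUE_ID)


def build_local_header(unique_id: bytes) -> bytes:
    """Constructed sample: LOCAL command, AF_UNSPEC, one unique-id TLV."""
    tlv = struct.pack("!BH", PP2_TYPE_UNIQUE_ID, len(unique_id)) + unique_id
    return PP2_SIGNATURE + struct.pack("!BBH", 0x20, 0x00, len(tlv)) + tlv


SAMPLE = build_local_header(b"node-a") + b"GET / HTTP/1.1\r\n"  # constructed input
```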
