Re: What is the status of FastCGI in new 2.1 version?

2019-12-02 Thread Willy Tarreau
Hi guys,

On Thu, Nov 28, 2019 at 06:18:00AM +, Aleksandar Lazic wrote:
> > I'm so excited that HAProxy supports FastCGI, I would like to try this in 
> > our development env first.
> > Just wonder what is the status of it? Full production ready? What's the 
> > performance?
> 
> Well it's the first release :-)
> 
> I have run a test setup with php-fpm and phpinfo() and it works. Give it a 
> try and share your experience.
> 
> I would say it's production ready, jm2c.

What's important regarding production is to keep in mind that just like
1.9, 2.1 is a technical release aimed at experienced users. As such, it
requires more attention than an LTS release, and to follow updates more
regularly. Thus the question goes beyond just FCGI. So I'd say that 2.1
is indeed okay for production but not for every production. If you're an
admin bored on Friday afternoon wishing to give a try to something really
fun and taking a low risk to be called on Sunday morning, that's definitely
for you. But if you're a consultant, don't deploy it blindly at a customer's
then leave for example, it will not be the nicest present you'd give them :-)

We're running 2.1 on haproxy.org (we've been running all development
versions for a while). The way I proceed is that I start haproxy in the
foreground and chain it to the previous version (2.0 here) so that if it
unexpectedly dies, the previous one immediately takes over. We've had a
few such occurrences in the early 2.1-dev2 or dev3, but now it's been
running fine on dev5 without any issue over the last 2 weeks (I should
upgrade it, but it just works). It's a nice way of not being woken up
in emergency for a report that everything is down.

Cheers,
Willy



Re: [PATCH] DOC: Fix ordered list in summary

2019-12-02 Thread Willy Tarreau
Hi Julien,

good catch, now merged, thanks.

Willy



Re: [PATCH] DOC: clarify matching strings on binary fetches

2019-12-02 Thread Willy Tarreau
Hi Mathias,

On Mon, Dec 02, 2019 at 09:01:56AM +, Mathias Weiersmüller (cyberheads 
GmbH) wrote:
> Documentation patch provided - I would backport it all the way down to 1.5 as
> it might save from headaches.

Good point indeed, now merged, thank you!

Willy



Re: Haproxy nbthreads + multi-threading lua?

2019-12-02 Thread Willy Tarreau
Hi Dave,

On Mon, Dec 02, 2019 at 10:12:27AM -0600, Dave Chiluk wrote:
> Since 2.0 nbproc and nbthreads are now mutually exclusive, are there
> any ways to make lua multi-threaded?

Unfortunately no. Lua itself is inherently single-threaded and
even when you believe you're using multi-threading, you end up
on a big lock around all the engine that serializes everything.

From what I've found, there were several attempts to make Lua support
preemptive threads, but most of them had huge limitations like not
sharing anything (pointless already), they were also limited to older
versions like 5.0 or 5.1.

With this said, I can easily understand that something light and fast
like Lua is hard to port to threads without losing all of its benefits.

Are you really using it so much that it becomes a bottleneck? I find
this quite surprising. If so, did you find any single part responsible
for most of the CPU usage ? Then do you think that by moving a few of
it to native code (sample fetches, converters set into variables), it
could improve the situation ? Maybe you should try a trick consisting
in setting tune.lua.forced-yield to a lower value (the default being
1) so that it executes much less instructions at once, leaving more
room for other threads to take a share of the CPU. But in any case at
a given instant you will definitely have only one thread executing
Lua code. If at least you can make sure that others are not waiting
too much and find other things to do with the rest of haproxy, maybe
that could improve the efficiency of your program already.

Regards,
Willy



Re: OpenBSD/2.1.0 - weird syslogging?

2019-12-02 Thread Willy Tarreau
On Sun, Dec 01, 2019 at 01:16:13PM +0100, Philipp Buehler wrote:
> On 01.12.2019 12:00, Aleksandar Lazic wrote:
> > just a wild guess have you set "log-send-hostname" if not can you set
> > it and tell us if anything is changed.
> > http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#log-send-hostname
> > 
> 
> I had not, but made me curious. So I did some tcpdump on it and can "confirm"
> that without this option the hostname is missing in the syslog message.
> 
> Logging is now mute instead of errors, but I would rather blame my setup
> on this.
> 
> Thanks for this pointer already

I suspect that on other platforms, logging 0 characters from a NULL pointer
is OK and results in nothing being emitted while on OpenBSD it still checks
the pointer's validity before detecting it doesn't need it, resulting in the
error. Could you please try to change the last line Aleks pointed like this:

-(int)host.data, host.area, sep, "");
+(int)host.data, host.area ? host.area : "", sep, "");
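
Review bot: the `host.area ? host.area : ""` guard on the + line covers only this one call; if `host` is passed to any other formatting call while `area` is NULL, the same guard is needed there, or `area` could be pointed at an empty string where `host` is filled in. A one-line comment at the call saying that `host.area` may be NULL when `host.data` is 0 would keep the ternary from being removed later as redundant.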

I suspect it will be enough.

Thanks,
Willy



Re: [PATCH] BUG/MINOR: ssl: fix X509 compatibility for openssl < 1.1.0

2019-12-02 Thread Willy Tarreau
On Mon, Dec 02, 2019 at 12:27:34PM +0100, Emmanuel Hocdet wrote:
> Hi,
> 
> > On 2 Dec 2019, at 08:12, William Lallemand wrote:
> > 
> > It seems to have broken the build on centos 6, could you take a look at this
> > ticket?
> > 
> > https://github.com/haproxy/haproxy/issues/385
> > 
> > 
> 
> Fix tested with openssl 1.0.1

Fix confirmed and now merged (it also broke for me on 1.0.2, and 
broke travis here : https://travis-ci.com/haproxy/haproxy/jobs/262053055).

Thanks,
Willy



Subscribe

2019-12-02 Thread wang yunxiang
Subscribe +1


Re: How to log %[hdr_ip(X-Forwarded-For,-1)]

2019-12-02 Thread Aleksandar Lazic

Hi.

On 02.12.2019 at 13:40, JWD wrote:

> I have read this article many times, but still can't figure out how to do?

I can't believe it as there is exactly the solution you want in the example and 
doc.

> Can you give any detail tips?

capture request header X-Forwarded-For len 15

This line does not log any request with no X-Forwarded-For.
http-request set-log-level silent if !{ hdr(X-Forwarded-For) -m found }

You can't define specific field to log or not, but you can define your own 
logformat.

The default format for http logs is documented here if you set "option httplog"
https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#8.2.3

I strongly suggest to read the logging section in the documentation.
https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#8

It would be nice to share the haproxy -vv output to know which version you use.

Regards
Aleks

> Thanks.
>
> JWD
> *From:* Aleksandar Lazic 
> *Date:* 2019-12-02 18:42
> *To:* JWD ; haproxy 
> *Subject:* Re: How to log %[hdr_ip(X-Forwarded-For,-1)]
> Hi.
> On 02.12.2019 at 09:27, JWD wrote:
> > Hi,all
> > I want to write %[hdr_ip(X-Forwarded-For,-1)] to log, how to do that?
> > And how to log it with [if] condition? Like set-header below:
> >  http-request set-header X-Client-IP %[hdr_ip(X-Forwarded-For,-1)] if !{ hdr(X-Client-IP) -m found } { hdr(X-Forwarded-For) -m found }
> >  http-request set-header X-Client-IP %[src] if !{ hdr(X-Client-IP) -m found } !{ hdr(X-Forwarded-For) -m found }
> > Can anyone help me? Thanks.
>
> You can capture request header via the following setup.
> https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4-capture%20request%20header
> For logging can you use this statement.
> https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-request%20set-log-level
> > JWD
> Regards
> Aleks





Haproxy nbthreads + multi-threading lua?

2019-12-02 Thread Dave Chiluk
Since 2.0 nbproc and nbthreads are now mutually exclusive, are there
any ways to make lua multi-threaded?

One of our proxies makes heavy use of lua scripting.  I'm not sure if
this is still the case, but in earlier versions of HAProxy lua was
single threaded per process.  Because of this we were running that
proxy with nbproc=4, and nbthread=4. This allowed us to scale without
being limited by lua.

Has lua single-threaded-ness now been solved?  Are there other options
I should be aware of related to that?  What's the preferred way around
this?

Thanks,
Dave.



[PATCH] BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1

2019-12-02 Thread Emmanuel Hocdet

Hi,

address #394

++
Manu



0001-BUG-MINOR-ssl-certificate-choice-can-be-unexpected-w.patch
Description: Binary data


[PATCH] BUG/MINOR: ssl: fix X509 compatibility for openssl < 1.1.0

2019-12-02 Thread Emmanuel Hocdet
Hi,

> On 2 Dec 2019, at 08:12, William Lallemand wrote:
> 
> It seems to have broken the build on centos 6, could you take a look at this
> ticket?
> 
> https://github.com/haproxy/haproxy/issues/385
> 
> 

Fix tested with openssl 1.0.1

++
Manu



0001-BUG-MINOR-ssl-fix-X509-compatibility-for-openssl-1.1.patch
Description: Binary data


Re: How to log %[hdr_ip(X-Forwarded-For,-1)]

2019-12-02 Thread Aleksandar Lazic

Hi.

On 02.12.2019 at 09:27, JWD wrote:

> Hi,all
> I want to write %[hdr_ip(X-Forwarded-For,-1)] to log, how to do that?
> And how to log it with [if] condition? Like set-header below:
>  http-request set-header X-Client-IP %[hdr_ip(X-Forwarded-For,-1)] if !{ hdr(X-Client-IP) -m found } { hdr(X-Forwarded-For) -m found }
>  http-request set-header X-Client-IP %[src] if !{ hdr(X-Client-IP) -m found } !{ hdr(X-Forwarded-For) -m found }
> Can anyone help me? Thanks.

You can capture request header via the following setup.
https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4-capture%20request%20header

For logging you can use this statement.

https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-request%20set-log-level

> JWD


Regards
Aleks



[PATCH] DOC: clarify matching strings on binary fetches

2019-12-02 Thread cyberheads GmbH
Documentation patch provided - I would backport it all the way down to 1.5 as 
it might save from headaches.

Best regards

Mathias

>
> It would be nice when you send us a patch to fix the doc.
> 
> Regards
> Aleks
> 
> Nov 30, 2019 11:35:24 AM Mathias Weiersmüller (cyberheads GmbH) 
> :
>
> > (CCing Thierry Fournier as maintainer of the pattern matching part)
> > 
> > 
> > > We use HAProxy in TCP Mode for non-HTTP protocols.
> > > 
> > > The request of one particular protocol looks like this:
> > > 
> > > - length of message (binary value, 4 bytes long)
> > > - binary part (40-200 bytes)
> > > - XML part
> > > 
> > > Goal: We want to use a particular backend when the XML part of the 
> > > request contains the string "<tag>".
> > > 
> > > We used this ACL:
> > > acl tag_found req.payload(0,0) -m sub <tag>
> > > 
> > > The problem:
> > > The substring matching stops on a Null byte (\0) in a binary fetch. 
> > > We always have this case (the request normally starts with Null 
> > > bytes). Therefore, the match never succeeds. As there might be null 
> > > bytes in the binary part too, we cannot just start the payload fetch 
> > > after byte 4.
> > > 
> > > ==
> > > frontend fe_test
> > > bind *:3000
> > > 
> > > tcp-request inspect-delay 5s
> > > 
> > > acl content_present req_len gt 0
> > > acl tag_found req.payload(0,0) -m sub <tag>
> > > 
> > > tcp-request content accept if content_present
> > > tcp-request content reject
> > > 
> > > # depending on if the payload contains the string "<tag>", we use different backends
> > > # right now, the two backends are exactly the same.
> > > use_backend be_tag if tag_found
> > > default_backend be_default
> > > 
> > > backend be_tag
> > > server srv_1:4000
> > > 
> > > backend be_default
> > > server srv_1:4000
> > > 
> > > Test cases:
> > > (tested on versions 2.0.10, 1.5.18)
> > > echo -e '<tag>' | nc 127.0.0.1 3000 # will use backend be_tag
> > > echo -e '\0<tag>' | nc 127.0.0.1 3000 # will use backend be_default, but should use be_tag
> > > ==
> > > 
> > > Workaround:
> > > =>convert payload into hexified string, parse against hex:
> > > acl tag_found req.payload(0,0),hex -m sub 3C7461673E # this is <tag> in hexadecimal
> > > 
> > > Dear list members, these are the questions I am twisting my mind with. Do 
> > > you have a good take on these?
> > > 
> > > - Is there another (better) way to do a substring match on a payload 
> > > which contains Null bytes?
> > > - Would another, new match method make sense here (something like 
> > > sub_bin ? )
> > > - Do we run into a problem with the hex conversion because the size 
> > > of the sample has double the size than the original (maybe bigger 
> > > than bufsize?)
> > > 
> > > 
> > 
> > If this behavior is intended, then the configuration manual (7.1.3 Matching 
> > strings) should be updated to reflect this:
> > 
> > Do not use string matches for binary fetches which might contain null 
> > bytes (0x00), as the comparison stops at the occurrence of the first 
> > null byte. Instead, convert the binary fetch to a hex string with the hex 
> > converter first.
> > 
> > Example:
> > acl tag_found req.payload(0,0),hex -m sub 3C7461673E # this is <tag> in hexadecimal
 



0001-DOC-clarify-matching-strings-on-binary-fetches.patch
Description: 0001-DOC-clarify-matching-strings-on-binary-fetches.patch
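
The matching behaviour reported in this thread, modelled in Python as an added example (not HAProxy code and not part of the original messages): a substring match that treats the sample as a NUL-terminated string misses the tag, while matching on the hexified payload sees the whole buffer. The function names and sample requests are constructed for illustration; the example goes one step beyond the thread by showing that a plain substring match on a hex string can also hit at an odd nibble offset, which a byte-aligned check rules out.

```python
# Constructed model of the matching behaviour discussed in the thread.
# Not HAProxy code; all function names are hypothetical.

PATTERN_HEX = "3C7461673E"             # hex value quoted in the thread
PATTERN = bytes.fromhex(PATTERN_HEX)   # decodes to b"<tag>"


def cstring_sub_match(payload: bytes, pattern: bytes) -> bool:
    """Substring match that treats the sample as a NUL-terminated string."""
    visible = payload.split(b"\x00", 1)[0]   # bytes after the first NUL are never seen
    return pattern in visible


def hex_sub_match(payload: bytes, pattern_hex: str) -> bool:
    """The workaround: hexify the payload, then do a plain substring match."""
    return pattern_hex in payload.hex().upper()


def hex_sub_match_aligned(payload: bytes, pattern_hex: str) -> bool:
    """Same match, but only accept hits that start on a byte boundary."""
    haystack = payload.hex().upper()
    pos = haystack.find(pattern_hex)
    while pos != -1:
        if pos % 2 == 0:                     # even offset means whole-byte alignment
            return True
        pos = haystack.find(pattern_hex, pos + 1)
    return False


def hexified_size(payload: bytes) -> int:
    """Hex output is twice the input size, which matters against a fixed buffer."""
    return len(payload.hex())


# Constructed sample requests: 4-byte length, binary part with NULs, XML part.
REQ_WITH_TAG = b"\x00\x00\x00\x10" + b"\x01\x00\x02" + b"<tag>x</tag>"
REQ_NO_TAG = b"\x00\x00\x00\x08" + b"\x01\x00\x02" + b"<other/>"
# Constructed bytes whose hex form contains the pattern only at an odd offset.
REQ_MISALIGNED = b"\x00\x03\xC7\x46\x16\x73\xE0"

if __name__ == "__main__":
    for name, req in [("with tag", REQ_WITH_TAG), ("no tag", REQ_NO_TAG),
                      ("misaligned", REQ_MISALIGNED)]:
        print(name, cstring_sub_match(req, PATTERN),
              hex_sub_match(req, PATTERN_HEX),
              hex_sub_match_aligned(req, PATTERN_HEX))
```
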


How to log %[hdr_ip(X-Forwarded-For,-1)]

2019-12-02 Thread JWD
Hi,all

I want to write %[hdr_ip(X-Forwarded-For,-1)] to log, how to do that?

And how to log it with [if] condition? Like set-header below:
http-request set-header X-Client-IP %[hdr_ip(X-Forwarded-For,-1)] if !{ hdr(X-Client-IP) -m found } { hdr(X-Forwarded-For) -m found }
http-request set-header X-Client-IP %[src] if !{ hdr(X-Client-IP) -m found } !{ hdr(X-Forwarded-For) -m found }

Can anyone help me? Thanks.




JWD