Re: load-server-state-from-file "automatic" transfer?

2019-07-29 Thread Daniel Schneller
Hi! Thanks for taking a look and explaining. Should I create a ticket on GitHub for this? Daniel > On 25. Jul 2019, at 10:44, William Lallemand wrote: > > On Thu, Jul 25, 2019 at 10:23:24AM +0200, Aleksandar Lazic wrote: >> Hi. >> >> Am 25.07.2019 um 10:06 schrieb William Lallemand: >>> On

load-server-state-from-file "automatic" transfer?

2019-07-24 Thread Daniel Schneller
fashion as file handles or stick-tables (via peers)? Thanks a lot! Daniel -- Daniel Schneller Principal Cloud Engineer GPG key at https://keybase.io/dschneller CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerdevice.com __ Geschäftsführung: Dr

Re: DNS Resolver Issues

2019-03-24 Thread Daniel Schneller
' dns name makes haproxy fail > to start despite having the supposedly never failing 'default-server > init-addr last,libc,none' ? Is it possibly a good feature request to support > re-resolving a dns name for the addr setting as well ? > > Regards, > PiBa-NL (Piet

Re: DNS Resolver Issues

2019-03-21 Thread Daniel Schneller
uery all > records from the resolver. > > Can you please retest with the updated configuration and report back the > results? > > > Best regards, > > Bruno Henc > > ‐‐‐ Original Message ‐‐‐ > On Thursday, March 21, 2019 12:09 PM, Dan

Re: DNS Resolver Issues

2019-03-21 Thread Daniel Schneller
Hello! Friendly bump :) I'd be willing to amend the documentation once I understand what's going on :D Cheers, Daniel > On 18. Mar 2019, at 20:28, Daniel Schneller > wrote: > > Hi everyone! > > I assume I am misunderstanding something, but I cannot figure ou

DNS Resolver Issues

2019-03-18 Thread Daniel Schneller
pport. Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace -- Dani

HAProxy keeps using outdated IPs when backend (ELB) address changes

2018-08-27 Thread Daniel Schneller
poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [COMP] compression [TRACE] trace [SPOE] spoe - -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 5

Re: Clarification re Timeouts and Session State in the Logs

2018-08-24 Thread Daniel Schneller
imple. > > On Thu, 23 Aug 2018 9:56 pm Daniel Schneller > <mailto:daniel.schnel...@centerdevice.com>> wrote: > Friendly bump. > I'd volunteer to do some documentation amendments once I understand the issue > better :D > >> On 21. Aug 2018, at 16:17, Danie

Re: Clarification re Timeouts and Session State in the Logs

2018-08-23 Thread Daniel Schneller
Friendly bump. I'd volunteer to do some documentation amendments once I understand the issue better :D > On 21. Aug 2018, at 16:17, Daniel Schneller > wrote: > > Hi! > > I am trying to wrap my head around an issue we are seeing where there are > many HTTP 504 res

Clarification re Timeouts and Session State in the Logs

2018-08-21 Thread Daniel Schneller
nd it is difficult to tell "who's to blame" for an inactivity timeout without knowledge about the content or final size of the request -- I just need some clarity on how to read the logs :) Thanks! Daniel -- Daniel Schneller Principal Cloud Engineer C

Re: Bug when passing variable to mapping function

2018-07-09 Thread Daniel Schneller
nk() smp->data.u.str.str is for example > 'distri.com' and after get_trash_chunk() smp->data.u.str.str > is '\000istri.com'. > > At the moment I don't have time to dig deeper, but hopefully this > helps a little bit. > > -Jarno > > -- > J

Bug when passing variable to mapping function

2018-06-25 Thread Daniel Schneller
-- The generated header changes to: -- X-Distri-Mapped-From-Var: aaistri -- Looks like some off-by-one error? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerde

Re: Reverse String (or get 2nd level domain sample)?

2018-06-25 Thread Daniel Schneller
is should also work with earlier versions IMO). Cheers, Daniel > On 25. Jun 2018, at 12:29, Daniel Schneller > wrote: > > Hi! > > Just double checking to make sure I am not simply blind: Is there a way to > reverse a string using a sample converter? > > Backgrou

Reverse String (or get 2nd level domain sample)?

2018-06-25 Thread Daniel Schneller
I would like to avoid using maps to keep this thing as generic as possible. Thanks a lot! Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH Rheinwerkallee 3 53227 Bonn www.centerdevice.com __ Geschäftsführung: Dr. Patrick Peschlow, D

Re: 4xx statistics made useless through health checks?

2017-11-21 Thread Daniel Schneller
: > http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#4.2-monitor-uri > It says it wont log or forward the request.. not sure but maybe stats will > also skip it. Yes, that’s exactly what’s shown in that linked repo. Thanks for chiming in :) > Regards, > PiBa-NL / Pieter

Re: 4xx statistics made useless through health checks?

2017-11-21 Thread Daniel Schneller
so far :) Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Pa

Re: 4xx statistics made useless through health checks?

2017-11-21 Thread Daniel Schneller
health checking that does not spoil the counters? Daniel Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

4xx statistics made useless through health checks?

2017-11-21 Thread Daniel Schneller
P response ranges gets totally thrown off by all these health checks. Is there anything I can do to “make them both happy”? Any suggestions would be much appreciated. Thanks, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Encrypted Passwords Documentation Patch

2017-11-06 Thread Daniel Schneller
noticeable at all to it almost eating a full core, even for a not very busy site. Tested with 1.6, but this applies to all versions, if I am not mistaken. Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Re: HTTP DELETE command failing

2017-11-02 Thread Daniel Schneller
Hi! Please provide the configuration file (at least the relevant portion) showing frontend/backend and the ACLs. Otherwise it is difficult to judge what’s going on. Regards, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

Re: Force Sticky session on HaProxy

2017-10-18 Thread Daniel Schneller
e same JSESSIONID gets to the same backend every time. As the information is in the cookie, there is no state to be lost on the haproxy side. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen te

Re: Question related to gpc0_rate values in stick-table

2017-10-17 Thread Daniel Schneller
ore reasonable starting point to figure out where the issue comes from. Regards, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland

Re: Inspect data sent through haproxy and create statistics

2017-09-28 Thread Daniel Schneller
ase nothing known matches http-request set-var(txn.op) str(Unkwn) ... http-request set-var(txn.op) str(DocDelMul) if METH_POST rq_path_documents rq_content_type_json rq_body_action_delete# Delete Multiple Documents … Hope that helps. Daniel -- Daniel Schneller Principal Cloud E

Re: Enable SSL Forward Secrecy

2017-09-01 Thread Daniel Schneller
Hi, inspired by this, I added a paragraph with links to the documentation. Small patch attached. Cheers, Daniel 0001-DOC-Refer-to-Mozilla-TLS-info-config-generator.patch Description: Binary data -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11

[PATCH] DOC: Add note about "* " prefix in CSV stats

2017-09-01 Thread Daniel Schneller
Just a little documentation patch I wrote, after stumbling across this: https://github.com/dschneller/bosun/commit/6ca776dd6543d123a135b4a84a5e3e66093c3986 0001-DOC-Add-note-about-prefix-in-CSV-stats.patch Description: Binary data Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevi

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Darn! Looking at the “openssl ciphers” Julian provided earlier, my mind “autocompleted” the missing trailing “E” in ECDH (/me facepalms). Thanks, Cyril, for pointing that out! I was starting to doubt myself here :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterD

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
’t have any real traffic in there. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.cent

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
are proxies/firewalls? Can you post a minimal haproxy config that reproduces the issue? Please verify you can see the requests coming in by checking haproxy’s log. You should be able to at least see the requests being rejected due to bad handshakes. Daniel -- Daniel Schneller Principal Cl

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Ok, so that’s not it. What about the ciphers output? -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
Also, please run haproxy -vv to get some idea about what SSL library it actually uses. -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
A PSK-AES256-CBC-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA SRP-AES-128-CBC-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA PSK-AES128-CBC-SHA Check the output on your load balancer — maybe the OpenSSL version is just too old? Regards

Re: Enable SSL Forward Secrecy

2017-08-30 Thread Daniel Schneller
handshakes and go through them — IIRC there is some “FS” vs. “No FS” marker there. Regards, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: req.cook_cnt() broken?

2017-08-25 Thread Daniel Schneller
6.13 just now. Works as expected with all three. :D Any chance of getting this fix backported to the 1.7 and ideally 1.6 branches? It would come in handy on a production system currently running 1.6 that I cannot easily upgrade to 1.7. Cheers, Daniel -- Daniel Schneller Princip

Re: req.cook_cnt() broken?

2017-08-23 Thread Daniel Schneller
Kindly bumping this during the summer vacation time for potentially new recipients :) > On 21. Aug. 2017, at 21:14, Daniel Schneller > wrote: > > Hi! > > According to the documentation > > req.cook_cnt([]) : integer > Returns an integer value representing the n

req.cook_cnt() broken?

2017-08-21 Thread Daniel Schneller
-- So without being very C-savvy, this appears to exit early when there is no parameter of type string passed in. I hope someone can shed some light on this. :) Thanks in advance, Daniel -- Daniel Schneller Principal Clou

Re: fields vs word converter, unexpected "0" result

2017-08-01 Thread Daniel Schneller
On 1. Aug. 2017, at 17:32, Holger Just wrote: > GET / HTTP/1.1 > Host: 127.0.0.1:8881 > User-Agent: curl/7.43.0 > Accept: */* > > The HTTP 1.1 specification requires that a Host header is always sent > along with the request. Curl specifically always sends the host from the > given URL, unless i

fields vs word converter, unexpected "0" result

2017-08-01 Thread Daniel Schneller
ged? Ideally, I’d like this to show as “-”, but empty string would be fine, too. But “0” is pretty counter-intuitive. It’s not strictly horrible, but at least it is unexpected and would also collide with cases where the actual 2nd subdomain was called “0”. Is this a bug, or am I doing someth

Re: haproxy does not capture the complete request header host sometimes

2017-06-22 Thread Daniel Schneller
ration files — which may or may not be what you expect when doing minor upgrades. Granted, when you currently use an out-of-range value, you probably _want_ this fix, but still might hit you unexpectedly. It should be made very prominent in the release notes. Cheers, Daniel -- Daniel Sch

Re: truncated request in log lines

2017-05-16 Thread Daniel Schneller
This is a limitation of the syslog protocol, IIRC. -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de

Re: Automatic Certificate Switching Idea

2017-05-15 Thread Daniel Schneller
> > That's perfect! Your feedback and possible trouble in doing this will > also definitely help! > Oh, if experience tells me one thing, no matter how “straightforward” this may look, there _will_ be trouble ;-) Cheers Daniel -- Daniel Schneller Principal Cloud Engine

Re: Automatic Certificate Switching Idea

2017-05-12 Thread Daniel Schneller
you meant when referring to the “not-before” date. Daniel PS: This is an interesting discussion, and I am happy to continue it, if anyone feels the same. As I said, I will try to solve this via provisioning scripts in the meantime, so there is no time press

Re: Automatic Certificate Switching Idea

2017-05-09 Thread Daniel Schneller
m our specific setup, I might then release it into the wild for the select few who might find it useful :) Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

2017-05-08 Thread Daniel Schneller
-- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick Peschlow, Dr

Re: Automatic Certificate Switching Idea

2017-04-30 Thread Daniel Schneller
> > Am 28-04-2017 09:26, schrieb Daniel Schneller: > >> Hello! >> I am managing a few haproxy instances that each manage a good number of >> domains and do the TLS termination on behalf of what you might call "hosted" >> sites. >> Most of the clients

Automatic Certificate Switching Idea

2017-04-28 Thread Daniel Schneller
-- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas

Re: Certificate order

2017-04-18 Thread Daniel Schneller
. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdevice.de | www.centerdevice.de Geschäftsführung: Dr. Patrick

Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Damn. I shouldn't respond to questions after midnight :-(. I completely overread this is about client certificates until now. Sorry for missing that, Sam; and thanks Willy for the interesting link. One question comes up for me though, after reading it (unless I am still not awake enough, in wh

Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
se >> mode TCP and passthrough? Is there a way to do that without turning off >> hostname verifier at the client level? >> >> Thanks, >> Sam >> >>> On February 17, 2017 at 7:13:23 PM, Daniel Schneller >>> (daniel.schnel...@centerdevice.com)

Re: SSL Termination or Passthrough

2017-02-17 Thread Daniel Schneller
Sam, This not working the way you would like is the corner stone and one of the key features of TLS. It is designed to ensure there is nothing in the middle between the client and the server. If you need to inspect the traffic, by definition you cannot without the clients trusting your certific

Re: Haproxy issue

2017-02-14 Thread Daniel Schneller
vices > backend rest_services > server shstand 10.0.0.2:8089 ssl verify none > So It works > > De : Daniel Schneller [mailto:daniel.schnel...@centerdevice.com] > Envoyé : mardi 14 février 2017 17:17 > À : Skarbek, John > Cc : DAIGNE Thibault OBS/OAB; haproxy+h...@for

Re: Haproxy issue

2017-02-14 Thread Daniel Schneller
e ACL to not match. > It would also be a good idea to setup a `default backend` as a way to help > test where your requests are going. > For debugging these kinds of things I usually run haproxy in debug mode: haproxy -d -f haproxy.cfg That way it will echo inco

Re: ACL randomly failing

2017-02-13 Thread Daniel Schneller
. So I suggest you make sure first you have exactly one instance running, e. g. with “ps aux | grep haproxy”. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: http-send-name-header for response?

2017-02-09 Thread Daniel Schneller
d also delete it from the request in the frontend on the way in to prevent the request from actually sticking to a single server. Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754

Re: Debug Log: Response headers logged before rewriting

2017-02-07 Thread Daniel Schneller
Hello everyone! While I have since figured out what my original problem was, the original question remains. Is this intentional, am I missing something, or both? :) Cheers, Daniel > On 3. Feb. 2017, at 13:40, Daniel Schneller > wrote: > > Hi there! > > I currently tryi

Debug Log: Response headers logged before rewriting

2017-02-03 Thread Daniel Schneller
he server actually puts on the wire towards the client? Thanks Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland daniel.schnel...@centerdev

TLS certificate precedence

2017-01-25 Thread Daniel Schneller
cific cert where the domain actually matches one of the CN / SAN fields? Thanks, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711| Deutschland dani

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
age. If you want to configure TLS on the mail server / web server itself, there is no need to configure haproxy for TLS at all. Switch it to TCP mode and remove the TLS configuration. That way it will just hand the still encrypted traffic over to nginx. -- Daniel Schneller Principal Cl

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
Sounds as if you have nginx set up for TLS termination, too. This does not make sense, because haproxy will already have decrypted the traffic. Make sure nginx does not expect https on what in your config would be ip_email_server:888. -- Daniel Schneller Principal Cloud Engineer

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
Re-adding the list. And: > Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ?? Yes. Though I am not sure what file.crt and file.pem are :) Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: HAproxy / Reverse proxy Debian

2017-01-12 Thread Daniel Schneller
. intermediates Make sure to have these files not world-readable as they contain secret crypto material. HTH, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Hochstraße 11 | 42697 Solingen tel: +49 1754155711

Re: Bytes in / out counters for TCP Keepalive Sessions

2016-09-15 Thread Daniel Schneller
.xx and that there is no good way to fix it. Is there any chance of it returning, or should it maybe be marked as broken in the docs at least, maybe issue a warning on startup? http://www.serverphorums.com/read.php?10,747628 Thanks :) Daniel -- Daniel Schneller Principal Cloud Engineer

Re: Bytes in / out counters for TCP Keepalive Sessions

2016-09-08 Thread Daniel Schneller
Adding the list back. Sorry for dropping it earlier. > On 8 Sep 2016, at 19:56, PiBa-NL wrote: > > Hi, > Op 8-9-2016 om 15:43 schreef Daniel Schneller: >>> http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#4.2-option%20contstats >> Indeed, t

Bytes in / out counters for TCP Keepalive Sessions

2016-09-07 Thread Daniel Schneller
:5672 check on-marked-down shutdown-sessions Is this the expected behavior? If so, is there any configuration option we can change to show “live” stats of bytes flowing through the persistent connections? Thanks! Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: HTTP 429 Too Many Requests

2016-06-24 Thread Daniel Schneller
logs and being nice and readable :-) > On 24 Jun 2016, at 23:13, Cyril Bonté wrote: > >> Le 24/06/2016 à 22:57, Daniel Schneller a écrit : >> That is indeed pretty cool :-) >> Would the addition of a header work the way I originally suggested, though? > > Only

Re: HTTP 429 Too Many Requests

2016-06-24 Thread Daniel Schneller
; http-request deny deny_status 429 > > [1] > http://www.haproxy.org/git?p=haproxy-1.6.git;a=commit;h=108b1dd69d4e26312af465237487bdb855b0de60 > [2] > http://www.haproxy.org/git?p=haproxy-1.6.git;a=commit;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b > >> >> On Fri,

HTTP 429 Too Many Requests

2016-06-24 Thread Daniel Schneller
allow me to specify different values for the "Retry-After:" header to inform well-written clients after which time they should come back and try again. Does that sound like a sensible addition? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH https://www.centerdevice.de

Re: Compilation problem: haproxy 1.6.5 (latest) on Solaris 11

2016-05-19 Thread Daniel Schneller
On the http://www.haproxy.org homepage there is a link to each version’s repo. Cheers, Daniel > On 19.05.2016, at 15:30, Jonathan Fisher wrote: > > Cool, thanks! > > Where is the git repo for haproxy? having trouble finding the official one, > all I can find is

Re: nbproc 1 vs >1 performance

2016-04-14 Thread Daniel Schneller
? If so, that would explain some issues I had in the past when quickly iterating config changes and restarting haproxy each time, but sometimes getting results that could only have come from an older config? Thanks, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH >

Re: CIDR Notation in ACL -- silent failure

2016-04-12 Thread Daniel Schneller
On 12.04.2016, at 14:07, Willy Tarreau wrote: I will at least provide a documentation patch then, soon. OK. As promised, a few words, hopefully clarifying things in the docs. 0001-DOC-Clarify-IPv4-address-mask-notation-rules.patch Description: Binary data Cheers, Daniel

Re: CIDR Notation in ACL -- silent failure

2016-04-12 Thread Daniel Schneller
l be typos or other accidental mistakes in config files. I might be alone here, but I believe a warning (not a failure) about these rather unorthodox notations being used would improve things :) Thoughts? Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice G

Patch: Add predefined METH_PUT and METH_DELETE ACLs

2016-04-11 Thread Daniel Schneller
Hi! In virtually every haproxy.cfg I touch I need to define ACLs for METH_PUT and METH_DELETE in line with the predefined METH_GET, METH_POST etc. Unless there is a non-obvious reason I don’t know about (Googling haproxy METH_PUT/DELETE does not produce anything apparent), I offer the attached small p

Re: CIDR Notation in ACL -- silent failure

2016-04-09 Thread Daniel Schneller
Hi Pavlos! > On 09.04.2016, at 11:39, Pavlos Parissis wrote: > > On 08/04/2016 11:59 πμ, Daniel Schneller wrote: >> Hi! >> >> I noticed that while this ACL matches my source IP of 192.168.42.123: >> >> acl src_internal_net src 192.168.42.0/24

CIDR Notation in ACL -- silent failure

2016-04-08 Thread Daniel Schneller
sing. Especially if ACLs are used for actual access control, this can have nasty consequences. What do you think? Cheers, Daniel -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH

Re: Segfault with stick-tables

2016-03-29 Thread Daniel Schneller
n with: -v ==4802== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) > On 29.03.2016, at 14:16, Daniel Schneller > wrote: > > Hi! > > I am seeing a segfault upon the first request coming through the > configuration bel

Segfault with stick-tables

2016-03-29 Thread Daniel Schneller
f detected and suppressed errors, rerun with: -v ==4628== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) -- Daniel Schneller Principal Cloud Engineer CenterDevice GmbH | Merscheider Straße 1

DOC Patch: tune.vars.xxx-max-size

2016-03-21 Thread Daniel Schneller
From 29bddd461c30bc850633350ac81e3c9fd7b56cb8 Mon Sep 17 00:00:00 2001 From: Daniel Schneller Date: Mon, 21 Mar 2016 20:46:57 +0100 Subject: [PATCH] DOC: Clarify tunes.vars.xxx-max-size settings Adds a little more clarity to the description of the maximum sizes of the different variable scopes

http-request capture id frontend/backend not working?

2016-03-19 Thread Daniel Schneller
Hi! I am trying to capture an HTTP Request Header that gets added under certain circumstances in the backend. From the documentation I understand I can use a capture slot for that. This is what I tried in my stripped down config file: ... frontend fe_http bind 192.168.1.3:80 declare capture

Re: http-request capture id frontend/backend not working?

2016-03-19 Thread Daniel Schneller
t will bail if it does find a referenced ID that is not declared in the current proxy entry. As my declaration is in the frontend, but the actual capture tries to reference it in the backend, they are in different proxies, making this check fail? Daniel > On 18.03.2016, at 13:43, Daniel Sc

Re: SSL backends stopped working

2015-04-23 Thread Daniel Schneller
Have you checked the time/date on the Haproxy host? If they are wrong, the certificate might look bad from HAProxy’s point of view. Daniel -- Daniel Schneller Infrastructure Architect / Developer CenterDevice GmbH > On 23.04.2015, at 10:00, i...@linux-web-development.de wr