SUGGESTION - ssl-load-extra-files - private key name resolution

2020-09-21 Thread Marc Antoine Leclercq
is feature. SSL-LOAD-EXTRA-FILES is an excellent feature we’ve been waiting for as it simplifies our cert deployment, but in its current form it’s not really usable for us. Thank you. -- Marc-Antoine Leclercq

Re: Using sockets from Lua

2015-08-26 Thread Marc-Antoine
sion. You must compile from sources or wait for the next dev release. > > > > Actually, the function "txn.close()" causes a segfault, it will be > > fixed in a few time. > > I just merged your temporary fix, Thierry, so the segfault is supposed > to be gone. CCing

Re: ocsp

2015-08-18 Thread Marc-Antoine
to a > single certificate file, not a > directory)? yes it works fine with crt pointing to a signe certificate file. > > Can you make the openssl tests from the server, connecting locally without > any intermediate > devices? i did and results are the same. Regards, > &g

Re: segfault in src/buffer.c

2015-08-18 Thread Marc-Antoine
roduce the segfault ? > > Thierry > > On Mon, 17 Aug 2015 15:00:25 +0200 > Marc-Antoine wrote: > > > Hi, > > > > Cyril, as you said, if removed "txn:close()" from the lua script, I don't > > get segfault anymore. > > > > I noticed

Re: segfault in src/buffer.c

2015-08-17 Thread Marc-Antoine
127.0.0.1:80 acl debugme req.hdr_cnt(X-debug-me) ge 1 http-request lua mirror if debugme #default_backend be Regards, On Sat, 15 Aug 2015 23:56:57 +0200, Cyril Bonté wrote : > Hi Marc-Antoine, > > Le 12/08/2015 19:01, Marc-Antoine a écrit : > > I

Re: [SPAM] segfault in src/buffer.c

2015-08-12 Thread Marc-Antoine
response .. "Content-Length: " .. buffer:len() .. "\r\n" response = response .. "Connection: close\r\n" response = response .. "\r\n" response = response .. buffer txn.res:send(response) txn:close() end On

[SPAM] segfault in src/buffer.c

2015-08-12 Thread Marc-Antoine
errorfile 504 /etc/haproxy/errors/504.http ### HTTP ### frontend fe:80 bind 127.0.0.1:80 acl debugme req.hdr_cnt(X-debug-me) ge 1 http-request lua mirror if debugme default_backend be frontend fe:443 bind 127.0.0.1:443 ssl crt /etc/ssl/private de

Re: ECC certificate

2015-08-12 Thread Marc-Antoine
> Baptiste wrote on 8/12/2015 11:29: > > On Wed, Aug 12, 2015 at 11:22 AM, Marc-Antoine > > wrote: > >> Hi all, > >> > >> i'm trying to use an ECC certificate under haproxy without success : > >> > >> * haproxy -vv > >>

ECC certificate

2015-08-12 Thread Marc-Antoine
/home/provisionning/0.pem crt /home/provisionning/cluster2.d default_backend cluster2 any idea ? -- Marc-Antoine

Re: ocsp

2015-07-22 Thread Marc-Antoine
Hi, On Mon, 20 Jul 2015 11:50:50 +0200, Marc-Antoine wrote : > Hi Lukas, > > frontend cluster:443 > bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt > /home/provisionning/cluster.d > default_backend cluster > capture request header Host len 2

Re: ocsp

2015-07-21 Thread Marc-Antoine
> > I made a mistake in my previous email : it works locally AND remotely ! > > What fixed the problem? This may be useful for others as well. > > > Lukas > > -- Marc-Antoine

Re: ocsp

2015-07-20 Thread Marc-Antoine
E681 > > Cert Status: good > > This Update: Jul 20 16:42:53 2015 GMT > > Next Update: Jul 21 04:42:53 2015 GMT > > > > [...] > > > > --- > > > > It works locally or remotely ! > > Not sure I understand. Does that mean it works locally, but not remotely? > > > > Regards, > > Lukas > > > -- Marc-Antoine

Re: ocsp

2015-07-20 Thread Marc-Antoine
> directory)? > > Can you make the openssl tests from the server, connecting locally without > any intermediate > devices? > > > > Thanks, > > Lukas > > -- Marc-Antoine

Re: ocsp

2015-07-20 Thread Marc-Antoine
rder to debug? > > Can you provide the output of "haproxy -vv" please and a > config snippet (the frontend ssl configuration)? > > Do you see a warning if 8150.pem.ocsp contains garbage when you restart > haproxy? > > > > Regards, > > Lukas > > > -- Marc-Antoine

Re: ocsp

2015-07-15 Thread Marc-Antoine
Hi, nobody knows plz ? On Thu, 9 Jul 2015 13:06:59 +0200, Marc-Antoine wrote : > Hi all, > > I have some problem making ocsp stapling working. here is what i did : > > I have 8150.pem with chain, cert and key in it. > > I have 8150.pem.ocsp that seems ok : > >

ocsp

2015-07-09 Thread Marc-Antoine
, -- Marc-Antoine

Re: [ANNOUNCE] haproxy-1.5.14

2015-07-03 Thread Marc-Antoine
Hi, just to let you know changelog is missing 1.5.14 infos ;) great job by the way ! On Fri, 3 Jul 2015 17:55:56 +0200, Willy Tarreau wrote : > Changelog: http://www.haproxy.org/download/1.5/src/CHANGELOG -- Marc-Antoine

Re: Which signal causes HAProxy to reload its config

2015-03-25 Thread Marc-Antoine Perennou
the running haproxy process (well, you do, but not only), you *replace* it. What you may be looking for, though, is haproxy-systemd-wrapper, which does all this automatically when it receives SIGUSR2 or SIGHUP. Regards, Marc-Antoine

Re: [PATCH] Also accept SIGHUP/SIGTERM in systemd-wrapper

2014-09-11 Thread Marc-Antoine Perennou
On 11 September 2014 07:44, Willy Tarreau wrote: > On Wed, Sep 10, 2014 at 10:38:55PM -0700, Matt Robenolt wrote: >> Awesome, thanks. :) >> >> Is it possible to also get this applied into the 1.5 branch since this is >> low risk and doesn't break any backwards compatibility and whatnot? > > I'v

Re: [PATCH 0/3] systemd wrapper improvements

2014-04-17 Thread Marc-Antoine Perennou
stemd wrapper: propagate exit status > > src/haproxy-systemd-wrapper.c | 69 > ++- > 1 file changed, 49 insertions(+), 20 deletions(-) > > -- > 1.9.1 > > > Looks good to me. Any comments, Will? Regards, Marc-Antoine

Re: haproxy-systemd-wrapper spawning multiple processes

2014-02-15 Thread Marc-Antoine Perennou
On Sat, 2014-02-15 at 20:04 -0600, Ryan O'Hara wrote: > On Sun, Feb 16, 2014 at 10:08:31AM +0900, Marc-Antoine Perennou wrote: > > > This is why you get > > > > haproxy-systemd-wrapper -> main haproxy process -> haproxy worker. > > > > haproxy-sys

Re: haproxy-systemd-wrapper spawning multiple processes

2014-02-15 Thread Marc-Antoine Perennou
proxy-systemd-wrapper waits for the main haproxy process to exit to avoid zombies. The main haproxy process exits when all its workers are done. > Thanks. > Ryan > Hope that helps and sounds right. Marc-Antoine

Re: Three patches to the haproxy-systemd-wrapper

2013-11-23 Thread Marc-Antoine Perennou
comments/suggestions are welcome. :) > > > > In case the patches get stripped, they are also available from my > > github account [2]. They are applied to a copy of 1.4.24 there, but > > should apply cleanly to the development tree. > > Great, thank you! I'll wait fo

[PATCH] BUG/MEDIUM: systemd-wrapper: don't leak zombie processes

2013-04-02 Thread Marc-Antoine Perennou
Formerly, if A was replaced by B, and then B by C before A finished exiting, we didn't wait for B to finish so it ended up as a zombie process. Fix this by waiting randomly every child we spawn. Signed-off-by: Marc-Antoine Perennou --- src/haproxy-systemd-wrapper.c | 10 -- 1

Re: [PATCH v2] BUG/MEDIUM: systemd-wrapper: don't leak zombie processes

2013-04-01 Thread Marc-Antoine Perennou
On 1 April 2013 23:49, Willy Tarreau wrote: > Great. I'm planning a dev18 release for tomorrow afternoon, tell me > if you want me to wait a bit more. > > Thanks, > Willy > It will be ready before the afternoon so that you can get it in dev18! Thanks

Re: [PATCH v2] BUG/MEDIUM: systemd-wrapper: don't leak zombie processes

2013-04-01 Thread Marc-Antoine Perennou
Hi, After checking out the man page of waitpid, wait would indeed be sufficient here. I didn't actually know about waitpid(-1) I'll resubmit an updated patch tomorrow! Thanks On 1 April 2013 23:32, Willy Tarreau wrote: > Hi Marc-Antoine, > > On Thu, Mar 14, 2013 at 02:

[PATCH v2] BUG/MEDIUM: systemd-wrapper: don't leak zombie processes

2013-03-14 Thread Marc-Antoine Perennou
Formerly, if A was replaced by B, and then B by C before A finished exiting, we didn't wait for B to finish so it ended up as a zombie process. Fix this by queuing all process we spawn for waitpid. Signed-off-by: Marc-Antoine Perennou --- src/haproxy-systemd-wrapper.c

[PATCH] MEDIUM: systemd-wrapper: don't leak zombie processes

2013-02-25 Thread Marc-Antoine Perennou
Formerly, if A was replaced by B, and then B by C before A finished exiting, we didn't wait for B to finish so it ended up as a zombie process. Fix this by queuing all process we spawn for waitpid. Signed-off-by: Marc-Antoine Perennou --- src/haproxy-systemd-wrapper.c

[[V3] 3/3] MEDIUM: add systemd service

2013-02-13 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- .gitignore | 1 + contrib/systemd/Makefile | 8 contrib/systemd/haproxy.service.in | 11 +++ 3 files changed, 20 insertions(+) create mode 100644 contrib/systemd/Makefile create mode 100644 contrib

Re: [[V2] 3/3] MEDIUM: add systemd service

2013-02-13 Thread Marc-Antoine Perennou
Hi, On 13 February 2013 08:11, Willy Tarreau wrote: > Hi Marc-Antoine, > > On Tue, Feb 12, 2013 at 10:53:54AM +0100, Marc-Antoine Perennou wrote: > > +systemd/haproxy.service: contrib/systemd/haproxy.service.in > > + mkdir -p systemd > > + sed -e 

[[V2] 3/3] MEDIUM: add systemd service

2013-02-12 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- .gitignore | 1 + Makefile | 8 ++-- contrib/systemd/haproxy.service.in | 11 +++ 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 contrib/systemd/haproxy.service.in

[[V2] 2/3] MEDIUM: add haproxy-systemd-wrapper

2013-02-12 Thread Marc-Antoine Perennou
(not to conflict with haproxy itself) signal, and spawning a new haproxy with "-sf" as a child to relay the first one. Signed-off-by: Marc-Antoine Perennou --- .gitignore| 1 + Makefile | 16 +- src/haproxy-systemd-wrapper.c | 113 +

[[V2] 1/3] MEDIUM: New cli option -Ds for systemd compatibility

2013-02-12 Thread Marc-Antoine Perennou
her systems. Signed-off-by: Marc-Antoine Perennou --- doc/haproxy-en.txt | 1 + doc/haproxy-fr.txt | 1 + doc/haproxy.1 | 4 include/types/global.h | 1 + src/haproxy.c | 35 +++ 5 files changed, 30 insertions(+), 12 deletions(

Re: [PATCH 1/3] MEDIUM: New cli option -Ds for systemd compatibility

2013-02-09 Thread Marc-Antoine Perennou
On 9 February 2013 11:06, Willy Tarreau wrote: > Hi, > > On Sat, Feb 09, 2013 at 10:44:04AM +0100, Marc-Antoine Perennou wrote: > > I just made a simple test, running a webserver serving a big file > locally, > > using haproxy, > > my wrapper and systemd service. I

Re: [PATCH 2/3] MEDIUM: add haproxy-systemd-wrapper

2013-02-09 Thread Marc-Antoine Perennou
SIGUSR2 ok here ? I first did it with SIGUSR1 but then children couldn't bind to this signal on reload, since it was already a USR1 action, so I took the first one not colliding. On 9 February 2013 09:49, Willy Tarreau wrote: > On Fri, Feb 08, 2013 at 03:58:47PM +0100, Marc-Anto

Re: [PATCH 1/3] MEDIUM: New cli option -Ds for systemd compatibility

2013-02-09 Thread Marc-Antoine Perennou
On 9 February 2013 09:45, Willy Tarreau wrote: > On Fri, Feb 08, 2013 at 03:58:46PM +0100, Marc-Antoine Perennou wrote: > > @@ -1493,8 +1499,13 @@ int main(int argc, char **argv) > > px = px->next; > > } > > > > -

[PATCH 3/3] MEDIUM: add systemd service

2013-02-08 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- .gitignore | 1 + Makefile | 8 ++-- contrib/systemd/haproxy.service.in | 11 +++ 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 contrib/systemd/haproxy.service.in

[PATCH 1/3] MEDIUM: New cli option -Ds for systemd compatibility

2013-02-08 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- doc/haproxy-en.txt | 1 + doc/haproxy-fr.txt | 1 + doc/haproxy.1 | 4 include/types/global.h | 1 + src/haproxy.c | 35 +++ 5 files changed, 30 insertions(+), 12 deletions(-) diff --git

HAProxy and systemd compatibility

2013-02-08 Thread Marc-Antoine Perennou
Hi, Currently, to reload haproxy configuration, you have to use "-sf". Systemd philosophy is for the daemon not to fork by themselves, but rather let the init process do it for them. My first patch adds a new option "-Ds" which is exactly like "-D", but instead of forking n times to get n jobs

[PATCH 2/3] MEDIUM: add haproxy-systemd-wrapper

2013-02-08 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- .gitignore| 1 + Makefile | 16 +- src/haproxy-systemd-wrapper.c | 122 ++ 3 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 src/haproxy-systemd

Re: -sf/-st not working

2013-02-07 Thread Marc-Antoine Perennou
It is totally normal that systemd kills the new process as the main one which was the first has exited. This is the expected behaviour. I'm currently patching haproxy to fully support systemd, I'll probably submit my patches by tomorrow (It's fully functional here, only needs a little cleaning)

[PATCH] MEDIUM: New cli option -Ds for systemd compatibility

2012-11-07 Thread Marc-Antoine Perennou
Signed-off-by: Marc-Antoine Perennou --- doc/haproxy-en.txt | 1 + doc/haproxy-fr.txt | 1 + doc/haproxy.1 | 4 include/types/global.h | 1 + src/haproxy.c | 31 +++ 5 files changed, 26 insertions(+), 12 deletions(-) diff --git a

[RFC] Systemd compatibility

2012-11-07 Thread Marc-Antoine Perennou
Hi, I'm trying to use haproxy with systemd. It cannot be done with a raw haproxy for now, because when "reloading" the configuration file with haproxy -sf , the former process gets killed, so the service enters a "failed" state and thus kills all its children, resulting in no haproxy running. In