Re: req.cook_cnt() broken?

2017-08-25 Thread Daniel Schneller
On 24. Aug. 2017, at 01:50, Cyril Bonté wrote:
> 
> You're right. Currently, the code and the documentation don't say the same 
> things.
> 
> Can you try the attached patch ?
> 
> -- 
> Cyril Bonté
> 

Thanks for the patch!

Tried against 1.8, 1.7.9, and 1.6.13 just now. Works as expected with all 
three. :D

Any chance of getting this fix backported to the 1.7 and ideally 1.6 branches?

It would come in handy on a production system currently running 1.6 that I 
cannot easily upgrade to 1.7.


Cheers,
Daniel


-- 
Daniel Schneller
Principal Cloud Engineer
 
CenterDevice GmbH                  | Hochstraße 11
                                   | 42697 Solingen
tel: +49 1754155711                | Germany
daniel.schnel...@centerdevice.de   | www.centerdevice.de

Management: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Commercial register no.: HRB 18655,
Register court: Bonn, VAT ID: DE-815299431


Re: Two way authentication issue

2017-08-25 Thread Markus Rietzler
On 25.08.17 at 08:49, Lukas Tribus wrote:
> Hello,
> 
> 
> On 25.08.2017 at 01:47, Keresztes Péter-Zoltán wrote:
>> Hello
>>
>> Basically what I need is when I browse /service/ws to use client certificate 
>> authentication otherwise for everything else to use normal ssl termination
> 
> this is not possible with Haproxy.
> 
> Also, never ever bind to the same port twice. The kernel will load-balance 
> between the 2 frontends and the behavior will be non-deterministic.
> 
> 
> cheers,
> lukas
> 
> 
> 
You can do or use client authentication with SSL certificates on haproxy. BUT

1) you have to use and configure the certificates on haproxy
2) you cannot pass this certificate to the backend server, only e.g. the user name 
as an environment variable

markus



Re: Two way authentication issue

2017-08-25 Thread Lukas Tribus
Hello,


On 25.08.2017 at 17:27, Markus Rietzler wrote:
> You can do or use client authentication with SSL certificates on haproxy.

My point is: you cannot enable SSL client certificate authentication on a
specific URI. You need server-based renegotiation for that, which
haproxy does not support.

Apache is the only product I know that supports this.


I strongly suggest using a dedicated hostname (and IP:port combination) for
your SSL client certificate authentication needs.


lukas
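
The dedicated hostname and IP:port layout suggested above, as an added haproxy configuration example that is not part of the original thread. All addresses, hostnames, certificate and CA paths, the header name and the backend names are placeholders.

```haproxy
# Added example; every address, path and name below is a placeholder.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_public
    # Normal TLS termination: no client certificate is requested here.
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/www.example.com.pem
    # Remove any client-supplied identity header so it cannot be spoofed
    # on the unauthenticated listener.
    http-request del-header X-SSL-Client-CN
    default_backend be_app

frontend fe_clientcert
    # Separate IP:port for the hostname that needs client certificates.
    # "verify required" makes the handshake fail unless the client presents
    # a certificate that chains to the CA in ca-file.
    bind 192.0.2.11:443 ssl crt /etc/haproxy/certs/ws.example.com.pem ca-file /etc/haproxy/ca/clients-ca.pem verify required
    # set-header replaces any existing value with the CN taken from the
    # verified client certificate.
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    default_backend be_ws

backend be_app
    server app1 10.0.0.10:8080 check

backend be_ws
    # Only fe_clientcert routes here, so every request carries a verified CN.
    server ws1 10.0.0.20:8080 check
```

The backend should trust the identity header only when its traffic can arrive solely through the client-certificate frontend.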




Re: req.cook_cnt() broken?

2017-08-25 Thread Willy Tarreau
Hi Daniel,

On Fri, Aug 25, 2017 at 12:47:41PM +0200, Daniel Schneller wrote:
> On 24. Aug. 2017, at 01:50, Cyril Bonté wrote:
> > 
> > You're right. Currently, the code and the documentation don't say the same 
> > things.
> > 
> > Can you try the attached patch ?
> > 
> > -- 
> > Cyril Bonté
> > 
> 
> Thanks for the patch!
> 
> Tried against 1.8, 1.7.9, and 1.6.13 just now. Works as expected with all 
> three. :D
> 
> Any chance of getting this fix backported to the 1.7 and ideally 1.6 branches?
> 
> It would come in handy on a production system currently running 1.6 that I
> cannot easily upgrade to 1.7.

Don't worry, we *always* backport fixes as far as relevant (so possibly
even 1.5 and 1.4). We know that haproxy is such a sensitive component
which once deployed rarely experiences major upgrades, so what's most
important is that what is deployed works.

We're late on 1.6 fixes by the way, the bug chasing in 1.7 has made
us uncertain about a few fixes for a while, causing us to wait before
taking risks on 1.6. I think we'll soon be more confident in preparing
1.6.14, likely with the aforementioned fix :-)

Cheers,
Willy



Re: Removed health check in combination with load-server-state-from-file (Bug)

2017-08-25 Thread Tim Düsterhus
Hi

As I did not receive any reply at all to my email from Aug 13, I thought
I'd resend it (quoted below). Can anyone at least verify that my bug
report is valid? :-)

Tim

On 13.08.2017 at 13:19, Tim Düsterhus wrote:
> Hi
> 
> I run haproxy with 'load-server-state-from-file'. Before reloading
> haproxy I dump the state using:
> 
> echo show servers state |nc -U admin.sock > /etc/haproxy/state/global
> 
> I noticed a buggy behaviour with this:
> 
> 1. Check that the backend is 'DOWN'.
> 2. Dump the state using the command above (the 'DOWN' state is written
> into the file).
> 3. Remove the health check of the backend.
> 4. Reload haproxy.
> 5. The backend will now be 'DOWN' forever, as the initial state taken
> from the file is 'DOWN' and no health checks are running.
> 
> I attached an example configuration and an example state file. To
> reproduce the issue:
> 
> 1. Start haproxy.
> 2. Open the Stats page.
> 3. Place the state file.
> 4. Remove the 'check' from the configuration.
> 5. Reload haproxy.
> 6. Start the backend.
> 7. Reload the Stats page and notice that the backend still is 'DOWN'.
> 
> Tim
>