What is the max size that can be sent at once?

2017-10-18 Thread flamesea12


Hi, all

We are trying to tune tune.bufsize, which has a default of 16K. Can anyone tell 
me how many bytes can be sent at once?

Is it 16K exactly? Or like 90%? Where in the source code can I find this kind 
of info?

Thank you


Re: [PATCH] Allow OCSP responses containing multiple single responses

2017-10-18 Thread Robert Thralls
Felt bad about not including a documentation patch, so here it is.

Changes:
  - Clarifies that HAProxy does not fetch OCSP responses. Apache just has a
couple of set-and-forget directives that handle everything for you, so this
was definitely non-obvious to me.
  - Removes mention of needing to be a single response (my patch from
earlier today).
  - Removes mention of "good" status, per Emmanuel's patch last week.

I'm not sure if Emmanuel's patch will actually be accepted or not, but I
think the resulting language is clearer regardless, since it avoids
multiple contexts for "valid". Anyone needing the fine details can look at
the code and the (probably rare) people seeing the error already have the
information they need either way. Similarly, I saw there was no mention of
requiring the nextupdate field, but that is indeed a requirement and the
error itself was apparently sufficient documentation.


Rob Thralls




On Wed, Oct 18, 2017 at 3:46 PM, Robert Thralls 
wrote:

> Obligatory "I am not a C programmer" and "my first upstream patch"
> messages.
>
> We had an issue where one of our server certificate issuers was sending us
> responses with 20 different single responses included. The serial numbers
> in the Certificate IDs were exactly sequential, so I'm guessing they're
> pre-generating the responses in chunks. HAProxy didn't like it:
>
> "OCSP response ignored because contains multiple single responses (20).
> Content will be ignored."
>
> I did see the comment in src/ssl_sock.c. "Note: OCSP response containing
> more than one OCSP Single response is not considered valid." But I'm not
> sure how true that really is nowadays. From my searches this morning, it
> seems the standards themselves have been found to be lacking, which has
> resulted in browser support chaos (surprising no one). I'm coming from
> Apache httpd, which happily serves the full responses.
>
> If accepted or adapted, the documentation should be updated as well.
>
>
> Rob Thralls
>
--- haproxy-1.7.9/doc/configuration.txt	Fri Aug 18 02:33:20 2017
+++ haproxy-1.7.9/doc/configuration.txt.new	Wed Oct 18 19:17:00 2017
@@ -10213,16 +10213,14 @@
   For each PEM file, haproxy checks for the presence of file at the same path
   suffixed by ".ocsp". If such file is found, support for the TLS Certificate
   Status Request extension (also known as "OCSP stapling") is automatically
-  enabled. The content of this file is optional. If not empty, it must contain
-  a valid OCSP Response in DER format. In order to be valid an OCSP Response
-  must comply with the following rules: it has to indicate a good status,
-  it has to be a single response for the certificate of the PEM file, and it
-  has to be valid at the moment of addition. If these rules are not respected
-  the OCSP Response is ignored and a warning is emitted. In order to  identify
-  which certificate an OCSP Response applies to, the issuer's certificate is
-  necessary. If the issuer's certificate is not found in the PEM file, it will
-  be loaded from a file at the same path as the PEM file suffixed by ".issuer"
-  if it exists otherwise it will fail with an error.
+  enabled, though haproxy does not currently fetch OCSP responses. The contents
+  of this file are optional. If not empty, it must contain an OCSP response in
+  DER format that is valid at the moment of addition. Otherwise, the contents
+  are ignored and a warning emitted. In order to identify which certificate an
+  OCSP response applies to, the issuer's certificate is necessary. If the
+  issuer's certificate is not found in the PEM file, it will be loaded from a
+  file at the same path as the PEM file suffixed by ".issuer" if it exists,
+  otherwise it will fail with an error.
 
   For each PEM file, haproxy also checks for the presence of file at the same
   path suffixed by ".sctl". If such file is found, support for Certificate
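Review bot: The replacement sentence "it must contain an OCSP response in DER format that is valid at the moment of addition" no longer says that the response has to be for the certificate of the PEM file, and that still holds when several single responses are accepted. Suggest wording such as "an OCSP response in DER format that covers the certificate of the PEM file and is valid at the moment of addition". The cover message also notes that the nextupdate field is required but undocumented; a short clause in this paragraph would record it.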



[PATCH] Allow OCSP responses containing multiple single responses

2017-10-18 Thread Robert Thralls
Obligatory "I am not a C programmer" and "my first upstream patch" messages.

We had an issue where one of our server certificate issuers was sending us
responses with 20 different single responses included. The serial numbers
in the Certificate IDs were exactly sequential, so I'm guessing they're
pre-generating the responses in chunks. HAProxy didn't like it:

"OCSP response ignored because contains multiple single responses (20).
Content will be ignored."

I did see the comment in src/ssl_sock.c. "Note: OCSP response containing
more than one OCSP Single response is not considered valid." But I'm not
sure how true that really is nowadays. From my searches this morning, it
seems the standards themselves have been found to be lacking, which has
resulted in browser support chaos (surprising no one). I'm coming from
Apache httpd, which happily serves the full responses.

If accepted or adapted, the documentation should be updated as well.


Rob Thralls
--- haproxy-1.7.9/src/ssl_sock.c	Fri Aug 18 02:33:20 2017
+++ haproxy-1.7.9/src/ssl_sock.c.new	Wed Oct 18 13:04:22 2017
@@ -336,7 +333,8 @@
 	OCSP_SINGLERESP *sr;
 	OCSP_CERTID *id;
 	unsigned char *p = (unsigned char *)ocsp_response->str;
-	int rc , count_sr;
+	int rc;
+	int idx_sr = -1;
 	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
 	int reason;
 	int ret = 1;
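Review bot: The hunk header reads -336,7 +333,8, so this block starts three lines earlier in the new file than in the old one, yet no earlier hunk in the patch removes anything; please regenerate the diff against an unmodified haproxy-1.7.9 tree so that it applies cleanly. The "= -1" initialiser on idx_sr is also redundant, because idx_sr is assigned from OCSP_resp_find() in the next hunk before it is read.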
@@ -359,13 +357,13 @@
 		goto out;
 	}
 
-	count_sr = OCSP_resp_count(bs);
-	if (count_sr > 1) {
-		memprintf(err, "OCSP response ignored because contains multiple single responses (%d)", count_sr);
+	idx_sr = OCSP_resp_find(bs, cid, -1);
+	if (idx_sr == -1) {
+		memprintf(err, "Failed to get index of OCSP single response");
 		goto out;
 	}
 
-	sr = OCSP_resp_get0(bs, 0);
+	sr = OCSP_resp_get0(bs, idx_sr);
 	if (!sr) {
 		memprintf(err, "Failed to get OCSP single response");
 		goto out;
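Review bot: The OCSP_resp_find(bs, cid, -1) call uses cid, which is not among the locals declared in the first hunk (only OCSP_CERTID *id is), and nothing in the visible lines checks that it is set; if any caller can reach this point without a certificate ID, add a guard before the lookup. The new message "Failed to get index of OCSP single response" also hides the cause from the operator; something like "OCSP response ignored because it contains no single response for this certificate" would say what a -1 from OCSP_resp_find means.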
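The rules discussed in this thread (the response must cover the PEM file's certificate, report a good status, and carry a next update) can be checked on the operator side before a ".ocsp" file is installed. This is an added example, not code from HAProxy or from the patch author; the function names and the sample dump are constructed for illustration, and the serial is assumed to be given in hex as printed by "openssl x509 -noout -serial".

```shell
#!/bin/sh
# Added example, not HAProxy code. It inspects the text dump that
#   openssl ocsp -respin FILE -resp_text -noverify
# prints for a DER OCSP response. -noverify means only the contents are
# examined here; the responder signature is not checked.

# Constructed sample dump: three single responses with sequential serials,
# similar to the pre-generated batch described in the thread.
sample_resp_text() {
cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = Constructed Example Responder
    Produced At: Oct 18 12:00:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 1111111111111111111111111111111111111111
      Issuer Key Hash: 2222222222222222222222222222222222222222
      Serial Number: 0A01
    Cert Status: good
    This Update: Oct 18 12:00:00 2017 GMT
    Next Update: Oct 25 12:00:00 2017 GMT

    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 1111111111111111111111111111111111111111
      Issuer Key Hash: 2222222222222222222222222222222222222222
      Serial Number: 0A02
    Cert Status: revoked
    Revocation Time: Oct 17 09:00:00 2017 GMT
    This Update: Oct 18 12:00:00 2017 GMT
    Next Update: Oct 25 12:00:00 2017 GMT

    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 1111111111111111111111111111111111111111
      Issuer Key Hash: 2222222222222222222222222222222222222222
      Serial Number: 0A03
    Cert Status: good
    This Update: Oct 18 12:00:00 2017 GMT
EOF
}

# Number of single responses in the dump read from stdin.
count_single_responses() {
  awk '/Certificate ID:/ { n++ } END { print n + 0 }'
}

# Verdict for the single response whose serial matches $1 (hex, any case).
# Prints ok, no-match, status:<value> or no-nextupdate; returns 0 only for ok.
check_ocsp_text() {
  awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
    /Certificate ID:/          { in_match = 0 }   # a new single response starts
    /Serial Number:/           { in_match = (toupper($NF) == want)
                                 if (in_match) found = 1 }
    in_match && /Cert Status:/ { status = $NF }
    in_match && /Next Update:/ { next_upd = 1 }
    END {
      if (!found)           { print "no-match";        exit 1 }
      if (status != "good") { print "status:" status;  exit 1 }
      if (!next_upd)        { print "no-nextupdate";   exit 1 }
      print "ok"
    }'
}

if [ "$#" -eq 2 ]; then
  # $1 = DER OCSP response file, $2 = certificate serial in hex
  openssl ocsp -respin "$1" -resp_text -noverify | check_ocsp_text "$2"
else
  # No arguments: run on the constructed sample above.
  sample_resp_text | check_ocsp_text 0A01
fi
```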


Question about https rewrite

2017-10-18 Thread Benoît Vézina

Hi,

I spent a lot of time (I really mean a lot) trying to make Odoo 
webslide work behind HAProxy, but I still ended up putting in an nginx because 
that module sends JavaScript that calls stuff over http instead of https.


In the nginx world I have to add this to my server section and all the 
rewriting is done fine:


   proxy_set_header X-Forwarded-Proto $scheme;

So do I have to install an nginx between haproxy and odoo to do the 
rewrite, or is there a way to do it in haproxy?


Here is my frontend and backend section

frontend 443
bind *:443 ssl crt /etc/haproxy/certs/current/xtremxpert.pem ssl crt /etc/haproxy/certs/current

reqadd X-Forwarded-Proto:\ https
mode http
acl 443_xtremxpert_com__host hdr(host) -i xtremxpert.com
acl 443_xtremxpert_com__host hdr(host) -i xtremxpert.com:443
use_backend 443_xtremxpert_com_ if 443_xtremxpert_com__host

backend 443_xtremxpert_com_
acl forwarded_proto hdr_cnt(X-Forwarded-Proto) eq 0
acl forwarded_port hdr_cnt(X-Forwarded-Port) eq 0
http-request add-header X-Forwarded-Port %[dst_port] if forwarded_port
http-request add-header X-Forwarded-Proto https if { ssl_fc } forwarded_proto

mode http
server 03bfdfc9400011968ca41e78cca5cf00dc68b773 10.42.179.224:8069




Issue with sdbm hash-type

2017-10-18 Thread Will Wheatley
We are seeing an issue where, when using the SDBM hash-type, the last server in 
the pool is getting 100% of the traffic and the first server in the pool gets 0. 
We also tried adding a 3rd server and the last server still got all the traffic.
All weights were 1.

A config sample:

backend VIP
  http-reuse always
  option httpchk GET /server-status HTTP/1.1\r\nHost:\ haproxy
  balance source
  hash-type consistent sdbm
  default-server inter 2000ms fastinter 250ms downinter 1000ms fall 1 rise 2 slowstart 10s
  server SERVER1 10.0.0.115:8080 check namespace haproxy
  server SERVER2 10.0.0.116:8080 check namespace haproxy
  server SERVER1:backup 10.0.0.115:8080 backup namespace haproxy
  server SERVER2:backup 10.0.0.116:8080 backup namespace haproxy

We were able to resolve the issue by using sdbm avalanche.

Is this a known issue or a potential regression?

Thanks so much for the help!





Re: patch: allow to use any compiler

2017-10-18 Thread Willy Tarreau
On Mon, Oct 09, 2017 at 10:27:19AM +0500,  ??? wrote:
> 2017-10-09 10:10 GMT+05:00 Vincent Bernat :
> 
> >  ?  9 octobre 2017 08:49 +0500,  ???  :
> >
> > >> > any particular reason for mixing "CC=gcc" with "CC?=gcc" ?
> > >>
> > >> I don't see any use of ?=, except for stuff that are expected to be in
> > >> environment variables (like HOME, DISPLAY, LANG, PATH).
> > >>
> > >
> > > # find . -name Makefile -exec grep -E '^CC' {} ';' -print
> > > CC = gcc
> > > ./Makefile
> > > CC   = gcc
> > > ./contrib/debug/Makefile
> > > CC   = gcc
> > > ./contrib/halog/Makefile
> > > CC   = gcc
> > > ./contrib/ip6range/Makefile
> > > CC   = gcc
> > > ./contrib/iprange/Makefile
> > > CC ?= gcc
> > > ./contrib/mod_defender/Makefile
> > > CC ?= gcc
> > > ./contrib/modsecurity/Makefile
> > > CC = gcc
> > > ./contrib/spoa_example/Makefile
> > > CC   = gcc
> > > ./contrib/tcploop/Makefile
> >
> > Oh, I didn't understand. I think ?= should just be =.
> >
> 
> I'd stay with ?=, but changing all the occurrences to "=" is also nice

I really hate "?=" in makefiles. It causes random issues especially
when building larger, more complex projects involving scripts and
various stuff being passed via the environment. Just take a look at
the patches in crosstool-ng just to fix the accidental sleep of
certain CFLAGS or PATH elements through many layers of makefile to
get an idea.

With just "=" there's no such issue. If you want to change a value,
you can set it on the command line. For example here's the script I'm
using around 200 times a day during development:

#!/bin/sh
exec make -j 18 TMPDIR=/dev/shm \
  DISTCC_HOSTS="--localslots_cpp=100 192.168.0.235/100,lzo" \
  PATH=/f/tc/x86_64-gcc47_glibc218-linux-gnu/bin:$PATH \
  CC=/g/public/linux/master/x86_64-gcc47_glibc218-linux-gnu-gcc \
  TARGET=linux2628 CPU=generic CPU_CFLAGS.generic="-O0" ARCH_FLAGS="-pg" \
  DEP= USE_PCRE=1 PCREDIR= \
  SMALL_OPTS="-DBUFSIZE=8030 -DMAXREWRITE=1030" \
  DEFINE="-DSO_MARK=36 -DTCP_USER_TIMEOUT=18 -DTCP_REPAIR=19 -DDEBUG_DONT_SHARE_POOLS -DDEBUG_MEMORY_POOLS" \
  USE_OPENSSL=1 USE_ZLIB=1 USE_LUA=1 LUA_LIB_NAME=lua EXTRA= \
  USE_SLZ=1 SLZ_INC=/g/public/slz/src SLZ_LIB=/g/public/slz USE_ZLIB= \
  USE_NS=1 "$@"

Sure it's ugly. And so what ? Just done it once, and never had to patch
the makefile nor to wonder why it works in one xterm and produces a
different result in another one.

Feel free to propose a patch to convert the three "?=" to "=" however :-)

Cheers,
Willy



Re: Possible bug in task_wakeup() impacts Lua tasks

2017-10-18 Thread Willy Tarreau
On Wed, Oct 18, 2017 at 09:49:55AM +0200, Adis Nezirovic wrote:
> On 10/17/2017 07:05 PM, Emeric Brun wrote:
> > Hi Adis,
> > 
> > This patch should fix the issue more consistently.
> > 
> > Could you confirm?
> 
> It seems to work fine here, for the trivial test task and other stuff I
> work with. Thanks!

Great, thanks for testing. I too was convinced that the fix was right
but a test is always better ;-)

Now applied.
Willy



Re: [PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread Willy Tarreau
Hi Lukas,

On Wed, Oct 18, 2017 at 07:06:19PM +0200, Lukas Tribus wrote:
> Can we backport this one? There is at least one report for this in 1.7.

yep, I retagged it BUG/MINOR as for me it definitely fixes a bug,
thus it will land in 1.7 next time we backport some patches there.

Thanks for the heads-up!

Willy



Re: [PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread William Lallemand
On Wed, Oct 18, 2017 at 07:06:19PM +0200, Lukas Tribus wrote:
> Hello!
> 
> 
> 2017-10-18 18:36 GMT+02:00 Willy Tarreau :
> 
> > On Wed, Oct 18, 2017 at 04:29:19PM +0200, Olivier Houchard wrote:
> > > A few counters (namely, MaxSslRate, SslFrontendMaxKeyRate, and
> > > SslBackendMaxKeyRate) are not cleared as I think they should, when clear
> > > counters is used.
> > > The attached patch addresses that.
> >
> > Applied, thanks!
> > Willy
> >
> 
> Can we backport this one? There is at least one report for this in 1.7.
> 
> 
> 
> Thanks,
> Lukas

Sure, it will be backported.

-- 
William Lallemand



Re: [PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread Lukas Tribus
Hello!


2017-10-18 18:36 GMT+02:00 Willy Tarreau :

> On Wed, Oct 18, 2017 at 04:29:19PM +0200, Olivier Houchard wrote:
> > A few counters (namely, MaxSslRate, SslFrontendMaxKeyRate, and
> > SslBackendMaxKeyRate) are not cleared as I think they should, when clear
> > counters is used.
> > The attached patch addresses that.
>
> Applied, thanks!
> Willy
>

Can we backport this one? There is at least one report for this in 1.7.



Thanks,
Lukas


Re: [PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread Willy Tarreau
On Wed, Oct 18, 2017 at 04:29:19PM +0200, Olivier Houchard wrote:
> A few counters (namely, MaxSslRate, SslFrontendMaxKeyRate, and 
> SslBackendMaxKeyRate) are not cleared as I think they should, when clear
> counters is used.
> The attached patch addresses that.

Applied, thanks!
Willy



[PATCH] Reset a few more counters on "clear counters"

2017-10-18 Thread Olivier Houchard
Hi,

A few counters (namely, MaxSslRate, SslFrontendMaxKeyRate, and 
SslBackendMaxKeyRate) are not cleared as I think they should, when clear
counters is used.
The attached patch addresses that.

Regards,

Olivier
From d90baef4715024e50d9596bd1410b8ea03ae1ed9 Mon Sep 17 00:00:00 2001
From: Olivier Houchard 
Date: Tue, 17 Oct 2017 19:23:25 +0200
Subject: [PATCH] MINOR: stats: Clear a bit more counters with in
 cli_parse_clear_counters().

Clear MaxSslRate, SslFrontendMaxKeyRate and SslBackendMaxKeyRate when
clear counters is used, it was probably forgotten when those counters were
added.
---
 src/stats.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/stats.c b/src/stats.c
index 6cbda22f1..25d6e65ff 100644
--- a/src/stats.c
+++ b/src/stats.c
@@ -3579,6 +3579,9 @@ static int cli_parse_clear_counters(char **args, struct 
appctx *appctx, void *pr
 
global.cps_max = 0;
global.sps_max = 0;
+   global.ssl_max = 0;
+   global.ssl_fe_keys_max = 0;
+   global.ssl_be_keys_max = 0;
return 1;
 }
 
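Review bot: The three assignments added after global.sps_max = 0 have no #ifdef around them, so please confirm that ssl_max, ssl_fe_keys_max and ssl_be_keys_max exist in struct global on builds without USE_OPENSSL; if they are SSL-only, wrap the three lines in the same guard. Since the commit message describes a reset that was forgotten, the subject would also be better tagged BUG/MINOR than MINOR so the fix is picked up for backports.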
-- 
2.13.5



Re: Force Sticky session on HaProxy

2017-10-18 Thread Igor Cicimov
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#option
redispatch

On 18 Oct 2017 11:28 pm, "Devendra Joshi" 
wrote:

Hi Daniel ,

Following is the case.


[image: Inline images 1]

My query is:
1: When users are being served the web pages and my *Apache1* goes down, HAProxy
shifts the traffic to *Apache2*.
But I don't want this traffic shifted to *Apache2* when my *Apache1* is
down, because my application is session based. I want those who are being served
from *Apache1* to stay on *Apache1*, not to shift to *Apache2*.
I want to apply forced sticky sessions in HAProxy.









Devendra Joshi
8080106035
--
--


On 18 October 2017 at 17:37, Daniel Schneller  wrote:

> Hi,
>
> maybe I am missing something, but isn’t this what
> http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-cookie is
> supposed to do for you?
> We are using this (in prefix mode) to make sure the same JSESSIONID gets
> to the same backend every time.
> As the information is in the cookie, there is no state to be lost on the
> haproxy side.
>
> Daniel
>
> --
> Daniel Schneller
> Principal Cloud Engineer
>
> CenterDevice GmbH  | Hochstraße 11
> 
>| 42697 Solingen
> tel: +49 1754155711 <+49%20175%204155711>| Deutschland
> daniel.schnel...@centerdevice.de   | www.centerdevice.de
>
> Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
> Michael Rosbach, Handelsregister-Nr.: HRB 18655,
> HR-Gericht: Bonn, USt-IdNr.: DE-815299431
>
>
> On 18. Oct. 2017, at 11:58, Gibson, Brian (IMS) 
> wrote:
>
> I've used peers for this situation personally.
>
> Sent from Nine
> 
> From: Aaron West 
> Sent: Oct 18, 2017 5:33 AM
> To: Devendra Joshi
> Cc: HAProxy
> Subject: Re: Force Sticky session on HaProxy
>
> I've used something like this before:
>
> stick store-response res.cook(JSESSIONID)
> stick match req.cook(JSESSIONID)
>
> "stick on" does this I think:
>
> stick match req.cook(JSESSIONID)
> stick store-request req.cook(JSESSIONID)
>
> As the client doesn't have the cookie at the beginning of the
> connection it has to wait to store it until it's received from the
> server, I have a vague memory that I had issues with using simply
> "stick on" for this so switched to the first method above.
>
> There is a massive problem with my suggestion however, if you clear
> the stick table or restart the service(Which will clear the stick
> table) then users lose persistence until they close their browsers and
> start a new session or the server issues a new cookie. Obviously
> reloads while synchronising the stick table should be fine.
>
> However, i'm sure there will be a far better solution so I'm just
> starting the ball rolling really...
>
> Aaron West
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
>
> +1 888 867 9504 <+1%20888-867-9504> / +44 (0)330 380 1064
> <+44%20330%20380%201064>
> aa...@loadbalancer.org
>
> LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
>
>
> 
>
> Information in this e-mail may be confidential. It is intended only for
> the addressee(s) identified above. If you are not the addressee(s), or an
> employee or agent of the addressee(s), please note that any dissemination,
> distribution, or copying of this communication is strictly prohibited. If
> you have received this e-mail in error, please notify the sender of the
> error.
>
>
>


Re: Force Sticky session on HaProxy

2017-10-18 Thread Devendra Joshi
Hi Daniel ,

Following is the case.


[image: Inline images 1]

My query is:
1: When users are being served the web pages and my *Apache1* goes down, HAProxy
shifts the traffic to *Apache2*.
But I don't want this traffic shifted to *Apache2* when my *Apache1* is
down, because my application is session based. I want those who are being served
from *Apache1* to stay on *Apache1*, not to shift to *Apache2*.
I want to apply forced sticky sessions in HAProxy.









Devendra Joshi
8080106035
--
--


On 18 October 2017 at 17:37, Daniel Schneller <
daniel.schnel...@centerdevice.com> wrote:

> Hi,
>
> maybe I am missing something, but isn’t this what
> http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-cookie is
> supposed to do for you?
> We are using this (in prefix mode) to make sure the same JSESSIONID gets
> to the same backend every time.
> As the information is in the cookie, there is no state to be lost on the
> haproxy side.
>
> Daniel
>
> --
> Daniel Schneller
> Principal Cloud Engineer
>
> CenterDevice GmbH  | Hochstraße 11
> 
>| 42697 Solingen
> tel: +49 1754155711 <+49%20175%204155711>| Deutschland
> daniel.schnel...@centerdevice.de   | www.centerdevice.de
>
> Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
> Michael Rosbach, Handelsregister-Nr.: HRB 18655,
> HR-Gericht: Bonn, USt-IdNr.: DE-815299431
>
>
> On 18. Oct. 2017, at 11:58, Gibson, Brian (IMS) 
> wrote:
>
> I've used peers for this situation personally.
>
> Sent from Nine
> 
> From: Aaron West 
> Sent: Oct 18, 2017 5:33 AM
> To: Devendra Joshi
> Cc: HAProxy
> Subject: Re: Force Sticky session on HaProxy
>
> I've used something like this before:
>
> stick store-response res.cook(JSESSIONID)
> stick match req.cook(JSESSIONID)
>
> "stick on" does this I think:
>
> stick match req.cook(JSESSIONID)
> stick store-request req.cook(JSESSIONID)
>
> As the client doesn't have the cookie at the beginning of the
> connection it has to wait to store it until it's received from the
> server, I have a vague memory that I had issues with using simply
> "stick on" for this so switched to the first method above.
>
> There is a massive problem with my suggestion however, if you clear
> the stick table or restart the service(Which will clear the stick
> table) then users lose persistence until they close their browsers and
> start a new session or the server issues a new cookie. Obviously
> reloads while synchronising the stick table should be fine.
>
> However, i'm sure there will be a far better solution so I'm just
> starting the ball rolling really...
>
> Aaron West
>
> Loadbalancer.org Ltd.
>
> www.loadbalancer.org
>
> +1 888 867 9504 <+1%20888-867-9504> / +44 (0)330 380 1064
> <+44%20330%20380%201064>
> aa...@loadbalancer.org
>
> LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
>
>
> 
>
> Information in this e-mail may be confidential. It is intended only for
> the addressee(s) identified above. If you are not the addressee(s), or an
> employee or agent of the addressee(s), please note that any dissemination,
> distribution, or copying of this communication is strictly prohibited. If
> you have received this e-mail in error, please notify the sender of the
> error.
>
>
>


Re: Force Sticky session on HaProxy

2017-10-18 Thread Daniel Schneller
Hi,

maybe I am missing something, but isn’t this what
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-cookie is
supposed to do for you?
We are using this (in prefix mode) to make sure the same JSESSIONID gets to the
same backend every time.
As the information is in the cookie, there is no state to be lost on the
haproxy side.

Daniel

-- 
Daniel Schneller
Principal Cloud Engineer
 
CenterDevice GmbH  | Hochstraße 11
   | 42697 Solingen
tel: +49 1754155711| Deutschland
daniel.schnel...@centerdevice.de   | www.centerdevice.de

Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431


> On 18. Oct. 2017, at 11:58, Gibson, Brian (IMS)  wrote:
> 
> I've used peers for this situation personally.
> 
> Sent from Nine
> 
> From: Aaron West <aa...@loadbalancer.org>
> Sent: Oct 18, 2017 5:33 AM
> To: Devendra Joshi
> Cc: HAProxy
> Subject: Re: Force Sticky session on HaProxy
> 
> I've used something like this before:
> 
> stick store-response res.cook(JSESSIONID)
> stick match req.cook(JSESSIONID)
> 
> "stick on" does this I think:
> 
> stick match req.cook(JSESSIONID)
> stick store-request req.cook(JSESSIONID)
> 
> As the client doesn't have the cookie at the beginning of the
> connection it has to wait to store it until it's received from the
> server, I have a vague memory that I had issues with using simply
> "stick on" for this so switched to the first method above.
> 
> There is a massive problem with my suggestion however, if you clear
> the stick table or restart the service(Which will clear the stick
> table) then users lose persistence until they close their browsers and
> start a new session or the server issues a new cookie. Obviously
> reloads while synchronising the stick table should be fine.
> 
> However, i'm sure there will be a far better solution so I'm just
> starting the ball rolling really...
> 
> Aaron West
> 
> Loadbalancer.org Ltd.
> 
> www.loadbalancer.org
> 
> +1 888 867 9504 / +44 (0)330 380 1064
> aa...@loadbalancer.org 
> 
> LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
> 
> 
> 
> 
> Information in this e-mail may be confidential. It is intended only for the 
> addressee(s) identified above. If you are not the addressee(s), or an 
> employee or agent of the addressee(s), please note that any dissemination, 
> distribution, or copying of this communication is strictly prohibited. If you 
> have received this e-mail in error, please notify the sender of the error.



Re: HAProxy and TCP SYN flood attacks

2017-10-18 Thread Pavlos Parissis
On 18/10/2017 01:06 μμ, Pooja Patel wrote:
> Respected Sir,
> 
> I am Pooja from University of Hyderabad. Currently I am working on a networking
> project for which I am using HAProxy as a load balancer. I have one doubt and
> that is:
> 
> *Does HAProxy by default protect itself from DoS or TCP SYN flood attacks? If
> not, then how can I protect it from these attacks?*
> 
> I have done a simulation on my server using the hping3 and hyenae tools by
> flooding the HAProxy server with TCP SYN packets, but I am not able to see any
> changes in my statistics.
> 
> Kindly go through my questions; I am waiting for your reply.
> 

Before a TCP connection is handled by HAProxy, the Linux kernel processes it.
So, you need to look at defense mechanisms there. Newer kernels (see 4.9 and
higher) provide very good ways to handle TCP SYN flooding, one of them is about
lockless listener, see commits
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d54d86546f62c7c4a0fe3b36a64c5e3b98ce1a9

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6934f3ec00b04234acb24a1a2c28af59763d3b5

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c3fc7ac9a0b978ee8538058743d21feef25f7b33


With the above patches CPU utilization stays the same when a server is under TCP
SYN flood, while older kernels suffer from CPU saturation.

Cheers,
Pavlos





HAProxy and TCP SYN flood attacks

2017-10-18 Thread Pooja Patel
Respected Sir,

I am Pooja from University of Hyderabad. Currently I am working on a
networking project for which I am using HAProxy as a load balancer. I have
one doubt and that is:


*Does HAProxy by default protect itself from DoS or TCP SYN flood attacks?
If not, then how can I protect it from these attacks?*

I have done a simulation on my server using the hping3 and hyenae tools by
flooding the HAProxy server with TCP SYN packets, but I am not able to see any
changes in my statistics.

Kindly go through my questions; I am waiting for your reply.

Thanking you.
-- 
Best regards,
Pooja G. Patel,
M.tech (Computer Science),
University of Hyderabad(UoH),
Hyderabad


Re: Force Sticky session on HaProxy

2017-10-18 Thread Gibson, Brian (IMS)
I've used peers for this situation personally.

Sent from Nine

From: Aaron West 
Sent: Oct 18, 2017 5:33 AM
To: Devendra Joshi
Cc: HAProxy
Subject: Re: Force Sticky session on HaProxy

I've used something like this before:

stick store-response res.cook(JSESSIONID)
stick match req.cook(JSESSIONID)

"stick on" does this I think:

stick match req.cook(JSESSIONID)
stick store-request req.cook(JSESSIONID)

As the client doesn't have the cookie at the beginning of the
connection it has to wait to store it until it's received from the
server, I have a vague memory that I had issues with using simply
"stick on" for this so switched to the first method above.

There is a massive problem with my suggestion however, if you clear
the stick table or restart the service(Which will clear the stick
table) then users lose persistence until they close their browsers and
start a new session or the server issues a new cookie. Obviously
reloads while synchronising the stick table should be fine.

However, i'm sure there will be a far better solution so I'm just
starting the ball rolling really...

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG




Information in this e-mail may be confidential. It is intended only for the 
addressee(s) identified above. If you are not the addressee(s), or an employee 
or agent of the addressee(s), please note that any dissemination, distribution, 
or copying of this communication is strictly prohibited. If you have received 
this e-mail in error, please notify the sender of the error.



Re: Force Sticky session on HaProxy

2017-10-18 Thread Aaron West
I've used something like this before:

stick store-response res.cook(JSESSIONID)
stick match req.cook(JSESSIONID)

"stick on" does this I think:

stick match req.cook(JSESSIONID)
stick store-request req.cook(JSESSIONID)

As the client doesn't have the cookie at the beginning of the
connection it has to wait to store it until it's received from the
server, I have a vague memory that I had issues with using simply
"stick on" for this so switched to the first method above.

There is a massive problem with my suggestion however, if you clear
the stick table or restart the service(Which will clear the stick
table) then users lose persistence until they close their browsers and
start a new session or the server issues a new cookie. Obviously
reloads while synchronising the stick table should be fine.

However, i'm sure there will be a far better solution so I'm just
starting the ball rolling really...

Aaron West

Loadbalancer.org Ltd.

www.loadbalancer.org

+1 888 867 9504 / +44 (0)330 380 1064
aa...@loadbalancer.org

LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG



Re: Possible bug in task_wakeup() impacts Lua tasks

2017-10-18 Thread Adis Nezirovic
On 10/17/2017 07:05 PM, Emeric Brun wrote:
> Hi Adis,
> 
> This patch should fix the issue more consistently.
> 
> Could you confirm?

It seems to work fine here, for the trivial test task and other stuff I
work with. Thanks!

Best regards,
Adis