Re: [ANNOUNCE] haproxy-2.2-dev6

2020-04-17 Thread Willy Tarreau
On Sat, Apr 18, 2020 at 02:05:40AM +0200, Tim Düsterhus wrote:
> Willy,
> 
> On 17.04.20 at 14:51, Willy Tarreau wrote:
> > accepted the incoming connection. A new "linux-musl" target was added to
> > the makefile because I believed I was the only one using it but I'm not,
> > so this can slightly help Docker users.
> 
> This is in use by the 'haproxy' image of the Docker Official Images
> program now, so any obvious issues in the future should be detected.
> 
> https://github.com/docker-library/haproxy/pull/111

Thank you Tim!
Willy



Re: Sometimes worker process stops working.

2020-04-17 Thread flamesea12
Hi,
Thank you very much! I'm using v1.8.25 in production which works fine and 
v2.1.4 in development.

global
    maxconn   1
    master-worker
    nbproc 4
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    pidfile  /var/run/haproxy.pid
    stats socket /var/run/haproxy.sock mode 600 level admin expose-fd listeners
    stats timeout 60s

defaults
    option redispatch
    option http-keep-alive
    option forwardfor
    retries 3
    timeout client  600s
    timeout connect 600s
    timeout server  600s
    timeout http-request 600s
    http-reuse always
    timeout client-fin 30s
    timeout http-keep-alive 600s

cache static
    total-max-size 1000
    max-object-size 104857600
    max-age 2400

frontend  fe_main
    bind *:80
    bind :::443 ssl *** alpn h2,http/1.1
    redirect scheme https code 301 if !{ ssl_fc }
    mode http
    option httplog
    #filter compression
    #compression algo gzip
    #compression offload
    #compression algo gzip
    #compression type application/octet-stream text/css text/html text/javascript application/javascript text/plain text/xml application/json
    http-request cache-use  static
    http-response cache-store static
    default_backend app

backend app

Re: [ANNOUNCE] haproxy-2.2-dev6

2020-04-17 Thread Tim Düsterhus
Willy,

On 17.04.20 at 14:51, Willy Tarreau wrote:
> accepted the incoming connection. A new "linux-musl" target was added to
> the makefile because I believed I was the only one using it but I'm not,
> so this can slightly help Docker users.

This is in use by the 'haproxy' image of the Docker Official Images
program now, so any obvious issues in the future should be detected.

https://github.com/docker-library/haproxy/pull/111

Best regards
Tim Düsterhus



Re: HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Olivier D
On Fri, Apr 17, 2020 at 20:49, Tim Düsterhus wrote:

> Olivier,
>
> On 17.04.20 at 20:22, Olivier D wrote:
> > My first tries are based on something like this :
> >stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
> Not sure whether that's just an error in your email, but: You store a
> http_req_rate, not a number of connections.
>

You are correct, last test was
   stick-table type ipv6 size 100k  expire 30s  store conn_cur

 but it seems to not do what I want.

I'll check again on Monday with some rest :)

Olivier


>
> >http-request track-sc0 req.hdr( X-Forwarded-For )
> >http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> >
>
> Best regards
> Tim Düsterhus
>


Re: HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Tim Düsterhus
Olivier,

On 17.04.20 at 20:22, Olivier D wrote:
> My first tries are based on something like this :
>stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
Not sure whether that's just an error in your email, but: You store a
http_req_rate, not a number of connections.

>http-request track-sc0 req.hdr( X-Forwarded-For )
>http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> 

Best regards
Tim Düsterhus



HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Olivier D
Hello everyone,
I would like to implement a "max concurrent connection" in HAProxy. This is
easy to do at TCP level :

stick-table  type ipv6 size 100k  expire 30s  store conn_cur
http-request track-sc0 src
http-request deny deny_status 429 if { src_conn_cur ge 20 }

But now, I want to do the same for concurrent HTTP queries, based on header
'X-Forwarded-For'. For example, I want to send a 429 error code if someone
is sending an HTTP query when he already has 20 ongoing.

My first tries are based on something like this :
   stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
   http-request track-sc0 req.hdr( X-Forwarded-For )
   http-request deny deny_status 429 if { sc0_conn_cur ge 20 }

but it doesn't seem to work the way I want ...

Now I'm a bit lost, but maybe someone already implemented this ?

Thank you  !

Olivier


Re: Sometimes worker process stops working.

2020-04-17 Thread Willy Tarreau
Hi,

On Thu, Apr 16, 2020 at 09:40:17AM +0900, flamese...@yahoo.co.jp wrote:
> Hi all,
> I'm using latest v2.1.4, with a multiple processes config(nbproc 4),
> everything works fine at the beginning. Meaning I can see 4 worker processes
> are using CPU at 70~80% by top command.
> The next day I noticed a drop of CPU usage on our monitoring system
> dashboard, then I logged in and found that there are only 3 worker
> processes are using CPU at 70~80% by top command. But all haproxy processes
> are there(1 master, 4 workers). 
> The worker which does not show up on top's output only uses ~1% CPU. So I
> assume that worker does not receive traffic.
> This does not happen always, but when it happens, it happens after several
> hours after start haproxy.
> If you need more information, tell me how to do it, I'm willing to provide.

First, could you please share your config ? (just drop any confidential info
like IP addresses or passwords).

Did you have a working behaviour previously with another version ? If so,
which one ? Do you observe anything abnormal in your logs ? On the stats
page ?

Since you're in multi-process mode, one thing that *could* possibly
happen is that you'd be dealing with some heavy requests over very long
connections, and that once some clients are connected to a given process
and they send it very heavy requests, these ones are affected.

But this should normally not happen unless you have lots of CPU-intensive
rules like regex (or even worse, map_reg() with a large file), all of
which should be possible to get rid of on the long term if needed.

Willy



Problem with crl certificate

2020-04-17 Thread Davide Guarneri
Hello everyone,
I'm trying to set up haproxy to handle TLS request with mutual
authentication and CRL,
here's an extract of the current configuration:

```
frontend mqtts_frontend
    bind *:8883 ssl crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem
    default_backend mqtts_backend

backend mqtts_backend
    server mqtt1 mqtt1:1884 check send-proxy
    server mqtt2 mqtt2:1884 check send-proxy
```
Those certificates are working with my current apache setup, when I test
with openssl
everything is working: Verify return code: 0 (ok)

The problem is that when I test against the haproxy I receive the following
error
Verify return code: 19 (self signed certificate in certificate chain).

If I remove the "crl-file /etc/haproxy/ssl/ca.crl.pem" everything goes OK,
but I need to handle the revoked clients.

The chain of server certificate is: CARoot -> Intermediate -> Server
The clients have a certificate signed also by Intermediate. And also cert
CRL is signed by Intermediate.

Have you any suggestions?

Thanks,
Davide


[ANNOUNCE] haproxy-2.2-dev6

2020-04-17 Thread Willy Tarreau
Hi,

HAProxy 2.2-dev6 was released on 2020/04/17. It added 88 new commits
after version 2.2-dev5.

It's a bit late as I would have preferred to emit that one earlier, but
anyway now it's available.

The changes are mostly split into 4 categories:
  - bug fixes: 22 bugs were fixed since 2.2-dev5. It's worth noting that
    this version is the first tagged 2.2-dev which includes the fix for
    CVE-2020-11100 that's going to be published next week

  - SSL runtime cert updates: William has completed his rework of the
    certificate management so apparently (if my understanding is right)
    now any certificate can now be updated on the fly from the CLI, added
    to or deleted from crt-list, etc. This was a long awaited feature but
    now it's a reality. See William's e-mail below for all the details:

    https://www.mail-archive.com/haproxy@formilux.org/msg36927.html

  - idle connections improvements: it was reported that under sustained
    load, some connections were still occasionally dropped and recreated.
    This was caused by the fact that we periodically kill half of the idle
    ones. Now instead haproxy constantly monitors how many are needed on a
    server, and it kills half of those which are not expected to be used
    based on the previous period measurements. This way fluctuating loads
    will keep even more connections reusable.

  - troubleshooting: given that some users get trapped into running the
    wrong haproxy executable when they install several of them on their
    system, when haproxy emits an alert during the startup, it will now
    also report its exact version and the path the executable was loaded
    from (this last one is only on recent linux systems). This can help
    detect a wrong path in an init script for example. In addition, there
    is a new "zero-warning" mode which can be enabled using -dW or using
    "zero-warning" in the global section, which turns any warning into a
    fatal error to prevent it from starting. This can help for those who
    are careful about keeping clean configs, or who want to enforce clean
    configs on shared systems. Last, "haproxy -c" will now indicate at the
    end if some warnings were found. This may be useful in check scripts.

The rest is very minor, usual code/doc/CI cleanups mostly. A new sample-
fetch function "so_name" reports the "name" field of the bind line that
accepted the incoming connection. A new "linux-musl" target was added to
the makefile because I believed I was the only one using it but I'm not,
so this can slightly help Docker users.

And I think that's about all for this one.

Regarding the pending stuff I'm aware of, Christopher told me he'll soon
have a first batch of health-check changes, Emeric will have some updates
to support syslog over TCP, there are a few patches still being discussed
on the list and bugs worth having a look at in the github tracker. But
overall I think we'll be good for end of May or early June.

If you're using a lot of SSL certificates or using them in a non-trivial
way, please give this one a try and report anything strange you might
notice, or anything you would find confusing in the way to manage your
certs. William did a lot of tests but we also know it's a very tricky
area where users are sometimes creative :-)

Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog: http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Adam Mills (1):
  DOC: hashing: update link to hashing functions

Baptiste Assmann (2):
  CLEANUP: remove obsolete comments
  BUG/MEDIUM: dns: improper parsing of aditional records

Daniel Corbett (1):
  BUG/MINOR: stats: Fix color of draining servers on stats page

Dominik Froehlich (1):
  CLEANUP: http: Fixed small typo in parse_http_return

Emmanuel Hocdet (4):
  BUG/MINOR: ssl: memory leak when find_chain is NULL
  CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain
  MINOR: ssl: rework add cert chain to CTX to be libssl independent
  MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

Frédéric Lécaille (3):
  BUG/MINOR: peers: Use after free of "peers" section.
  BUG/MINOR: protocol_buffer: Wrong maximum shifting.
  BUG/MINOR: peers: Incomplete peers sections should be validated.

Ilya Shipitsin (11):
  CI: github actions: add weekly h2spec test
  CLEANUP: assorted typo fixes in the code and comments
  CLEANUP: src/fd.c: mask setsockopt with DISGUISE
  CLEANUP: assorted typo fixes in 

Re: HAproxy Error

2020-04-17 Thread Lukas Tribus
On Fri, 17 Apr 2020 at 13:57,  wrote:
>  Even clean installation isn’t working because the default package available 
> in RHEL from you is without openssl.

You are wrong.

1) we don't provide any packages. RHEL does.
2) a fresh RHEL 8.1 AMI on AWS works just fine and uses the provided
1.8.15 image with SSL support, as opposed to 2.1.2 which clearly you
manually compiled from source.


Here is the evidence from a freshly installed RHEL 8.1 AMI image on AWS:

[root@ip-172-31-42-121 ~]# uname -a
Linux ip-172-31-42-121.eu-central-1.compute.internal
4.18.0-147.el8.x86_64 #1 SMP Thu Sep 26 15:52:44 UTC 2019 x86_64
x86_64 x86_64 GNU/Linux
[root@ip-172-31-42-121 ~]# date
Fri Apr 17 12:22:38 UTC 2020
[ec2-user@ip-172-31-42-121 ~]$ haproxy -vv
-bash: haproxy: command not found
[root@ip-172-31-42-121 ~]# yum update
Red Hat Update Infrastructure 3 Client Configuration Server 8         7.6 kB/s | 2.1 kB 00:00
Red Hat Enterprise Linux 8 for x86_64 - AppStream from RHUI (RPMs)     11 kB/s | 2.8 kB 00:00
Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)        10 kB/s | 2.4 kB 00:00
Dependencies resolved.
Nothing to do.
Complete!
[root@ip-172-31-42-121 ~]# yum install haproxy
Last metadata expiration check: 0:00:07 ago on Fri 17 Apr 2020 12:22:43 PM UTC.
Dependencies resolved.
================================================================================
 Package    Architecture    Version             Repository                    Size
================================================================================
Installing:
 haproxy    x86_64          1.8.15-6.el8_1.1    rhel-8-appstream-rhui-rpms    1.3 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 1.3 M
Installed size: 4.4 M
Is this ok [y/N]: y
Downloading Packages:
haproxy-1.8.15-6.el8_1.1.x86_64.rpm                                   4.9 MB/s | 1.3 MB 00:00
--------------------------------------------------------------------------------
Total                                                                 3.5 MB/s | 1.3 MB 00:00
Running transaction check
Waiting for process with pid 1068 to finish.
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                   1/1
  Running scriptlet: haproxy-1.8.15-6.el8_1.1.x86_64                   1/1
  Installing       : haproxy-1.8.15-6.el8_1.1.x86_64                   1/1
  Running scriptlet: haproxy-1.8.15-6.el8_1.1.x86_64                   1/1
  Verifying        : haproxy-1.8.15-6.el8_1.1.x86_64                   1/1

Installed:
  haproxy-1.8.15-6.el8_1.1.x86_64

Complete!
[root@ip-172-31-42-121 ~]# haproxy -vv
HA-Proxy version 1.8.15 2018/12/13
Copyright 2000-2018 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1
USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1
USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1c FIPS  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c FIPS  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.4
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), 

Re: HAproxy Error

2020-04-17 Thread Willy Tarreau
On Fri, Apr 17, 2020 at 11:57:40AM +, bindushree...@cognizant.com wrote:
> We are asking about the issue using your application. If you don't
> have enough information to provide it's okay thank you.

Are you serious ? Did you even read *any* single response ? Several
people told you that you were running a locally built haproxy package
which has nothing to do with the one provided by RHEL, and you insist
on not taking that very basic diagnostic into account.

> Also we have come to you after checking everything from our end. Even clean
> installation isn't working because the default package available in RHEL from
> you is without openssl.

No, either you didn't check, or you're not doing the very basic things
any admin would do. You're starting haproxy from /usr/local/sbin and
you won't find such a path in a mainstream distro, it definitely is for
your locally installed packages.

So someone on your end *has* built and installed this bogus version
and you're not using the one from the distro. A quick googling seems
to indicate that RHEL8 ships with haproxy 1.8. Yours is 2.1 so it does
not come from RHEL.

> If you can help us with rpm which is having openssl in it.

I'm sorry but you're on your own here. Your system is obviously broken,
everyone sees it without having access to it, and you refuse to admit it.
There's hardly anything anyone can do remotely to help you if you continue
to report wrong diagnostics.

Now what else to do ? I don't know. Maybe use rpm to figure what package
provides /usr/local/sbin/haproxy and remove that package, then install
the valid one provided by your distro instead. Maybe your distro isn't
genuine and was badly modified by someone in your team. Maybe someone
installed a backdoored executable there before leaving your company, I
don't know, everything is possible, but I can't guess for you I'm afraid.

Hoping this helps,
Willy
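
Added example (not from the thread or the HAProxy project): the check described above, and the "wrong haproxy executable" situation mentioned in the 2.2-dev6 announcement, as a shell script that lists every `haproxy` on the search path and asks the RPM database which package, if any, owns it. It goes slightly beyond the thread by also running `rpm -Vf` to flag a packaged file that no longer matches its package; the function names are illustrative.

```sh
#!/bin/sh
# Added example: which "haproxy" does this host actually run, and did it come
# from a package? Function names are illustrative, not part of any tool.

# Print every executable called NAME found in the colon-separated DIRLIST,
# in lookup order (the first line is what a bare command name resolves to).
find_binaries() {
    fb_name=$1
    fb_ifs=$IFS
    IFS=:
    for fb_dir in $2; do
        [ -n "$fb_dir" ] || fb_dir=.      # empty PATH entry means "."
        if [ -f "$fb_dir/$fb_name" ] && [ -x "$fb_dir/$fb_name" ]; then
            printf '%s\n' "$fb_dir/$fb_name"
        fi
    done
    IFS=$fb_ifs
}

# Describe where FILE came from according to the RPM database:
#   "unpackaged"      no package owns it (e.g. a local "make install")
#   "<pkg> MODIFIED"  owned, but rpm -V reports that the file differs
#   "<pkg>"           owned and matching what the package recorded
package_origin() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "unknown (no rpm on this host)"
        return 0
    fi
    if ! po_pkg=$(rpm -qf "$1" 2>/dev/null </dev/null); then
        echo "unpackaged"
        return 0
    fi
    # rpm -V prints one line per file that differs; the path is the last field.
    if rpm -Vf "$1" 2>/dev/null </dev/null |
        awk -v p="$1" '$NF == p { hit = 1 } END { exit !hit }'; then
        echo "$po_pkg MODIFIED"
    else
        echo "$po_pkg"
    fi
}

# One tab-separated line per binary: ACTIVE|shadowed, path, origin.
audit_binaries() {
    ab_tag=ACTIVE
    find_binaries "$1" "$2" | while IFS= read -r ab_bin; do
        printf '%s\t%s\t%s\n' "$ab_tag" "$ab_bin" "$(package_origin "$ab_bin")"
        ab_tag=shadowed
    done
}

audit_binaries haproxy "$PATH"
```

An `ACTIVE` line reported as `unpackaged` is the case discussed in this thread: the binary that gets started is not the one the distribution installed.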



Re: [PR] Updating Documentation for Hashing

2020-04-17 Thread Willy Tarreau
Hi Adam,

On Wed, Apr 15, 2020 at 02:23:10AM +0200, PR Bot wrote:
> Dear list!
> 
> Author: Adam Mills 
> Number of patches: 1
> 
> This is an automated relay of the Github pull request:
>Updating Documentation for Hashing
> 
> Patch title(s): 
>Updating Documentation for Hashing

Thanks, now merged, with minor edits:
  - edited the subject line to comply with CONTRIBUTING
  - I kept the link description at the end unmodified ("mixing functions")
since it's the purpose of the link and the article still speaks about
this.

Willy



RE: HAproxy Error

2020-04-17 Thread BINDUSHREE.DB
Hi Willy,

For your kind information not asking you how to manage server or how to google.
We are asking about the issue using your application. If you don't have enough 
information to provide it's okay thank you.
Also we have come to you after checking everything from our end. Even clean 
installation isn’t working because the default package available in RHEL from 
you is without openssl.
If you can help us with rpm which is having openssl in it.

Thank you.

Thanks,
Bindushree D B


-Original Message-
From: Willy Tarreau 
Sent: Friday, April 17, 2020 1:07 PM
To: D B, Bindushree (Cognizant) 
Cc: li...@ltri.eu; haproxy@formilux.org
Subject: Re: HAproxy Error

[External]


On Fri, Apr 17, 2020 at 04:02:41AM +, bindushree...@cognizant.com wrote:
> HI Lukas,
>
> Package was installed in RHEL machines using yum. Let me know how to install 
> Redhat openssl version.

Well, I'm sorry but at this point you're mainly asking how to manage
*your* server. Participants here are not in a position to help you fix what's 
on your server if you performed wrong operations. Either you trash it and 
reinstall it from scratch to have a clean install, or you contract with someone 
to do the job for you. But your requests for help are absolutely not related to 
haproxy at this point, only to help you figure how to use google to find how to 
install packages on your system.

There's no point continuing this thread, everyone is wasting his time, 
including you apparently since you've remained stuck at point zero before the 
elementary google search.

Willy
This e-mail and any files transmitted with it are for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
If you are not the intended recipient(s), please reply to the sender and 
destroy all copies of the original message. Any unauthorized review, use, 
disclosure, dissemination, forwarding, printing or copying of this email, 
and/or any action taken in reliance on the contents of this e-mail is strictly 
prohibited and may be unlawful. Where permitted by applicable law, this e-mail 
and other e-mail communications sent to and from Cognizant e-mail addresses may 
be monitored.


Re: MINOR: http: Fixed small typo in parse_http_return

2020-04-17 Thread Willy Tarreau
Hi Dominik,

On Fri, Apr 17, 2020 at 09:20:05AM +, Froehlich, Dominik wrote:
> While looking for the solution for another problem I found a couple of small 
> typos in a warning.

Merged, thanks!
Willy



MINOR: http: Fixed small typo in parse_http_return

2020-04-17 Thread Froehlich, Dominik
Hi,

While looking for the solution for another problem I found a couple of small 
typos in a warning.

Thanks for review/merge.

Regards,
Dominik Froehlich
dominik.fro...@gmail.com
dominik.froehl...@sap.com



0001-MINOR-http-Fixed-small-typo-in-parse_http_return.patch
Description: 0001-MINOR-http-Fixed-small-typo-in-parse_http_return.patch


Re: [PATCH] 8th iteration of typo fixes

2020-04-17 Thread Willy Tarreau
On Thu, Apr 16, 2020 at 11:53:34PM +0500,  ??? wrote:
> Hello,
> 
> next typo fixes.

applied, thanks Ilya!

Willy



Re: HAproxy Error

2020-04-17 Thread Willy Tarreau
On Fri, Apr 17, 2020 at 04:02:41AM +, bindushree...@cognizant.com wrote:
> HI Lukas,
> 
> Package was installed in RHEL machines using yum. Let me know how to install 
> Redhat openssl version.

Well, I'm sorry but at this point you're mainly asking how to manage
*your* server. Participants here are not in a position to help you
fix what's on your server if you performed wrong operations. Either
you trash it and reinstall it from scratch to have a clean install,
or you contract with someone to do the job for you. But your requests
for help are absolutely not related to haproxy at this point, only to
help you figure how to use google to find how to install packages on
your system.

There's no point continuing this thread, everyone is wasting his time,
including you apparently since you've remained stuck at point zero
before the elementary google search.

Willy



Logging captured payload not working

2020-04-17 Thread Tom

Hi

Any hints on my question below, how I can capture request payload with 
2.1.3?


Many thanks.
Kind regards,
Tom



 Forwarded Message 
Subject: Logging captured payload not working
Date: Mon, 6 Apr 2020 07:39:32 +0200
From: Tom 
To: haproxy@formilux.org

Hi

Using haproxy 2.1.3, I'm trying to capture the request payload of an 
http/1.1 tls-offloaded session:


config-snippet:

---

   declare capture request len 9
   declare capture response len 9
   log-format "srcip=%ci:%cp feip=%fi:%fp(%f,%ft,%fc) beip=%bi:%bp(%b,%bc) serverip=%si:%sp(%s) "%r" %ac/%fc/%bc/%sc/%rc %sq/%bq requests=%rt resptime=%Tr bytesread=%B status=%ST tsc=%tsc sslv=%sslv ms=%ms request=%hr response=%hs"

   http-request capture req.payload(0,0) id 0
   http-response capture res.payload(0,0) id 0

---

The log shows only "{#D0?}" instead of the requested payload:

...sslv=TLSv1.3 ms=325 request={#D0?} response={#D0?}


As I remember the config above worked for haproxy-1.8.x.

Any hints for this?

Many thanks.

Tom