Restricting a backend to certain IPs

2021-07-13 Thread Stephan Seitz

Hello!

I have a frontend configuration that sends requests to different backends 
according to the host header.


Something like:
use_backend backendZ if { hdr(Host) -i  }

This is working fine, but now one such rule should only be allowed if the 
clients are from a certain IP range.


According to the documentation if conditions are AND-combined:
acl rule1 
acl rule2 
use_backend backendZ if rule1 rule2

So I tried the following:
acl network_allowed src IP1 IP2 IP3
acl dstvhost hdr(Host) -i 
use_backend backendZ if network_allowed dstvhost

But now I’m not getting to this backend even if my IP is in the list.
The rule
use_backend backendZ if dstvhost
is working but without restrictions.

So how do I solve my problem?

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|



Re : haproxy.com : Current Issues in Sustainable Site Design..

2021-07-13 Thread Natasa Hunter
Dear haproxy.com Owner,

I am Natasa Hunter, consultant for one of the leading web design & development agencies.

We are dedicated to helping Start-ups, SMEs & Large Enterprises with website design, application development & marketing solutions.

Inbox me your message if you would like to update your current haproxy.com or want to build a brand new website / application with updated features.

Feel free to ask me for a demo.

Sincerely yours,

Natasa Hunter,
B.C - Digital Agency


Bid Writing, Fundraising and Volunteering Workshops

2021-07-13 Thread NFP Workshops

NFP WORKSHOPS
Affordable Training Courses



Bid Writing: The Basics


Do you know the most common reasons for rejection? Are you gathering the right 
evidence? Are you making the right arguments? Are you using the right 
terminology? Are your numbers right? Are you learning from rejections? 

Are you assembling the right documents? Do you know how to create a clear and 
concise standard funding bid? Are you communicating with people or just 
excluding them? Do you know your own organisation well enough? 

Are you thinking through your projects carefully enough? Do you know enough 
about your competitors? Are you answering the questions funders will ask 
themselves about your application? Are you submitting applications correctly?
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95.00
CLICK ON DATE TO BOOK YOUR PLACE
MON 19 JUL 2021
MON 02 AUG 2021
MON 23 AUG 2021
MON 06 SEP 2021
MON 20 SEP 2021
MON 04 OCT 2021
MON 18 OCT 2021




Bid Writing: Advanced

Are you applying to the right trusts? Are you applying to enough trusts? Are 
you asking for the right amount of money? Are you applying in the right ways? 
Are your projects the most fundable projects? 

Are you carrying out trust fundraising in a professional way? Are you 
delegating enough work? Are you highly productive or just very busy? Are you 
looking for trusts in all the right places? 

How do you compare with your competitors for funding? Is the rest of your 
fundraising hampering your bids to trusts? Do you understand what trusts are 
ideally looking for?
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95.00
CLICK ON DATE TO BOOK YOUR PLACE
TUE 20 JUL 2021
TUE 03 AUG 2021
TUE 24 AUG 2021
TUE 07 SEP 2021
TUE 21 SEP 2021
TUE 05 OCT 2021
TUE 19 OCT 2021



Legacy Fundraising 

Why do people make legacy gifts? What are the ethical issues? What are the 
regulations? What are the tax issues? What are the statistics? What are the 
trends? How can we integrate legacy fundraising into our other fundraising? 

What are the sources for research? How should we set a budget? How should we 
evaluate our results? How should we forecast likely income? Should we use 
consultants? How should we build a case for support? 

What media and marketing channels should we use? What about in memory giving? 
How should we set up our admin systems? What are the common problems & pitfalls?
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95
CLICK ON DATE TO BOOK YOUR PLACE
WED 21 JUL 2021
WED 22 SEP 2021



Major Donor Fundraising

Major Donor Characteristics, Motivations and Requirements. Researching and 
Screening Major Donors. Encouraging, Involving and Retaining Major Donors.

Building Relationships with Major Donors. Major Donor Events and Activities. 
Setting Up Major Donor Clubs. Asking For Major Gifts. Looking After and 
Reporting Back to Major Donors.

Delivering on Major Donor Expectations. Showing Your Appreciation to Major 
Donors. Fundraising Budgets and Committees.
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95
CLICK ON DATE TO BOOK YOUR PLACE
WED 04 AUG 2021
WED 06 OCT 2021



Corporate Fundraising 

Who are these companies? Why do they get involved? What do they like? What can 
you get from them? What can you offer them? What are the differences between 
donations, sponsorship, advertising and cause related marketing? 

Are companies just like trusts? How do you find these companies? How do you 
research them? How do you contact them? How do you pitch to them? How do you 
negotiate with them? 

When should you say no? How do you draft contracts? How do you manage the 
relationships? What could go wrong? What are the tax issues? What are the legal 
considerations?
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95
CLICK ON DATE TO BOOK YOUR PLACE
WED 25 AUG 2021
WED 20 OCT 2021



Recruiting and Managing Volunteers

Where do you find volunteers? How do you find the right volunteers? How do you 
attract volunteers? How do you run volunteer recruitment events? How do you 
interview volunteers?  

How do you train volunteers? How do you motivate volunteers? How do you involve 
volunteers? How do you recognise volunteers? How do you recognise problems with 
volunteers? How do you learn from volunteer problems?  

How do you retain volunteers? How do you manage volunteers? What about 
volunteers and your own staff? What about younger, older and employee 
volunteers?
ONLINE VIA ZOOM
10.00 TO 12.30
COST £95
CLICK ON DATE TO BOOK YOUR PLACE
WED 08 SEP 2021



Feedback From Past Attendees
I must say I was really impressed with the course and the content. My knowledge 
and confidence has increased hugely. I got a lot from your course and a lot of 
pointers! 
I can say after years of fundraising I learnt so much from your bid writing 
course. It was a very informative day and for someone who has not written bids 
before I am definitely more confident to get involved with them. 
I found the workshops very helpful. It is a whole new area for me but the 
information you imparted has given me a lot of confidence w

set mss on backend site on version 1.7.9

2021-07-13 Thread Stefan Fuhrmann

Hello all,

First, we cannot change to a newer version so fast within the project.

We have an old installation of haproxy (1.7.9) and we need to configure 
the TCP MSS value on the backend side.

Is it possible to change the MSS value on the backend side? How?


Tia

Stefan




Re: [PATCH] JA3 TLS Fingerprinting

2021-07-13 Thread Marcin Deranek
Hi Willy,

On Mon, Jul 12, 2021 at 9:09 PM Willy Tarreau  wrote:

>
> Just out of curiosity (feel free not to respond if you'd prefer not to),
> how are you using this result ? Is it to try to figure outliers by
> matching signatures against what the user-agent claims to be, or just
> for monitoring/logging or maybe for rate limiting bots ? Did you detect
> different SSL libraries for a same user-agent ?
>

TLS Fingerprinting is just another technology to give you more accurate
information regarding what clients/user agents use your service. There is a
multitude of use cases for TLS Fingerprinting:
- More accurate identification of user agents
- Blocking of malware and similar
- Logging/analytics purposes
I don't think we use this yet, but our Security department is interested in
it, so presumably we want a better protection from malware and similar.


> Indeed, it makes sense to offer the option to exclude purposely added noise
> from the computation. I don't know what JA3 specifies regarding this, but I
> guess it excludes it.
>

Yes, it does otherwise you would end up with additional fingerprints
pointing to the very same user agent.


> From what I'm seeing there, you could probably simplify the function and
> consider that you always allocate and copy if you need to exclude grease.
> A client hello is not huge anyway, and the time saved in the memcpy() of
> a few hundred bytes is not much compared to the overall processing of an
> SSL hello. By the way, it would be nice if you could use a different name
> (e.g. "temp") for your local trash pointer, as it shadows the thread-local
> "trash" and can be confusing.
>

Without going into details I simplified the function to always copy the
data. I renamed local trash pointer to 'output' and ssl_capture data
pointer to 'input' to better reflect what goes in and out.


> All this would indeed make a lot of sense. However, just renaming a config
> setting is not an option. What can be done is to create the new one and
> continue to process the old one while emitting a deprecation warning asking
> to use the other one instead. Maybe the size will differ and the doc will
> need to explain how to transform the values.
>

Let's see if I can manage to do that.


> I'm having an issue with your new definition of ssl_capture_location
> and its use in ssl_capture:
>
>  /* Location and size of the data in the buffer */
>  struct ssl_capture_location {
>          unsigned char len;      // offset 0, size 1 byte, followed by a 7-byte hole
>          size_t offset;          // offset 8, size 8 bytes
>  };
>
> => this structure takes 16 bytes of memory
>
>  /* This memory pool is used for capturing clienthello parameters. */
>  struct ssl_capture {
>          unsigned long long int xxh64;
>          unsigned int protocol_version;
>          struct ssl_capture_location ciphersuite;
>          struct ssl_capture_location extensions;
>          struct ssl_capture_location ec;
>          struct ssl_capture_location ec_formats;
>          char data[VAR_ARRAY];
>  };
>
> => thus above just for the lengths we're using 64 bytes of memory, this
>starts to be quite a lot per capture. Given that no TLS record can be
>larger than 16kB (or is that 64?), you could use two unsigned shorts
>and divide this overhead by 4.


It looks like it, although I came across this thread:
https://mta.openssl.org/pipermail/openssl-dev/2015-September/002845.html
which seems to suggest that theoretically we might end up with X * ~16kB,
which would suggest using int instead of short int. I'm trying to play it
safe here :-)


> > - Instead of creating a new converter I decided to extend the existing hex
> > converter to provide a similar functionality to bin2int. I thought this
> > makes more sense as the extended hex converter is fully backward compatible.
> > It has to be noted that the extended hex converter is not strictly necessary
> > to produce a JA3 TLS Fingerprint, but might be useful in some other
> > scenarios.
>
> Actually I've already missed this ability to decode larger ints so it's
> welcome. But there's an important point that your change doesn't take into
> account (for both bin2int and hex), which is the input byte ordering. At
> the moment only big endian is supported. In addition, the "bin2int" makes
> me think it emits an integer while it emits an ASCII decimal representation
> of it.
>
> What I could suggest instead would be to add the following converters:
>   be2dec()  // big endian to decimal
>   be2hex()  // big endian to hexadecimal
>   le2dec()  // little endian to decimal
>   le2hex()  // little endian to hexadecimal
>
> We could later complete these with other less useful variants like octal
> or raw ints (e.g. to extract dates). Just like we could imagine supporting
> some flavors of varints on input later if needed for some protocols.
>

Will add new converters and name them be2hex / be2dec (hex will stay
intact).


> > Example usage:
> > http-request set-header X-SSL-JA3
> >
> %[ssl_fc_protocol

Re: [PATCH] JA3 TLS Fingerprinting

2021-07-13 Thread Marcin Deranek
Hi Илья,

Well, JA3 is one of the approaches which seems to be a "standard" out there.
If you want to build your own you are still able to do so if you wish;
however, using a "standard" gives you the benefit of interoperability between
different software (e.g. JA3 on Nginx is the same as JA3 on HAProxy) and the
ability to exchange information in a unified manner (e.g. somebody posts the JA3
fingerprint of some malware which you can block right away without needing
to discover it yourself).
Regards,

Marcin Deranek

On Mon, Jul 12, 2021 at 7:37 PM Илья Шипицин  wrote:

> JA3 is a good approach, but it lacks a few ideas.
>
> we fingerprinted clients by "ssl ciphers" (all ciphers sent by the client in
> the Client Hello) + "all client curves" (also sent by the client).
>
> however, your approach is flexible enough to be extended.
>
> пн, 12 июл. 2021 г. в 20:03, Marcin Deranek :
>
>> Hi,
>>
>> Over the past few weeks I have been working on implementing JA3 compatible
>> TLS Fingerprinting[1] in HAProxy. You can find the outcome in the
>> attachments. Feel free to review/comment on them.
>> Here are some choices I made which you should be aware of:
>> - I decided to go with a "modular" approach where you can build a JA3
>> compatible fingerprint with the available fetchers/converters rather than a
>> single JA3 fetcher. This makes the approach more "reusable" in some other
>> scenarios.
>> - Each Client Hello related fetcher has an option to include/exclude GREASE
>> (RFC8701) values from the output. This is mainly for backward compatibility
>> and the ability to get "pure" data. I suspect in most cases people do not want
>> GREASE values to be present in the output (which is not the case right now
>> for cipherlist fetchers).
>> - The exclude_grease function allocates trash on demand depending on the
>> position of the GREASE (RFC8701) values in the list. We can get away without
>> creating a trash buffer if GREASE values are present at the very beginning
>> and/or the very end of the list. I decided to allocate the trash buffer only
>> when it's really needed, so that's why its creation is "hidden" inside the
>> exclude_grease function.
>> - Now ssl_capture (next to ciphersuite) contains data about extensions,
>> ec ciphers etc. One of the reasons I decided to merge all those values in a
>> single ssl_capture buffer is easier control of the buffer size limit. I think
>> it's beneficial to have a single buffer limit for all those values rather
>> than separate values for each. Having said that, probably
>> tune.ssl.capture-cipherlist-size needs to change its name to e.g.
>> tune.ssl.capture-buffer-limit to better reflect its function.
>> - Instead of creating a new converter I decided to extend the existing hex
>> converter to provide a similar functionality to bin2int. I thought this
>> makes more sense as the extended hex converter is fully backward compatible. It
>> has to be noted that the extended hex converter is not strictly necessary to
>> produce a JA3 TLS Fingerprint, but might be useful in some other scenarios.
>>
>> Example usage:
>> http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],%[ssl_fc_cipherlist_bin(1),bin2int(-,2)],%[ssl_fc_extlist_bin(1),bin2int(-,2)],%[ssl_fc_eclist_bin(1),bin2int(-,2)],%[ssl_fc_ecformats_bin,bin2int(-,1)]
>> http-request set-header X-SSL-JA3-Hash %[req.fhdr(x-ssl-ja3),digest(md5),hex]
>>
>> Question: I noticed that during Client Hello parsing we calculate xxh64
>> right away and store it. Isn't it better to calculate it when it's actually
>> used?
>> Regards,
>>
>> Marcin Deranek
>>
>> [1] https://github.com/salesforce/ja3
>> 
>>
>>

-- 
Marcin Deranek
Senior Site Reliability Engineer
[image: Booking.com] 
Making it easier for everyone
to experience the world.
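The JA3 computation discussed in this thread, written out as an added Python example that is not part of the patch or of HAProxy: it builds a constructed ClientHello, parses out the fields the fetchers in the thread expose (hello version, cipher list, extension list, named groups, point formats), drops RFC 8701 GREASE values the way the exclude-GREASE option does, decodes each list as big-endian integers joined with "-" like the proposed be2dec converter, and MD5-hashes the resulting string. The function names, the builder, and the sample cipher/extension/group values are this example's own assumptions.

```python
import hashlib
import struct

SUPPORTED_GROUPS = 0x000A   # TLS extension carrying the client's named groups (curves)
EC_POINT_FORMATS = 0x000B   # TLS extension carrying the client's point formats


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values have the form 0x?A?A with both bytes equal
    (0x0a0a, 0x1a1a, ..., 0xfafa)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def bin2dec(data: bytes, size: int, sep: str = "-", byteorder: str = "big",
            skip_grease: bool = False) -> str:
    """Split `data` into `size`-byte integers and join their decimal forms.
    byteorder="big" matches the proposed be2dec converter, "little" le2dec.
    Trailing bytes that do not fill a whole chunk are ignored."""
    values = [int.from_bytes(data[i:i + size], byteorder)
              for i in range(0, len(data) - len(data) % size, size)]
    if skip_grease:
        values = [v for v in values if not is_grease(v)]
    return sep.join(str(v) for v in values)


def build_client_hello(version, ciphers, ext_types, groups, formats) -> bytes:
    """Constructed test input: a minimal TLS record carrying a ClientHello
    (zero random, empty session id, unrelated extensions left empty)."""
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    exts = b""
    for etype in ext_types:
        if etype == SUPPORTED_GROUPS:
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif etype == EC_POINT_FORMATS:
            body = bytes([len(formats)]) + bytes(formats)
        else:
            body = b""
        exts += struct.pack("!HH", etype, len(body)) + body
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record type 22


def parse_client_hello(record: bytes) -> dict:
    """Extract the raw byte lists a JA3 fingerprint is built from."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # skip session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    ciphers = body[pos + 2:pos + 2 + cs_len]
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # skip compression methods
    ext_types, groups, formats = b"", b"", b""
    if pos + 2 <= len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types += struct.pack("!H", etype)
            if etype == SUPPORTED_GROUPS:
                groups = edata[2:2 + int.from_bytes(edata[:2], "big")]
            elif etype == EC_POINT_FORMATS:
                formats = edata[1:1 + edata[0]]
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3_string(hello: dict, exclude_grease: bool = True) -> str:
    """JA3 = version,ciphers,extensions,groups,formats (decimal, '-' separated)."""
    return ",".join([
        str(hello["version"]),
        bin2dec(hello["ciphers"], 2, skip_grease=exclude_grease),
        bin2dec(hello["extensions"], 2, skip_grease=exclude_grease),
        bin2dec(hello["groups"], 2, skip_grease=exclude_grease),
        bin2dec(hello["formats"], 1),
    ])


def ja3_hash(ja3: str) -> str:
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


# Constructed sample: TLS 1.2 hello id with a GREASE value in each 2-byte list.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B],
    ext_types=[0x2A2A, 0x0000, SUPPORTED_GROUPS, EC_POINT_FORMATS, 0x0010],
    groups=[0x3A3A, 0x001D, 0x0017],
    formats=[0x00],
)

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE_HELLO)
    for exclude in (True, False):
        s = ja3_string(fields, exclude_grease=exclude)
        print(f"grease excluded={exclude}: {s} -> {ja3_hash(s)}")
```

Running it prints the fingerprint both ways: with GREASE stripped the string is `771,4865-4866-49195,0-10-11-16,29-23,0`, with GREASE kept the random 0x?A?A values leak into every list, which is exactly why an unstripped capture turns one user agent into many fingerprints and why the exclude option matters for blocking or analytics use.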




Re: [PATCH] JA3 TLS Fingerprinting

2021-07-13 Thread Marcin Deranek
Hi Tim,

Will try to include reg-tests for converters (first need to read up on how to
do it). I'm afraid fetchers are not really suitable for regtests.
The jump label was already indented by 1 space.
Thank you for the feedback, Tim.
Regards,

Marcin Deranek

On Mon, Jul 12, 2021 at 5:21 PM Tim Düsterhus  wrote:

> Marcin,
>
> On 7/12/21 4:59 PM, Marcin Deranek wrote:
> > Over the past few weeks I have been working on implementing JA3 compatible
> > TLS Fingerprinting[1] in HAProxy. You can find the outcome in the
> > attachments. Feel free to review/comment on them.
>
> I can't comment on the correctness of the patches, but please add
> reg-tests where possible. At the very least the new / updated converters
> should (must?) get a reg-test to ensure correctness.
>
> Also one minor remark regarding the first patch: Please indent jump
> labels (store_capture:) by at least one space. This improves the
> detection of diff hunk headers in some cases.
>
> Best regards
> Tim Düsterhus


Re: set mss on backend site on version 1.7.9

2021-07-13 Thread Lukas Tribus
Hello Stefan,

On Tue, 13 Jul 2021 at 14:10, Stefan Fuhrmann
 wrote:
>
> Hello all,
>
>
> First, we cannot change to a newer version so fast within the project.
>
> We have an old installation of haproxy (1.7.9) and we need to configure
> the TCP MSS value on the backend side.
>
> Is it possible to change the MSS value on the backend side? How?

No.

You can set the MSS on the frontend socket, but not on the backend socket.

You need to work with your OS/kernel configuration.


Lukas



fairly distribute shutdown session a few minutes before hard-stop-after expires

2021-07-13 Thread Joao Morais


Hello list, we have a HAProxy cluster in front of some chat-like applications. 
This HAProxy cluster is dynamically updated and now and then the instances need 
to be reloaded.

Some of the applications behind this cluster have a few thousand active 
users and, every time the old instance's hard-stop-after expires, closing 
the remaining connections, the applications receive an avalanche of 
reconnections from the clients (usually browsers) almost at the same time.

What I'm planning to do is to monitor every old instance and start a `shutdown 
session` via the CLI, a few connections at a time, fairly distributing them over the 
last 25% or so of the remaining time. However, maybe someone has a better idea 
or could even point to a configuration that does more or less what I'm trying to 
implement.

~jm
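One way to compute the staggered `shutdown session` plan described above, as an added Python example that is not part of the original post or of HAProxy: it pulls session ids out of constructed `show sess` output (the line format here is assumed; only the leading `0x…:` id is relied on), spreads batches evenly over the final fraction of the remaining hard-stop-after window so the last batch lands before the deadline, and turns them into CLI commands. The socket helper assumes an admin-level Unix stats socket path and is not exercised offline.

```python
import re
import socket
import time

# Constructed `show sess` sample (format assumed); only "0x...:" ids are parsed.
SHOW_SESS_SAMPLE = """\
0x55c1d2a0e010: proto=tcpv4 src=203.0.113.10:50211 fe=chat-fe be=chat-be srv=app1 age=14m
0x55c1d2a0e3c0: proto=tcpv4 src=203.0.113.11:50212 fe=chat-fe be=chat-be srv=app2 age=9m
0x55c1d2a0e770: proto=tcpv4 src=203.0.113.12:50213 fe=chat-fe be=chat-be srv=app1 age=7m
0x55c1d2a0eb20: proto=tcpv4 src=203.0.113.13:50214 fe=chat-fe be=chat-be srv=app2 age=2m
0x55c1d2a0eed0: proto=tcpv4 src=203.0.113.14:50215 fe=chat-fe be=chat-be srv=app1 age=1m
"""

SESSION_ID = re.compile(r"^(0x[0-9a-fA-F]+):", re.MULTILINE)


def parse_session_ids(show_sess_output: str) -> list:
    """Session ids as printed at the start of each `show sess` line."""
    return SESSION_ID.findall(show_sess_output)


def schedule_shutdowns(session_ids, remaining_seconds, fraction=0.25, batch_size=2):
    """Spread batches evenly over the last `fraction` of the remaining
    hard-stop-after time. Returns [(delay_from_now_seconds, [ids]), ...];
    the last batch is scheduled strictly before the deadline."""
    if remaining_seconds <= 0 or not session_ids:
        return []
    batches = [session_ids[i:i + batch_size] for i in range(0, len(session_ids), batch_size)]
    window_start = remaining_seconds * (1.0 - fraction)
    step = (remaining_seconds * fraction) / len(batches)
    return [(round(window_start + i * step, 3), batch) for i, batch in enumerate(batches)]


def cli_commands(schedule):
    """One 'shutdown session <id>' command per session, keeping the delays."""
    return [(delay, [f"shutdown session {sid}" for sid in batch]) for delay, batch in schedule]


def send_cli(socket_path: str, command: str) -> str:
    """Send one command to the HAProxy stats socket (assumed to be configured
    as `stats socket <path> level admin`) and return its reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(command.encode() + b"\n")
        return s.recv(65536).decode(errors="replace")


def drain(socket_path: str, remaining_seconds: float, **kw) -> int:
    """Run the plan against a live old instance; returns the number of
    shutdown commands sent."""
    ids = parse_session_ids(send_cli(socket_path, "show sess"))
    start = time.monotonic()
    sent = 0
    for delay, commands in cli_commands(schedule_shutdowns(ids, remaining_seconds, **kw)):
        time.sleep(max(0.0, start + delay - time.monotonic()))
        for cmd in commands:
            send_cli(socket_path, cmd)
            sent += 1
    return sent


if __name__ == "__main__":
    plan = schedule_shutdowns(parse_session_ids(SHOW_SESS_SAMPLE), remaining_seconds=600)
    for delay, commands in cli_commands(plan):
        print(f"t+{delay:>6.1f}s: {'; '.join(commands)}")
```

With 600 s left and batches of two, the five sample sessions are closed at t+450, t+500 and t+550 s, so the reconnect burst the post describes is spread over the window instead of arriving all at once when hard-stop-after fires; `remaining_seconds` has to be derived from the reload time and the configured hard-stop-after, which is the one input this example cannot know by itself.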




haproxy for IIS

2021-07-13 Thread Haproxy
Dear there,

This is Jun from China. I am trying to set up haproxy to load balance IIS 
websites on 2 local servers. It was achieved to load balance one website; 
however, I don't know how to load balance many websites from the 2 servers, 
which have the same websites running on them. Could you guide me on this, 
please? Thank you.

condykou
Email: condy...@msn.com