Re: [ANNOUNCE] haproxy-2.4.5

2021-10-02 Thread Matthias Fechner

On 01.10.2021 at 18:09, Christopher Faulet wrote:

HAProxy 2.4.5 was released on 2021/10/01. It added 69 new commits
after version 2.4.4.

Could it be that this upgrade broke something? The connection seems to hang.
I use the following configuration, which does not work anymore; downgrading
haproxy to 2.4.4 fixes it:

global
    maxconn 2048
    hard-stop-after 5s
    #user haproxy
    #group haproxy
    user root
    daemon
    tune.ssl.default-dh-param 2048

    # logging
    ulimit-n 65536
    log /var/run/log local0 err

    # enable socket for ocsp reloading
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats socket /var/run/haproxy_read.sock mode 666 level user
    stats timeout 2m

    # Configure ciphers to not use, see https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 80s
    timeout client 80s
    timeout server 80s
    #timeout check 1s
    option forwardfor
    option http-server-close
    default-server inter 3s fall 2 rise 2 slowstart 60s
    compression algo gzip
    compression type text/html text/plain text/css

frontend www-http
    bind *:80
    http-request add-header X-Forwarded-Proto http
    default_backend nginx-backend

frontend www-https
    mode tcp
    option tcplog
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30

    use_backend ssh if client_attempts_ssh

    use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }

    default_backend nginx-http-backend

backend nginx-backend
    server www-1 127.0.0.1:8082 check send-proxy

backend nginx-http2-backend
    mode tcp
    http-request add-header X-Forwarded-Proto https
    server www-1 127.0.0.1:8083 check send-proxy

backend nginx-http-backend
    mode tcp
    server www-1 127.0.0.1:8082 check send-proxy

backend ssh
    mode tcp
    option tcplog
    log global
    source 0.0.0.0 usesrc clientip
    server ssh 192.168.200.6:22
    timeout server 8h

frontend haproxy-stats
    bind 192.168.0.251:9001
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy_stats
    stats auth _removed_:_removed_


Regards
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook




Re: [ANNOUNCE] haproxy-2.4.5

2021-10-02 Thread Christopher Faulet

On 10/2/21 at 10:54 AM, Matthias Fechner wrote:

On 01.10.2021 at 18:09, Christopher Faulet wrote:

HAProxy 2.4.5 was released on 2021/10/01. It added 69 new commits
after version 2.4.4.



Damned! You're right...

It is a typo in commit feca2a453 ("BUG/MINOR: filters: Always set FLT_END analyzer when CF_FLT_ANALYZE flag is set"). It also affects the 2.5-DEV.


The patch is pretty simple:

diff --git a/src/filters.c b/src/filters.c
index 136a3e80b..f64c192bd 100644
--- a/src/filters.c
+++ b/src/filters.c
@@ -475,7 +475,7 @@ flt_stream_start(struct stream *s)
}
if (strm_li(s) && (strm_li(s)->analysers & AN_REQ_FLT_START_FE)) {
s->req.flags |= CF_FLT_ANALYZE;
-   s->req.analysers |= AN_RES_FLT_END;
+   s->req.analysers |= AN_REQ_FLT_END;
}
return 0;
 }
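Review bot: The request channel was being handed the response-side analyser, so with CF_FLT_ANALYZE set on s->req the request never had its AN_REQ_FLT_END analyser scheduled, which is consistent with the hang reported as soon as a filter (here HTTP compression from the defaults section) is in play; the one-word change to AN_REQ_FLT_END is the right fix. Since this block only covers the frontend request side, it is worth confirming that the response-side counterpart (outside this hunk) pairs CF_FLT_ANALYZE with AN_RES_FLT_END in the same way, and adding a regression test that runs a config with "compression algo gzip" through a request/response cycle so a flag/analyser mismatch like this one is caught before release.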


I will push a fix. As a workaround, you can temporarily disable the HTTP compression filter.


Thanks for the report!

--
Christopher Faulet