Re: Debian + QUIC / HTTP/3

2023-06-05 Thread Shawn Heisey

On 6/5/23 01:41, Artur wrote:
> What is suggested/recommended way to get QUIC / HTTP/3 working in
> haproxy on Debian ?


I have been debating for a while whether or not to get the work I have 
done on build scripts out into the world.  Just mirrored the repo from 
my gitlab server to github, so have fun with it!


https://github.com/elyograg/haproxy-scripts

I happened to have a debian 11 VM, i386 architecture.  I tested the 
scripts there with these steps:


mkdir ~/git
cd ~/git
sudo apt -y install git
git clone https://github.com/elyograg/haproxy-scripts.git
cd haproxy-scripts
./prep-source
sudo mkdir -p /etc/haproxy
./install-haproxy-service git-haproxy-2.8
./fullstack

They're shell scripts, so there is no mystery about what they do.

The prep_source script will install a whole lot of packages ... 
compilers, libraries needed for the compile, and some other tools.


The "repo_overrides" file is pre-setup to force a specific branch of 
quictls.  If you remove that, it will get the newest 3.1.x branch that 
ends in +quic.


The scripts do not attempt to install /etc/haproxy/haproxy.cfg ... you 
will have to handle that.  You can use the `ci-haproxy-cfg.txt` file as 
a starting point for your own config.  It's the barebones config that I 
use for the gitlab CI job I built.  It uses a self-signed certificate 
that is also included but not copied by default to the right directory 
for the config.


The scripts that compile the software will figure out how many physical 
CPU cores you have, divide that by 2, then set the number of threads for 
`make` to that value or a minimum value of 3.


This means the scripts have been tested on Ubuntu, Debian, and CentOS 7, 
and were found to work on all 3.


Thanks,
Shawn






tune.quic.socket-owner misspelled in configuration.txt (bind section)

2023-06-05 Thread Artur

Hello,

In the following commit tune.quic.socket-owner parameter is introduced. 
However, in configuration.txt, line 4629, it's misspelled as 
tune.quic.conn-owner.


https://github.com/haproxy/haproxy/commit/511ddd5785266c149dfa593582512239480e1688

I can file a "bug" report on github if necessary.

--
Best regards,
Artur


regression? scheme and hostname logged with %r with 2.6.13

2023-06-05 Thread Robert Newson
Hi,

I've recently upgraded some hosts from 2.0.31 to 2.6.13. I have a custom 
log-format that matches the standard httplog but with some extra items on the 
end.

Notably I log %{+Q}r 

In 2.0.31 this is as the documentation described, it's the request line "GET 
/foo HTTP/1.1". The docs for 2.6.31 (and everything in between) say the same, 
and all the examples show this too.

However, I've noticed that what's logged now includes the full URI (which is 
obviously not present in the request line transmitted by the client), e.g., "GET 
https://somewhere.com/foo HTTP/1.1"

The code for LOG_FMT_REQ in 2.0.31 and 2.6.31 looks the same to me, so I am 
inferring that txn-uri used to get some processing prior to logging that no 
longer happens.

(I've also tried %{+Q}HU and also get the scheme and hostname with that)

I have a very complicated config so I'm not sure what parts are relevant to 
share.

Has anyone else seen this behaviour?

Regards,
Robert Newson




Re: Debian + QUIC / HTTP/3

2023-06-05 Thread Илья Шипицин
I think that people use the README as a landing page.
Maybe it is worth adding a Docker Hub link there? It is hard for a first-time
user to identify whether docker image(s) exist or not.

On Mon, 5 Jun 2023 at 11:57, Artur wrote:

> Thank you Илья and Dinko.
>
> What I can see is that haproxy doc suggest using QuicTLS library.
> The build process is well explained in Dockerfile. That's perfect.
>
> I've also seen some information about haproxy 2.6 configuration for
> HTTP/3 over QUIC in the following article. I imagine it may be suitable
> for 2.8 version as well...
>
> https://www.haproxy.com/blog/announcing-haproxy-2-6
>
> --
> Best regards,
> Artur
>
>
>


Re: OCSP renewal with 2.8

2023-06-05 Thread Matthias Fechner

On 05.06.2023 at 10:08, William Lallemand wrote:

> As I explained in my previous mail, the option was not set on the bind
> lines because of architectural problems, but you could expect to have a
> way to do it globally in future versions.


Thanks a lot for this information.
I will wait then for a simpler, less verbose configuration 
(ideally just a single global parameter to enable OCSP renewal on the bind line).
The scripts I use to renew OCSP have been working for years without any 
problems, no need to rush here ;)


Regards,
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook




Re: Debian + QUIC / HTTP/3

2023-06-05 Thread Artur

Thank you Илья and Dinko.

What I can see is that haproxy doc suggests using QuicTLS library.
The build process is well explained in Dockerfile. That's perfect.

I've also seen some information about haproxy 2.6 configuration for 
HTTP/3 over QUIC in the following article. I imagine it may be suitable 
for 2.8 version as well...


https://www.haproxy.com/blog/announcing-haproxy-2-6

--
Best regards,
Artur




Re: Debian + QUIC / HTTP/3

2023-06-05 Thread Илья Шипицин
There are at least:

"build from source" haproxy/INSTALL at master · haproxy/haproxy (github.com)

"use docker images" haproxytech's Profile | Docker Hub


Maybe other ways?

On Mon, 5 Jun 2023 at 09:44, Artur wrote:

> Hello,
>
> What is suggested/recommended way to get QUIC / HTTP/3 working in
> haproxy on Debian ?
>
> --
> Best regards,
> Artur
>
>
>


Re: OCSP renewal with 2.8

2023-06-05 Thread Lukas Tribus
On Sat, 3 Jun 2023 at 14:30, William Lallemand wrote:
> That's what we've done in the first place, but I decided to remove it
> because I was not happy with the architecture. And once you have
> something like this, you have to keep the configuration compatibility
> for the next versions and then you are stuck with something awful.
>
> My concern here, is that the ocsp-update option was never a "bind"
> option, it's a feature which applies on the internal storage part, which
> is not directly exposed in the configuration. So for example if you use
> the same certificate on multiple bind lines, setting "ocsp-update on" on
> one line and "ocsp-update off" on the other doesn't make sense.

I understand, I just think that those are tradeoffs that need to be made.

We could document it well, and trigger configuration warnings or
alerts (depending on severity) for conflicts.

Not providing bind lines configuration support to avoid conflicting
configurations in a small number of cases, while not supporting the
most commonly used configuration does not seem like a good tradeoff.


Note that I'm not saying conflicting configuration warnings for this
are trivial to implement or anything like that. I don't actually know;
I'm just saying this sounds like in this case the cure may be worse
than the disease.



> We are well aware on the current limitations of this model, and we are
> working on it, that's why it landed in the crt-list for now, but that
> will evolve!

Great, thank you!


Lukas



Debian + QUIC / HTTP/3

2023-06-05 Thread Artur

Hello,

What is the suggested/recommended way to get QUIC / HTTP/3 working in 
haproxy on Debian?


--
Best regards,
Artur




Re: OCSP renewal with 2.8

2023-06-05 Thread William Lallemand
Hello,

On Sat, Jun 03, 2023 at 04:28:30PM -0600, Shawn Heisey wrote:
> On 6/3/23 15:37, Shawn Heisey wrote:
> > On 6/3/23 15:28, Shawn Heisey wrote:
> >> So maybe a completely separate global option makes sense.  The 
> >> crt-list requirement is not really a burden for me, but for someone 
> >> who uses a LOT of certificates that change frequently, it probably 
> >> would become a burden.
> > 
> > Unless it is possible to have a directory as an entry in the crt-list 
> > file like it is for the crt option.  The crt-list doc does not say that 
> > this is possible, and I have not tested it.
> 
> Using a directory as an entry in the crt-list file causes `haproxy -c 
> -f` to hang.  Which I think means that crt-list doesn't support directories.
> 

Hm that's weird, that shouldn't load at all! I'll take a look.

> How hard would it be to add that support?  I would hope that most of the 
> code needed is already present in the part that parses crt options.
> 

We won't support this, directories are represented internally as a
crt-list, this would add a huge complexity in the code. crt-list were
made as a cleaner alternative to directories so you could specify each
file you need manually and set options to them.

As I explained in my previous mail, the option was not set on the bind
lines because of architectural problems, but you could expect to have a
way to do it globally in future versions.

-- 
William Lallemand
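
Since a crt-list cannot name a directory and `ocsp-update` is set per crt-list entry, one way to cover a directory of frequently changing certificates is to regenerate the crt-list from it. This is an added example, not code from the thread or from HAProxy; the function names and the paths passed to them are assumptions.

```shell
#!/bin/sh
# gen_crt_list DIR
# Print one crt-list line per *.pem bundle in DIR, each with OCSP
# auto-update enabled (HAProxy 2.8 crt-list option "ocsp-update on").
gen_crt_list() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*.pem; do
        # An unmatched glob stays literal; skip it and non-regular files.
        [ -f "$f" ] || continue
        # Skip files that do not contain a certificate at all.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
        # crt-list fields are whitespace-separated, so such paths cannot be listed.
        case $f in
            *[[:space:]]*) echo "skipping (whitespace in path): $f" >&2
                           continue ;;
        esac
        printf '%s [ocsp-update on]\n' "$f"
    done
}

# write_crt_list DIR OUT
# Write the list to a temporary file first and rename it into place, so a
# reload never sees a half-written or empty crt-list.
write_crt_list() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if gen_crt_list "$1" > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone use: script.sh CERT_DIR OUTPUT_FILE (both paths are assumptions)
if [ "$#" -eq 2 ]; then
    write_crt_list "$1" "$2"
fi
```

Reference the generated file from the bind line with `crt-list`, and validate with `haproxy -c -f` before reloading.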