Re: Exchange services

2023-12-13 Thread Henning Svane
Hi

Have you tried to test from Microsoft Remote Connectivity Analyzer?

Here you can see what error there is in the connection.
Maybe that could be usable information for debugging.

Regards
Henning

From: Илья Шипицин
Sent: 13 December 2023 22:37
To: Dario Girella
Cc: HAProxy
Subject: Re: exchange services

It would be interesting to bisect on 2.9

On Wed, Dec 13, 2023, 20:24 Dario Girella <dario.gire...@aqumo.net> wrote:
Hello,
I just upgraded my HAProxy version from 2.8.5 to 2.9. All seems fine, but I 
receive an error from Outlook when trying to configure a mailbox by Autodiscover.
Also a problem opening OWA.
Did something change, or is there something to check?
I reverted back to 2.8.5 and all is fine.

Regards

Dario


Re: HAProxy is not updating DNS cache

2023-09-13 Thread Henning Svane
Hi 

Thanks for your answer.

It is in the frontend that I use the "dynamic" DNS.

Will the resolver also be used in the frontend section?

I can only see examples for backend servers.

Regards
Henning 

-Original Message-
From: William Lallemand
Sent: 13 September 2023 14:50
To: Henning Svane
Cc: haproxy@formilux.org
Subject: Re: HAProxy is not updating DNS cache

On Wed, Sep 13, 2023 at 12:39:36PM +0000, Henning Svane wrote:
> Hi
> 
> I have tried using DNS with a TTL of 600 sec., and the DNS changes 
> once in a while, but every time I have to restart HAProxy to get the 
> updated DNS to work, even if I wait for hours. I can see with 
> nslookup that the server can see the updated DNS correctly.
> 
> So is there a setting that makes HAProxy TTL aware, so HAProxy reloads 
> the DNS record every time the TTL expires?
> 
> Regards Henning

DNS names are resolved at startup; if you want dynamic resolving you need to use a 
resolvers section [1] and the resolvers keyword on server lines.


[1]: 
https://docs.haproxy.org/2.8/configuration.html#resolvers%20(The%20resolvers%20section)


--
William Lallemand
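William's reply points at the resolvers section. The following is an added example written for this page, not configuration from the thread or from the HAProxy documentation; the resolver address, hostnames and CA file path are constructed placeholders. It covers the case the reply names, a server line in a backend. A bind address in a frontend is resolved once when the configuration is parsed, so a resolvers section does not make bind lines dynamic.

```haproxy
# Added example, not from the thread. Placeholder addresses and names throughout.
resolvers internal_dns
    nameserver ns1 192.0.2.53:53      # placeholder: the recursive resolver HAProxy should ask
    resolve_retries       3
    timeout resolve       1s          # interval between periodic re-queries
    timeout retry         1s
    hold valid            10s         # keep a valid answer this long before asking again
    hold nx               30s         # how long to keep the last address after NXDOMAIN
    hold timeout          30s
    hold obsolete         30s
    accepted_payload_size 8192

backend xmail_dynamic
    mode http
    timeout connect 5s
    timeout server  30s
    # "resolvers" makes HAProxy re-query the server name at runtime instead of
    # resolving it once at startup. "init-addr" says what to do if the name
    # cannot be resolved while the configuration is loaded: reuse the last known
    # address, then the libc resolver, then start with no address at all rather
    # than refusing to start.
    server xmail01 xmail01.example.net:443 ssl verify required ca-file /etc/haproxy/crt/exchange_ca.pem check resolvers internal_dns resolve-prefer ipv4 init-addr last,libc,none
```

Check the file with `haproxy -c -f <file>` before reloading. HAProxy re-queries on its own schedule (`timeout resolve` and `hold valid`) rather than on the record's TTL, and the recursive resolver it asks may still serve its cached answer until the TTL expires, so a zone change shows up after the earlier of those two delays, not the moment the zone is edited.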



Re: HAProxy is not updating DNS cache

2023-09-13 Thread Henning Svane
Hi 

haproxy -vv
HAProxy version 2.8.2-1ppa1~jammy 2023/08/12 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.2.html
Running on: Linux 5.15.0-83-generic #92-Ubuntu SMP Mon Aug 14 09:30:42 UTC 2023 
x86_64
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -O2 -flto=auto -ffat-lto-objects -flto=auto 
-ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security 
-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference 
-fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare 
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers 
-Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_OT=1 
USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H 
-DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC 
+LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER 
+NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL +OT -PCRE +PCRE2 +PCRE2_JIT 
-PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC +RT +SHM_OPEN 
+SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY 
-WURFL -ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 3.0.2 15 Mar 2022
Running on OpenSSL version : OpenSSL 3.0.2 15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with OpenTracing support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.4.0

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=

Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[  OT] opentracing
[SPOE] spoe
[TRACE] trace

Regards
Henning

-Original Message-
From: Aleksandar Lazic
Sent: 13 September 2023 17:26
To: Henning Svane
Cc: haproxy@formilux.org
Subject: Re: HAProxy is not updating DNS cache

Hi.

On 2023-09-13 (Wed.) 14:39, Henning Svane wrote:
> Hi
> 
> I have tried using DNS with a TTL of 600 sec., and the DNS changes 
> once in a while, but every time I have to restart HAProxy to get the 
> updated DNS to work.
> 
> Even if I wait for hours. I can see with nslookup that the server can 
> see the updated DNS correctly.
> 
> So is there a setting that makes HAProxy TTL aware, so HAProxy reloads 
> the DNS record every time the TTL expires?

Please always add the output of `haproxy -vv`, thanks.

> Regards
> 
> Henning

Regards
Alex


HAProxy is not updating DNS cache

2023-09-13 Thread Henning Svane
Hi

I have tried using DNS with a TTL of 600 sec., and the DNS changes once in a 
while, but every time I have to restart HAProxy to get the updated DNS to work,
even if I wait for hours. I can see with nslookup that the server can see the 
updated DNS correctly.

So is there a setting that makes HAProxy TTL aware, so HAProxy reloads the DNS 
record every time the TTL expires?

Regards
Henning


ACL with multi or

2023-07-29 Thread Henning Svane
Hi

If everything in the brackets is false, then execute "http-request tarpit deny_status 
403", but the following is not accepted:

http-request tarpit deny_status 403 if !(XMail_Autodiscover || XMail_EAS || XMail_ECP || XMail_EWS || XMail_MAPI || XMail_OAB || XMail_OWA || XMail_RPC || XMail_PowerShell)

The error is:
[ALERT](1564) : config : parsing [/etc/haproxy/haproxy.cfg:108] : error detected while parsing an 'http-request tarpit' condition : no such ACL : '('.


Is there a way to make it work?

Regards
Henning




Re: Strange problem

2023-07-29 Thread Henning Svane
Hi Willy

You were right, replacing "url_beg" with "path_beg" solves the problem.

Strange that it has not been a problem for 2.5, 2.6 and 2.7; could it be that 
something has been fixed in 2.8 for "url_beg" / "path_beg"?

But thanks again.
Regards
Henning

-Original Message-
From: Henning Svane
Sent: 29 July 2023 23:47
To: haproxy@formilux.org
Subject: Re: Strange problem

Hi Willy

Thanks for the fast answer. In the meantime I tried to roll back to:
HAProxy version 2.7.9-1ppa1~jammy 2023/06/07 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2024.
Known bugs: http://www.haproxy.org/bugs/bugs-2.7.9.html
Running on: Linux 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 
x86_64

And under 2.7.9-1 it works, but when I then switch back to:
HAProxy version 2.8.1-1ppa1~jammy 2023/07/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.1.html
Running on: Linux 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 
x86_64

it stops working again.

I will try your suggestion as it sounds like a solution/explanation, or at least 
what I was hoping to do in the first place.

I will let you know if it fixes the problem.

Thanks again for the fast response.
Regards
Henning
 
-Original Message-
From: Willy Tarreau
Sent: 29 July 2023 23:34
To: Henning Svane
Cc: haproxy@formilux.org
Subject: Re: Strange problem

Hi Henning,

On Sat, Jul 29, 2023 at 07:21:58PM +, Henning Svane wrote:
> Hi
> Today I started to get this problem.
> Line 29140: Jul 29 18:47:09 haproxyxmail01 haproxy[1010]: 192.168.y.65:26570 
> [29/Jul/2023:18:47:09.605] FrontEnd_Xmail_L7_IPv4~ 
> FrontEnd_Xmail_L7_IPv4/ -1/-1/-1/-1/0 503 108 - - SC-- 10/10/0/0/0 0/0 
> "HEAD https://mail.domin.com/OAB/857f4bf9-4f97-466c-a337-6316b1aa3cc8/oab.xml HTTP/2.0"
> 
> If I understand the error correctly, it says that it does not find a match for 
> a backend. Is this correct, and if so why, because there is a match??

Yes that's it.

> "Mail.domain.com" is the correct FQDN, just changed here. The only 
> difference is it ends on HTTP/2.0, where all the requests that work are
> HTTP/1.1, which fits as Exchange does not support 2.0 but only 1.1.

I think I have an explanation below:

  acl XMail_Autodiscover url_beg -i /autodiscover
  acl XMail_EAS url_beg -i /microsoft-server-activesync
  acl XMail_ECP url_beg -i /ecp
  acl XMail_EWS url_beg -i /ews
  acl XMail_MAPI url_beg -i /mapi
  acl XMail_OAB url_beg -i /oab
  acl XMail_OWA url_beg -i /owa
  acl XMail_RPC url_beg -i /rpc
  acl XMail_PowerShell url_beg -i /powershell
  acl XMail_NotAllowed url_beg -i /

Your rules rely on url_beg which matches the full URL, not just the path 
component. HTTP/2 always sends full URLs, while this is optional in HTTP/1. If 
you want to match the path only, your ACLs ought to use "path_beg" instead of 
"url_beg".

> But what makes it strange is that when I try to debug with Fiddler the 
> problem goes away and all works; when I turn off Fiddler the problem starts 
> again.

I don't know exactly how Fiddler works, but I suspect it works in reverse-proxy 
mode and just does not support HTTP/2, thus it forces the client to negotiate 
HTTP/1.1.

Hoping this helps,
Willy
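Two threads above meet in one configuration: the "ACL with multi or" question, where HAProxy rejected a parenthesised condition, and Willy's point that url_beg compares the whole request target while path_beg compares only the path. The following is an added example written for this page, not the poster's configuration and not taken from the HAProxy documentation; hostnames, addresses, certificate paths and backend names are placeholders.

```haproxy
# Added example for this page; placeholder names and addresses throughout.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  10s
    # Placeholder CA file and SNI; every backend below inherits these.
    default-server ssl verify required ca-file /etc/haproxy/crt/exchange_ca.pem sni str(mail.example.net)

frontend xmail_l7
    bind 192.0.2.10:80
    bind 192.0.2.10:443 ssl crt /etc/haproxy/crt/mail_example_net.pem

    acl xmail_host   hdr(host) -i mail.example.net autodiscover.example.net
    acl from_private src 10.0.0.0/8 192.168.0.0/24

    http-request tarpit deny_status 404 if !xmail_host
    http-request redirect scheme https code 301 if !{ ssl_fc }

    # path_beg looks only at the path, so the HTTP/2 request whose target
    # HAProxy sees as "https://mail.example.net/OAB/..." matches the same way
    # as the HTTP/1.1 request "/OAB/...". url_beg compares the whole target
    # and so misses the HTTP/2 form, which is the 503 in the thread.
    acl p_autodiscover path_beg -i /autodiscover
    acl p_eas          path_beg -i /microsoft-server-activesync
    acl p_ecp          path_beg -i /ecp
    acl p_ews          path_beg -i /ews
    acl p_mapi         path_beg -i /mapi
    acl p_oab          path_beg -i /oab
    acl p_owa          path_beg -i /owa
    acl p_rpc          path_beg -i /rpc
    acl p_powershell   path_beg -i /powershell

    # Conditions have no parentheses: listed ACLs are ANDed, "||" ORs them and
    # "!" negates one ACL. Several patterns on one ACL line are ORed, so a single
    # ACL stands in for "(a || b || ...)" and can be negated as a whole.
    # The spelling "if !p_autodiscover !p_eas !p_ecp ..." is equivalent.
    acl p_known path_beg -i /autodiscover /microsoft-server-activesync /ecp /ews /mapi /oab /owa /rpc /powershell
    http-request tarpit deny_status 403 if !p_known

    # Admin surfaces stay limited to the private network, as in the thread;
    # AND binds tighter than "||", so this reads (ecp and not private) or (...).
    http-request tarpit deny_status 403 if p_ecp !from_private || p_powershell !from_private

    use_backend be_autodiscover if p_autodiscover
    use_backend be_eas          if p_eas
    use_backend be_ecp          if p_ecp
    use_backend be_ews          if p_ews
    use_backend be_mapi         if p_mapi
    use_backend be_oab          if p_oab
    use_backend be_owa          if p_owa
    use_backend be_rpc          if p_rpc
    use_backend be_powershell   if p_powershell

# One backend per Exchange virtual directory, as in the posted frontend; all
# point at the same placeholder server here.
backend be_autodiscover
    server xmail01 192.0.2.21:443
backend be_eas
    server xmail01 192.0.2.21:443
backend be_ecp
    server xmail01 192.0.2.21:443
backend be_ews
    server xmail01 192.0.2.21:443
backend be_mapi
    server xmail01 192.0.2.21:443
backend be_oab
    server xmail01 192.0.2.21:443
backend be_owa
    server xmail01 192.0.2.21:443
backend be_rpc
    server xmail01 192.0.2.21:443
backend be_powershell
    server xmail01 192.0.2.21:443
```

Run `haproxy -c -f <file>` to confirm the conditions parse. The default-deny tarpit sits before the use_backend lines on purpose: a request for a path outside the list is answered by the tarpit rule rather than falling through to "no backend matched", so the log records a deliberate 403 instead of the SC-- 503 seen in the thread.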




Re: Strange problem

2023-07-29 Thread Henning Svane
Hi Willy

Thanks for the fast answer. In the meantime I tried to roll back to:
HAProxy version 2.7.9-1ppa1~jammy 2023/06/07 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2024.
Known bugs: http://www.haproxy.org/bugs/bugs-2.7.9.html
Running on: Linux 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 
x86_64

And under 2.7.9-1 it works, but when I then switch back to:
HAProxy version 2.8.1-1ppa1~jammy 2023/07/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.1.html
Running on: Linux 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 
x86_64

it stops working again.

I will try your suggestion as it sounds like a solution/explanation, or at least 
what I was hoping to do in the first place.

I will let you know if it fixes the problem.

Thanks again for the fast response.
Regards
Henning
 
-Original Message-
From: Willy Tarreau
Sent: 29 July 2023 23:34
To: Henning Svane
Cc: haproxy@formilux.org
Subject: Re: Strange problem

Hi Henning,

On Sat, Jul 29, 2023 at 07:21:58PM +, Henning Svane wrote:
> Hi
> Today I started to get this problem.
> Line 29140: Jul 29 18:47:09 haproxyxmail01 haproxy[1010]: 192.168.y.65:26570 
> [29/Jul/2023:18:47:09.605] FrontEnd_Xmail_L7_IPv4~ 
> FrontEnd_Xmail_L7_IPv4/ -1/-1/-1/-1/0 503 108 - - SC-- 10/10/0/0/0 0/0 
> "HEAD https://mail.domin.com/OAB/857f4bf9-4f97-466c-a337-6316b1aa3cc8/oab.xml HTTP/2.0"
> 
> If I understand the error correctly, it says that it does not find a match for 
> a backend. Is this correct, and if so why, because there is a match??

Yes that's it.

> "Mail.domain.com" is the correct FQDN, just changed here. The only 
> difference is it ends on HTTP/2.0, where all the requests that work are 
> HTTP/1.1, which fits as Exchange does not support 2.0 but only 1.1.

I think I have an explanation below:

  acl XMail_Autodiscover url_beg -i /autodiscover
  acl XMail_EAS url_beg -i /microsoft-server-activesync
  acl XMail_ECP url_beg -i /ecp
  acl XMail_EWS url_beg -i /ews
  acl XMail_MAPI url_beg -i /mapi
  acl XMail_OAB url_beg -i /oab
  acl XMail_OWA url_beg -i /owa
  acl XMail_RPC url_beg -i /rpc
  acl XMail_PowerShell url_beg -i /powershell
  acl XMail_NotAllowed url_beg -i /

Your rules rely on url_beg which matches the full URL, not just the path 
component. HTTP/2 always sends full URLs, while this is optional in HTTP/1. If 
you want to match the path only, your ACLs ought to use "path_beg" instead of 
"url_beg".

> But what makes it strange is that when I try to debug with Fiddler the 
> problem goes away and all works; when I turn off Fiddler the problem starts 
> again.

I don't know exactly how Fiddler works, but I suspect it works in reverse-proxy 
mode and just does not support HTTP/2, thus it forces the client to negotiate 
HTTP/1.1.

Hoping this helps,
Willy



Strange problem

2023-07-29 Thread Henning Svane
Hi
Today I started to get this problem.
Line 29140: Jul 29 18:47:09 haproxyxmail01 haproxy[1010]: 192.168.y.65:26570 
[29/Jul/2023:18:47:09.605] FrontEnd_Xmail_L7_IPv4~ 
FrontEnd_Xmail_L7_IPv4/ -1/-1/-1/-1/0 503 108 - - SC-- 10/10/0/0/0 0/0 
"HEAD https://mail.domin.com/OAB/857f4bf9-4f97-466c-a337-6316b1aa3cc8/oab.xml HTTP/2.0"

If I understand the error correctly, it says that it does not find a match for a 
backend. Is this correct, and if so why, because there is a match??

"Mail.domain.com" is the correct FQDN, just changed here. The only difference is 
it ends on HTTP/2.0,
where all the requests that work are HTTP/1.1, which fits as Exchange does not 
support 2.0 but only 1.1.
But what makes it strange is that when I try to debug with Fiddler the problem goes 
away and all works; when I turn off Fiddler the problem starts again.

But why this problem now, and any ideas how to fix it?
I am running HAProxy 2.8.1 under Ubuntu 22.04 (fully updated) and updated some 
days ago to 2.8.1.


Here is the frontend config:
frontend FrontEnd_Xmail_L7_IPv4
    mode http
    option socket-stats
    timeout tarpit 10s

    # Allow Exchange Admin Center to certain private network only
    acl From_private_network src 10.0.0.0/8 192.168.y.0/24

    bind 10.x.x.x:80
    bind 10.x.x.x:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem
    acl Client_Certificate_Accepted always_true

    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Strict-Transport-Security max-age=63072000

    acl XMail hdr(host) -i mail.domian.com autodiscover.domain.com
    http-request tarpit deny_status 404 if !XMail
    http-request redirect scheme https code 301 if !{ ssl_fc }

    acl XMail_Autodiscover url_beg -i /autodiscover
    acl XMail_EAS url_beg -i /microsoft-server-activesync
    acl XMail_ECP url_beg -i /ecp
    acl XMail_EWS url_beg -i /ews
    acl XMail_MAPI url_beg -i /mapi
    acl XMail_OAB url_beg -i /oab
    acl XMail_OWA url_beg -i /owa
    acl XMail_RPC url_beg -i /rpc
    acl XMail_PowerShell url_beg -i /powershell
    acl XMail_NotAllowed url_beg -i /

    use_backend HA_DAG_XMail_Autodiscover if XMail XMail_Autodiscover #( From_private_network || Client_Certificate_Accepted )
    use_backend HA_DAG_XMail_EAS          if XMail XMail_EAS Client_Certificate_Accepted
    use_backend HA_DAG_XMail_ECP          if XMail XMail_ECP From_private_network
    use_backend HA_DAG_XMail_EWS          if XMail XMail_EWS From_private_network
    use_backend HA_DAG_XMail_MAPI         if XMail XMail_MAPI From_private_network
    use_backend HA_DAG_XMail_OAB          if XMail XMail_OAB From_private_network
    use_backend HA_DAG_XMail_OWA          if XMail XMail_OWA From_private_network Client_Certificate_Accepted
    use_backend HA_DAG_XMail_RPC          if XMail XMail_RPC From_private_network
    use_backend HA_DAG_XMail_PowerShell   if XMail XMail_PowerShell From_private_network

Regards
Henning


Re: [PATCH] spell fixes, spelling whitelist addition

2023-04-22 Thread Henning Svane
Sorry, sent to the wrong mail account.

Regards
Henning Svane

From: Henning Svane
Sent: Saturday, 22 April 2023 20:43
To: Илья Шипицин; HAProxy
Subject: Re: [PATCH] spell fixes, spelling whitelist addition


No

Regards
Henning Svane

From: Илья Шипицин
Sent: Saturday, 22 April 2023 20:34
To: HAProxy
Subject: [PATCH] spell fixes, spelling whitelist addition

Hello,

yet more spell fixes

Ilya


Re: [PATCH] spell fixes, spelling whitelist addition

2023-04-22 Thread Henning Svane
No

Regards
Henning Svane

From: Илья Шипицин
Sent: Saturday, 22 April 2023 20:34
To: HAProxy
Subject: [PATCH] spell fixes, spelling whitelist addition

Hello,

yet more spell fixes

Ilya


Re: add-apt-repository ppa:vbernat/haproxy-2.7 fails

2023-01-05 Thread Henning Svane
Hi Vincent

Thanks for your reply and for pointing me in the right direction.

I have a Squid cache as APT cache, and can see that sudo add-apt-repository 
ppa:vbernat/haproxy-2.7 tries to go directly to the internet.
So you were right that it was an "internet problem", as it was blocked by the 
firewall.

I've looked into it a bit and see that this is normal behaviour for an APT cache.
A little strange that it works with ppa:vbernat/haproxy-2.6, so I have to find out how 
to get it to work now.

Regards
Henning

-Original Message-
From: Vincent Bernat
Sent: 5 January 2023 22:31
To: Henning Svane; haproxy@formilux.org
Subject: Re: add-apt-repository ppa:vbernat/haproxy-2.7 fails

On 2023-01-05 18:23, Henning Svane wrote:

> TimeoutError: [Errno 110] Connection timed out

Either your system does not have a connection to Internet or there was a 
transient error with Launchpad. Not much to do except retry a bit later.


add-apt-repository ppa:vbernat/haproxy-2.7 fails

2023-01-05 Thread Henning Svane
Hi

I would like to upgrade my current version to version 2.7.1.
HAProxy is running on:
Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

My current version is:
haproxy -v
HAProxy version 2.6.7-1ppa1~jammy 2022/12/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.7.html
Running on: Linux 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 
x86_64
I have added haproxy -vv at the bottom of the mail in case it includes information 
of importance.

HAProxy is running in an HA setup with keepalived.

I tried to add the repository for haproxy-2.7 with these steps:

  1.  sudo apt-get install --no-install-recommends software-properties-common
  2.  sudo add-apt-repository ppa:vbernat/haproxy-2.7
  3.  sudo apt-get install haproxy=2.7.\*


But I get a long error report after step 2). How do I fix this, or what is the 
problem?

odin@haproxyxmail02:~$ sudo add-apt-repository ppa:vbernat/haproxy-2.7
Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 364, in <module>
    sys.exit(0 if addaptrepo.main() else 1)
  File "/usr/bin/add-apt-repository", line 347, in main
    shortcut = handler(source, **shortcut_params)
  File "/usr/lib/python3/dist-packages/softwareproperties/shortcuts.py", line 40, in shortcut_handler
    return handler(shortcut, **kwargs)
  File "/usr/lib/python3/dist-packages/softwareproperties/ppa.py", line 82, in __init__
    if self.lpppa.publish_debug_symbols:
  File "/usr/lib/python3/dist-packages/softwareproperties/ppa.py", line 120, in lpppa
    self._lpppa = self.lpteam.getPPAByName(name=self.ppaname)
  File "/usr/lib/python3/dist-packages/softwareproperties/ppa.py", line 107, in lpteam
    self._lpteam = self.lp.people(self.teamname)
  File "/usr/lib/python3/dist-packages/softwareproperties/ppa.py", line 98, in lp
    self._lp = login_func("%s.%s" % (self.__module__, self.__class__.__name__),
  File "/usr/lib/python3/dist-packages/launchpadlib/launchpad.py", line 494, in login_anonymously
    return cls(
  File "/usr/lib/python3/dist-packages/launchpadlib/launchpad.py", line 230, in __init__
    super(Launchpad, self).__init__(
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/resource.py", line 472, in __init__
    self._wadl = self._browser.get_wadl_application(self._root_uri)
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/_browser.py", line 447, in get_wadl_application
    response, content = self._request(url, media_type=wadl_type)
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/_browser.py", line 389, in _request
    response, content = self._request_and_retry(
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/_browser.py", line 359, in _request_and_retry
    response, content = self._connection.request(
  File "/usr/lib/python3/dist-packages/httplib2/__init__.py", line 1693, in request
    (response, new_content) = self._request(
  File "/usr/lib/python3/dist-packages/launchpadlib/launchpad.py", line 144, in _request
    response, content = super(LaunchpadOAuthAwareHttp, self)._request(
  File "/usr/lib/python3/dist-packages/lazr/restfulclient/_browser.py", line 184, in _request
    return super(RestfulHttp, self)._request(
  File "/usr/lib/python3/dist-packages/httplib2/__init__.py", line 1441, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python3/dist-packages/httplib2/__init__.py", line 1363, in _conn_request
    conn.connect()
  File "/usr/lib/python3/dist-packages/httplib2/__init__.py", line 1153, in connect
    sock.connect((self.host, self.port))
TimeoutError: [Errno 110] Connection timed out


haproxy -vv
HAProxy version 2.6.7-1ppa1~jammy 2022/12/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.7.html
Running on: Linux 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 
x86_64
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -O2 -flto=auto -ffat-lto-objects -flto=auto 
-ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security 
-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors
-Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
-Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label 
-Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int 
-Wno-atomic-alignment
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 
USE_SYSTEMD=1 USE_OT=1 USE_PROMEX=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT 
+POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY 
+LINUX_SPLICE +LIBCRYPT 

Source IP in Status WEBpage

2022-06-08 Thread Henning Svane
Hi

In the pfSense implementation of HAProxy it is possible to see who, with their IP 
address, is sending traffic through the load balancer.

How can I do the same? I have looked at their autogenerated configuration, but 
cannot get the same to work under HAProxy on Ubuntu.
I am using
HAProxy version 2.5.7-1ppa1~focal 2022/05/14

Regards
Henning


Re: Re: Traffic from HAProxy gets error 401 and 500

2022-06-03 Thread Henning Svane
Hi Baptiste

Fantastic, it works. :-)
All the strange Exchange errors solved with 3 lines deleted. :-)

Thanks
Regards
Henning

From: Baptiste
Sent: 3 June 2022 08:43
To: Henning Svane
Cc: Christopher Faulet; haproxy@formilux.org
Subject: Re: Re: Traffic from HAProxy gets error 401 and 500

Hi Henning,

Please remove this "option http-server-close" from your configuration, entirely 
:)

Baptiste


Re: Traffic from HAProxy gets error 401 and 500

2022-06-01 Thread Henning Svane
Hi
I have tried haproxy -d and here I saw 401 and 500.
But I have also seen this, where I have an error I do not know how to fix:
odin@haproxy01:~$ sudo haproxy -d -f /home/odin/haproxy07e.cfg
Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.

But to your question:
I have attached the file debug.txt, which is the output from haproxy -d when I 
try to open Outlook.
There are some errors but I do not know what they mean.

Regards
Henning


From: Baptiste
Sent: 1 June 2022 07:57
To: Henning Svane
Cc: haproxy@formilux.org
Subject: Re: Traffic from HAProxy gets error 401 and 500



On Mon, May 30, 2022 at 11:58 PM Henning Svane <h...@energy.dk> wrote:
Hi
I have a strange problem.

I have a HAProxy with 2 NICs:
NIC 1, VLAN 110: HAProxy has IP 10.40.152.10/28
NIC 2, VLAN 120: HAProxy has IP 10.40.252.10/28; this is also the VLAN for the Exchange 
server, IP 10.40.252.11/28

I have an Outlook client in VLAN 100, 10.40.2.1/24
I have 2 cases for testing:
Case 1: VLAN 100 <-> FW <-> (NIC 1, VLAN 110) HAProxy (NIC 2, Exchange VLAN 120) 
<-> Exchange Server
Autodiscover.domain.com 10.40.152.10
Mail.domain.com 10.40.152.10
Frontend:
acl XMail hdr(host) -i mail. domain.com autodiscover. domain.com domain.com
acl XMail_Autodiscover url_beg -i /Autodiscover
use_backend HA_DAG_XMail_Autodiscover if XMail XMail_Autodiscover

Backend HA_DAG_XMail_Autodiscover:
server XMailDB01 XMailDB01.domain.com:443 maxconn 100 ssl ca-file /etc/haproxy/crt/mail_domain_com.pem

Case 2: VLAN 100 <-> FW <-> VLAN 120 Exchange Server
Autodiscover.domain.com 10.40.252.11
Mail.domain.com 10.40.252.11

Case 1 gives HTTP Error 401 and 500
Case 2 works as it should

Case 1
I have tried with Fiddler to find out what goes on, but have not found out why I 
get errors 401 and 500.
I am capturing traffic from both NIC 1 and NIC 2 but I cannot really find out 
what is going on and how to see what the problem is.

Hope somebody has an idea how to fix this.

Regards
Henning


Hi Henning,

You can start HAProxy in debug mode and check what happens, and also share the 
generated log lines; they may contain useful information such as the termination 
status code for the session.

Baptiste
odin@haproxy01:~$ sudo haproxy -d -f /home/odin/haproxy07e.cfg
Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result FAILED
Total: 3 (2 usable), will use epoll.

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.
:FrontEnd_Xmail_L7_IPv4.accept(000b)=003e from [10.1.0.2:52410] ALPN=
:FrontEnd_Xmail_L7_IPv4.clireq[003e:]: POST /mapi/emsmdb/?MailboxId=2d28b5f2-df74-459e-a4f3-263c284e8...@domain.com HTTP/1.1
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: cache-control: no-cache
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: pragma: no-cache
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: content-type: application/mapi-http
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: accept: application/mapi-http
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: authorization: Bearer
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: user-agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.15225; Pro)
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-ms-cookieuri-requested: t
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-featureversion: 1
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: accept-auth: badger,Wlid1.1,Bearer,Basic,NTLM,Digest,Kerberos,Negotiate,Nego2
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: client-request-id: {53DB4F87-2EE4-4650-8423-A40E36CA8623}
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-user-identity: administra...@domain.com
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-ms-account-type: Organization
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-accept: application/json
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-clientapplication: Outlook/16.0.15225.20070
:FrontEnd_Xmail_L7_IPv4.clihdr[003e:]: x-clientinfo: {E234690D-749A-4C38-B229-3AA1D0638647}:86800015
:F

Traffic from HAProxy gets error 401 and 500

2022-05-30 Thread Henning Svane
Hi
I have a strange problem.

I have a HAProxy with 2 NICs:
NIC 1, VLAN 110: HAProxy has IP 10.40.152.10/28
NIC 2, VLAN 120: HAProxy has IP 10.40.252.10/28; this is also the VLAN for the Exchange 
server, IP 10.40.252.11/28

I have an Outlook client in VLAN 100, 10.40.2.1/24
I have 2 cases for testing:
Case 1: VLAN 100 <-> FW <-> (NIC 1, VLAN 110) HAProxy (NIC 2, Exchange VLAN 120) 
<-> Exchange Server
Autodiscover.domain.com 10.40.152.10
Mail.domain.com 10.40.152.10
Frontend:
acl XMail hdr(host) -i mail. domain.com autodiscover. domain.com domain.com
acl XMail_Autodiscover url_beg -i /Autodiscover
use_backend HA_DAG_XMail_Autodiscover if XMail XMail_Autodiscover

Backend HA_DAG_XMail_Autodiscover:
server XMailDB01 XMailDB01.domain.com:443 maxconn 100 ssl ca-file /etc/haproxy/crt/mail_domain_com.pem

Case 2: VLAN 100 <-> FW <-> VLAN 120 Exchange Server
Autodiscover.domain.com 10.40.252.11
Mail.domain.com 10.40.252.11

Case 1 gives HTTP Error 401 and 500
Case 2 works as it should

Case 1
I have tried with Fiddler to find out what goes on, but have not found out why I 
get errors 401 and 500.
I am capturing traffic from both NIC 1 and NIC 2 but I cannot really find out 
what is going on and how to see what the problem is.

Hope somebody has an idea how to fix this.

Regards
Henning


FW: HAProxy resets TLS connection (Solved)

2022-05-02 Thread Henning Svane
Hi

Solved!
I found out what the problem was.

Exchange Server 2019 does not use HTTP/2, only 1.1, and I had specified alpn h2. This 
was the problem, not a certificate error.
But as the error does not say what is wrong, it can be difficult to find out.
The way I found out was by using this program as a trial:
Fiddler Everywhere.
It can show the network capture like Wireshark, but also decrypt it, so you can 
see what's going on. And here I could see it was HTTP/1.1.

So the traffic was reset because the server had sent 200 OK, but in HTTP/1.1 
and not in HTTP/2, and therefore it was not accepted.


I am still trying to get TLS to work, but so far with no luck.

HAProxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with an 
Encryption Alert, or as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
Crt5.pem = public + intermediates + Root CA + Private

This is the configuration that produces the connection:
backend HA_DAG_XMail_ECP
    mode http
    id 503
    log global
    balance roundrobin
    option log-health-checks
    option httpchk GET /ecp/healthcheck.htm
    http-check expect status 200
    server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
    server XMailDB02 XMail02.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
    server XMailDB03 XMail03.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2

Here is the TLS output from Wireshark:
No.  Time             Source           Destination      Protocol  Length  Info
27   15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
30   15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
34   15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35   15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
36   15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
39   15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
43   15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
46   15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
50   15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51   15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
52   15:54:21,418561  fc00:::##22::11  fc00:::##61::11
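
The backend above with the fix the author describes, as an added example rather than the thread's own final file (the server names are the thread's; the path of a CA-only file is assumed):

```haproxy
backend HA_DAG_XMail_ECP
    mode http
    id 503
    log global
    balance roundrobin
    option log-health-checks
    option httpchk GET /ecp/healthcheck.htm
    http-check expect status 200
    # Before (as posted): "alpn h2" makes HAProxy talk HTTP/2 to a server that
    # answers in HTTP/1.1, so the 200 OK of the health check is not understood,
    # the check fails with "Layer7 invalid response" and the connection ends in
    # a TLS alert.  The ca-file also carried the private key, which a trust
    # store never needs.
    #server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl ca-file /etc/haproxy/crt/crt5.pem alpn h2
    # After: offer only HTTP/1.1 (health checks use the server's alpn unless
    # check-alpn overrides it) and verify the server against a file holding
    # the DigiCert intermediate and root only (assumed path).
    server XMailDB01 XMail01.xx.dk:443 check maxconn 100 ssl verify required ca-file /etc/haproxy/crt/digicert-ca.pem alpn http/1.1
    server XMailDB02 XMail02.xx.dk:443 check maxconn 100 ssl verify required ca-file /etc/haproxy/crt/digicert-ca.pem alpn http/1.1
    server XMailDB03 XMail03.xx.dk:443 check maxconn 100 ssl verify required ca-file /etc/haproxy/crt/digicert-ca.pem alpn http/1.1
```
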

HAproxy reset TLS connection

2022-05-02 Thread Henning Svane
Hi

I am still trying to get TLS to work, but so far with no luck.

Haproxy:  fc00:::##61::11
Server:  fc00:::##22::11 (Exchange server)

When I run my mini HAProxy test script, HAProxy closes the connection with an 
Encryption Alert, or as it shows in the log file:
failed, reason: Layer7 invalid response, check duration: 10ms

I have tried to look into the traffic with Wireshark, and it is here I can see 
that it is terminated with "Encryption Alert (21)".
But why, I cannot see, and I cannot find a way to get more information out of 
HAProxy.
Both wget and curl with the certificate work as they should and reply 200 OK.
curl https://xmail.XX.dk/ecp/healthcheck.htm --cacert crt5.pem
200 OK
Crt5.pem = public + intermediates + Root CA + Private

This is the configuration that produces the connection:
backend HA_DAG_XMail_ECP
   mode http
   id 503
   log global
   balance roundrobin
   option log-health-checks
   option httpchk GET /ecp/healthcheck.htm
   http-check expect status 200

Here is the TLS output from Wireshark:
No.  Time             Source           Destination      Protocol  Length  Info
27   15:54:19,399602  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
30   15:54:19,401908  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
34   15:54:19,405761  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
35   15:54:19,407486  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
36   15:54:19,407584  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
39   15:54:19,407936  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
43   15:54:21,410207  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
46   15:54:21,412491  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello, Certificate, Server Key Exchange, Server Hello Done
50   15:54:21,416660  fc00:::##61::11  fc00:::##22::11  TLSv1.2   232     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
51   15:54:21,418423  fc00:::##22::11  fc00:::##61::11  TLSv1.2   125     Change Cipher Spec, Encrypted Handshake Message
52   15:54:21,418561  fc00:::##22::11  fc00:::##61::11  TLSv1.2   143     Application Data
55   15:54:21,418931  fc00:::##61::11  fc00:::##22::11  TLSv1.2   159     Application Data
56   15:54:21,419013  fc00:::##61::11  fc00:::##22::11  TLSv1.2   105     Encrypted Alert
61   15:54:23,421367  fc00:::##61::11  fc00:::##22::11  TLSv1.2   324     Client Hello
64   15:54:23,423533  fc00:::##22::11  fc00:::##61::11  TLSv1.2   694     Server Hello,

PEM Certificates for HAproxy

2022-04-29 Thread Henning Svane
Hi

I have tried to build a PEM certificate, but with no luck.
What should it include, and in which order?

The PEM file from the Exchange Server includes Attributes blocks; should these 
be removed from the private PEM file?
Here are all the certificates I have.
Also, from DigiCert, which certificate should I include?

  *   Intermediate Certificate
  *   Root Certificate
From the Private Certificate I have

  *   Private Certificate
  *   Public Certificate

Here is the private certificate with the mentioned Attributes blocks
Bag Attributes
Microsoft Local Key set: 
localKeyID: 01 00 00 00
friendlyName: xx-xx----
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
(Private certificate has been removed)
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: "friendly Name"
subject=C = DK, L = Copenhagen, O = "Company name", CN = "Common name"

issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1

-----BEGIN CERTIFICATE-----
(Certificate has been removed)
-----END CERTIFICATE-----

Regards
Henning
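
For the bundle asked about here, and for the crt5.pem that doubles as ca-file in the TLS thread above, an added shell example (not from the thread) that assembles the listed files in the order HAProxy reads them and keeps the private key out of the trust store. Only the file names are assumed; the PEM payloads in demo() are constructed.

```sh
#!/bin/sh
# Added example, not from the thread.  HAProxy takes the first CERTIFICATE block
# of a crt file as the server certificate, each following CERTIFICATE block as
# the chain (leaf, then the intermediate that signed it; the root is not needed)
# and finds the PRIVATE KEY block wherever it is.  Only the lines between the
# BEGIN/END markers are kept, so the "Bag Attributes", "Key Attributes",
# subject= and issuer= lines written by openssl pkcs12 are dropped.  A ca-file
# is a trust store: CA certificates only, never a private key.

KEY_RE='(RSA |EC )?PRIVATE KEY'   # PKCS#8 ("PRIVATE KEY") or legacy labels

# pem_blocks FILE LABEL_RE: print the PEM blocks of FILE whose BEGIN label matches
pem_blocks() {
    awk -v re="^-----BEGIN ($2)-----$" '
        $0 ~ re               { inblk = 1 }
        inblk                 { print }
        inblk && /^-----END / { inblk = 0 }
    ' "$1"
}

# count_blocks FILE LABEL_RE: how many such blocks (0 is an answer, not an error)
count_blocks() {
    pem_blocks "$1" "$2" | grep -c -- '^-----BEGIN ' || true
}

# build_crt OUT LEAF KEY [INTERMEDIATE...]: bundle for "bind ... ssl crt OUT"
build_crt() {
    [ "$(count_blocks "$2" CERTIFICATE)" -eq 1 ] || { echo "$2: need exactly one leaf certificate" >&2; return 1; }
    [ "$(count_blocks "$3" "$KEY_RE")" -eq 1 ] || { echo "$3: need exactly one private key" >&2; return 1; }
    bc_out=$1; bc_leaf=$2; bc_key=$3; shift 3
    {
        pem_blocks "$bc_leaf" CERTIFICATE
        for ca in "$@"; do pem_blocks "$ca" CERTIFICATE; done
        pem_blocks "$bc_key" "$KEY_RE"
    } > "$bc_out"
    chmod 600 "$bc_out"   # the bundle holds the private key
}

# build_ca OUT CA...: trust store for "server ... ssl ca-file OUT", certificates only
build_ca() {
    ba_out=$1; shift
    for ca in "$@"; do pem_blocks "$ca" CERTIFICATE; done > "$ba_out"
}

# demo DIR: constructed inputs shaped like the thread's files (the base64 payloads
# are fake, so only the bundling is exercised); prints the bundle path
demo() {
    printf 'Bag Attributes\n    localKeyID: 01 00 00 00\nKey Attributes\n    X509v3 Key Usage: 10\n-----BEGIN PRIVATE KEY-----\nRkFLRUtFWQ==\n-----END PRIVATE KEY-----\nBag Attributes\n    friendlyName: mail\nsubject=CN = mail.example\nissuer=CN = Fake CA1\n-----BEGIN CERTIFICATE-----\nRkFLRUxFQUY=\n-----END CERTIFICATE-----\n' > "$1/exchange-export.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nRkFLRUNBMQ==\n-----END CERTIFICATE-----\n' > "$1/intermediate.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nRkFLRVJPT1Q=\n-----END CERTIFICATE-----\n' > "$1/root.pem"
    build_crt "$1/haproxy.pem" "$1/exchange-export.pem" "$1/exchange-export.pem" "$1/intermediate.pem"
    build_ca "$1/digicert-ca.pem" "$1/intermediate.pem" "$1/root.pem"
    echo "$1/haproxy.pem"
}
```

With real files the same calls apply: the Exchange export serves as both LEAF and KEY, and the DigiCert intermediate and root go to build_ca.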


write to log file

2022-04-12 Thread Henning Svane
Hi

My configuration does not do what I thought it should do, so I would like to 
debug it.
Old school, with "print" commands of ACLs, but I cannot find a method to do 
that.

Is it possible, and if so, what is the command?

Regards
Henning


SV: Incompatible with 'frontend http-request header rule'

2022-03-03 Thread Henning Svane
Hi Christopher

I tried your rule and it did not compile, but I am trying to understand it.
/haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit' condition : no such ACL : 'http-response'
I placed the rule in the frontend, but was wondering if it should be in the 
backend, as that is where the server is called and hence produces the return code.

I understand the idea in your rule, but at the same time, I do not understand 
the order of execution.
It looks like it has to be executed from the right, with the "if { 
capture.req.uri -m beg /login } { status 401 }" first.
But then what?

If I understand correctly:
1) You save the request URL in a table with capture.req.uri.
2) Then the server tries to execute the URL.
3) Based on the server return, the http-response (this part I have not fully 
understood yet)
4) If the response is 401, then "http-request tarpit deny_status 429"

I will try to work a little more with your suggestion and see if I can get it to 
work.

Regards
Henning



-Oprindelig meddelelse-
Fra: Christopher Faulet  
Sendt: 2. marts 2022 09:06
Til: haproxy@formilux.org
Emne: Re: Incompatible with 'frontend http-request header rule'

Le 3/1/22 à 22:00, Henning Svane a écrit :
> http-request track-sc0 src table table_login_limiter if { url_beg /login } { status 401 }
> 
> http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 10 } { url_beg /login }
> 
> 

Hi,

You cannot match on the response status in a request rule. At this stage, the 
response is not received yet. So, you should rely on an http-response rule 
instead. But, at this stage, url_beg is no longer available because the request 
was already sent. You must use capture.req.uri instead.

In addition, because the tracking will be performed during the response 
evaluation, you must use table_http_req_rate() converter to look up in your 
stick-table. (Note that in your tarpit rule, you must explicitly specify the 
table name)

You can try the following rules:

http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }
http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }

You can also match on the url in an http-request rule to set a variable and use 
it in the http-response rule.

Regards,
--
Christopher Faulet
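
Henning's configuration with Christopher's two rules in place, each on its own line, as an added example that is not the thread's own file (the names are the thread's):

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 10s

frontend http-in
    bind :80
    # Request side: the response status is not known yet, so the only usable
    # input is the rate already stored for this source.  Nothing is tracked on
    # the request side, so the table has to be named in the converter.
    http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }
    # Response side: url_beg is gone (the request was already sent), but the URI
    # captured at request time is still there, and "status" is now valid.
    # This rule starts on its own line; pasted onto the end of the line above it
    # becomes part of the tarpit condition, which is the "no such ACL :
    # 'http-response'" error in the follow-up.
    http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }
    default_backend be_default_server

backend table_login_limiter
    stick-table type ip size 1m expire 60s store http_req_rate(60s)

backend be_default_server
    balance leastconn
    server server_1 127.0.0.1:80
```
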



Incompatible with 'frontend http-request header rule'

2022-03-01 Thread Henning Svane
Hi

I am trying to make a configuration that counts missed login attempts and blocks 
after 10 attempts in 60 sec.
The following example is accepted, but with a warning.
It looks like the configuration will not work, as keyword 'status' is 
incompatible with 'frontend http-request header rule'.
I have also tried to find an explanation around the keyword 'status' but cannot 
find anything.
I have also tried to remove the status keyword, but that returns an error instead.
So what is the trick to get this to work?

defaults
    retries 3 # Try to connect up to 3 times in case of failure
    timeout connect 5s # 5 seconds max to connect or to stay in queue
    timeout http-keep-alive 1s # 1 second max for the client to post next request
    timeout http-request 15s # 15 seconds max for the client to send a request
    timeout queue 30s # 30 seconds max queued on load balancer
    timeout client 30s
    timeout server 10s

    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    maxconn 100

frontend http-in
    bind :80
    http-request track-sc0 src table table_login_limiter if { url_beg /login } { status 401 }
    http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 10 } { url_beg /login }
    default_backend be_default_server

backend table_login_limiter
    stick-table type ip size 1m expire 60s store http_req_rate(60s)

backend be_default_server
    balance leastconn
    server server_1 127.0.0.1:80

haproxy -f /home/user/haproxy02.cfg -c
[NOTICE]   (1338291) : haproxy version is 2.5.3-1ppa1~focal
[NOTICE]   (1338291) : path to executable is /usr/sbin/haproxy
[WARNING]  (1338291) : config : parsing [/home/user/haproxy02.cfg:19] : anonymous acl will never match because it uses keyword 'status' which is incompatible with 'frontend http-request header rule'
[WARNING]  (1338291) : config : log format ignored for frontend 'http-in' since it has no log address.
Warnings were found.
Configuration file is valid

Regards
Henning


SV: SV: Troubles with AND in acl

2022-01-06 Thread Henning Svane
Hi Tim

What is best practice in HAProxy?

I have multiple tests of the type 
http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync }

Do I do all the tests, and at the end of the frontend block 
make the http-request tarpit if { var(txn.xmail_eas || txn.xmail_xxx) -m bool }

Or should I do a 
http-request tarpit if { var(txn.xmail_eas) -m bool } 
for each test and exit from the frontend block from there?

Normally when I code in C/C++ I prefer only to have one return in the 
procedure, but what is the best way in HAProxy, because I will make a lot of 
unnecessary tests.

Also, will a http-request tarpit if { var(txn.xmail_eas) -m bool } 
work like a return, so it exits from the frontend?

Regards
Henning

-Oprindelig meddelelse-
Fra: Tim Düsterhus  
Sendt: 2. januar 2022 17:04
Til: Henning Svane ; Aleksandar Lazic ; 
haproxy@formilux.org
Emne: Re: SV: Troubles with AND in acl

Henning,

On 1/2/22 4:00 PM, Henning Svane wrote:
> This can be parsed
> acl XMail_EAS  url_beg -i /microsoft-server-activesync && XMail
> but this will not
> acl XMail_EAS  XMail && url_beg -i /microsoft-server-activesync
> error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'.

HAProxy does not support logical conjunctions within an ACL definition. 
You can use a variable as a workaround:

http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync }
http-request tarpit if { var(txn.xmail_eas) -m bool }

Best regards
Tim Düsterhus


SV: Troubles with AND in acl

2022-01-02 Thread Henning Svane
Hi Aleksandar

Thanks, that helps, but it still gives me problems.

This can be parsed
acl XMail_EAS  url_beg -i /microsoft-server-activesync && XMail 
but this will not
acl XMail_EAS  XMail && url_beg -i /microsoft-server-activesync
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'.

But the parser accepts acl XMail_EAS, but not acl XMail_EAS_NoAccess, and 
I have tried with or without the surrounding { }
acl XMail_EAS  url_beg -i /microsoft-server-activesync && XMail
acl XMail_EAS_NoAccess { url_beg -i /microsoft-server-activesync } && { status 401 || status 403 }
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if XMail_EAS_NoAccess
http-request tarpit deny_status 429 if XMail_EAS && { sc_http_req_rate(1) gt 10 }

[ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:108] : error detected while parsing ACL 'XMail_EAS_NoAccess' : missing fetch method in ACL expression '{'.
[ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:110] : error detected while parsing an 'http-request track-sc1' condition : no such ACL : 'XMail_EAS_NoAccess'.

Also, is there a way to create constants, so that instead of writing 10 in many 
lines I could use a constant which has the value 10?

I hope you can help me understand what I do wrong here.

To your question about the version I use:
haproxy -vv
HAProxy version 2.5.0-1ppa1~focal 2021/11/26 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.0.html
Running on: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 
x86_64
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-IUgeIz/haproxy-2.5.0=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv 
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare 
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers 
-Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 
-Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 
USE_SYSTEMD=1 USE_PROMEX=1
  DEBUG   =

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT 
+POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY 
+LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM 
-ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL 
+SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC 
+PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Support for malloc_trim() is enabled.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
        h2 : mode=HTTP   side=FE|BE  mux=H2    flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
      fcgi : mode=HTTP   side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
 <default> : mode=HTTP   side=FE|BE  mux=H1    flags=HTX
        h1 : mode=HTTP   side=FE|BE  mux=H1    flags=HTX|NO_UPG
 <default> : mode=TCP    side=FE|BE  mux=PASS  flags=
      none : mode=TCP    side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace

Regards
Henning

-Oprindelig meddelelse-
Fra: Aleksandar Lazic  
Sendt: 2. januar 2022 00:49
Til: Henning Svane ; haproxy@formilux.org
Emne: Re: Troubles with AND in acl

Hi.

On 01.01.22 20:56, Henning Svane wrote:
> Hi
> 

Troubles with AND in acl

2022-01-01 Thread Henning Svane
Hi

I have used it for some time in pfSense, but now made a Linux installation, and 
now the configuration gives me some troubles.
What have I done wrong here below?
I cannot see what I should have done differently, but sudo haproxy -c -f 
/etc/haproxy/haproxy01.cfg gives the following errors:

error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in ACL expression 'if'.
error detected while parsing an 'http-request track-sc1' condition : unknown fetch method 'XMail_EAS' in ACL expression 'XMail_EAS'.

I have tried with { } around but that did not help

Configuration:

bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn h2,http/1.1

acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
http-request redirect scheme https code 301 if !{ ssl_fc }

acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync}
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS } { status 401 }  { status 403 }
http-request tarpit deny_status 429 if  { XMail_EAS} { sc_http_req_rate(1) gt 10 }

Regards
Henning
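
An added example, not from the thread, that writes the frontend of this question the way HAProxy parses conditions, and also covers the follow-ups above (AND/OR between tests, a constant for the limit, whether tarpit acts like a return) and the "write to log file" question about printing ACL results. The OWA test, the backend address and the CA file path are assumed.

```haproxy
global
    log stdout format raw local0
    # a constant: set once here, used anywhere below as ${LOGIN_RATE_LIMIT}
    setenv LOGIN_RATE_LIMIT 10

frontend fe_xmail
    mode http
    bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn h2,http/1.1
    log global
    # "print" debugging: the outcome of each test is written to the access log
    log-format "%ci:%cp [%tr] %ST eas=%[var(txn.xmail_eas)] owa=%[var(txn.xmail_owa)] rate=%[src,table_http_req_rate(Table_SRC_XMail_EAS_L4)] %HM %HU"

    # one fetch per acl line; "if", "AND" and "&&" do not belong here
    acl XMail     hdr(host) -i mail.domain.com autodiscover.domain.com
    acl XMail_EAS url_beg -i /microsoft-server-activesync
    acl XMail_OWA url_beg -i /owa

    http-request redirect scheme https code 301 if !{ ssl_fc }

    # AND is implicit between ACLs in a condition: this is "XMail AND XMail_EAS"
    http-request set-var(txn.xmail_eas) bool(1) if XMail XMail_EAS
    http-request set-var(txn.xmail_owa) bool(1) if XMail XMail_OWA
    # A condition is an OR of AND-groups, so "eas OR owa" gets its own variable
    # rather than "||" inside var(); written "||" between two { } groups.
    http-request set-var(txn.xmail_hit) bool(1) if { var(txn.xmail_eas) -m bool } || { var(txn.xmail_owa) -m bool }

    # tarpit is final: no later http-request rule runs for this request, so one
    # rule at the end covers every test above, like a single return in C
    http-request tarpit deny_status 429 if { var(txn.xmail_hit) -m bool } { src,table_http_req_rate(Table_SRC_XMail_EAS_L4) gt ${LOGIN_RATE_LIMIT} }

    # 401/403 only exist in the response, so the counting happens there
    http-response track-sc1 src table Table_SRC_XMail_EAS_L4 if { var(txn.xmail_hit) -m bool } { status 401 403 }

    default_backend be_xmail

backend Table_SRC_XMail_EAS_L4
    stick-table type ip size 1m expire 60s store http_req_rate(60s)

backend be_xmail
    mode http
    server exch01 10.40.22.11:443 ssl verify required ca-file /etc/haproxy/crt/digicert-ca.pem alpn http/1.1
```

Run haproxy -c -f on the file first; the log line then shows, per request, which variables were set and the current rate for the source.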