Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Willy Tarreau
Hi Apollon, On Wed, Oct 08, 2014 at 03:14:41PM +0300, Apollon Oikonomopoulos wrote: By default systemd will send SIGTERM to all processes in the service's control group. In our case, this includes the wrapper, the master process and all worker processes. Since commit c54bdd2a the wrapper

Re: Dynamic Backend Selection

2014-10-09 Thread Willy Tarreau
Hi, On Tue, Oct 07, 2014 at 08:19:59AM -0500, B. Heath Robinson wrote: I am trying to use the dynamic backend selection feature of 1.5, but I am missing something. Here is a snippet of my configuration: frontend sledgehammer bind *:1 option http-pretend-keepalive

TSL handshake errors using mobile applications

2014-10-09 Thread Attila Heidrich
Dear All! I have been using haproxy for more than a year with total satisfaction. This is the first problem we are unable to solve, maybe someone has already met anything similar! There are two JBOSS servers (http, port 8080), behind a haproxy (HA config with keepalived, but this is irrelevant at

Re: Freezing haproxy traffic with maxconn 0 and keepalive connections

2014-10-09 Thread Willy Tarreau
Hi Ivan, On Thu, Oct 09, 2014 at 04:10:29PM +1300, Ivan Kurnosov wrote: Since `haproxy v1.5.0` it was possible to temporarily stop reverse-proxying traffic to frontends using set maxconn frontend frontend_name 0 command. I've noticed that if haproxy is configured to maintain

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Jason J. W. Williams
I'm really amazed by the amount of breakage these new service managers are causing to a simple process management that has been working well for over 40 years of UNIX existence now, and the difficulty we have to work around this whole mess! If there was a poster child for knowing better than

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Apollon Oikonomopoulos
Hi Willy, On 11:26 Thu 09 Oct , Willy Tarreau wrote: Hi Apollon, On Wed, Oct 08, 2014 at 03:14:41PM +0300, Apollon Oikonomopoulos wrote: By default systemd will send SIGTERM to all processes in the service's control group. In our case, this includes the wrapper, the master process

Re: Freezing haproxy traffic with maxconn 0 and keepalive connections

2014-10-09 Thread Ivan Kurnosov
It's something I'd like to add also for the graceful shutdown, but for now we don't have an easy way to navigate through the idle connections. However something I was considering was to avoid keep-alive when serving a response over a saturated frontend or when the process is stopping. That way

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Willy Tarreau
On Thu, Oct 09, 2014 at 12:35:10PM +0300, Apollon Oikonomopoulos wrote: Hi Willy, On 11:26 Thu 09 Oct , Willy Tarreau wrote: Hi Apollon, On Wed, Oct 08, 2014 at 03:14:41PM +0300, Apollon Oikonomopoulos wrote: By default systemd will send SIGTERM to all processes in the service's

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Apollon Oikonomopoulos
On 11:44 Thu 09 Oct , Willy Tarreau wrote: On Thu, Oct 09, 2014 at 12:35:10PM +0300, Apollon Oikonomopoulos wrote: Hi Willy, On 11:26 Thu 09 Oct , Willy Tarreau wrote: Hi Apollon, On Wed, Oct 08, 2014 at 03:14:41PM +0300, Apollon Oikonomopoulos wrote: By default

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Willy Tarreau
On Thu, Oct 09, 2014 at 12:55:25PM +0300, Apollon Oikonomopoulos wrote: On 11:44 Thu 09 Oct , Willy Tarreau wrote: OK, so I'm merging your patch if you think it's the best solution. Well, I think it's the most sane thing to do and is behaviour-compatible with the current wrapper

Re: [PATCH] BUG/MEDIUM: systemd: set KillMode to 'mixed'

2014-10-09 Thread Apollon Oikonomopoulos
On 12:07 Thu 09 Oct , Willy Tarreau wrote: Anyway we're not there to discuss the benefits or defaults of systemd, some major distros have adopted it and now we have to work around its breakages so that users can continue to use their systems as if it was still a regular, manageable UNIX

1.5.5 - Config with Disabled backend causes silent loss of configuration.

2014-10-09 Thread Paul Taylor
Hi, I have some 1.5.3 configurations which contain a default_backend which is actually disabled. Snippet below. On upgrading to 1.5.5 - the first backend following the disabled line gets silently lost. Frontend main *:80 ... default_backend default

Re: Freezing haproxy traffic with maxconn 0 and keepalive connections

2014-10-09 Thread Willy Tarreau
On Thu, Oct 09, 2014 at 10:37:04PM +1300, Ivan Kurnosov wrote: It's something I'd like to add also for the graceful shutdown, but for now we don't have an easy way to navigate through the idle connections. However something I was considering was to avoid keep-alive when serving a response

Re: TSL handshake errors using mobile applications

2014-10-09 Thread Attila Heidrich
Finally it turned out NOT to be TLS related. The problem was the HTTP acl matching in the frontend. I used acl: hdr(host). The mobile client was the only one in the whole world which specified the :443 for https: URLs, so I have never noticed earlier, that it can be a problem. changed to

[PATCH] systemd: check config before starting.

2014-10-09 Thread Marcus Rueckert
as the patch name says ... systemd gives us a hook to run stuff before the service is started, we can use that to test if the config is valid. that's something that my old init script also did. with kind regards darix -- openSUSE - SUSE Linux is my linux

Re: 2 services (frontend+backend), both with cookies, failure

2014-10-09 Thread Jarno Huuskonen
Hi, On Mon, Oct 06, Kari Mattsson wrote: (IP numbers are imaginary, not real.) When I go to http://200.200.200.111 and http://200.200.200.222, and press F5 (refresh) on Firefox a few times, I end up with 4 cookies instead of 2. For example when you go to .111 and hit refresh few times do

Re: 1.5.5 - Config with Disabled backend causes silent loss of configuration.

2014-10-09 Thread Bryan Talbot
I think I can reproduce this and a similar bug that causes a SEGFAULT (on load or config check) when 'disabled' appears in a backend using the config shown below. defaults timeout client 5s timeout server 5s frontend main : default_backend one backend one backend two disabled A

Re: 1.5.5 - Config with Disabled backend causes silent loss of configuration.

2014-10-09 Thread Willy Tarreau
Hi guys, On Thu, Oct 09, 2014 at 11:57:03AM -0700, Bryan Talbot wrote: I think I can reproduce this and a similar bug that causes a SEGFAULT (on load or config check) when 'disabled' appears in a backend using the config shown below. defaults timeout client 5s timeout server 5s

Re: [PATCH] systemd: check config before starting.

2014-10-09 Thread Willy Tarreau
Hi Marcus, On Thu, Oct 09, 2014 at 05:00:09PM +0200, Marcus Rueckert wrote: as the patch name says ... systemd gives us a hook to run stuff before the service is started, we can use that to test if the config is valid. that's something that my old init script also did. with kind regards

Re: TSL handshake errors using mobile applications

2014-10-09 Thread Willy Tarreau
Hi, On Thu, Oct 09, 2014 at 02:15:19PM +0200, Attila Heidrich wrote: Finally it turned out NOT to be TLS related. The problem was the HTTP acl matching in the frontend. I used acl: hdr(host). The mobile client was the only one in the whole world which specified the :443 for https: URLs, so I

SNI in logs

2014-10-09 Thread Eugene Istomin
Hello, can we log SNI headers (req_ssl_sni) or generally, SNI availability (ssl_fc_has_sni) the same way we log SSL version (%sslv)? Best regards, Eugene Istomin

Re: Connect to SNI-only server (haproxy as a client)

2014-10-09 Thread Eugene Istomin
Hello, yesterday we were looking for the client-side SNI custom string for one of our clients and chose stunnel (as outbound TLS termination) for two reasons: 1) ability to send client certificate (client mode) 2) ability to send custom SNI header in client mode We use haproxy as main L7

Re: Connect to SNI-only server (haproxy as a client)

2014-10-09 Thread Willy Tarreau
Hello Eugene, On Fri, Oct 10, 2014 at 08:13:43AM +0300, Eugene Istomin wrote: Hello, yesterday we were looking for the client-side SNI custom string for one of our clients and chose stunnel (as outbound TLS termination) for two reasons: 1) ability to send client certificate (client mode)