Hi Remi,
On Thu, May 21, 2015 at 06:07:34PM +0200, Remi Gacogne wrote:
> In the default configuration, Haproxy uses a 1024-bit DH key generated
> from the second Oakley group [2] for Diffie-Hellman Ephemeral (DHE) key
> exchange. This group is widely used, and is likely to be the first
> target fo
Hi Pawel,
On Thu, May 21, 2015 at 01:04:42PM -0700, Pawel Veselov wrote:
> Willy, Lucas, thank you so much for analyzing my configs and your help.
>
> We did find out what was wrong.
>
> Some long time ago we added 'option nolinger' to the defaults section. This
> was figured by trial and error
Hi Joseph,
On Thu, May 21, 2015 at 10:50:17AM -0700, Joseph Lynch wrote:
> Hello Willy,
>
> On Sat, May 16, 2015 at 2:05 AM, Willy Tarreau wrote:
> >> I moved the order of the comparisons around a little bit to ensure
> >> that the redispatch_after variable would be defined (namely if
> >> PR_O_
Hi Robert,
On Tue, May 19, 2015 at 04:10:54PM -0700, Robert Brooks wrote:
> On Mon, May 18, 2015 at 7:58 PM, Willy Tarreau wrote:
>
> > It's useless at such sizes. A rule of thumb is that splicing will not be
> > used at all for anything that completely fits in a buffer since haproxy
> > tries t
Hi Rémi,
On Thu, May 21, 2015 at 11:19:15PM +0200, Remi Gacogne wrote:
>
> Hi Hervé,
>
> On 05/21/2015 10:11 PM, Hervé Commowick wrote:
>
> > I encounter a problem with dhparam configuration, if i have 2 bind lines, a
> > tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
Thanks Baptiste,
Let me give this a try.
On May 21, 2015, at 5:26 AM, Baptiste wrote:
It seems your client gets connected using HTTPS on the HTTP port of haproxy.
you must make your application aware that SSL offloading is being performed by
a device in front of it.
Some hints:
http://blog.haprox
Hi Hervé,
On 05/21/2015 10:11 PM, Hervé Commowick wrote:
> I encounter a problem with dhparam configuration, if i have 2 bind lines, a
> tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
> pem file, ALL bind lines will use 1024, the one with the custom group will
> work as
Hello,
I encounter a problem with dhparam configuration, if i have 2 bind lines, a
tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
pem file, ALL bind lines will use 1024, the one with the custom group will
work as expected, and the one without will use the default Oakley g
Willy, Lucas, thank you so much for analyzing my configs and your help.
We did find out what was wrong.
Some long time ago we added 'option nolinger' to the defaults section. This
was figured by trial and error, and that option, on 1.4, served us well to
the point of us forgetting about it. When
>> You can use your own dhparam by appending it to the file specified with
>> the crt command, after your certificate chain and key.
>
> Well, I meant globally, as default.
>
> global
> tune.ssl.default-dh-param /path/to/custom/dhparams.pem
I don't think it's possible right now, but it shou
On 2015-05-21 18:20, Remi Gacogne wrote:
Hi,
from what I've seen in the sources and documentation a default and
pre-generated prime will be used as default (unless appended to the
certificate). HAProxy uses the related functions provided by OpenSSL
itself (get_rfc3526_prime_2048, ...). What I
Hi,
> from what I've seen in the sources and documentation a default and
> pre-generated prime will be used as default (unless appended to the
> certificate). HAProxy uses the related functions provided by OpenSSL
> itself (get_rfc3526_prime_2048, ...). What I miss here is an option to
> specify
Haproxy and weakdh/logjam
Hi,
Everyone has probably heard about the recently disclosed weakdh/logjam
attack [0] already. Here are a few personal thoughts on the impact on
Haproxy.
The weakdh issue is twofold:
- if the HTTPS server is willing to accept a cipher suite using a very
weak Diffie-Hel
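The thread above raises two practical points: HAProxy's default DH group is the published 1024-bit second Oakley group, and the only per-bind override is a DH PARAMETERS block appended to the crt file after the chain and key (Hervé's earlier message concerns a bind line that lacks one). The following audit script is an added example written for this page, not HAProxy's own code. It parses each crt bundle for an appended DH group, reports its size and whether it is the Oakley group 2 prime from RFC 2409, and otherwise applies the global tune.ssl.default-dh-param, 1024 when unset, as the thread describes. The function names and the sample bundles (placeholder certificate and key blocks, and a 2048-bit odd number standing in for a real safe prime) are constructed for the example; the fallback rule is the intended behaviour described in the thread, not a reproduction of the bug Hervé reports.

```python
"""Audit the effective Diffie-Hellman group behind each HAProxy 'bind ... crt' bundle.

Example code for this thread, not HAProxy's own. Rule modelled (from the thread):
an appended 'DH PARAMETERS' block wins for that bind; otherwise the global
tune.ssl.default-dh-param applies, which is 1024 bits (Oakley group 2) when unset.
"""
import base64
import re

# RFC 2409 section 6.2, "Second Oakley Group": the 1024-bit MODP prime that the
# thread identifies as HAProxy's default DH group.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

MIN_SAFE_BITS = 2048  # the size the thread recommends for tune.ssl.default-dh-param

# Minimal DER for PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_uint(v):
    # one extra bit of headroom so a set high bit gets a leading 0x00 (positive INTEGER)
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _pem(kind, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

def build_dhparam_pem(p, g=2):
    """Encode (p, g) in the same PEM/DER form 'openssl dhparam' writes."""
    inner = _der_uint(p) + _der_uint(g)
    return _pem("DH PARAMETERS", b"\x30" + _der_len(len(inner)) + inner)

def parse_dhparam_der(der):
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, base)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(bundle):
    """Yield (kind, DER bytes) for every PEM block in a crt bundle, in file order."""
    for m in PEM_BLOCK.finditer(bundle):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def effective_dh(bundle, default_dh_param=1024):
    """Which DH group a bind using this crt bundle ends up with, per the thread's rule."""
    for kind, der in pem_blocks(bundle):
        if kind == "DH PARAMETERS":
            p, _g = parse_dhparam_der(der)
            return {"source": "crt file", "bits": p.bit_length(),
                    "well_known": p == OAKLEY_GROUP2_P}
    # No appended group: a built-in OpenSSL prime of the configured size is used.
    # Published groups are the natural precomputation target, so size is what matters.
    return {"source": "tune.ssl.default-dh-param", "bits": default_dh_param, "well_known": True}

def audit(binds, default_dh_param=1024):
    """binds: {bind name: crt bundle text}. Flags any bind below MIN_SAFE_BITS."""
    report = {}
    for name, bundle in binds.items():
        info = effective_dh(bundle, default_dh_param)
        info["weak"] = info["bits"] < MIN_SAFE_BITS
        report[name] = info
    return report

# Constructed sample bundles: placeholders, not real credentials or real DH primes.
CERT_AND_KEY = _pem("CERTIFICATE", b"placeholder cert") + _pem("PRIVATE KEY", b"placeholder key")
BUNDLE_PLAIN = CERT_AND_KEY                                          # relies on the global default
BUNDLE_OAKLEY2 = CERT_AND_KEY + build_dhparam_pem(OAKLEY_GROUP2_P)   # the weak default group, appended
PLACEHOLDER_2048 = (1 << 2047) | 1                                   # 2048-bit odd number, NOT a safe prime
BUNDLE_2048 = CERT_AND_KEY + build_dhparam_pem(PLACEHOLDER_2048)

if __name__ == "__main__":
    binds = {"https-plain": BUNDLE_PLAIN, "https-oakley2": BUNDLE_OAKLEY2, "https-custom": BUNDLE_2048}
    for setting in (1024, 2048):
        print(f"tune.ssl.default-dh-param {setting}")
        for name, info in audit(binds, setting).items():
            print(f"  {name:14} {info['bits']:>4} bits from {info['source']:<26} "
                  f"well-known={info['well_known']} weak={info['weak']}")
```

Run it against the real crt files of each bind line (read the file text in place of the constructed bundles) and the effective group per bind comes out at a glance: with the default setting every bind without an appended group is on the 1024-bit published prime; raising tune.ssl.default-dh-param to 2048 fixes those, while an appended 1024-bit group is reported as weak regardless of the global setting.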
Hi,
from what I've seen in the sources and documentation a default and
pre-generated prime will be used as default (unless appended to the
certificate). HAProxy uses the related functions provided by OpenSSL
itself (get_rfc3526_prime_2048, ...). What I miss here is an option to
specify my own
Hi,
On Thu, May 21, 2015 at 11:31:52AM +0530, Krishna Kumar (Engineering) wrote:
> Hi all,
>
> I am getting a big performance hit with SSL termination for small I/O, and
> errors when testing with bigger I/O sizes (ab version is 2.3):
>
> 1. Non-SSL vs SSL for small I/O (128 bytes):
> ab -k
Title: BricoPrivé
To view this message correctly, open the online version
Private sales for DIY & gardening: discounts of up to 80%!
Bricoprive.com is the private sales site dedicated to
Hi Pawel,
On Tue, May 19, 2015 at 02:47:41PM -0700, Pawel Veselov wrote:
> > These settings should theoretically make
> > haproxy behave exactly the same.
> >
>
> So think that somehow, 1.5 was creating or keeping a lot more open
> connections at a time, and depriving the kernel, or its own limits
For nbproc=1, pinned to cpu 0, the drop in RPS/BW is both 45% for 16K I/O size.
aes-ni is enabled for this processor (ssl speed test shows performance is about 5x).
Pidstat shows that cpu is heavily used by haproxy during SSL test:
Average:      UID       PID    %usr %system  %guest    %CPU   CPU
18 matches