Actually, it looks like I can make use of existing stick stuff to hit
my end goal. Still curious if the above could work, tho.
Example of what I'm going to go with for now:
stick-table type ip size 1m expire 5m store gpc0,sess_cnt
stick on hdr_ip(X-Forwarded-For,-1)
On Wed, Dec 16, 2015
Is it possible to modify the client src address in the proxy protocol
and loop back to haproxy over abns without needing tproxy? I'm hoping
that by encapsulating the usesrc in the proxy protocol I can avoid
needing any type of tproxy setup.
End goal is to ratelimit based on source address that is
❦ 16 décembre 2015 16:32 -0800, Marc Fournier :
> Damn … Apache does, but, Wordpress doesn’t … unless we’ve missed
> something, but you have to make a choice with Wordpress … either its a
> https:// site, or its a http:// site … they hard code the protocol /
> url right into the database …
>Fro
Damn … Apache does, but, Wordpress doesn’t … unless we’ve missed something, but
you have to make a choice with Wordpress … either its a https:// site, or its a
http:// site … they hard code the protocol / url right into the database …
Any ETA on ALPN on the backend? 1.7? Or not until 1.8?
Hi Marc,
> server web2 119.81.152.73:443 weight 1 maxconn 30 check ssl verify none
Apache expects that the TLS client negotiates h2 via ALPN, but the TLS client in
this case is haproxy, so this won't work.
You have to disable TLS on the backend und go unencrypted. nginx and jetty
can do clear-
Tried matching hte ciphers on haproxy as I have on apache, and removed the h2:
bind :443 ssl crt /etc/ssl/hospitality.pro.pem no-sslv3 alpn http/1.1 ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
page loads fine …
its only when the h2 is in there that it fails …
I’ve also
Okay … thanks to Vincent/Lukas, I have a 1.6.2 built that has OpenSSL 1.0.2
statically linked … so this line now works, in so far as letting the server
start up:
bind :443 ssl crt /etc/ssl/cert.pem no-sslv3 ciphers TLSv1.2 alpn
h2,http/1.1
When I hit the server, the haproxy.log file shows
Hi,
On Mon, Dec 14, 2015 at 11:13:53AM -0800, Christopher Opena wrote:
> Is this the proper way to unsubscribe? I've tried this, sending
> unsubscribe to haproxy+unsubscribe, bit neither seem to work. Might be
> good to have this documented somewhere.
haproxy+unsubscr...@formilux.org is the pro
On Wed, Dec 16, 2015 at 04:23:44PM +0100, Manfred Hollstein wrote:
> > On Wed, Dec 09, 2015 at 07:51:11PM +0100, Manfred Hollstein wrote:
> > > FWIW, David's patch is completely right. __USE_* features shouldn't be
> > > defined manually, but should be inherited from their proper definition
> > > b
Hi Willy,
On Wed, 16 Dec 2015, 15:57:24 +0100, Willy Tarreau wrote:
> Hi Manfred,
>
> On Wed, Dec 09, 2015 at 07:51:11PM +0100, Manfred Hollstein wrote:
> > FWIW, David's patch is completely right. __USE_* features shouldn't be
> > defined manually, but should be inherited from their proper defin
Hi Manfred,
On Wed, Dec 09, 2015 at 07:51:11PM +0100, Manfred Hollstein wrote:
> FWIW, David's patch is completely right. __USE_* features shouldn't be
> defined manually, but should be inherited from their proper definition
> by #include'ing , with glibc at least.
(...)
Thanks for your detailed
Hi Cyril,
thank you for you answer and proposed solution.
Best regards
Andreas
> -Ursprüngliche Nachricht-
> Von: Cyril Bonté [mailto:cyril.bo...@free.fr]
> Gesendet: Freitag, 4. Dezember 2015 09:23
> An: Andreas Mock
> Cc: haproxy@formilux.org
> Betreff: Re: Why does this config snipp
❦ 15 décembre 2015 22:34 -0800, Marc Fournier :
> [ALERT] 349/062436 (12994) : parsing [/etc/haproxy/haproxy.cfg:34] : 'bind
> :443' : 'alpn' : library does not support TLS ALPN extension
> [ALERT] 349/062436 (12994) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT]
Hi Marc,
> [ALERT] 349/062436 (12994) : parsing [/etc/haproxy/haproxy.cfg:34] : 'bind
> :443' : 'alpn' : library does not support TLS ALPN extension
> [ALERT] 349/062436 (12994) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 349/062436 (12994) : Fatal errors found
14 matches
Mail list logo