On 15.04.2016 16:01, Christian Ruppert wrote:
> Hi,
>
> would it be possible to inherit the SSL information from a SSL
> listener/frontend via PROXY protocol?
> So for example:
>
> listen ssl-relay
> mode tcp
>
> ...
>
> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>
Did a bit more digging on the most recent instance, and found that the
haproxy pid doing the hogging was handling a connection to the stats
port :
listen haproxy_stats :5
stats enable
stats uri /
no log
, with this 'netstat -pantlu' entry :
tcp 0 99756
Hi Jim,
On 15/04/2016 23:20, Jim Freeman wrote:
I have haproxy slaved to 2d cpu (CPU1), with frequent config changes
and a '-sf' soft-stop with the now-old non-listening process nannying
old connections.
Sometimes CPU1 goes to %100, and then a few minutes later request
latencies suffer
Hello,
I know this question is stupid. Is there a coding style for config
files, like this: http://www.haproxy.org/coding-style.html ?
Cheers,
Michael
I have haproxy slaved to 2d cpu (CPU1), with frequent config changes
and a '-sf' soft-stop with the now-old non-listening process nannying
old connections.
Sometimes CPU1 goes to %100, and then a few minutes later request
latencies suffer across multiple haproxy peers.
An strace of the nanny
Oh, great thanks!
On Thu, Apr 14, 2016 at 11:50 PM Willy Tarreau wrote:
> Hi David,
>
> On Fri, Apr 15, 2016 at 03:35:11AM +, David Birdsong wrote:
> > Is there any way to use:
> >
> > http-request set-var()
> >
> > to set a var for later use in forming an ACL?
> >
> > I've
Hi,
are there any plans to support DNS resolution based on TTL a la NGINX? This
would be helpful for use cases where the upstream is an ELB or similar
system. I've pasted a reply from AWS support based on some observations
from a couple of our services that use HAProxy 1.6 in front of ELBs. Note
On Apr 15, 2016 4:24 AM, "Janusz Dziemidowicz"
wrote:
>
> 2016-04-14 17:39 GMT+02:00 David Martin :
> > Here's a revised patch, it throws a fatal config error if
> > SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so
> > current
Hi,
would it be possible to inherit the SSL information from a SSL
listener/frontend via PROXY protocol?
So for example:
listen ssl-relay
mode tcp
...
server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
listen ssl-rsa_ecc
mode tcp
...
bind
Hi,
I have a concrete use case that needs http/2 : one ssl frontend with
multiple heterogeneous (h2,http/1.1) backends
gRPC is http2 only and if you have to use it behind a single domain
you need to be able to route http/2 traffic among http/1.1.
In this case, I need to apply some http specific
On 15/04/2016 11:44 AM, Willy Tarreau wrote:
> Hi Christian,
>
> On Fri, Apr 15, 2016 at 11:26:18AM +0200, Christian Ruppert wrote:
>> Just in case someone is interested in this setup:
>> Don't put the two SSL binds into the frontend. Add a second listener for the
>> two SSL binds and from
On Fri, Apr 15, 2016 at 11:56:20AM +0200, Pavlos Parissis wrote:
> nbproc > 1 introduces also 2 other __issues__ which have been discussed
> several times in this ML:
>
> 1) the aggregation of statistics
> 2) performing operations such as disable/enable/change weight.
> In setups where the
On 15/04/2016 11:26 AM, Christian Ruppert wrote:
> On 2016-04-14 11:06, Christian Ruppert wrote:
>> Hi Willy,
>>
>> On 2016-04-14 10:17, Willy Tarreau wrote:
>>> On Thu, Apr 14, 2016 at 08:55:47AM +0200, Lukas Tribus wrote:
Let me put it this way:
frontend haproxy_test
Hi Christian,
On Fri, Apr 15, 2016 at 11:26:18AM +0200, Christian Ruppert wrote:
> Just in case someone is interested in this setup:
> Don't put the two SSL binds into the frontend. Add a second listener for the
> two SSL binds and from there via send-proxy-v2 to the frontend.
> Why? Because
On 2016-04-14 11:06, Christian Ruppert wrote:
Hi Willy,
On 2016-04-14 10:17, Willy Tarreau wrote:
On Thu, Apr 14, 2016 at 08:55:47AM +0200, Lukas Tribus wrote:
Let me put it this way:
frontend haproxy_test
bind-process 1-8
bind :12345 process 1
bind :12345 process 2
bind :12345 process 3
2016-04-15 11:16 GMT+02:00 Pavlos Parissis :
> But on server side you need openssl 1.1.0[1] which is not ready yet and
> I think it requires changes on haproxy. Nginx has already some level of
> support[2] for openssl 1.1.0.
Sure, I didn't mean that it will work right
2016-04-14 17:39 GMT+02:00 David Martin :
> Here's a revised patch, it throws a fatal config error if
> SSL_CTX_set1_curves_list() fails. The default ecdhe option is used so
> current configurations should not be impacted.
>
> Sorry Janusz, forgot the list on my reply.
I
On 15/04/2016 10:58 AM, Janusz Dziemidowicz wrote:
> 2016-04-15 6:55 GMT+02:00 Willy Tarreau :
>>> Switching ECDHE curves can have performance impact, for example result
>>> of openssl speed on my laptop:
>>> 256 bit ecdh (nistp256) 0.0003s 2935.3
>>> 384 bit ecdh (nistp384)
2016-04-15 6:55 GMT+02:00 Willy Tarreau :
>> Switching ECDHE curves can have performance impact, for example result
>> of openssl speed on my laptop:
>> 256 bit ecdh (nistp256) 0.0003s 2935.3
>> 384 bit ecdh (nistp384) 0.0027s 364.9
>> 521 bit ecdh (nistp521) 0.0016s
Hi David,
On Fri, Apr 15, 2016 at 03:35:11AM +, David Birdsong wrote:
> Is there any way to use:
>
> http-request set-var()
>
> to set a var for later use in forming an ACL?
>
> I've tried all the prefixes to make the variable survive past http
> processing, but the ACL is always rejected
On Fri, Apr 15, 2016 at 07:58:43AM +0200, Cyril Bonté wrote:
> commit 7c0ffd23 is only considering the explicit use of the "process" keyword
> on the listeners. But at this step, if it's not defined in the configuration,
> the listener bind_proc mask is set to 0. As a result, the code will compute